npm - cc-safe-setup - Versions diffs - 2.4.0 → 2.6.0 - Mend

cc-safe-setup 2.4.0 → 2.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +8 -1
package/SAFETY_CHECKLIST.md +53 -0
package/audit-web/index.html +494 -38
package/docs/index.html +603 -0
package/examples/case-sensitive-guard.sh +145 -0
package/index.mjs +176 -1
package/package.json +2 -2

package/audit-web/index.html CHANGED Viewed

@@ -3,18 +3,24 @@
 <head>
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>Claude Code Safety Audit</title>
+<title>Claude Code Safety Audit & Setup Generator</title>
+<meta name="description" content="Audit your Claude Code settings and generate safety hooks — 100% in your browser. No npm required.">
 <style>
 * { box-sizing: border-box; margin: 0; padding: 0; }
 body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; background: #0d1117; color: #c9d1d9; min-height: 100vh; padding: 2rem; }
-.container { max-width: 720px; margin: 0 auto; }
+.container { max-width: 800px; margin: 0 auto; }
 h1 { font-size: 1.5rem; margin-bottom: 0.5rem; color: #f0f6fc; }
+h2 { font-size: 1.2rem; margin: 1.5rem 0 0.75rem; color: #f0f6fc; }
+h3 { font-size: 1rem; margin: 1rem 0 0.5rem; color: #c9d1d9; }
 .subtitle { color: #8b949e; margin-bottom: 2rem; }
-textarea { width: 100%; height: 200px; background: #161b22; border: 1px solid #30363d; border-radius: 6px; color: #c9d1d9; font-family: monospace; font-size: 13px; padding: 1rem; resize: vertical; }
+textarea { width: 100%; height: 180px; background: #161b22; border: 1px solid #30363d; border-radius: 6px; color: #c9d1d9; font-family: monospace; font-size: 13px; padding: 1rem; resize: vertical; }
 textarea::placeholder { color: #484f58; }
-button { background: #238636; color: #fff; border: none; padding: 0.75rem 1.5rem; border-radius: 6px; font-size: 1rem; cursor: pointer; margin-top: 1rem; }
-button:hover { background: #2ea043; }
-.results { margin-top: 2rem; }
+.btn { background: #238636; color: #fff; border: none; padding: 0.6rem 1.2rem; border-radius: 6px; font-size: 0.9rem; cursor: pointer; margin-top: 0.75rem; margin-right: 0.5rem; }
+.btn:hover { background: #2ea043; }
+.btn-secondary { background: #30363d; }
+.btn-secondary:hover { background: #484f58; }
+.btn-sm { padding: 0.3rem 0.6rem; font-size: 0.75rem; margin-top: 0; }
+.results { margin-top: 1.5rem; }
 .score { font-size: 2rem; font-weight: bold; margin: 1rem 0; }
 .score.good { color: #3fb950; }
 .score.mid { color: #d29922; }
@@ -28,12 +34,37 @@ button:hover { background: #2ea043; }
 .good-item { color: #3fb950; margin: 0.25rem 0; }
 .privacy { color: #484f58; font-size: 12px; margin-top: 2rem; text-align: center; }
 a { color: #58a6ff; text-decoration: none; }
+.tabs { display: flex; gap: 0; margin-top: 2rem; border-bottom: 1px solid #30363d; }
+.tab { padding: 0.6rem 1.2rem; cursor: pointer; color: #8b949e; border-bottom: 2px solid transparent; font-size: 0.9rem; }
+.tab.active { color: #f0f6fc; border-bottom-color: #f78166; }
+.tab:hover { color: #c9d1d9; }
+.tab-content { display: none; }
+.tab-content.active { display: block; }
+.code-block { position: relative; background: #161b22; border: 1px solid #30363d; border-radius: 6px; padding: 1rem; margin: 0.5rem 0; overflow-x: auto; }
+.code-block pre { font-family: monospace; font-size: 12px; white-space: pre; color: #c9d1d9; margin: 0; }
+.code-block .copy-btn { position: absolute; top: 0.5rem; right: 0.5rem; background: #30363d; color: #c9d1d9; border: 1px solid #484f58; padding: 0.2rem 0.5rem; border-radius: 4px; font-size: 11px; cursor: pointer; }
+.code-block .copy-btn:hover { background: #484f58; }
+.hook-card { background: #161b22; border: 1px solid #30363d; border-radius: 6px; padding: 1rem; margin: 0.5rem 0; }
+.hook-card summary { cursor: pointer; font-weight: bold; color: #f0f6fc; }
+.hook-card summary:hover { color: #58a6ff; }
+.hook-card .desc { color: #8b949e; font-size: 0.85rem; margin-top: 0.25rem; }
+.setup-steps { counter-reset: step; list-style: none; padding: 0; }
+.setup-steps li { counter-increment: step; padding: 0.75rem 0 0.75rem 2.5rem; position: relative; border-left: 2px solid #30363d; margin-left: 1rem; }
+.setup-steps li::before { content: counter(step); position: absolute; left: -1rem; top: 0.65rem; width: 2rem; height: 2rem; background: #238636; color: #fff; border-radius: 50%; display: flex; align-items: center; justify-content: center; font-size: 0.8rem; font-weight: bold; }
+.setup-steps li:last-child { border-left: 2px solid transparent; }
+.badge-row { display: flex; gap: 0.5rem; margin: 1rem 0; flex-wrap: wrap; }
+.badge { display: inline-block; padding: 0.2rem 0.5rem; border-radius: 4px; font-size: 0.75rem; font-weight: bold; }
+.badge-green { background: #238636; color: #fff; }
+.badge-yellow { background: #9e6a03; color: #fff; }
+.badge-red { background: #da3633; color: #fff; }
+.empty-state { text-align: center; padding: 3rem 1rem; color: #484f58; }
+.empty-state p { margin: 0.5rem 0; }
 </style>
 </head>
 <body>
 <div class="container">
 <h1>Claude Code Safety Audit</h1>
-<p class="subtitle">Paste your <code>~/.claude/settings.json</code> below. Nothing leaves your browser.</p>
+<p class="subtitle">Audit your setup and generate safety hooks — 100% in your browser. No npm required.</p>
 <textarea id="settings" placeholder='{
   "permissions": { "allow": ["Bash(git:*)"] },
@@ -42,18 +73,100 @@ a { color: #58a6ff; text-decoration: none; }
   }
 }'></textarea>
 <br>
-<button onclick="runAudit()">Run Audit</button>
+<button class="btn" onclick="runAudit()">Run Audit</button>
+<button class="btn btn-secondary" onclick="generateFresh()">Generate Fresh Setup</button>
 <div class="results" id="results"></div>
-<p class="privacy">🔒 100% client-side. Your settings never leave this page. <a href="https://github.com/yurukusa/cc-safe-setup">Source</a></p>
+<div class="tabs" id="tabs" style="display:none">
+  <div class="tab active" onclick="switchTab('audit')">Audit Results</div>
+  <div class="tab" onclick="switchTab('fix')">Fix & Generate</div>
+  <div class="tab" onclick="switchTab('manual')">Manual Install Guide</div>
+</div>
+<div class="tab-content active" id="tab-audit"></div>
+<div class="tab-content" id="tab-fix"></div>
+<div class="tab-content" id="tab-manual"></div>
+<p class="privacy">100% client-side. Your settings never leave this page. <a href="https://github.com/yurukusa/cc-safe-setup">Source</a> · <a href="https://www.npmjs.com/package/cc-safe-setup">npm</a></p>
 </div>
 <script>
+// Hook metadata for generation
+const HOOKS = {
+  'destructive-guard': {
+    trigger: 'PreToolUse', matcher: 'Bash',
+    name: 'Destructive Command Blocker',
+    desc: 'Blocks rm -rf /, git reset --hard, git clean -fd, PowerShell Remove-Item'
+  },
+  'branch-guard': {
+    trigger: 'PreToolUse', matcher: 'Bash',
+    name: 'Branch Push Protector',
+    desc: 'Blocks push to main/master and force-push on all branches'
+  },
+  'secret-guard': {
+    trigger: 'PreToolUse', matcher: 'Bash',
+    name: 'Secret Leak Prevention',
+    desc: 'Blocks git add .env, credential files, git add . with .env present'
+  },
+  'comment-strip': {
+    trigger: 'PreToolUse', matcher: 'Bash',
+    name: 'Bash Comment Stripper',
+    desc: 'Strips comments that break permission allowlists'
+  },
+  'cd-git-allow': {
+    trigger: 'PreToolUse', matcher: 'Bash',
+    name: 'cd+git Auto-Approver',
+    desc: 'Auto-approves read-only cd + git compound commands'
+  },
+  'syntax-check': {
+    trigger: 'PostToolUse', matcher: 'Edit|Write',
+    name: 'Post-Edit Syntax Validator',
+    desc: 'Checks Python, Shell, JSON, YAML, JS syntax after edits'
+  },
+  'context-monitor': {
+    trigger: 'PostToolUse', matcher: '',
+    name: 'Context Window Monitor',
+    desc: 'Graduated warnings at 40%/25%/20%/15% context remaining'
+  },
+  'api-error-alert': {
+    trigger: 'Stop', matcher: '',
+    name: 'API Error Alert',
+    desc: 'Desktop notification + log when session stops from API errors'
+  }
+};
+let lastAuditState = null;
+function switchTab(name) {
+  document.querySelectorAll('.tab').forEach((t,i) => {
+    t.classList.toggle('active', ['audit','fix','manual'][i] === name);
+  });
+  document.querySelectorAll('.tab-content').forEach(t => t.classList.remove('active'));
+  document.getElementById('tab-' + name).classList.add('active');
+}
+function copyText(id) {
+  const el = document.getElementById(id);
+  const text = el.textContent || el.innerText;
+  navigator.clipboard.writeText(text).then(() => {
+    const btn = el.closest('.code-block').querySelector('.copy-btn');
+    btn.textContent = 'Copied!';
+    setTimeout(() => btn.textContent = 'Copy', 1500);
+  });
+}
+function escHtml(s) { return s.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;'); }
 function runAudit() {
   const raw = document.getElementById('settings').value.trim();
   const el = document.getElementById('results');
+  if (!raw) {
+    generateFresh();
+    return;
+  }
   let settings;
   try {
     settings = JSON.parse(raw);
@@ -62,56 +175,107 @@ function runAudit() {
     return;
   }
+  const {risks, good, score, missing} = analyzeSettings(settings);
+  lastAuditState = {settings, risks, good, score, missing};
+  // Show tabs
+  document.getElementById('tabs').style.display = 'flex';
+  renderAuditTab(risks, good, score);
+  renderFixTab(settings, risks, missing);
+  renderManualTab();
+  switchTab('audit');
+  el.innerHTML = '';
+}
+function generateFresh() {
+  const emptySettings = {};
+  const {risks, good, score, missing} = analyzeSettings(emptySettings);
+  lastAuditState = {settings: emptySettings, risks, good, score, missing};
+  document.getElementById('tabs').style.display = 'flex';
+  document.getElementById('results').innerHTML = '';
+  renderAuditTab(risks, good, score);
+  renderFixTab(emptySettings, risks, Object.keys(HOOKS));
+  renderManualTab();
+  switchTab('fix');
+}
+function analyzeSettings(settings) {
   const risks = [];
   const good = [];
+  const missing = [];
   const preHooks = settings.hooks?.PreToolUse || [];
   const postHooks = settings.hooks?.PostToolUse || [];
+  const stopHooks = settings.hooks?.Stop || [];
   const allCmds = JSON.stringify(preHooks).toLowerCase();
+  const postCmds = JSON.stringify(postHooks).toLowerCase();
+  const stopCmds = JSON.stringify(stopHooks).toLowerCase();
-  // 1. PreToolUse hooks
   if (preHooks.length === 0) {
     risks.push({ severity: 'CRITICAL', issue: 'No PreToolUse hooks — rm -rf, git reset --hard run unchecked', fix: 'npx cc-safe-setup' });
+    missing.push('destructive-guard', 'branch-guard', 'secret-guard', 'comment-strip', 'cd-git-allow');
   } else {
     good.push('PreToolUse hooks (' + preHooks.length + ')');
-  }
+    if (!allCmds.match(/destructive|guard|block|rm.*rf|reset.*hard/)) {
+      risks.push({ severity: 'HIGH', issue: 'No destructive command blocker', fix: 'npx cc-safe-setup' });
+      missing.push('destructive-guard');
+    } else good.push('Destructive command protection');
-  // 2. Destructive guard
-  if (!allCmds.match(/destructive|guard|block|rm.*rf|reset.*hard/)) {
-    risks.push({ severity: 'HIGH', issue: 'No destructive command blocker', fix: 'npx cc-safe-setup' });
-  } else good.push('Destructive command protection');
+    if (!allCmds.match(/branch|push|main|master/)) {
+      risks.push({ severity: 'HIGH', issue: 'No branch push protection', fix: 'npx cc-safe-setup' });
+      missing.push('branch-guard');
+    } else good.push('Branch push protection');
-  // 3. Branch guard
-  if (!allCmds.match(/branch|push|main|master/)) {
-    risks.push({ severity: 'HIGH', issue: 'No branch push protection', fix: 'npx cc-safe-setup' });
-  } else good.push('Branch push protection');
+    if (!allCmds.match(/secret|env|credential/)) {
+      risks.push({ severity: 'HIGH', issue: 'No secret leak protection (.env commits)', fix: 'npx cc-safe-setup' });
+      missing.push('secret-guard');
+    } else good.push('Secret leak protection');
-  // 4. Secret guard
-  if (!allCmds.match(/secret|env|credential/)) {
-    risks.push({ severity: 'HIGH', issue: 'No secret leak protection (.env commits)', fix: 'npx cc-safe-setup' });
-  } else good.push('Secret leak protection');
+    if (!allCmds.match(/comment|strip/)) missing.push('comment-strip');
+    if (!allCmds.match(/cd.*git.*allow|auto.*approv/)) missing.push('cd-git-allow');
+  }
-  // 5. Database wipe
   if (!allCmds.match(/database|wipe|migrate|prisma/)) {
     risks.push({ severity: 'MEDIUM', issue: 'No database wipe protection', fix: 'npx cc-safe-setup --install-example block-database-wipe' });
   } else good.push('Database wipe protection');
-  // 6. PostToolUse
   if (postHooks.length === 0) {
     risks.push({ severity: 'MEDIUM', issue: 'No PostToolUse hooks (no syntax checking)', fix: 'npx cc-safe-setup' });
-  } else good.push('PostToolUse hooks (' + postHooks.length + ')');
+    missing.push('syntax-check', 'context-monitor');
+  } else {
+    good.push('PostToolUse hooks (' + postHooks.length + ')');
+    if (!postCmds.match(/syntax|check|py_compile|node.*check/)) missing.push('syntax-check');
+    if (!postCmds.match(/context|monitor|capacity/)) missing.push('context-monitor');
+  }
+  if (stopHooks.length === 0) {
+    missing.push('api-error-alert');
+  } else {
+    good.push('Stop hooks (' + stopHooks.length + ')');
+  }
-  // 7. Allow rules check
   const allows = settings.permissions?.allow || [];
   if (allows.includes('Bash(*)')) {
-    risks.push({ severity: 'MEDIUM', issue: 'Bash(*) in allow list — all commands auto-approved without checks', fix: 'Use specific patterns like Bash(git:*) instead' });
+    risks.push({ severity: 'MEDIUM', issue: 'Bash(*) in allow list — all commands auto-approved', fix: 'Use specific patterns like Bash(git:*) instead' });
   }
-  // 8. Deny rules
   const denies = settings.permissions?.deny || [];
-  if (denies.length > 0) good.push('Deny rules configured (' + denies.length + ')');
+  if (denies.length > 0) good.push('Deny rules (' + denies.length + ')');
+  const mode = settings.defaultMode;
+  if (mode === 'bypassPermissions') {
+    risks.push({ severity: 'HIGH', issue: 'bypassPermissions — all permission checks disabled', fix: 'Use dontAsk with hooks instead' });
+  } else if (mode === 'dontAsk') {
+    good.push('dontAsk mode (auto-approve, hooks still run)');
+  }
+  if (settings.sandbox?.enabled === false) {
+    risks.push({ severity: 'MEDIUM', issue: 'Sandbox disabled', fix: 'Re-enable or use excludedCommands' });
+  }
-  // Score
   const score = Math.max(0, 100 - risks.reduce((s, r) => {
     if (r.severity === 'CRITICAL') return s + 30;
     if (r.severity === 'HIGH') return s + 20;
@@ -119,20 +283,23 @@ function runAudit() {
     return s + 5;
   }, 0));
-  const scoreClass = score >= 80 ? 'good' : score >= 50 ? 'mid' : 'bad';
+  return {risks, good, score, missing: [...new Set(missing)]};
+}
+function renderAuditTab(risks, good, score) {
+  const scoreClass = score >= 80 ? 'good' : score >= 50 ? 'mid' : 'bad';
   let html = '<div class="score ' + scoreClass + '">Safety Score: ' + score + '/100</div>';
   if (good.length > 0) {
-    html += '<h3 style="color:#3fb950;margin:1rem 0 0.5rem">✓ Working</h3>';
-    html += good.map(g => '<div class="good-item">✓ ' + g + '</div>').join('');
+    html += '<h3 style="color:#3fb950">Working</h3>';
+    html += good.map(g => '<div class="good-item">' + g + '</div>').join('');
   }
   if (risks.length > 0) {
-    html += '<h3 style="margin:1rem 0 0.5rem">⚠ Risks (' + risks.length + ')</h3>';
+    html += '<h3 style="margin-top:1rem">Risks (' + risks.length + ')</h3>';
     html += risks.map(r =>
-      '<div class="risk"><span class="severity ' + r.severity.toLowerCase() + '">[' + r.severity + ']</span>' + r.issue +
-      '<div class="fix">Fix: ' + r.fix + '</div></div>'
+      '<div class="risk"><span class="severity ' + r.severity.toLowerCase() + '">[' + r.severity + ']</span> ' + escHtml(r.issue) +
+      '<div class="fix">Fix: ' + escHtml(r.fix) + '</div></div>'
     ).join('');
   }
@@ -140,7 +307,296 @@ function runAudit() {
     html += '<p style="color:#3fb950;margin-top:1rem">No risks detected. Your setup looks solid.</p>';
   }
-  el.innerHTML = html;
+  document.getElementById('tab-audit').innerHTML = html;
+}
+function renderFixTab(settings, risks, missing) {
+  if (missing.length === 0) {
+    document.getElementById('tab-fix').innerHTML = '<p style="color:#3fb950;margin-top:1rem">All 8 hooks detected. Nothing to add.</p>';
+    return;
+  }
+  // Generate the settings.json patch
+  const patch = generateSettingsPatch(settings, missing);
+  const installScript = generateInstallScript(missing);
+  let html = '<h2>Quick Fix</h2>';
+  html += '<p style="color:#8b949e;margin-bottom:1rem">Missing ' + missing.length + ' hook(s). Choose your install method:</p>';
+  // Option 1: npx
+  html += '<h3>Option 1: One command (recommended)</h3>';
+  html += '<div class="code-block"><button class="copy-btn" onclick="copyText(\'npx-cmd\')">Copy</button><pre id="npx-cmd">npx cc-safe-setup</pre></div>';
+  // Option 2: Generated settings.json
+  html += '<h3>Option 2: Copy settings.json patch</h3>';
+  html += '<p style="color:#8b949e;font-size:0.85rem;margin:0.25rem 0">Merge this into your <code>~/.claude/settings.json</code>:</p>';
+  html += '<div class="code-block"><button class="copy-btn" onclick="copyText(\'settings-patch\')">Copy</button><pre id="settings-patch">' + escHtml(JSON.stringify(patch, null, 2)) + '</pre></div>';
+  // Option 3: Full install script
+  html += '<h3>Option 3: Shell script (no npm needed)</h3>';
+  html += '<p style="color:#8b949e;font-size:0.85rem;margin:0.25rem 0">Run this in your terminal. Creates hook scripts and updates settings.json:</p>';
+  html += '<div class="code-block" style="max-height:400px;overflow-y:auto"><button class="copy-btn" onclick="copyText(\'install-script\')">Copy</button><pre id="install-script">' + escHtml(installScript) + '</pre></div>';
+  // Hook details
+  html += '<h3 style="margin-top:1.5rem">Hooks being added</h3>';
+  for (const id of missing) {
+    const h = HOOKS[id];
+    if (!h) continue;
+    html += '<div class="hook-card"><summary>' + escHtml(h.name) + '</summary>';
+    html += '<div class="desc">' + escHtml(h.desc) + ' &middot; Trigger: ' + h.trigger + (h.matcher ? ' &middot; Matcher: ' + h.matcher : '') + '</div></div>';
+  }
+  document.getElementById('tab-fix').innerHTML = html;
+}
+function renderManualTab() {
+  let html = '<h2>Manual Installation Guide</h2>';
+  html += '<p style="color:#8b949e;margin-bottom:1rem">Step-by-step for setting up Claude Code safety hooks without any tools.</p>';
+  html += '<ol class="setup-steps">';
+  html += '<li><strong>Create the hooks directory</strong><div class="code-block"><pre>mkdir -p ~/.claude/hooks</pre></div></li>';
+  html += '<li><strong>Create hook scripts</strong><br><span style="color:#8b949e;font-size:0.85rem">Use the "Fix & Generate" tab to get the script content, or run <code>npx cc-safe-setup --dry-run</code> to preview.</span></li>';
+  html += '<li><strong>Make scripts executable</strong><div class="code-block"><pre>chmod +x ~/.claude/hooks/*.sh</pre></div></li>';
+  html += '<li><strong>Update settings.json</strong><br><span style="color:#8b949e;font-size:0.85rem">Add the hook entries from "Fix & Generate" tab to <code>~/.claude/settings.json</code>.</span></li>';
+  html += '<li><strong>Restart Claude Code</strong><br><span style="color:#8b949e;font-size:0.85rem">Close and reopen Claude Code. Hooks activate on restart.</span></li>';
+  html += '<li><strong>Verify</strong><div class="code-block"><pre>npx cc-safe-setup --verify</pre></div><span style="color:#8b949e;font-size:0.85rem">Or test manually: try <code>rm -rf /</code> in Claude Code — the hook should block it.</span></li>';
+  html += '</ol>';
+  html += '<h3 style="margin-top:1.5rem">Requirements</h3>';
+  html += '<ul style="margin-left:1.5rem;color:#8b949e;font-size:0.85rem">';
+  html += '<li><code>jq</code> — for JSON parsing in hooks (<code>brew install jq</code> / <code>apt install jq</code>)</li>';
+  html += '<li><code>bash</code> — hooks are bash scripts</li>';
+  html += '<li>Claude Code v2.1+ — for hooks support</li>';
+  html += '</ul>';
+  html += '<h3 style="margin-top:1.5rem">Hooks Reference</h3>';
+  for (const [id, h] of Object.entries(HOOKS)) {
+    html += '<div class="hook-card"><details><summary>' + escHtml(h.name) + ' <span style="color:#484f58;font-weight:normal;font-size:0.8rem">(' + id + '.sh)</span></summary>';
+    html += '<div class="desc" style="margin-top:0.5rem">' + escHtml(h.desc) + '</div>';
+    html += '<div style="margin-top:0.25rem;font-size:0.8rem;color:#484f58">Trigger: ' + h.trigger + (h.matcher ? ' | Matcher: ' + h.matcher : ' | Matcher: (all)') + '</div>';
+    html += '</details></div>';
+  }
+  document.getElementById('tab-manual').innerHTML = html;
+}
+function generateSettingsPatch(existing, missing) {
+  const patch = JSON.parse(JSON.stringify(existing || {}));
+  if (!patch.hooks) patch.hooks = {};
+  if (!patch.hooks.PreToolUse) patch.hooks.PreToolUse = [];
+  if (!patch.hooks.PostToolUse) patch.hooks.PostToolUse = [];
+  if (!patch.hooks.Stop) patch.hooks.Stop = [];
+  for (const id of missing) {
+    const h = HOOKS[id];
+    if (!h) continue;
+    const entry = {
+      matcher: h.matcher,
+      hooks: [{ type: 'command', command: '~/.claude/hooks/' + id + '.sh' }]
+    };
+    if (h.trigger === 'PreToolUse') patch.hooks.PreToolUse.push(entry);
+    else if (h.trigger === 'PostToolUse') patch.hooks.PostToolUse.push(entry);
+    else if (h.trigger === 'Stop') patch.hooks.Stop.push(entry);
+  }
+  // Clean empty arrays
+  if (patch.hooks.PreToolUse.length === 0) delete patch.hooks.PreToolUse;
+  if (patch.hooks.PostToolUse.length === 0) delete patch.hooks.PostToolUse;
+  if (patch.hooks.Stop.length === 0) delete patch.hooks.Stop;
+  return patch;
+}
+function generateInstallScript(missing) {
+  let script = '#!/bin/bash\n';
+  script += '# Claude Code Safety Hooks — Generated by https://yurukusa.github.io/cc-safe-setup/\n';
+  script += '# Run: bash install-safety-hooks.sh\n\n';
+  script += 'set -euo pipefail\n\n';
+  script += 'HOOK_DIR="$HOME/.claude/hooks"\n';
+  script += 'SETTINGS="$HOME/.claude/settings.json"\n\n';
+  script += '# Check jq\n';
+  script += 'if ! command -v jq &>/dev/null; then\n';
+  script += '  echo "Error: jq is required. Install with: brew install jq / apt install jq"\n';
+  script += '  exit 1\n';
+  script += 'fi\n\n';
+  script += 'mkdir -p "$HOOK_DIR"\n\n';
+  // Write each hook script
+  for (const id of missing) {
+    const h = HOOKS[id];
+    if (!h) continue;
+    script += '# --- ' + h.name + ' ---\n';
+    script += 'cat > "$HOOK_DIR/' + id + '.sh" << \'HOOKEOF\'\n';
+    script += getMinimalHookScript(id);
+    script += '\nHOOKEOF\n';
+    script += 'chmod +x "$HOOK_DIR/' + id + '.sh"\n';
+    script += 'echo "Installed: ' + id + '.sh"\n\n';
+  }
+  // Update settings.json
+  script += '# --- Update settings.json ---\n';
+  script += 'if [ ! -f "$SETTINGS" ]; then\n';
+  script += '  echo "{}" > "$SETTINGS"\n';
+  script += 'fi\n\n';
+  // Build jq command to merge hooks
+  const pre = missing.filter(id => HOOKS[id]?.trigger === 'PreToolUse');
+  const post = missing.filter(id => HOOKS[id]?.trigger === 'PostToolUse');
+  const stop = missing.filter(id => HOOKS[id]?.trigger === 'Stop');
+  if (pre.length > 0) {
+    script += '# Add PreToolUse hooks\n';
+    for (const id of pre) {
+      const h = HOOKS[id];
+      script += 'jq \'.hooks.PreToolUse += [{"matcher":"' + h.matcher + '","hooks":[{"type":"command","command":"\'$HOOK_DIR\'/' + id + '.sh"}]}]\' "$SETTINGS" > /tmp/cc-settings-tmp.json && mv /tmp/cc-settings-tmp.json "$SETTINGS"\n';
+    }
+    script += '\n';
+  }
+  if (post.length > 0) {
+    script += '# Add PostToolUse hooks\n';
+    for (const id of post) {
+      const h = HOOKS[id];
+      script += 'jq \'.hooks.PostToolUse += [{"matcher":"' + h.matcher + '","hooks":[{"type":"command","command":"\'$HOOK_DIR\'/' + id + '.sh"}]}]\' "$SETTINGS" > /tmp/cc-settings-tmp.json && mv /tmp/cc-settings-tmp.json "$SETTINGS"\n';
+    }
+    script += '\n';
+  }
+  if (stop.length > 0) {
+    script += '# Add Stop hooks\n';
+    for (const id of stop) {
+      script += 'jq \'.hooks.Stop += [{"matcher":"","hooks":[{"type":"command","command":"\'$HOOK_DIR\'/' + id + '.sh"}]}]\' "$SETTINGS" > /tmp/cc-settings-tmp.json && mv /tmp/cc-settings-tmp.json "$SETTINGS"\n';
+    }
+    script += '\n';
+  }
+  script += 'echo ""\n';
+  script += 'echo "Done. ' + missing.length + ' safety hooks installed."\n';
+  script += 'echo "Restart Claude Code to activate."\n';
+  return script;
+}
+function getMinimalHookScript(id) {
+  // Minimal but functional versions of each hook
+  const scripts = {
+    'destructive-guard': `#!/bin/bash
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+[ "\${CC_ALLOW_DESTRUCTIVE:-0}" = "1" ] && exit 0
+SAFE_DIRS="\${CC_SAFE_DELETE_DIRS:-node_modules:dist:build:.cache:__pycache__:coverage:.next}"
+# rm -rf on sensitive paths
+if echo "$COMMAND" | grep -qE 'rm\\s+(-[rf]+\\s+)*(\\/$|\\/\\s|\\/home|\\/etc|\\/usr|~\\/|~\\s*$|\\.\\.\\/|\\.\\s*$)'; then
+  SAFE=0
+  IFS=':' read -ra D <<< "$SAFE_DIRS"
+  for d in "\${D[@]}"; do echo "$COMMAND" | grep -qE "rm\\s+.*\${d}\\s*$" && SAFE=1 && break; done
+  [ "$SAFE" = 0 ] && echo "BLOCKED: rm on sensitive path. Command: $COMMAND" >&2 && exit 2
+fi
+# git reset --hard
+echo "$COMMAND" | grep -qE '(^|;|&&)\\s*git\\s+reset\\s+--hard' && echo "BLOCKED: git reset --hard" >&2 && exit 2
+# git clean
+echo "$COMMAND" | grep -qE '(^|;|&&)\\s*git\\s+clean\\s+-[a-z]*[fd]' && echo "BLOCKED: git clean" >&2 && exit 2
+# PowerShell destructive
+echo "$COMMAND" | grep -qiE 'Remove-Item.*-Recurse.*-Force|rd\\s+/s\\s+/q' && echo "BLOCKED: Destructive PowerShell command" >&2 && exit 2
+# git checkout --force
+echo "$COMMAND" | grep -qE '(^|;|&&)\\s*git\\s+(checkout|switch)\\s+.*(--force|-f\\b)' && echo "BLOCKED: git checkout --force" >&2 && exit 2
+exit 0`,
+    'branch-guard': `#!/bin/bash
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\\s*git\\s+push' || exit 0
+# Force push
+if [ "\${CC_ALLOW_FORCE_PUSH:-0}" != "1" ]; then
+  echo "$COMMAND" | grep -qE 'git\\s+push\\s+.*(-f\\b|--force\\b|--force-with-lease)' && echo "BLOCKED: Force push" >&2 && exit 2
+fi
+# Protected branches
+PROTECTED="\${CC_PROTECT_BRANCHES:-main:master}"
+IFS=':' read -ra B <<< "$PROTECTED"
+for b in "\${B[@]}"; do
+  echo "$COMMAND" | grep -qwE "origin\\s+\${b}|\${b}\\s|\${b}$" && echo "BLOCKED: Push to protected branch $b" >&2 && exit 2
+done
+exit 0`,
+    'secret-guard': `#!/bin/bash
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\\s*git\\s+add' || exit 0
+# Direct .env staging
+echo "$COMMAND" | grep -qiE 'git\\s+add\\s+.*\\.env(\\s|$|\\.)' && echo "BLOCKED: .env file staging" >&2 && exit 2
+# Credential files
+echo "$COMMAND" | grep -qiE 'git\\s+add\\s+.*(credentials|\\.pem|\\.key|\\.p12|id_rsa|id_ed25519)' && echo "BLOCKED: Credential file staging" >&2 && exit 2
+# git add . with .env present
+if echo "$COMMAND" | grep -qE 'git\\s+add\\s+(-A|--all|\\.)(\\s|$)'; then
+  [ -f ".env" ] || [ -f ".env.local" ] && echo "BLOCKED: git add . with .env present" >&2 && exit 2
+fi
+exit 0`,
+    'comment-strip': `#!/bin/bash
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+CLEAN=$(echo "$COMMAND" | sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d')
+[ "$CLEAN" = "$COMMAND" ] && exit 0
+[ -z "$CLEAN" ] && exit 0
+jq -n --arg cmd "$CLEAN" '{"hookSpecificOutput":{"hookEventName":"PreToolUse","updatedInput":{"command":$cmd}}}'`,
+    'cd-git-allow': `#!/bin/bash
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\\s*cd\\s+.*&&\\s*git\\s' || exit 0
+GIT_CMD=$(echo "$COMMAND" | grep -oP '&&\\s*git\\s+\\K\\S+')
+for safe in log diff status branch show rev-parse tag remote; do
+  [ "$GIT_CMD" = "$safe" ] && jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":"cd+git auto-approved"}}' && exit 0
+done
+exit 0`,
+    'syntax-check': `#!/bin/bash
+INPUT=$(cat)
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE_PATH" ] || [ ! -f "$FILE_PATH" ] && exit 0
+EXT="\${FILE_PATH##*.}"
+case "$EXT" in
+  py) python3 -m py_compile "$FILE_PATH" 2>&1 || echo "SYNTAX ERROR (Python): $FILE_PATH" >&2 ;;
+  sh|bash) bash -n "$FILE_PATH" 2>&1 || echo "SYNTAX ERROR (Shell): $FILE_PATH" >&2 ;;
+  json) command -v jq &>/dev/null && { jq empty "$FILE_PATH" 2>&1 || echo "SYNTAX ERROR (JSON): $FILE_PATH" >&2; } ;;
+  js) command -v node &>/dev/null && { node --check "$FILE_PATH" 2>&1 || echo "SYNTAX ERROR (JS): $FILE_PATH" >&2; } ;;
+esac
+exit 0`,
+    'context-monitor': `#!/bin/bash
+COUNTER_FILE="/tmp/cc-context-monitor-count"
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+[ $((COUNT % 5)) -ne 0 ] && exit 0
+# Estimate context usage from tool call count (~180 calls = full context)
+PCT=$(( 100 - (COUNT * 100 / 180) ))
+[ "$PCT" -lt 0 ] && PCT=0
+if [ "$PCT" -le 15 ]; then
+  echo "EMERGENCY: Context ~\${PCT}% remaining. Run /compact NOW." >&2
+elif [ "$PCT" -le 25 ]; then
+  echo "WARNING: Context ~\${PCT}% remaining. Finish current task." >&2
+elif [ "$PCT" -le 40 ]; then
+  echo "CAUTION: Context ~\${PCT}% remaining." >&2
+fi
+exit 0`,
+    'api-error-alert': `#!/bin/bash
+INPUT=$(cat)
+REASON=$(echo "$INPUT" | jq -r '.stop_reason // "unknown"' 2>/dev/null)
+[ "$REASON" = "user" ] || [ "$REASON" = "normal" ] || [ -z "$REASON" ] && exit 0
+LOG="\${CC_ERROR_ALERT_LOG:-$HOME/.claude/session-errors.log}"
+mkdir -p "$(dirname "$LOG")" 2>/dev/null
+echo "[$(date -Iseconds)] Session stopped: reason=$REASON" >> "$LOG"
+exit 0`
+  };
+  return scripts[id] || '#!/bin/bash\nexit 0';
 }
 </script>
 </body>