cc-safe-setup 2.4.0 → 2.6.0

package/examples/case-sensitive-guard.sh

@@ -0,0 +1,145 @@
+#!/bin/bash
+# ================================================================
+# case-sensitive-guard.sh — Case-Insensitive Filesystem Safety Guard
+# ================================================================
+# PURPOSE:
+#   Detects case-insensitive filesystems (exFAT, NTFS, HFS+, APFS
+#   case-insensitive) and warns before mkdir/rm that would collide
+#   due to case folding.
+#
+#   Real incident: GitHub #37875 — Claude created "Content" dir on
+#   exFAT drive where "content" already existed. Both resolved to
+#   the same path. Claude then ran rm -rf on "content", destroying
+#   all user data.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# WHAT IT BLOCKS (exit 2):
+#   - rm -rf on case-insensitive FS when a case-variant directory
+#     exists that resolves to the same inode
+#   - mkdir that would silently collide with existing dir on
+#     case-insensitive FS
+#
+# WHAT IT ALLOWS (exit 0):
+#   - All commands on case-sensitive filesystems
+#   - rm/mkdir where no case collision exists
+#   - Commands that don't involve mkdir or rm
+#
+# HOW IT WORKS:
+#   1. Extract target path from mkdir/rm commands
+#   2. Check if filesystem is case-insensitive (create temp file,
+#      check if uppercase variant exists)
+#   3. If case-insensitive, check for case-variant collisions
+#   4. Block if collision detected
+# ================================================================
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$COMMAND" ]]; then
+    exit 0
+fi
+
+# Only check mkdir and rm commands
+if ! echo "$COMMAND" | grep -qE '^\s*(mkdir|rm)\s'; then
+    exit 0
+fi
+
+# Extract the target path
+TARGET=""
+if echo "$COMMAND" | grep -qE '^\s*mkdir'; then
+    TARGET=$(echo "$COMMAND" | grep -oP 'mkdir\s+(-p\s+)?\K\S+' | tail -1)
+elif echo "$COMMAND" | grep -qE '^\s*rm\s'; then
+    TARGET=$(echo "$COMMAND" | grep -oP 'rm\s+(-[rf]+\s+)*\K\S+' | tail -1)
+fi
+
+if [[ -z "$TARGET" ]]; then
+    exit 0
+fi
+
+# Resolve the parent directory
+PARENT_DIR=$(dirname "$TARGET" 2>/dev/null)
+BASE_NAME=$(basename "$TARGET" 2>/dev/null)
+
+if [[ -z "$PARENT_DIR" ]] || [[ ! -d "$PARENT_DIR" ]]; then
+    exit 0
+fi
+
+# --- Check if filesystem is case-insensitive ---
+is_case_insensitive() {
+    local dir="$1"
+    local test_file="${dir}/.cc_case_test_$$"
+    local test_upper="${dir}/.CC_CASE_TEST_$$"
+
+    # Create lowercase test file
+    if ! touch "$test_file" 2>/dev/null; then
+        return 1  # Can't test, assume case-sensitive (safe default)
+    fi
+
+    # Check if uppercase variant resolves to the same file
+    if [[ -f "$test_upper" ]]; then
+        rm -f "$test_file" 2>/dev/null
+        return 0  # Case-insensitive
+    else
+        rm -f "$test_file" 2>/dev/null
+        return 1  # Case-sensitive
+    fi
+}
+
+# --- Check for case-variant collisions ---
+find_case_collision() {
+    local dir="$1"
+    local name="$2"
+    local name_lower
+    name_lower=$(echo "$name" | tr '[:upper:]' '[:lower:]')
+
+    # List directory entries and check for case variants
+    while IFS= read -r entry; do
+        local entry_lower
+        entry_lower=$(echo "$entry" | tr '[:upper:]' '[:lower:]')
+        if [[ "$entry_lower" == "$name_lower" ]] && [[ "$entry" != "$name" ]]; then
+            echo "$entry"
+            return 0
+        fi
+    done < <(ls -1 "$dir" 2>/dev/null)
+
+    return 1
+}
+
+# Only proceed if filesystem is case-insensitive
+if ! is_case_insensitive "$PARENT_DIR"; then
+    exit 0
+fi
+
+# Check for collision
+COLLISION=$(find_case_collision "$PARENT_DIR" "$BASE_NAME")
+
+if [[ -n "$COLLISION" ]]; then
+    if echo "$COMMAND" | grep -qE '^\s*rm\s'; then
+        echo "BLOCKED: Case-insensitive filesystem collision detected." >&2
+        echo "" >&2
+        echo "Command: $COMMAND" >&2
+        echo "" >&2
+        echo "Target: $TARGET" >&2
+        echo "Collides with: $PARENT_DIR/$COLLISION" >&2
+        echo "" >&2
+        echo "This filesystem is case-insensitive (exFAT, NTFS, HFS+, etc.)." >&2
+        echo "'$BASE_NAME' and '$COLLISION' resolve to the SAME path." >&2
+        echo "rm -rf would destroy the data you think you're keeping." >&2
+        echo "" >&2
+        echo "Verify with: ls -la \"$PARENT_DIR\" | grep -i \"$BASE_NAME\"" >&2
+        exit 2
+    elif echo "$COMMAND" | grep -qE '^\s*mkdir'; then
+        echo "WARNING: Case-insensitive filesystem — directory already exists." >&2
+        echo "" >&2
+        echo "Command: $COMMAND" >&2
+        echo "Existing: $PARENT_DIR/$COLLISION" >&2
+        echo "" >&2
+        echo "On this filesystem, '$BASE_NAME' and '$COLLISION' are the same path." >&2
+        echo "mkdir will either fail or silently use the existing directory." >&2
+        exit 2
+    fi
+fi
+
+exit 0

package/index.mjs

@@ -72,6 +72,7 @@ const AUDIT = process.argv.includes('--audit');
 const LEARN = process.argv.includes('--learn');
 const SCAN = process.argv.includes('--scan');
 const FULL = process.argv.includes('--full');
+const DOCTOR = process.argv.includes('--doctor');
 
 if (HELP) {
   console.log(`
@@ -85,7 +86,12 @@ if (HELP) {
     npx cc-safe-setup --uninstall  Remove all installed hooks
     npx cc-safe-setup --examples   List 25 example hooks (5 categories)
     npx cc-safe-setup --install-example <name>  Install a specific example
-    npx cc-safe-setup --audit      Analyze your setup and recommend missing protections
+    npx cc-safe-setup --full       Complete setup: hooks + scan + audit + badge
+    npx cc-safe-setup --audit      Safety score (0-100) with fixes
+    npx cc-safe-setup --audit --fix  Auto-fix missing protections
+    npx cc-safe-setup --scan       Detect tech stack, recommend hooks
+    npx cc-safe-setup --learn      Learn from your block history
+    npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --help       Show this help
 
   Hooks installed:
@@ -734,6 +740,174 @@ async function fullSetup() {
   console.log();
 }
 
+async function doctor() {
+  const { execSync, spawnSync } = await import('child_process');
+  const { statSync, readdirSync } = await import('fs');
+
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --doctor' + c.reset);
+  console.log(c.dim + '  Diagnosing why hooks might not be working...' + c.reset);
+  console.log();
+
+  let issues = 0;
+  let warnings = 0;
+
+  const pass = (msg) => console.log(c.green + '  ✓ ' + c.reset + msg);
+  const fail = (msg) => { console.log(c.red + '  ✗ ' + c.reset + msg); issues++; };
+  const warn = (msg) => { console.log(c.yellow + '  ! ' + c.reset + msg); warnings++; };
+
+  // 1. Check jq
+  try {
+    execSync('which jq', { stdio: 'pipe' });
+    const ver = execSync('jq --version', { stdio: 'pipe' }).toString().trim();
+    pass('jq installed (' + ver + ')');
+  } catch {
+    fail('jq is not installed — hooks cannot parse JSON input');
+    console.log(c.dim + '    Fix: brew install jq (macOS) | apt install jq (Linux) | choco install jq (Windows)' + c.reset);
+  }
+
+  // 2. Check settings.json exists
+  if (!existsSync(SETTINGS_PATH)) {
+    fail('~/.claude/settings.json does not exist');
+    console.log(c.dim + '    Fix: npx cc-safe-setup' + c.reset);
+  } else {
+    pass('settings.json exists');
+
+    // 3. Parse settings.json
+    let settings;
+    try {
+      settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8'));
+      pass('settings.json is valid JSON');
+    } catch (e) {
+      fail('settings.json has invalid JSON: ' + e.message);
+      console.log(c.dim + '    Fix: npx cc-safe-setup --uninstall && npx cc-safe-setup' + c.reset);
+    }
+
+    if (settings) {
+      // 4. Check hooks section exists
+      const hooks = settings.hooks;
+      if (!hooks) {
+        fail('No "hooks" section in settings.json');
+      } else {
+        pass('"hooks" section exists in settings.json');
+
+        // 5. Check each hook trigger type
+        for (const trigger of ['PreToolUse', 'PostToolUse', 'Stop']) {
+          const entries = hooks[trigger] || [];
+          if (entries.length > 0) {
+            pass(trigger + ': ' + entries.length + ' hook(s) registered');
+
+            // 6. Check each hook command path
+            for (const entry of entries) {
+              const hookList = entry.hooks || [];
+              for (const h of hookList) {
+                if (h.type !== 'command') continue;
+                const cmd = h.command;
+                // Extract the script path from commands like "bash ~/.claude/hooks/x.sh" or "~/bin/x.sh arg1 arg2"
+                let scriptPath = cmd;
+                // Strip leading interpreter (bash, sh, node, python3, etc.)
+                scriptPath = scriptPath.replace(/^(bash|sh|node|python3?)\s+/, '');
+                // Take first token (before arguments)
+                scriptPath = scriptPath.split(/\s+/)[0];
+                // Resolve ~ to HOME
+                const resolved = scriptPath.replace(/^~/, HOME);
+
+                if (!existsSync(resolved)) {
+                  fail('Hook script not found: ' + scriptPath + (scriptPath !== cmd ? ' (from: ' + cmd + ')' : ''));
+                  console.log(c.dim + '    Fix: create the missing script or update settings.json' + c.reset);
+                  continue;
+                }
+
+                // 7. Check executable permission
+                try {
+                  const stat = statSync(resolved);
+                  const isExec = (stat.mode & 0o111) !== 0;
+                  if (!isExec) {
+                    fail('Not executable: ' + cmd);
+                    console.log(c.dim + '    Fix: chmod +x ' + resolved + c.reset);
+                  }
+                } catch {}
+
+                // 8. Check shebang
+                try {
+                  const content = readFileSync(resolved, 'utf-8');
+                  if (!content.startsWith('#!/')) {
+                    warn('Missing shebang (#!/bin/bash) in: ' + cmd);
+                    console.log(c.dim + '    Add #!/bin/bash as the first line' + c.reset);
+                  }
+                } catch {}
+
+                // 9. Test hook with empty input
+                try {
+                  const result = spawnSync('bash', [resolved], {
+                    input: '{}',
+                    timeout: 5000,
+                    stdio: ['pipe', 'pipe', 'pipe'],
+                  });
+                  if (result.status !== 0 && result.status !== 2) {
+                    warn('Hook exits with code ' + result.status + ' on empty input: ' + cmd);
+                    const stderr = (result.stderr || '').toString().trim();
+                    if (stderr) console.log(c.dim + '    stderr: ' + stderr.slice(0, 200) + c.reset);
+                  }
+                } catch {}
+              }
+            }
+          }
+        }
+      }
+
+      // 10. Check for common misconfigurations
+      if (settings.defaultMode === 'bypassPermissions') {
+        warn('defaultMode is "bypassPermissions" — hooks may be skipped entirely');
+        console.log(c.dim + '    Consider using "dontAsk" instead (hooks still run)' + c.reset);
+      }
+
+      // 11. Check for dangerouslySkipPermissions in allow
+      const allows = settings.permissions?.allow || [];
+      if (allows.includes('Bash(*)')) {
+        warn('Bash(*) in allow list — commands auto-approved before hooks run');
+      }
+    }
+  }
+
+  // 12. Check hooks directory
+  if (!existsSync(HOOKS_DIR)) {
+    fail('~/.claude/hooks/ directory does not exist');
+    console.log(c.dim + '    Fix: npx cc-safe-setup' + c.reset);
+  } else {
+    const files = readdirSync(HOOKS_DIR).filter(f => f.endsWith('.sh'));
+    pass('hooks directory exists (' + files.length + ' scripts)');
+  }
+
+  // 13. Check Claude Code version (needs hooks support)
+  try {
+    const ver = execSync('claude --version 2>/dev/null || echo "not found"', { stdio: 'pipe' }).toString().trim();
+    if (ver === 'not found') {
+      warn('Claude Code CLI not found in PATH');
+    } else {
+      pass('Claude Code: ' + ver);
+    }
+  } catch {
+    warn('Could not check Claude Code version');
+  }
+
+  // Summary
+  console.log();
+  if (issues === 0 && warnings === 0) {
+    console.log(c.bold + c.green + '  All checks passed. Hooks should be working.' + c.reset);
+    console.log(c.dim + '  If hooks still don\'t fire, restart Claude Code (hooks load on startup).' + c.reset);
+  } else if (issues === 0) {
+    console.log(c.bold + c.yellow + '  ' + warnings + ' warning(s), but no blocking issues.' + c.reset);
+    console.log(c.dim + '  Hooks should work. Restart Claude Code if they don\'t fire.' + c.reset);
+  } else {
+    console.log(c.bold + c.red + '  ' + issues + ' issue(s) found that prevent hooks from working.' + c.reset);
+    console.log(c.dim + '  Fix the issues above, then restart Claude Code.' + c.reset);
+  }
+  console.log();
+
+  process.exit(issues > 0 ? 1 : 0);
+}
+
 function scan() {
   console.log();
   console.log(c.bold + '  cc-safe-setup --scan' + c.reset);
@@ -884,6 +1058,7 @@ async function main() {
   if (LEARN) return learn();
   if (SCAN) return scan();
   if (FULL) return fullSetup();
+  if (DOCTOR) return doctor();
 
   console.log();
   console.log(c.bold + '  cc-safe-setup' + c.reset);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "2.4.0",
-  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 25 installable examples. Destructive blocker, branch guard, database wipe protection, dotfile guard, and more.",
+  "version": "2.6.0",
+  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 26 installable examples. Destructive blocker, branch guard, database wipe protection, case-insensitive FS guard, and more.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"