cc-safe-setup 2.5.0 → 2.7.0

package/index.mjs

@@ -72,6 +72,8 @@ const AUDIT = process.argv.includes('--audit');
 const LEARN = process.argv.includes('--learn');
 const SCAN = process.argv.includes('--scan');
 const FULL = process.argv.includes('--full');
+const DOCTOR = process.argv.includes('--doctor');
+const WATCH = process.argv.includes('--watch');
 
 if (HELP) {
   console.log(`
@@ -90,6 +92,8 @@ if (HELP) {
     npx cc-safe-setup --audit --fix  Auto-fix missing protections
     npx cc-safe-setup --scan       Detect tech stack, recommend hooks
     npx cc-safe-setup --learn      Learn from your block history
+    npx cc-safe-setup --doctor     Diagnose why hooks aren't working
+    npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --help       Show this help
 
   Hooks installed:
@@ -738,6 +742,285 @@ async function fullSetup() {
   console.log();
 }
 
+async function watch() {
+  const { spawn } = await import('child_process');
+  const { createReadStream, watchFile } = await import('fs');
+  const { createInterface: createRL } = await import('readline');
+
+  const LOG_PATH = join(HOME, '.claude', 'blocked-commands.log');
+  const ERROR_LOG = join(HOME, '.claude', 'session-errors.log');
+
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --watch' + c.reset);
+  console.log(c.dim + '  Live safety dashboard — watching blocked commands' + c.reset);
+  console.log(c.dim + '  Log: ' + LOG_PATH + c.reset);
+  console.log();
+
+  let blockCount = 0;
+  let lastPrint = 0;
+
+  function formatLine(line) {
+    // Format: [2026-03-24T01:30:00+09:00] BLOCKED: reason | cmd: actual command
+    const match = line.match(/^\[([^\]]+)\]\s*BLOCKED:\s*(.+?)\s*\|\s*cmd:\s*(.+)$/);
+    if (!match) return c.dim + '  ' + line + c.reset;
+
+    const [, ts, reason, cmd] = match;
+    const time = ts.replace(/T/, ' ').replace(/\+.*/, '');
+    blockCount++;
+
+    let severity = c.yellow;
+    if (reason.match(/rm|reset|clean|Remove-Item|drop/i)) severity = c.red;
+    if (reason.match(/push|force/i)) severity = c.red;
+    if (reason.match(/env|secret|credential/i)) severity = c.red;
+
+    return severity + '  BLOCKED' + c.reset + ' ' + c.dim + time + c.reset + '\n' +
+           '    ' + c.bold + reason.trim() + c.reset + '\n' +
+           '    ' + c.dim + cmd.trim().slice(0, 120) + c.reset;
+  }
+
+  function printStats() {
+    const now = Date.now();
+    if (now - lastPrint < 30000) return;
+    lastPrint = now;
+    console.log(c.dim + '  --- ' + blockCount + ' blocks total | ' + new Date().toLocaleTimeString() + ' ---' + c.reset);
+  }
+
+  // Print existing log entries
+  if (existsSync(LOG_PATH)) {
+    const rl = createRL({ input: createReadStream(LOG_PATH) });
+    for await (const line of rl) {
+      if (line.trim()) console.log(formatLine(line));
+    }
+    if (blockCount > 0) {
+      console.log();
+      console.log(c.dim + '  === History: ' + blockCount + ' blocks ===' + c.reset);
+      console.log(c.dim + '  Watching for new blocks... (Ctrl+C to stop)' + c.reset);
+      console.log();
+    }
+  } else {
+    console.log(c.dim + '  No blocked-commands.log yet. Hooks will create it on first block.' + c.reset);
+    console.log(c.dim + '  Watching... (Ctrl+C to stop)' + c.reset);
+    console.log();
+  }
+
+  // Watch for new entries using tail -f
+  let tailProcess;
+  try {
+    // Ensure log file exists for tail
+    if (!existsSync(LOG_PATH)) {
+      const { mkdirSync: mkDir, writeFileSync: writeFile } = await import('fs');
+      mkDir(dirname(LOG_PATH), { recursive: true });
+      writeFile(LOG_PATH, '', 'utf-8');
+    }
+
+    tailProcess = spawn('tail', ['-f', '-n', '0', LOG_PATH], { stdio: ['ignore', 'pipe', 'ignore'] });
+
+    const tailRL = createRL({ input: tailProcess.stdout });
+    for await (const line of tailRL) {
+      if (line.trim()) {
+        console.log(formatLine(line));
+        printStats();
+      }
+    }
+  } catch (e) {
+    // tail not available — fall back to polling
+    let lastSize = 0;
+    try {
+      const { statSync } = await import('fs');
+      lastSize = statSync(LOG_PATH).size;
+    } catch {}
+
+    console.log(c.dim + '  (tail not available, using polling)' + c.reset);
+
+    setInterval(async () => {
+      try {
+        const { statSync, readFileSync: readFile } = await import('fs');
+        const stat = statSync(LOG_PATH);
+        if (stat.size > lastSize) {
+          const content = readFile(LOG_PATH, 'utf-8');
+          const lines = content.split('\n').slice(-10);
+          for (const line of lines) {
+            if (line.trim()) console.log(formatLine(line));
+          }
+          lastSize = stat.size;
+          printStats();
+        }
+      } catch {}
+    }, 2000);
+
+    // Keep process alive
+    await new Promise(() => {});
+  }
+}
+
+async function doctor() {
+  const { execSync, spawnSync } = await import('child_process');
+  const { statSync, readdirSync } = await import('fs');
+
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --doctor' + c.reset);
+  console.log(c.dim + '  Diagnosing why hooks might not be working...' + c.reset);
+  console.log();
+
+  let issues = 0;
+  let warnings = 0;
+
+  const pass = (msg) => console.log(c.green + '  ✓ ' + c.reset + msg);
+  const fail = (msg) => { console.log(c.red + '  ✗ ' + c.reset + msg); issues++; };
+  const warn = (msg) => { console.log(c.yellow + '  ! ' + c.reset + msg); warnings++; };
+
+  // 1. Check jq
+  try {
+    execSync('which jq', { stdio: 'pipe' });
+    const ver = execSync('jq --version', { stdio: 'pipe' }).toString().trim();
+    pass('jq installed (' + ver + ')');
+  } catch {
+    fail('jq is not installed — hooks cannot parse JSON input');
+    console.log(c.dim + '    Fix: brew install jq (macOS) | apt install jq (Linux) | choco install jq (Windows)' + c.reset);
+  }
+
+  // 2. Check settings.json exists
+  if (!existsSync(SETTINGS_PATH)) {
+    fail('~/.claude/settings.json does not exist');
+    console.log(c.dim + '    Fix: npx cc-safe-setup' + c.reset);
+  } else {
+    pass('settings.json exists');
+
+    // 3. Parse settings.json
+    let settings;
+    try {
+      settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8'));
+      pass('settings.json is valid JSON');
+    } catch (e) {
+      fail('settings.json has invalid JSON: ' + e.message);
+      console.log(c.dim + '    Fix: npx cc-safe-setup --uninstall && npx cc-safe-setup' + c.reset);
+    }
+
+    if (settings) {
+      // 4. Check hooks section exists
+      const hooks = settings.hooks;
+      if (!hooks) {
+        fail('No "hooks" section in settings.json');
+      } else {
+        pass('"hooks" section exists in settings.json');
+
+        // 5. Check each hook trigger type
+        for (const trigger of ['PreToolUse', 'PostToolUse', 'Stop']) {
+          const entries = hooks[trigger] || [];
+          if (entries.length > 0) {
+            pass(trigger + ': ' + entries.length + ' hook(s) registered');
+
+            // 6. Check each hook command path
+            for (const entry of entries) {
+              const hookList = entry.hooks || [];
+              for (const h of hookList) {
+                if (h.type !== 'command') continue;
+                const cmd = h.command;
+                // Extract the script path from commands like "bash ~/.claude/hooks/x.sh" or "~/bin/x.sh arg1 arg2"
+                let scriptPath = cmd;
+                // Strip leading interpreter (bash, sh, node, python3, etc.)
+                scriptPath = scriptPath.replace(/^(bash|sh|node|python3?)\s+/, '');
+                // Take first token (before arguments)
+                scriptPath = scriptPath.split(/\s+/)[0];
+                // Resolve ~ to HOME
+                const resolved = scriptPath.replace(/^~/, HOME);
+
+                if (!existsSync(resolved)) {
+                  fail('Hook script not found: ' + scriptPath + (scriptPath !== cmd ? ' (from: ' + cmd + ')' : ''));
+                  console.log(c.dim + '    Fix: create the missing script or update settings.json' + c.reset);
+                  continue;
+                }
+
+                // 7. Check executable permission
+                try {
+                  const stat = statSync(resolved);
+                  const isExec = (stat.mode & 0o111) !== 0;
+                  if (!isExec) {
+                    fail('Not executable: ' + cmd);
+                    console.log(c.dim + '    Fix: chmod +x ' + resolved + c.reset);
+                  }
+                } catch {}
+
+                // 8. Check shebang
+                try {
+                  const content = readFileSync(resolved, 'utf-8');
+                  if (!content.startsWith('#!/')) {
+                    warn('Missing shebang (#!/bin/bash) in: ' + cmd);
+                    console.log(c.dim + '    Add #!/bin/bash as the first line' + c.reset);
+                  }
+                } catch {}
+
+                // 9. Test hook with empty input
+                try {
+                  const result = spawnSync('bash', [resolved], {
+                    input: '{}',
+                    timeout: 5000,
+                    stdio: ['pipe', 'pipe', 'pipe'],
+                  });
+                  if (result.status !== 0 && result.status !== 2) {
+                    warn('Hook exits with code ' + result.status + ' on empty input: ' + cmd);
+                    const stderr = (result.stderr || '').toString().trim();
+                    if (stderr) console.log(c.dim + '    stderr: ' + stderr.slice(0, 200) + c.reset);
+                  }
+                } catch {}
+              }
+            }
+          }
+        }
+      }
+
+      // 10. Check for common misconfigurations
+      if (settings.defaultMode === 'bypassPermissions') {
+        warn('defaultMode is "bypassPermissions" — hooks may be skipped entirely');
+        console.log(c.dim + '    Consider using "dontAsk" instead (hooks still run)' + c.reset);
+      }
+
+      // 11. Check for dangerouslySkipPermissions in allow
+      const allows = settings.permissions?.allow || [];
+      if (allows.includes('Bash(*)')) {
+        warn('Bash(*) in allow list — commands auto-approved before hooks run');
+      }
+    }
+  }
+
+  // 12. Check hooks directory
+  if (!existsSync(HOOKS_DIR)) {
+    fail('~/.claude/hooks/ directory does not exist');
+    console.log(c.dim + '    Fix: npx cc-safe-setup' + c.reset);
+  } else {
+    const files = readdirSync(HOOKS_DIR).filter(f => f.endsWith('.sh'));
+    pass('hooks directory exists (' + files.length + ' scripts)');
+  }
+
+  // 13. Check Claude Code version (needs hooks support)
+  try {
+    const ver = execSync('claude --version 2>/dev/null || echo "not found"', { stdio: 'pipe' }).toString().trim();
+    if (ver === 'not found') {
+      warn('Claude Code CLI not found in PATH');
+    } else {
+      pass('Claude Code: ' + ver);
+    }
+  } catch {
+    warn('Could not check Claude Code version');
+  }
+
+  // Summary
+  console.log();
+  if (issues === 0 && warnings === 0) {
+    console.log(c.bold + c.green + '  All checks passed. Hooks should be working.' + c.reset);
+    console.log(c.dim + '  If hooks still don\'t fire, restart Claude Code (hooks load on startup).' + c.reset);
+  } else if (issues === 0) {
+    console.log(c.bold + c.yellow + '  ' + warnings + ' warning(s), but no blocking issues.' + c.reset);
+    console.log(c.dim + '  Hooks should work. Restart Claude Code if they don\'t fire.' + c.reset);
+  } else {
+    console.log(c.bold + c.red + '  ' + issues + ' issue(s) found that prevent hooks from working.' + c.reset);
+    console.log(c.dim + '  Fix the issues above, then restart Claude Code.' + c.reset);
+  }
+  console.log();
+
+  process.exit(issues > 0 ? 1 : 0);
+}
+
 function scan() {
   console.log();
   console.log(c.bold + '  cc-safe-setup --scan' + c.reset);
@@ -888,6 +1171,8 @@ async function main() {
   if (LEARN) return learn();
   if (SCAN) return scan();
   if (FULL) return fullSetup();
+  if (DOCTOR) return doctor();
+  if (WATCH) return watch();
 
   console.log();
   console.log(c.bold + '  cc-safe-setup' + c.reset);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "2.5.0",
+  "version": "2.7.0",
   "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 26 installable examples. Destructive blocker, branch guard, database wipe protection, case-insensitive FS guard, and more.",
   "main": "index.mjs",
   "bin": {