cc-safe-setup 25.1.0 → 26.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/README.md +1 -1
  2. package/examples/check-cookie-flags.sh +4 -0
  3. package/examples/check-cors-config.sh +4 -0
  4. package/examples/check-csp-headers.sh +4 -0
  5. package/examples/check-dependency-age.sh +4 -0
  6. package/examples/check-error-stack.sh +4 -0
  7. package/examples/check-https-redirect.sh +4 -0
  8. package/examples/check-tls-version.sh +4 -0
  9. package/examples/no-default-credentials.sh +4 -0
  10. package/examples/no-document-write.sh +4 -0
  11. package/examples/no-exec-user-input.sh +4 -0
  12. package/examples/no-helmet-missing.sh +4 -0
  13. package/examples/no-innerhtml.sh +4 -0
  14. package/examples/no-jwt-in-url.sh +4 -0
  15. package/examples/no-md5-sha1.sh +4 -0
  16. package/examples/no-wildcard-cors.sh +4 -0
  17. package/package.json +1 -1
package/README.md CHANGED
@@ -6,7 +6,7 @@
6
6
 
7
7
  **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
8
8
 
9
- 8 built-in + 124 examples = **235 hooks**. 45 CLI commands. 561 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Wizard](https://yurukusa.github.io/cc-safe-setup/wizard.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
9
+ 8 built-in + 124 examples = **250 hooks**. 45 CLI commands. 561 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Wizard](https://yurukusa.github.io/cc-safe-setup/wizard.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
10
10
 
11
11
  ```bash
12
12
  npx cc-safe-setup
package/examples/check-cookie-flags.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qE "setCookie|res\.cookie" && ! echo "$CONTENT" | grep -q "secure" && echo "NOTE: Cookie without secure flag" >&2
4
+ exit 0
package/examples/check-cors-config.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qE "cors\(\{.*origin.*true" && echo "NOTE: Permissive CORS config" >&2
4
+ exit 0
package/examples/check-csp-headers.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qE "Content-Security-Policy" || (echo "$CONTENT" | grep -q "helmet" && echo "NOTE: Consider adding CSP headers" >&2)
4
+ exit 0
package/examples/check-dependency-age.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "NOTE: Run npm outdated to check dependency age" >&2
4
+ exit 0
package/examples/check-error-stack.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qE "res\.(send|json)\(.*err\.(stack|message)" && echo "WARNING: Exposing error details to client" >&2
4
+ exit 0
package/examples/check-https-redirect.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qE "http://" && echo "$CONTENT" | grep -q "redirect" && ! echo "$CONTENT" | grep -q "https" && echo "NOTE: HTTP redirect without HTTPS" >&2
4
+ exit 0
package/examples/check-tls-version.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qE "TLSv1[^.]|SSLv3" && echo "WARNING: Weak TLS version" >&2
4
+ exit 0
package/examples/no-default-credentials.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qiE "password.*admin|pass.*1234|secret.*default" && echo "WARNING: Default credentials" >&2
4
+ exit 0
package/examples/no-document-write.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qE "document\.write\(" && echo "WARNING: document.write XSS risk" >&2
4
+ exit 0
package/examples/no-exec-user-input.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qE "exec\(.*req\.|spawn\(.*req\." && echo "WARNING: exec with user input — command injection" >&2
4
+ exit 0
package/examples/no-helmet-missing.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qE "express\(\)" && ! echo "$CONTENT" | grep -q "helmet" && echo "NOTE: Express without helmet()" >&2
4
+ exit 0
package/examples/no-innerhtml.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qE "\.innerHTML\s*=" && echo "WARNING: innerHTML XSS risk" >&2
4
+ exit 0
package/examples/no-jwt-in-url.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qiE "token=eyJ|\?jwt=" && echo "WARNING: JWT in URL params" >&2
4
+ exit 0
package/examples/no-md5-sha1.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qiE "createHash\(.*(md5|sha1)" && echo "WARNING: Weak hash (md5/sha1)" >&2
4
+ exit 0
package/examples/no-wildcard-cors.sh ADDED
@@ -0,0 +1,4 @@
1
+ CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
+ [ -z "$CONTENT" ] && exit 0
3
+ echo "$CONTENT" | grep -qE "Access-Control.*\*" && echo "WARNING: Wildcard CORS origin" >&2
4
+ exit 0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "cc-safe-setup",
3
- "version": "25.1.0",
3
+ "version": "26.0.0",
4
4
  "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
5
5
  "main": "index.mjs",
6
6
  "bin": {