cc-safe-setup 28.3.2 → 28.3.4

package/README.md

@@ -64,7 +64,7 @@ Claude Code ships with no safety hooks by default. This tool fixes that.
 
 Each hook exists because a real incident happened without it.
 
-## All 26 Commands
+## All 45 Commands
 
 | Command | What It Does |
 |---------|-------------|
@@ -87,7 +87,7 @@ Each hook exists because a real incident happened without it.
 | `--scan [--apply]` | Tech stack detection |
 | `--export / --import` | Team config sharing |
 | `--verify` | Test each hook |
-| `--install-example <name>` | Install from 118 examples |
+| `--install-example <name>` | Install from 316 examples |
 | `--examples [filter]` | Browse examples by keyword |
 | `--full` | All-in-one setup |
 | `--status` | Check installed hooks |
@@ -107,6 +107,11 @@ Each hook exists because a real incident happened without it.
 | `--why <hook>` | Show real incident behind hook |
 | `--migrate-from <tool>` | Migrate from other hook tools |
 | `--diff-hooks [path]` | Compare hook configurations |
+| `--init-project` | Full project setup (hooks + CLAUDE.md + CI) |
+| `--score` | CI-friendly safety score (exit 1 if below threshold) |
+| `--test-hook <name>` | Test a specific hook with sample input |
+| `--changelog` | Show what changed in each version |
+| `--report` | Generate safety report |
 | `--help` | Show help |
 
 ## Quick Start by Scenario

package/examples/auto-approve-test.sh

@@ -0,0 +1,35 @@
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '^\s*(npm\s+test|npm\s+run\s+test|npx\s+(jest|vitest|mocha|ava|tap|playwright\s+test|cypress\s+run)|yarn\s+test|pnpm\s+test|bun\s+test)\b'; then
+    echo '{"decision":"approve","reason":"Test runner command"}'
+    exit 0
+fi
+if echo "$COMMAND" | grep -qE '^\s*(pytest|python\s+-m\s+(pytest|unittest)|tox)\b'; then
+    echo '{"decision":"approve","reason":"Python test runner"}'
+    exit 0
+fi
+if echo "$COMMAND" | grep -qE '^\s*go\s+test\b'; then
+    echo '{"decision":"approve","reason":"Go test runner"}'
+    exit 0
+fi
+if echo "$COMMAND" | grep -qE '^\s*cargo\s+test\b'; then
+    echo '{"decision":"approve","reason":"Cargo test runner"}'
+    exit 0
+fi
+if echo "$COMMAND" | grep -qE '^\s*(phpunit|vendor/bin/phpunit|php\s+artisan\s+test)\b'; then
+    echo '{"decision":"approve","reason":"PHP test runner"}'
+    exit 0
+fi
+if echo "$COMMAND" | grep -qE '^\s*(rspec|bundle\s+exec\s+rspec|rake\s+test|rails\s+test)\b'; then
+    echo '{"decision":"approve","reason":"Ruby test runner"}'
+    exit 0
+fi
+if echo "$COMMAND" | grep -qE '^\s*(mvn\s+test|gradle\s+test|./gradlew\s+test)\b'; then
+    echo '{"decision":"approve","reason":"Java test runner"}'
+    exit 0
+fi
+if echo "$COMMAND" | grep -qE '^\s*dotnet\s+test\b'; then
+    echo '{"decision":"approve","reason":".NET test runner"}'
+    exit 0
+fi
+exit 0

package/examples/no-commit-fixup.sh

@@ -0,0 +1,15 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*git\s+push\b' || exit 0
+BASE=$(git merge-base HEAD main 2>/dev/null || git merge-base HEAD master 2>/dev/null)
+if [ -n "$BASE" ]; then
+    BAD_COMMITS=$(git log --oneline "$BASE"..HEAD 2>/dev/null | grep -iE '^[a-f0-9]+ (fixup!|squash!|amend!|WIP:?|wip:?|FIXME:?|TODO:?) ')
+    if [ -n "$BAD_COMMITS" ]; then
+        echo "WARNING: Branch contains uncommitted fixup/WIP commits:" >&2
+        echo "$BAD_COMMITS" | head -5 >&2
+        echo "" >&2
+        echo "Consider: git rebase -i $BASE to squash these before pushing." >&2
+    fi
+fi
+exit 0

package/examples/no-push-without-ci.sh

@@ -0,0 +1,27 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*git\s+push\b' || exit 0
+if [ -f "package.json" ]; then
+    HAS_TEST=$(jq -r '.scripts.test // empty' package.json 2>/dev/null)
+    if [ -n "$HAS_TEST" ] && [ "$HAS_TEST" != "echo \"Error: no test specified\" && exit 1" ]; then
+        RECENT_TEST=0
+        for marker in coverage/.last-run.json test-results junit.xml .nyc_output; do
+            if [ -e "$marker" ]; then
+                AGE=$(( $(date +%s) - $(stat -c %Y "$marker" 2>/dev/null || echo 0) ))
+                if [ "$AGE" -lt 600 ]; then
+                    RECENT_TEST=1
+                    break
+                fi
+            fi
+        done
+        if [ "$RECENT_TEST" -eq 0 ]; then
+            echo "WARNING: Pushing without recent test run." >&2
+            echo "Run 'npm test' before pushing to verify changes." >&2
+        fi
+    fi
+fi
+if [ -f "Makefile" ] && grep -q "^test:" Makefile 2>/dev/null; then
+    :  # Could check make test recency, but keeping it simple
+fi
+exit 0

package/index.mjs

@@ -2391,7 +2391,7 @@ async function shield() {
   if (existsSync(join(cwd, '.env'))) extras.push('env-source-guard');
 
   // Always include these for maximum safety
-  extras.push('scope-guard', 'no-sudo-guard', 'protect-claudemd');
+  extras.push('scope-guard', 'no-sudo-guard', 'protect-claudemd', 'memory-write-guard', 'skill-gate', 'auto-approve-test', 'auto-approve-readonly');
 
   for (const ex of extras) {
     const exPath = join(__dirname, 'examples', `${ex}.sh`);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "28.3.2",
-  "description": "One command to make Claude Code safe. 321 hooks (8 built-in + 313 examples). 45 CLI commands. 941 tests. 5 languages.",
+  "version": "28.3.4",
+  "description": "One command to make Claude Code safe. 324 hooks (8 built-in + 316 examples). 45 CLI commands. 941 tests. 5 languages.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"