cc-safe-setup 28.3.5 → 28.4.1

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 313 examples = **321 hooks**. 45 CLI commands. 941 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Wizard](https://yurukusa.github.io/cc-safe-setup/wizard.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 319 examples = **327 hooks**. 45 CLI commands. 955 tests. 5 languages. [**Getting Started**](https://yurukusa.github.io/cc-safe-setup/getting-started.html) · [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [**Recipes**](https://yurukusa.github.io/cc-safe-setup/recipes.html) · [Wizard](https://yurukusa.github.io/cc-safe-setup/wizard.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup
@@ -110,6 +110,8 @@ Each hook exists because a real incident happened without it.
 | `--init-project` | Full project setup (hooks + CLAUDE.md + CI) |
 | `--score` | CI-friendly safety score (exit 1 if below threshold) |
 | `--test-hook <name>` | Test a specific hook with sample input |
+| `--simulate "cmd"` | Preview how all hooks react to a command |
+| `--protect <path>` | Block edits to a file or directory |
 | `--changelog` | Show what changed in each version |
 | `--report` | Generate safety report |
 | `--help` | Show help |
@@ -127,6 +129,11 @@ Each hook exists because a real incident happened without it.
 | Choose a safety level | `npx cc-safe-setup --profile strict` |
 | See what Claude blocked today | `npx cc-safe-setup --replay` |
 | Know why a hook exists | `npx cc-safe-setup --why destructive-guard` |
+| Block silent memory file edits | `npx cc-safe-setup --install-example memory-write-guard` |
+| Stop built-in skills editing opaquely | `npx cc-safe-setup --install-example skill-gate` |
+| Diagnose why hooks aren't working | `npx cc-safe-setup --doctor` |
+| Preview how hooks react to a command | `npx cc-safe-setup --simulate "git push origin main"` |
+| Protect a specific file from edits | `npx cc-safe-setup --protect .env` |
 | Migrate from Cursor/Windsurf | [Migration Guide](https://yurukusa.github.io/cc-safe-setup/migration-guide.html) |
 
 ## How It Works

package/examples/auto-compact-prep.sh

@@ -0,0 +1,31 @@
+INPUT=$(cat)
+STATE_DIR="${HOME}/.claude"
+COUNTER_FILE="${STATE_DIR}/session-call-count"
+PREP_FLAG="${STATE_DIR}/compact-prep-done"
+CHECKPOINT=".claude/pre-compact-checkpoint.md"
+COUNT=0
+[ -f "$COUNTER_FILE" ] && COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+if [ "$COUNT" -eq 0 ]; then
+    COUNT=1
+    echo "$COUNT" > "$COUNTER_FILE"
+else
+    COUNT=$((COUNT + 1))
+    echo "$COUNT" > "$COUNTER_FILE"
+fi
+THRESHOLD=${CC_COMPACT_PREP_THRESHOLD:-200}
+if (( COUNT >= THRESHOLD )) && [ ! -f "$PREP_FLAG" ]; then
+    mkdir -p "$(dirname "$CHECKPOINT")" 2>/dev/null
+    BRANCH=$(git branch --show-current 2>/dev/null || echo "?")
+    DIRTY=$(git status --porcelain 2>/dev/null | wc -l)
+    LAST_5=$(git log --oneline -5 2>/dev/null)
+    cat > "$CHECKPOINT" << CKPT
+Saved: $(date -Iseconds) | Tool call: #${COUNT}
+Branch: ${BRANCH} | Dirty files: ${DIRTY}
+${LAST_5}
+Read this file to understand what you were working on before context was compacted.
+Check git status and git log for current state. Continue from the last commit.
+CKPT
+    touch "$PREP_FLAG"
+    echo "NOTICE: Context may compact soon (call #${COUNT}). Checkpoint saved to ${CHECKPOINT}" >&2
+fi
+exit 0

package/examples/auto-git-checkpoint.sh

@@ -0,0 +1,15 @@
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[[ "$TOOL" != "Edit" && "$TOOL" != "Write" ]] && exit 0
+[ -z "$FILE" ] && exit 0
+git rev-parse --git-dir >/dev/null 2>&1 || exit 0
+[ ! -f "$FILE" ] && exit 0
+CKPT_DIR=".claude/checkpoints"
+mkdir -p "$CKPT_DIR" 2>/dev/null
+BASENAME=$(basename "$FILE")
+TIMESTAMP=$(date +%H%M%S)
+CKPT_FILE="${CKPT_DIR}/${BASENAME}.${TIMESTAMP}.bak"
+cp "$FILE" "$CKPT_FILE" 2>/dev/null
+ls -t "${CKPT_DIR}/${BASENAME}".*.bak 2>/dev/null | tail -n +21 | xargs rm -f 2>/dev/null
+exit 0

package/examples/edit-verify.sh

@@ -0,0 +1,30 @@
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[[ "$TOOL" != "Edit" && "$TOOL" != "Write" ]] && exit 0
+[ -z "$FILE" ] && exit 0
+[ ! -f "$FILE" ] && { echo "WARNING: File does not exist after edit: $FILE" >&2; exit 0; }
+SIZE=$(wc -c < "$FILE" 2>/dev/null || echo 0)
+if [ "$SIZE" -eq 0 ]; then
+    echo "WARNING: File is empty after edit: $FILE (possible truncation)" >&2
+    exit 0
+fi
+if [ "$TOOL" = "Edit" ]; then
+    NEW_STR=$(echo "$INPUT" | jq -r '.tool_input.new_string // empty' 2>/dev/null)
+    if [ -n "$NEW_STR" ]; then
+        FIRST_LINE=$(echo "$NEW_STR" | head -1)
+        if [ -n "$FIRST_LINE" ] && ! grep -qF "$FIRST_LINE" "$FILE" 2>/dev/null; then
+            echo "WARNING: Edit may not have applied — new_string not found in $FILE" >&2
+        fi
+    fi
+fi
+if grep -qE '^(<<<<<<<|=======|>>>>>>>)' "$FILE" 2>/dev/null; then
+    echo "WARNING: Merge conflict markers detected in $FILE after edit" >&2
+fi
+if [ "$SIZE" -lt 10 ]; then
+    case "$FILE" in
+        *.json|*.yaml|*.yml|*.toml) ;; # Config files can be small
+        *) echo "WARNING: File suspiciously small ($SIZE bytes) after edit: $FILE" >&2 ;;
+    esac
+fi
+exit 0

package/examples/mcp-tool-guard.sh

@@ -0,0 +1,26 @@
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+echo "$TOOL" | grep -q '^mcp__' || exit 0
+if [ "${CC_MCP_WARN_ALL:-0}" = "1" ]; then
+    echo "NOTE: MCP tool call: $TOOL" >&2
+fi
+BLOCKED="${CC_MCP_BLOCKED_TOOLS:-}"
+if [ -n "$BLOCKED" ]; then
+    IFS=',' read -ra PATTERNS <<< "$BLOCKED"
+    for pattern in "${PATTERNS[@]}"; do
+        pattern=$(echo "$pattern" | xargs)  # trim whitespace
+        if [[ "$TOOL" == *"$pattern"* ]]; then
+            echo "BLOCKED: MCP tool $TOOL matches blocked pattern: $pattern" >&2
+            exit 2
+        fi
+    done
+fi
+case "$TOOL" in
+    *delete*|*remove*|*drop*|*destroy*|*purge*)
+        echo "WARNING: Potentially destructive MCP tool: $TOOL" >&2
+        ;;
+    *send_email*|*send_message*|*post*|*publish*)
+        echo "WARNING: MCP tool with external side effects: $TOOL" >&2
+        ;;
+esac
+exit 0

package/examples/prompt-injection-guard.sh

@@ -44,6 +44,28 @@ if echo "$OUTPUT" | grep -qP '<!--.*(?:execute|run|delete|remove).*-->'; then
     SUSPICIOUS=1
 fi
 
+# tool_runtime_configuration injection (GitHub #28586)
+if echo "$OUTPUT" | grep -qiE '<tool_runtime_configuration>|</tool_runtime_configuration>'; then
+    echo "WARNING: tool_runtime_configuration injection detected — can disable tools" >&2
+    SUSPICIOUS=1
+fi
+
+# MCP server instruction override (GitHub #30545)
+if echo "$OUTPUT" | grep -qiE 'override.*CLAUDE\.md|ignore.*project\s+rules|disregard.*instructions'; then
+    echo "WARNING: Possible MCP instruction override detected" >&2
+    SUSPICIOUS=1
+fi
+
+# Base64-encoded commands (obfuscated injection)
+if echo "$OUTPUT" | grep -qE '[A-Za-z0-9+/]{40,}={0,2}'; then
+    # Check if it decodes to something suspicious
+    DECODED=$(echo "$OUTPUT" | grep -oE '[A-Za-z0-9+/]{40,}={0,2}' | head -1 | base64 -d 2>/dev/null || true)
+    if echo "$DECODED" | grep -qiE 'rm\s+-rf|curl.*\|.*sh|eval|exec'; then
+        echo "WARNING: Base64-encoded command detected in tool output" >&2
+        SUSPICIOUS=1
+    fi
+fi
+
 if [ "$SUSPICIOUS" -eq 1 ]; then
     echo "Review the output carefully before acting on it." >&2
 fi

package/examples/session-state-saver.sh

@@ -0,0 +1,30 @@
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+STATE_DIR="${HOME}/.claude"
+COUNTER_FILE="${STATE_DIR}/session-call-count"
+STATE_FILE=".claude/session-state.md"
+SAVE_INTERVAL=${CC_STATE_SAVE_INTERVAL:-50}
+mkdir -p "${STATE_DIR}" 2>/dev/null
+mkdir -p "$(dirname "${STATE_FILE}")" 2>/dev/null
+COUNT=0
+[ -f "$COUNTER_FILE" ] && COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+if (( COUNT % SAVE_INTERVAL == 0 )); then
+    BRANCH=$(git branch --show-current 2>/dev/null || echo "unknown")
+    MODIFIED=$(git diff --name-only 2>/dev/null | head -10)
+    STAGED=$(git diff --cached --name-only 2>/dev/null | head -10)
+    RECENT_COMMITS=$(git log --oneline -5 2>/dev/null)
+    cat > "$STATE_FILE" << STATE
+Updated: $(date -Iseconds)
+${BRANCH}
+${MODIFIED:-none}
+${STAGED:-none}
+${RECENT_COMMITS:-none}
+${COUNT}
+---
+*Read this file after compaction to restore context.*
+STATE
+    echo "Session state saved (call #${COUNT})" >&2
+fi
+exit 0

package/examples/subagent-budget-guard.sh

@@ -0,0 +1,34 @@
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[[ "$TOOL" != "Agent" ]] && exit 0
+MAX_AGENTS=${CC_MAX_SUBAGENTS:-5}
+TRACKER="${HOME}/.claude/active-agents"
+mkdir -p "$(dirname "$TRACKER")" 2>/dev/null
+NOW=$(date +%s)
+ACTIVE=0
+if [ -f "$TRACKER" ]; then
+    while IFS= read -r line; do
+        TS=$(echo "$line" | cut -d'|' -f1)
+        AGE=$(( NOW - TS ))
+        if (( AGE < 1800 )); then
+            ACTIVE=$((ACTIVE + 1))
+        fi
+    done < "$TRACKER"
+fi
+if (( ACTIVE >= MAX_AGENTS )); then
+    echo "BLOCKED: $ACTIVE active subagents (max: $MAX_AGENTS)." >&2
+    echo "Wait for existing agents to complete before spawning more." >&2
+    echo "Override: CC_MAX_SUBAGENTS=10" >&2
+    exit 2
+fi
+echo "${NOW}|agent" >> "$TRACKER"
+if [ -f "$TRACKER" ]; then
+    TMP=$(mktemp)
+    while IFS= read -r line; do
+        TS=$(echo "$line" | cut -d'|' -f1)
+        AGE=$(( NOW - TS ))
+        (( AGE < 1800 )) && echo "$line"
+    done < "$TRACKER" > "$TMP"
+    mv "$TMP" "$TRACKER"
+fi
+exit 0

package/index.mjs

@@ -114,6 +114,15 @@ const SUGGEST = process.argv.includes('--suggest');
 const INIT_PROJECT = process.argv.includes('--init-project');
 const SCORE_ONLY = process.argv.includes('--score');
 const CHANGELOG_CMD = process.argv.includes('--changelog');
+const VALIDATE = process.argv.includes('--validate');
+const SAFE_MODE = process.argv.includes('--safe-mode');
+const SAFE_MODE_OFF = process.argv.includes('--safe-mode') && process.argv.includes('off');
+const SIMULATE_IDX = process.argv.findIndex(a => a === '--simulate');
+const SIMULATE_CMD = SIMULATE_IDX !== -1 ? process.argv.slice(SIMULATE_IDX + 1).join(' ') : null;
+const PROTECT_IDX = process.argv.findIndex(a => a === '--protect');
+const PROTECT_PATH = PROTECT_IDX !== -1 ? process.argv[PROTECT_IDX + 1] : null;
+const RULES_IDX = process.argv.findIndex(a => a === '--rules');
+const RULES_FILE = RULES_IDX !== -1 ? (process.argv[RULES_IDX + 1] || '.claude/rules.yaml') : null;
 const TEST_HOOK_IDX = process.argv.findIndex(a => a === '--test-hook');
 const TEST_HOOK = TEST_HOOK_IDX !== -1 ? process.argv[TEST_HOOK_IDX + 1] : null;
 const WHY_IDX = process.argv.findIndex(a => a === '--why');
@@ -147,6 +156,9 @@ if (HELP) {
     npx cc-safe-setup --diff <file>   Compare your settings with another file
     npx cc-safe-setup --lint       Static analysis of hook configuration
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
+    npx cc-safe-setup --simulate "rm -rf /"  See how hooks react to a command
+    npx cc-safe-setup --protect .env         Block edits to a specific file/dir
+    npx cc-safe-setup --rules [file]       Compile YAML rules into a single hook
     npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
     npx cc-safe-setup --test-hook <name>  Test a specific hook with sample inputs
@@ -4260,6 +4272,581 @@ async function watch() {
   }
 }
 
+async function validateHooks() {
+  const { spawnSync } = await import('child_process');
+  const { readdirSync, renameSync } = await import('fs');
+
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --validate' + c.reset);
+  console.log(c.dim + '  Checking all hooks for syntax errors and dangerous exit codes...' + c.reset);
+  console.log();
+
+  if (!existsSync(HOOKS_DIR)) {
+    console.log(c.yellow + '  No hooks directory found.' + c.reset);
+    return;
+  }
+
+  const disabledDir = join(HOME, '.claude', 'hooks-disabled');
+  const hooks = readdirSync(HOOKS_DIR).filter(f => f.endsWith('.sh'));
+  let ok = 0, dangerous = 0;
+
+  for (const h of hooks) {
+    const path = join(HOOKS_DIR, h);
+    const name = h.replace('.sh', '');
+
+    // 1. Syntax check
+    const syntax = spawnSync('bash', ['-n', path], { stdio: 'pipe', timeout: 5000 });
+    if (syntax.status !== 0) {
+      mkdirSync(disabledDir, { recursive: true });
+      renameSync(path, join(disabledDir, h));
+      console.log(c.red + '  ✗ ' + name + c.reset + ' — SYNTAX ERROR (exit ' + syntax.status + ')');
+      console.log(c.dim + '    Moved to hooks-disabled/. A syntax error exit 2 blocks ALL tools.' + c.reset);
+      dangerous++;
+      continue;
+    }
+
+    // 2. Empty input test — exit 2 = would block all tools
+    const test = spawnSync('bash', [path], {
+      input: '{}', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe']
+    });
+    if (test.status === 2) {
+      mkdirSync(disabledDir, { recursive: true });
+      renameSync(path, join(disabledDir, h));
+      console.log(c.red + '  ✗ ' + name + c.reset + ' — BLOCKS on empty input (exit 2)');
+      console.log(c.dim + '    Moved to hooks-disabled/.' + c.reset);
+      dangerous++;
+      continue;
+    }
+
+    ok++;
+    console.log(c.green + '  ✓ ' + c.reset + name);
+  }
+
+  console.log();
+  if (dangerous > 0) {
+    console.log(c.red + '  ' + dangerous + ' dangerous hook(s) disabled.' + c.reset);
+    console.log(c.dim + '  Restart Claude Code to apply. Disabled hooks are in ~/.claude/hooks-disabled/' + c.reset);
+  } else {
+    console.log(c.green + '  All ' + ok + ' hooks passed validation.' + c.reset);
+  }
+  console.log();
+}
+
+async function safeMode(enable) {
+  const { readdirSync, renameSync, rmdirSync } = await import('fs');
+  const disabledDir = join(HOME, '.claude', 'hooks-disabled');
+  const backupSettings = join(HOME, '.claude', 'settings-backup.json');
+
+  console.log();
+  if (enable) {
+    console.log(c.bold + '  cc-safe-setup --safe-mode' + c.reset);
+    console.log(c.dim + '  Disabling all hooks...' + c.reset);
+
+    if (!existsSync(HOOKS_DIR)) {
+      console.log(c.yellow + '  No hooks to disable.' + c.reset);
+      return;
+    }
+
+    mkdirSync(disabledDir, { recursive: true });
+    const hooks = readdirSync(HOOKS_DIR).filter(f => f.endsWith('.sh'));
+    for (const h of hooks) {
+      renameSync(join(HOOKS_DIR, h), join(disabledDir, h));
+    }
+
+    // Backup settings and clear hooks
+    if (existsSync(SETTINGS_PATH)) {
+      const settings = readFileSync(SETTINGS_PATH, 'utf-8');
+      writeFileSync(backupSettings, settings);
+      const parsed = JSON.parse(settings);
+      parsed.hooks = {};
+      writeFileSync(SETTINGS_PATH, JSON.stringify(parsed, null, 2));
+    }
+
+    console.log(c.green + '  Safe mode ON.' + c.reset + ' ' + hooks.length + ' hooks disabled.');
+    console.log(c.dim + '  Restart Claude Code. Run --safe-mode off to restore.' + c.reset);
+  } else {
+    console.log(c.bold + '  cc-safe-setup --safe-mode off' + c.reset);
+
+    if (existsSync(disabledDir)) {
+      mkdirSync(HOOKS_DIR, { recursive: true });
+      const hooks = readdirSync(disabledDir).filter(f => f.endsWith('.sh'));
+      for (const h of hooks) {
+        renameSync(join(disabledDir, h), join(HOOKS_DIR, h));
+      }
+      try { rmdirSync(disabledDir); } catch {}
+      console.log(c.green + '  Restored ' + hooks.length + ' hooks.' + c.reset);
+    }
+
+    if (existsSync(backupSettings)) {
+      copyFileSync(backupSettings, SETTINGS_PATH);
+      unlinkSync(backupSettings);
+      console.log(c.green + '  Restored settings.json from backup.' + c.reset);
+    }
+
+    console.log(c.dim + '  Restart Claude Code to activate hooks.' + c.reset);
+  }
+  console.log();
+}
+
+async function compileRules(rulesFile) {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --rules' + c.reset);
+
+  if (!existsSync(rulesFile)) {
+    // Create example rules file
+    const exampleDir = rulesFile.includes('/') ? rulesFile.substring(0, rulesFile.lastIndexOf('/')) : '.';
+    mkdirSync(exampleDir, { recursive: true });
+    writeFileSync(rulesFile, `# Claude Code Safety Rules
+# Run: npx cc-safe-setup --rules ${rulesFile}
+
+# Block dangerous commands
+- block: "rm -rf on root or home"
+  pattern: "rm\\\\s+-rf\\\\s+(\\\\/$|~)"
+
+- block: "git push to main"
+  pattern: "git\\\\s+push.*(main|master)"
+
+- block: "git force push"
+  pattern: "git\\\\s+push.*--force"
+
+- block: "git add .env"
+  pattern: "git\\\\s+add.*\\\\.env"
+
+# Auto-approve safe commands
+- approve: "read-only commands"
+  commands: [cat, head, tail, ls, grep, find, which, pwd, date]
+
+- approve: "git read commands"
+  pattern: "^\\\\s*git\\\\s+(status|log|diff|show|branch)"
+
+- approve: "test runners"
+  pattern: "^\\\\s*(npm\\\\s+test|pytest|go\\\\s+test|cargo\\\\s+test)"
+
+# Protect files from edits
+- protect: ".env"
+- protect: "config/secrets.yaml"
+`);
+    console.log(c.green + '  + ' + c.reset + 'Created ' + rulesFile + ' with example rules');
+    console.log(c.dim + '  Edit the file, then run this command again to compile.' + c.reset);
+    console.log();
+    return;
+  }
+
+  // Parse YAML (simple parser — no dependency needed)
+  const content = readFileSync(rulesFile, 'utf-8');
+  const rules = [];
+  let current = null;
+
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+    if (trimmed.startsWith('#') || !trimmed) continue;
+
+    const blockMatch = trimmed.match(/^-\s+block:\s+"(.+)"/);
+    const approveMatch = trimmed.match(/^-\s+approve:\s+"(.+)"/);
+    const protectMatch = trimmed.match(/^-\s+protect:\s+"(.+)"/);
+    const patternMatch = trimmed.match(/^\s+pattern:\s+"(.+)"/);
+    const commandsMatch = trimmed.match(/^\s+commands:\s+\[(.+)\]/);
+
+    if (blockMatch) { current = { type: 'block', name: blockMatch[1] }; rules.push(current); }
+    else if (approveMatch) { current = { type: 'approve', name: approveMatch[1] }; rules.push(current); }
+    else if (protectMatch) { rules.push({ type: 'protect', path: protectMatch[1] }); current = null; }
+    else if (patternMatch && current) { current.pattern = patternMatch[1]; }
+    else if (commandsMatch && current) { current.commands = commandsMatch[1].split(',').map(s => s.trim()); }
+  }
+
+  if (rules.length === 0) {
+    console.log(c.yellow + '  No rules found in ' + rulesFile + c.reset);
+    return;
+  }
+
+  console.log(c.dim + '  Compiling ' + rules.length + ' rules from ' + rulesFile + c.reset);
+
+  // Generate consolidated hook script
+  let script = `#!/bin/bash
+# Auto-generated from: ${rulesFile}
+# Generated: $(date -Iseconds)
+# Rules: ${rules.length}
+# Regenerate: npx cc-safe-setup --rules ${rulesFile}
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+`;
+
+  // Block rules
+  const blocks = rules.filter(r => r.type === 'block');
+  if (blocks.length > 0) {
+    script += '# === Block Rules ===\n';
+    script += 'if [ "$TOOL" = "Bash" ] && [ -n "$COMMAND" ]; then\n';
+    for (const rule of blocks) {
+      if (rule.pattern) {
+        script += `  if echo "$COMMAND" | grep -qE '${rule.pattern}'; then\n`;
+        script += `    echo "BLOCKED: ${rule.name}" >&2\n`;
+        script += `    exit 2\n`;
+        script += `  fi\n`;
+      }
+    }
+    script += 'fi\n\n';
+  }
+
+  // Approve rules
+  const approves = rules.filter(r => r.type === 'approve');
+  if (approves.length > 0) {
+    script += '# === Approve Rules ===\n';
+    script += 'if [ "$TOOL" = "Bash" ] && [ -n "$COMMAND" ]; then\n';
+    for (const rule of approves) {
+      if (rule.commands) {
+        const base = '$(echo "$COMMAND" | awk \'{ print $1 }\' | sed \'s|.*/||\')'
+        script += `  BASE=${base}\n`;
+        script += `  case "$BASE" in\n`;
+        script += `    ${rule.commands.join('|')}) echo '{"decision":"approve","reason":"${rule.name}"}'; exit 0 ;;\n`;
+        script += `  esac\n`;
+      }
+      if (rule.pattern) {
+        script += `  if echo "$COMMAND" | grep -qE '${rule.pattern}'; then\n`;
+        script += `    echo '{"decision":"approve","reason":"${rule.name}"}'\n`;
+        script += `    exit 0\n`;
+        script += `  fi\n`;
+      }
+    }
+    script += 'fi\n\n';
+  }
+
+  // Protect rules
+  const protects = rules.filter(r => r.type === 'protect');
+  if (protects.length > 0) {
+    script += '# === Protect Rules ===\n';
+    script += 'if [ "$TOOL" = "Edit" ] || [ "$TOOL" = "Write" ]; then\n';
+    script += '  [ -z "$FILE" ] && exit 0\n';
+    for (const rule of protects) {
+      const path = rule.path;
+      if (path.endsWith('/')) {
+        script += `  [[ "$FILE" == *"${path}"* ]] && { jq -n '{"decision":"block","reason":"Protected: ${path}"}'; exit 0; }\n`;
+      } else {
+        script += `  [[ "$FILE" == *"${path}" ]] && { jq -n '{"decision":"block","reason":"Protected: ${path}"}'; exit 0; }\n`;
+      }
+    }
+    script += 'fi\n\n';
+  }
+
+  script += 'exit 0\n';
+
+  // Write hook
+  mkdirSync(HOOKS_DIR, { recursive: true });
+  const hookPath = join(HOOKS_DIR, 'compiled-rules.sh');
+  writeFileSync(hookPath, script);
+  chmodSync(hookPath, 0o755);
+
+  // Register in settings.json
+  let settings = {};
+  if (existsSync(SETTINGS_PATH)) {
+    try { settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8')); } catch {}
+  }
+  if (!settings.hooks) settings.hooks = {};
+  if (!settings.hooks.PreToolUse) settings.hooks.PreToolUse = [];
+
+  const hookCmd = `bash ${hookPath}`;
+
+  // Check all matchers for existing compiled-rules entry
+  let found = false;
+  for (const entry of settings.hooks.PreToolUse) {
+    const idx = (entry.hooks || []).findIndex(h => h.command && h.command.includes('compiled-rules'));
+    if (idx !== -1) {
+      entry.hooks[idx] = { type: 'command', command: hookCmd };
+      found = true;
+      break;
+    }
+  }
+
+  if (!found) {
+    // Add to catch-all matcher
+    let allMatcher = settings.hooks.PreToolUse.find(e => e.matcher === '');
+    if (!allMatcher) {
+      allMatcher = { matcher: '', hooks: [] };
+      settings.hooks.PreToolUse.push(allMatcher);
+    }
+    allMatcher.hooks.push({ type: 'command', command: hookCmd });
+  }
+
+  writeFileSync(SETTINGS_PATH, JSON.stringify(settings, null, 2));
+
+  // Summary
+  console.log();
+  for (const rule of rules) {
+    if (rule.type === 'block') console.log(c.red + '  ✗ ' + c.reset + 'Block: ' + rule.name);
+    else if (rule.type === 'approve') console.log(c.green + '  ✓ ' + c.reset + 'Approve: ' + rule.name);
+    else if (rule.type === 'protect') console.log(c.blue + '  🔒 ' + c.reset + 'Protect: ' + rule.path);
+  }
+  console.log();
+  console.log(c.bold + '  ' + rules.length + ' rules compiled' + c.reset + ' → ' + hookPath);
+  console.log(c.dim + '  Restart Claude Code to activate.' + c.reset);
+  console.log(c.dim + '  Edit ' + rulesFile + ' and re-run to update.' + c.reset);
+  console.log();
+}
+
+async function protect(targetPath) {
+  const { resolve, basename } = await import('path');
+
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --protect' + c.reset);
+
+  // Normalize path
+  const normalized = targetPath.replace(/\\/g, '/');
+  const safeName = basename(normalized).replace(/[^a-zA-Z0-9._-]/g, '_');
+  const hookName = `protect-${safeName}.sh`;
+  const hookPath = join(HOOKS_DIR, hookName);
+
+  // Generate hook script
+  const isDir = normalized.endsWith('/');
+  const pattern = isDir ? `*${normalized}*` : normalized;
+
+  const script = `#!/bin/bash
+# Auto-generated by: npx cc-safe-setup --protect ${targetPath}
+# Blocks Edit/Write to: ${normalized}
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+[[ "$TOOL" != "Edit" && "$TOOL" != "Write" ]] && exit 0
+[ -z "$FILE" ] && exit 0
+
+${isDir
+  ? `if [[ "$FILE" == *"${normalized}"* ]]; then`
+  : `if [[ "$FILE" == *"${normalized}" ]] || [[ "$FILE" == *"/${normalized}" ]]; then`
+}
+    jq -n '{"decision":"block","reason":"Protected path: ${normalized}"}'
+    exit 0
+fi
+
+exit 0
+`;
+
+  // Safety: write to /tmp first, validate, then copy to hooks/
+  const tmpScript = '/tmp/cc-compiled-rules-' + Date.now() + '.sh';
+  writeFileSync(tmpScript, script);
+  chmodSync(tmpScript, 0o755);
+
+  // Validate 1: bash syntax check
+  const { spawnSync: checkSpawn } = await import('child_process');
+  const syntaxCheck = checkSpawn('bash', ['-n', tmpScript], { stdio: 'pipe' });
+  if (syntaxCheck.status !== 0) {
+    const err = (syntaxCheck.stderr || '').toString().trim();
+    console.log(c.red + '  ERROR: Generated script has syntax errors:' + c.reset);
+    console.log(c.dim + '  ' + err + c.reset);
+    try { unlinkSync(tmpScript); } catch {}
+    console.log(c.dim + '  Script NOT installed. Fix your rules and try again.' + c.reset);
+    return;
+  }
+
+  // Validate 2: empty input must NOT return exit 2 (which blocks all tools)
+  const emptyTest = checkSpawn('bash', [tmpScript], {
+    input: '{}', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe']
+  });
+  if (emptyTest.status === 2) {
+    console.log(c.red + '  ERROR: Script returns exit 2 on empty input.' + c.reset);
+    console.log(c.red + '  This would BLOCK ALL Claude Code tools.' + c.reset);
+    try { unlinkSync(tmpScript); } catch {}
+    return;
+  }
+
+  // Validated — copy to hooks dir
+  mkdirSync(HOOKS_DIR, { recursive: true });
+  const hookContent = readFileSync(tmpScript, 'utf-8');
+  writeFileSync(hookPath, hookContent);
+  chmodSync(hookPath, 0o755);
+  try { unlinkSync(tmpScript); } catch {}
+  console.log(c.green + '  + ' + c.reset + 'Created ' + hookName + ' (syntax verified)');
+
+  // Register in settings.json — use "Bash" matcher ONLY (never "")
+  // "" matcher affects ALL tools and a broken hook would lock out the session
+  let settings = {};
+  if (existsSync(SETTINGS_PATH)) {
+    try { settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8')); } catch {}
+  }
+  if (!settings.hooks) settings.hooks = {};
+  if (!settings.hooks.PreToolUse) settings.hooks.PreToolUse = [];
+
+  // Register under specific matchers based on rule types (NEVER use "" matcher)
+  const hookCmd = `bash ${hookPath}`;
+  const hasBlocks = rules.some(r => r.type === 'block');
+  const hasApproves = rules.some(r => r.type === 'approve');
+  const hasProtects = rules.some(r => r.type === 'protect');
+
+  // Block and approve rules need Bash matcher
+  if (hasBlocks || hasApproves) {
+    let bashMatcher = settings.hooks.PreToolUse.find(e => e.matcher === 'Bash');
+    if (!bashMatcher) {
+      bashMatcher = { matcher: 'Bash', hooks: [] };
+      settings.hooks.PreToolUse.push(bashMatcher);
+    }
+    if (!bashMatcher.hooks.some(h => h.command === hookCmd)) {
+      bashMatcher.hooks.push({ type: 'command', command: hookCmd });
+    }
+  }
+
+  // Protect rules need Edit|Write matcher
+  if (hasProtects) {
+    let editMatcher = settings.hooks.PreToolUse.find(e => e.matcher === 'Edit|Write');
+    if (!editMatcher) {
+      editMatcher = { matcher: 'Edit|Write', hooks: [] };
+      settings.hooks.PreToolUse.push(editMatcher);
+    }
+    if (!editMatcher.hooks.some(h => h.command === hookCmd)) {
+      editMatcher.hooks.push({ type: 'command', command: hookCmd });
+    }
+  }
+
+  writeFileSync(SETTINGS_PATH, JSON.stringify(settings, null, 2));
+  console.log(c.green + '  + ' + c.reset + 'Registered in settings.json');
+
+  console.log();
+  console.log(c.bold + '  Protected: ' + c.reset + c.blue + normalized + c.reset);
+  console.log(c.dim + '  Edit and Write to this path will be blocked.' + c.reset);
+  console.log(c.dim + '  Restart Claude Code to activate.' + c.reset);
+  console.log();
+
+  // Show how to unprotect
+  console.log(c.dim + '  To unprotect: rm ' + hookPath + c.reset);
+  console.log(c.dim + '  Then remove the entry from ~/.claude/settings.json' + c.reset);
+  console.log();
+}
+
+async function simulate(command) {
+  const { spawnSync } = await import('child_process');
+  const { readdirSync } = await import('fs');
+
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --simulate' + c.reset);
+  console.log(c.dim + '  Simulating how hooks would react to:' + c.reset);
+  console.log(c.blue + '  $ ' + command + c.reset);
+  console.log();
+
+  // Build fake PreToolUse JSON for Bash
+  const fakeInput = JSON.stringify({
+    tool_name: 'Bash',
+    tool_input: { command }
+  });
+
+  // Read settings to find registered hooks
+  let settings = {};
+  if (existsSync(SETTINGS_PATH)) {
+    try { settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8')); } catch {}
+  }
+
+  const hookEntries = settings.hooks?.PreToolUse || [];
+  let tested = 0;
+  let approved = 0;
+  let blocked = 0;
+  let passthrough = 0;
+
+  for (const entry of hookEntries) {
+    const matcher = entry.matcher || '';
+    // Check if matcher includes Bash (or matches all)
+    if (matcher && !matcher.match(/Bash/i) && matcher !== '') continue;
+
+    for (const h of (entry.hooks || [])) {
+      if (h.type !== 'command') continue;
+      const cmd = h.command;
+
+      // Extract script name for display
+      const parts = cmd.split(/\s+/);
+      const scriptPath = parts[parts.length - 1];
+      const scriptName = scriptPath.split('/').pop().replace('.sh', '');
+
+      // Resolve path
+      const resolved = scriptPath.replace(/^~/, HOME);
+      if (!existsSync(resolved)) {
+        console.log(c.yellow + '  ? ' + c.reset + scriptName + c.dim + ' (script not found)' + c.reset);
+        continue;
+      }
+
+      tested++;
+
+      // Run the hook with fake input
+      const result = spawnSync('bash', [resolved], {
+        input: fakeInput,
+        timeout: 5000,
+        stdio: ['pipe', 'pipe', 'pipe'],
+      });
+
+      const stdout = (result.stdout || '').toString().trim();
+      const stderr = (result.stderr || '').toString().trim();
+      const exitCode = result.status;
+
+      if (exitCode === 2) {
+        blocked++;
+        console.log(c.red + '  ✗ BLOCK ' + c.reset + c.bold + scriptName + c.reset);
+        if (stderr) console.log(c.dim + '    ' + stderr.split('\n')[0] + c.reset);
+      } else if (stdout.includes('"approve"') || stdout.includes('"decision":"approve"')) {
+        approved++;
+        let reason = '';
+        try { reason = JSON.parse(stdout).reason || JSON.parse(stdout).decision; } catch {}
+        console.log(c.green + '  ✓ APPROVE ' + c.reset + scriptName + (reason ? c.dim + ' (' + reason + ')' + c.reset : ''));
+      } else {
+        passthrough++;
+        console.log(c.dim + '  · pass    ' + scriptName + c.reset);
+      }
+    }
+  }
+
+  // Also check installed hook scripts not in settings
+  if (existsSync(HOOKS_DIR)) {
+    const hookFiles = readdirSync(HOOKS_DIR).filter(f => f.endsWith('.sh'));
+    const registeredScripts = new Set();
+    for (const entry of hookEntries) {
+      for (const h of (entry.hooks || [])) {
+        if (h.command) registeredScripts.add(h.command.split('/').pop().replace('.sh', ''));
+      }
+    }
+
+    const unregistered = hookFiles.filter(f => !registeredScripts.has(f.replace('.sh', '')));
+    if (unregistered.length > 0) {
+      console.log();
+      console.log(c.dim + '  Unregistered hooks (not in settings.json):' + c.reset);
+      for (const f of unregistered.slice(0, 5)) {
+        const resolved = join(HOOKS_DIR, f);
+        const result = spawnSync('bash', [resolved], {
+          input: fakeInput,
+          timeout: 5000,
+          stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        const exitCode = result.status;
+        const stdout = (result.stdout || '').toString().trim();
+        const name = f.replace('.sh', '');
+
+        if (exitCode === 2) {
+          console.log(c.red + '  ✗ BLOCK ' + c.reset + name + c.dim + ' (unregistered)' + c.reset);
+        } else if (stdout.includes('"approve"')) {
+          console.log(c.green + '  ✓ APPROVE ' + c.reset + name + c.dim + ' (unregistered)' + c.reset);
+        } else {
+          console.log(c.dim + '  · pass    ' + name + ' (unregistered)' + c.reset);
+        }
+      }
+      if (unregistered.length > 5) {
+        console.log(c.dim + '    ... and ' + (unregistered.length - 5) + ' more' + c.reset);
+      }
+    }
+  }
+
+  // Summary
+  console.log();
+  console.log(c.bold + '  Summary: ' + c.reset +
+    (blocked > 0 ? c.red + blocked + ' blocked' + c.reset + ' · ' : '') +
+    (approved > 0 ? c.green + approved + ' approved' + c.reset + ' · ' : '') +
+    passthrough + ' passthrough');
+
+  if (blocked > 0) {
+    console.log(c.red + '  → This command would be BLOCKED' + c.reset);
+  } else if (approved > 0) {
+    console.log(c.green + '  → This command would be auto-approved (no prompt)' + c.reset);
+  } else {
+    console.log(c.dim + '  → This command would trigger a permission prompt' + c.reset);
+  }
+  console.log();
+}
+
 async function doctor() {
   const { execSync, spawnSync } = await import('child_process');
   const { statSync, readdirSync } = await import('fs');
@@ -4578,7 +5165,12 @@ async function main() {
   if (LEARN) return learn();
   if (SCAN) return scan();
   if (FULL) return fullSetup();
+  if (VALIDATE) return validateHooks();
+  if (SAFE_MODE) return safeMode(!SAFE_MODE_OFF);
   if (DOCTOR) return doctor();
+  if (SIMULATE_CMD) return simulate(SIMULATE_CMD);
+  if (PROTECT_PATH) return protect(PROTECT_PATH);
+  if (RULES_FILE) return compileRules(RULES_FILE);
   if (WATCH) return watch();
   if (TEST_HOOK_IDX !== -1) return testHook(TEST_HOOK);
   if (SAVE_PROFILE_IDX !== -1) return saveProfile(SAVE_PROFILE);
@@ -4707,7 +5299,7 @@ async function main() {
   console.log('  ' + c.dim + 'Restart Claude Code to activate.' + c.reset);
   console.log('  ' + c.dim + 'Verify:' + c.reset + ' ' + c.blue + 'npx cc-health-check' + c.reset);
   console.log();
-  console.log('  ' + c.dim + 'Full kit (16 hooks + templates + tools):' + c.reset);
+  console.log('  ' + c.dim + 'Need more? 16 hooks + templates for autonomous teams:' + c.reset);
   console.log('  https://yurukusa.github.io/cc-ops-kit-landing/?utm_source=npm&utm_medium=cli&utm_campaign=safe-setup');
   console.log();
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "28.3.5",
+  "version": "28.4.1",
   "description": "One command to make Claude Code safe. 327 hooks (8 built-in + 319 examples). 45 CLI commands. 941 tests. 5 languages.",
   "main": "index.mjs",
   "bin": {