cc-safe-setup 28.4.1 → 28.4.2

package/README.md

@@ -6,13 +6,13 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 319 examples = **327 hooks**. 45 CLI commands. 955 tests. 5 languages. [**Getting Started**](https://yurukusa.github.io/cc-safe-setup/getting-started.html) · [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [**Recipes**](https://yurukusa.github.io/cc-safe-setup/recipes.html) · [Wizard](https://yurukusa.github.io/cc-safe-setup/wizard.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
-
 ```bash
 npx cc-safe-setup
 ```
 
-Installs 8 production-tested safety hooks in ~10 seconds. Zero dependencies. No manual configuration.
+Installs 8 safety hooks in ~10 seconds. Blocks `rm -rf /`, prevents pushes to main, catches secret leaks, validates syntax after every edit. Zero dependencies.
+
+[**Getting Started**](https://yurukusa.github.io/cc-safe-setup/getting-started.html) · [**All Tools**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [**Recipes**](https://yurukusa.github.io/cc-safe-setup/recipes.html) · [Validate your settings.json](https://yurukusa.github.io/cc-safe-setup/validator.html)
 
 ```
   cc-safe-setup

package/examples/claudemd-enforcer.sh

@@ -0,0 +1,42 @@
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+RESULT=$(echo "$INPUT" | jq -r '.tool_result // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if [ "${CC_REQUIRE_TESTS:-0}" = "1" ]; then
+    if echo "$COMMAND" | grep -qE '^\s*git\s+commit'; then
+        LAST_TEST=$(stat -c %Y coverage/.last-run.json 2>/dev/null || stat -c %Y test-results 2>/dev/null || echo 0)
+        NOW=$(date +%s)
+        if [ "$LAST_TEST" -eq 0 ] || [ $((NOW - LAST_TEST)) -gt 600 ]; then
+            echo "⚠ CLAUDE.md VIOLATION: Committed without running tests first" >&2
+        fi
+    fi
+fi
+if [ -n "${CC_ENFORCED_BRANCH}" ]; then
+    if echo "$COMMAND" | grep -qE "git\s+push.*${CC_ENFORCED_BRANCH}"; then
+        echo "⚠ CLAUDE.md VIOLATION: Pushed to protected branch '${CC_ENFORCED_BRANCH}'" >&2
+    fi
+fi
+if [ "${CC_NO_FORCE_PUSH:-1}" = "1" ]; then
+    if echo "$COMMAND" | grep -qE 'git\s+push.*--force'; then
+        echo "⚠ CLAUDE.md VIOLATION: Force push detected" >&2
+    fi
+fi
+MAX_FILES=${CC_MAX_FILES_PER_COMMIT:-20}
+if echo "$COMMAND" | grep -qE '^\s*git\s+commit'; then
+    STAGED=$(git diff --cached --name-only 2>/dev/null | wc -l)
+    if [ "$STAGED" -gt "$MAX_FILES" ]; then
+        echo "⚠ CLAUDE.md VIOLATION: Committing $STAGED files (max: $MAX_FILES)" >&2
+    fi
+fi
+if echo "$COMMAND" | grep -qE '^\s*git\s+add'; then
+    STAGED_FILES=$(git diff --cached --name-only 2>/dev/null)
+    for f in $STAGED_FILES; do
+        [ -f "$f" ] || continue
+        if grep -qE 'console\.log\(|debugger;|print\(' "$f" 2>/dev/null; then
+            echo "⚠ CLAUDE.md REMINDER: Debug statements found in staged file: $f" >&2
+            break
+        fi
+    done
+fi
+exit 0

package/examples/test-before-commit.sh

@@ -0,0 +1,17 @@
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
+RECENT=0
+TIMEOUT=${CC_TEST_TIMEOUT:-600}
+NOW=$(date +%s)
+for marker in coverage/.last-run.json test-results .nyc_output junit.xml; do
+    [ -e "$marker" ] || continue
+    MTIME=$(stat -c %Y "$marker" 2>/dev/null || echo 0)
+    [ $((NOW - MTIME)) -lt "$TIMEOUT" ] && RECENT=1 && break
+done
+if [ "$RECENT" -eq 0 ]; then
+    echo "BLOCKED: No recent test results (within $((TIMEOUT/60)) min)" >&2
+    echo "Run your test suite first, then commit." >&2
+    exit 2
+fi
+exit 0

package/examples/usage-warn.sh

@@ -0,0 +1,13 @@
+COUNTER="${HOME}/.claude/session-tool-count"
+COUNT=$(cat "$COUNTER" 2>/dev/null || echo 0)
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER"
+WARN1=${CC_USAGE_WARN1:-100}
+WARN2=${CC_USAGE_WARN2:-200}
+WARN3=${CC_USAGE_WARN3:-300}
+case "$COUNT" in
+    "$WARN1") echo "NOTE: $COUNT tool calls this session" >&2 ;;
+    "$WARN2") echo "WARNING: $COUNT tool calls — consider wrapping up" >&2 ;;
+    "$WARN3") echo "ALERT: $COUNT tool calls — approaching typical session limit" >&2 ;;
+esac
+exit 0

package/index.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, copyFileSync } from 'fs';
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, copyFileSync, unlinkSync } from 'fs';
 import { join, dirname } from 'path';
 import { homedir } from 'os';
 import { createInterface } from 'readline';
@@ -11,6 +11,9 @@ const HOME = homedir();
 const HOOKS_DIR = join(HOME, '.claude', 'hooks');
 const SETTINGS_PATH = join(HOME, '.claude', 'settings.json');
 
+// Convert Windows backslash paths to bash-compatible forward slashes
+const toBashPath = (p) => p.replace(/\\/g, '/');
+
 const c = {
   reset: '\x1b[0m', bold: '\x1b[1m', dim: '\x1b[2m',
   red: '\x1b[31m', green: '\x1b[32m', yellow: '\x1b[33m',
@@ -132,52 +135,43 @@ if (HELP) {
   console.log(`
   cc-safe-setup — Make Claude Code safe for autonomous operation
 
-  Usage:
-    npx cc-safe-setup              Install 8 safety hooks
-    npx cc-safe-setup --status     Check installed hooks
-    npx cc-safe-setup --verify     Test each hook with sample inputs
-    npx cc-safe-setup --dry-run    Preview without installing
-    npx cc-safe-setup --uninstall  Remove all installed hooks
-    npx cc-safe-setup --examples   List 30 example hooks (5 categories)
-    npx cc-safe-setup --install-example <name>  Install a specific example
-    npx cc-safe-setup --full       Complete setup: hooks + scan + audit + badge
-    npx cc-safe-setup --audit      Safety score (0-100) with fixes
-    npx cc-safe-setup --audit --fix  Auto-fix missing protections
-    npx cc-safe-setup --audit --json  Machine-readable output for CI/CD
-    npx cc-safe-setup --scan       Detect tech stack, recommend hooks
-    npx cc-safe-setup --learn      Learn from your block history
-    npx cc-safe-setup --generate-ci   Generate GitHub Actions workflow for safety checks
-    npx cc-safe-setup --migrate       Detect hooks from other projects, suggest replacements
-    npx cc-safe-setup --compare <a> <b>  Compare two hooks side-by-side
-    npx cc-safe-setup --issues        Show GitHub Issues each hook addresses
-    npx cc-safe-setup --dashboard     Real-time status dashboard
-    npx cc-safe-setup --benchmark     Measure hook execution time
-    npx cc-safe-setup --share         Generate shareable URL for your setup
-    npx cc-safe-setup --diff <file>   Compare your settings with another file
-    npx cc-safe-setup --lint       Static analysis of hook configuration
-    npx cc-safe-setup --doctor     Diagnose why hooks aren't working
-    npx cc-safe-setup --simulate "rm -rf /"  See how hooks react to a command
-    npx cc-safe-setup --protect .env         Block edits to a specific file/dir
-    npx cc-safe-setup --rules [file]       Compile YAML rules into a single hook
-    npx cc-safe-setup --watch      Live dashboard of blocked commands
-    npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
-    npx cc-safe-setup --test-hook <name>  Test a specific hook with sample inputs
-    npx cc-safe-setup --save-profile <name>  Save current hooks as a named profile
-    npx cc-safe-setup --changelog       Show what changed in recent versions
-    npx cc-safe-setup --score           Print safety score (0-100) and exit
-    npx cc-safe-setup --init-project    Complete project setup (CLAUDE.md + hooks + CI + .gitignore)
-    npx cc-safe-setup --suggest        Analyze project and predict risks → suggest hooks
-    npx cc-safe-setup --why <hook>     Why this hook exists (real incident + issue link)
-    npx cc-safe-setup --replay         Replay blocked commands timeline (demo/review)
-    npx cc-safe-setup --guard "<rule>"  Instantly enforce a rule (generate + install + activate)
-    npx cc-safe-setup --diff-hooks <path>  Compare hooks between two settings files
-    npx cc-safe-setup --from-claudemd  Convert CLAUDE.md rules into hooks
-    npx cc-safe-setup --health        Hook health dashboard (size, permissions, age)
-    npx cc-safe-setup --migrate-from <tool>  Migrate from safety-net/hooks-mastery/etc.
-    npx cc-safe-setup --team         Set up project-level hooks (commit to repo for team)
-    npx cc-safe-setup --profile <level>  Switch safety profile (strict/standard/minimal)
-    npx cc-safe-setup --analyze     Analyze what Claude did in your last session
-    npx cc-safe-setup --shield     Maximum safety in one command (fix + scan + install + CLAUDE.md)
+  Quick Start:
+    npx cc-safe-setup              Install 8 safety hooks (30 sec)
+    npx cc-safe-setup --shield     Maximum safety — one command
+    npx cc-safe-setup --doctor     Diagnose hook problems
+
+  Protect:
+    --protect .env                 Block edits to a specific file
+    --guard "never delete prod"    Enforce a rule from plain English
+    --simulate "rm -rf /"          Preview how hooks react to a command
+    --validate                     Check all hooks for errors (auto-fix)
+    --safe-mode                    Emergency: disable all hooks
+
+  Install & Configure:
+    --install-example <name>       Install from 300+ example hooks
+    --examples                     Browse examples by category
+    --from-claudemd                Convert CLAUDE.md rules into hooks
+    --rules [file]                 Compile YAML rules into hooks
+    --team                         Set up project-level hooks for git
+    --profile <level>              Switch profile (strict/standard/minimal)
+    --shield                       Full setup: hooks + scan + CLAUDE.md
+
+  Diagnose & Monitor:
+    --status / --verify            Check installed hooks / test them
+    --doctor                       13-point diagnostic
+    --audit [--fix] [--json]       Safety score 0-100
+    --watch                        Live blocked command feed
+    --health                       Hook health dashboard
+    --suggest                      Predict risks from project analysis
+
+  Manage:
+    --dry-run / --uninstall        Preview / remove hooks
+    --export / --import            Share configuration
+    --diff <file>                  Compare settings
+    --lint                         Static analysis of config
+
+  More: --create, --why, --replay, --score, --changelog, --analyze,
+        --benchmark, --dashboard, --migrate-from, --init-project
     npx cc-safe-setup --quickfix   Auto-detect and fix common Claude Code problems
     npx cc-safe-setup --stats      Block statistics and patterns report
     npx cc-safe-setup --export     Export hooks config for team sharing
@@ -311,6 +305,8 @@ function status() {
     console.log('  ' + c.dim + '+ ' + installedExamples.length + ' example hooks' + c.reset);
   }
   console.log();
+  console.log(c.dim + '  Tip: --validate to check health · --simulate "cmd" to test · --shield for max safety' + c.reset);
+  console.log();
 
   // Exit code for CI: 0 = all installed, 1 = missing hooks
   if (missing > 0) process.exit(1);
@@ -621,7 +617,7 @@ async function installExample(name) {
 
   const hookEntry = {
     matcher: matcher,
-    hooks: [{ type: 'command', command: destPath }],
+    hooks: [{ type: 'command', command: toBashPath(destPath) }],
   };
 
   // Check if already installed
@@ -2220,7 +2216,7 @@ async function profile(level) {
 
   // Register all hooks in settings
   const hookFiles = prof.hooks.filter(h => existsSync(join(HOOKS_DIR, `${h}.sh`)));
-  const bashHooks = hookFiles.map(h => ({ type: 'command', command: `bash ${join(HOOKS_DIR, h + '.sh')}` }));
+  const bashHooks = hookFiles.map(h => ({ type: 'command', command: `bash ${toBashPath(join(HOOKS_DIR, h + '.sh'))}` }));
 
   // Simplified: put all under PreToolUse Bash for now
   if (!settings.hooks.PreToolUse) settings.hooks.PreToolUse = [];
@@ -3887,7 +3883,7 @@ exit 0`,
   if (!existing.some(cmd => cmd.includes(matched.name))) {
     settings.hooks[matched.trigger].push({
       matcher: matched.matcher,
-      hooks: [{ type: 'command', command: hookPath }],
+      hooks: [{ type: 'command', command: toBashPath(hookPath) }],
     });
     writeFileSync(SETTINGS_PATH, JSON.stringify(settings, null, 2));
     console.log(c.green + '  ✓ Registered in settings.json' + c.reset);
@@ -4401,26 +4397,26 @@ async function compileRules(rulesFile) {
 
 # Block dangerous commands
 - block: "rm -rf on root or home"
-  pattern: "rm\\\\s+-rf\\\\s+(\\\\/$|~)"
+  pattern: "rm\\s+-rf\\s+(\\/$|~)"
 
 - block: "git push to main"
-  pattern: "git\\\\s+push.*(main|master)"
+  pattern: "git\\s+push.*(main|master)"
 
 - block: "git force push"
-  pattern: "git\\\\s+push.*--force"
+  pattern: "git\\s+push.*--force"
 
 - block: "git add .env"
-  pattern: "git\\\\s+add.*\\\\.env"
+  pattern: "git\\s+add.*\\.env"
 
 # Auto-approve safe commands
 - approve: "read-only commands"
   commands: [cat, head, tail, ls, grep, find, which, pwd, date]
 
 - approve: "git read commands"
-  pattern: "^\\\\s*git\\\\s+(status|log|diff|show|branch)"
+  pattern: "^\\s*git\\s+(status|log|diff|show|branch)"
 
 - approve: "test runners"
-  pattern: "^\\\\s*(npm\\\\s+test|pytest|go\\\\s+test|cargo\\\\s+test)"
+  pattern: "^\\s*(npm\\s+test|pytest|go\\s+test|cargo\\s+test)"
 
 # Protect files from edits
 - protect: ".env"
@@ -4444,8 +4440,8 @@ async function compileRules(rulesFile) {
     const blockMatch = trimmed.match(/^-\s+block:\s+"(.+)"/);
     const approveMatch = trimmed.match(/^-\s+approve:\s+"(.+)"/);
     const protectMatch = trimmed.match(/^-\s+protect:\s+"(.+)"/);
-    const patternMatch = trimmed.match(/^\s+pattern:\s+"(.+)"/);
-    const commandsMatch = trimmed.match(/^\s+commands:\s+\[(.+)\]/);
+    const patternMatch = trimmed.match(/^pattern:\s+"(.+)"/);
+    const commandsMatch = trimmed.match(/^commands:\s+\[(.+)\]/);
 
     if (blockMatch) { current = { type: 'block', name: blockMatch[1] }; rules.push(current); }
     else if (approveMatch) { current = { type: 'approve', name: approveMatch[1] }; rules.push(current); }
@@ -4539,6 +4535,20 @@ FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
   writeFileSync(hookPath, script);
   chmodSync(hookPath, 0o755);
 
+  // Syntax check — a broken hook returns exit 2 which blocks ALL tools
+  const { execSync } = await import('child_process');
+  try {
+    execSync(`bash -n "${hookPath}"`, { stdio: 'pipe' });
+  } catch (e) {
+    const stderr = (e.stderr || '').toString().trim();
+    unlinkSync(hookPath);
+    console.log(c.red + '  ✗ Syntax error in generated hook — aborted' + c.reset);
+    if (stderr) console.log(c.dim + '    ' + stderr + c.reset);
+    console.log(c.dim + '  Check your rules file for unescaped special characters.' + c.reset);
+    console.log();
+    return;
+  }
+
   // Register in settings.json
   let settings = {};
   if (existsSync(SETTINGS_PATH)) {
@@ -5285,7 +5295,7 @@ async function main() {
     if (!exists) {
       settings.hooks[trigger].push({
         matcher: hook.matcher,
-        hooks: [{ type: 'command', command: hookPath }]
+        hooks: [{ type: 'command', command: toBashPath(hookPath) }]
       });
     }
   }
@@ -5297,10 +5307,13 @@ async function main() {
   console.log();
   console.log(c.bold + '  Done.' + c.reset + ' ' + Object.keys(HOOKS).length + ' safety hooks installed.');
   console.log('  ' + c.dim + 'Restart Claude Code to activate.' + c.reset);
-  console.log('  ' + c.dim + 'Verify:' + c.reset + ' ' + c.blue + 'npx cc-health-check' + c.reset);
   console.log();
-  console.log('  ' + c.dim + 'Need more? 16 hooks + templates for autonomous teams:' + c.reset);
-  console.log('  https://yurukusa.github.io/cc-ops-kit-landing/?utm_source=npm&utm_medium=cli&utm_campaign=safe-setup');
+  console.log('  ' + c.dim + 'Next steps:' + c.reset);
+  console.log('  ' + c.blue + '  --doctor' + c.reset + '            Verify hooks work');
+  console.log('  ' + c.blue + '  --simulate "cmd"' + c.reset + '    Test how hooks react');
+  console.log('  ' + c.blue + '  --shield' + c.reset + '            Maximum safety (recommended)');
+  console.log();
+  console.log('  ' + c.dim + '22 web tools: https://yurukusa.github.io/cc-safe-setup/hub.html' + c.reset);
   console.log();
 }
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "28.4.1",
-  "description": "One command to make Claude Code safe. 327 hooks (8 built-in + 319 examples). 45 CLI commands. 941 tests. 5 languages.",
+  "version": "28.4.2",
+  "description": "One command to make Claude Code safe. 336 hooks (8 built-in + 328 examples). 49 CLI commands. 978 tests. 5 languages.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"