cc-safe-setup 28.4.7 → 28.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (147) hide show
  1. package/examples/auto-approve-docker.sh +1 -0
  2. package/examples/auto-approve-test.sh +1 -0
  3. package/examples/auto-compact-prep.sh +19 -8
  4. package/examples/auto-git-checkpoint.sh +1 -0
  5. package/examples/backup-before-refactor.sh +1 -0
  6. package/examples/branch-naming-convention.sh +1 -0
  7. package/examples/check-accessibility.sh +1 -0
  8. package/examples/check-aria-labels.sh +1 -0
  9. package/examples/check-charset-meta.sh +1 -0
  10. package/examples/check-cookie-flags.sh +1 -0
  11. package/examples/check-cors-config.sh +1 -0
  12. package/examples/check-csp-headers.sh +1 -0
  13. package/examples/check-csrf-protection.sh +1 -0
  14. package/examples/check-dependency-age.sh +1 -0
  15. package/examples/check-dependency-license.sh +1 -0
  16. package/examples/check-dockerfile-best-practice.sh +1 -0
  17. package/examples/check-error-boundaries.sh +1 -0
  18. package/examples/check-error-handling.sh +1 -0
  19. package/examples/check-error-message.sh +1 -0
  20. package/examples/check-error-stack.sh +1 -0
  21. package/examples/check-favicon.sh +1 -0
  22. package/examples/check-git-hooks-compat.sh +1 -0
  23. package/examples/check-gitattributes.sh +1 -0
  24. package/examples/check-https-redirect.sh +1 -0
  25. package/examples/check-input-validation.sh +1 -0
  26. package/examples/check-lang-attribute.sh +1 -0
  27. package/examples/check-npm-scripts-exist.sh +1 -0
  28. package/examples/check-package-size.sh +1 -0
  29. package/examples/check-port-availability.sh +1 -0
  30. package/examples/check-rate-limiting.sh +1 -0
  31. package/examples/check-return-types.sh +1 -0
  32. package/examples/check-semantic-versioning.sh +1 -0
  33. package/examples/check-test-naming.sh +1 -0
  34. package/examples/check-tls-version.sh +1 -0
  35. package/examples/check-viewport-meta.sh +1 -0
  36. package/examples/claudemd-enforcer.sh +1 -0
  37. package/examples/cors-star-warn.sh +1 -0
  38. package/examples/docker-volume-guard.sh +1 -0
  39. package/examples/edit-verify.sh +1 -0
  40. package/examples/env-naming-convention.sh +1 -0
  41. package/examples/env-prod-guard.sh +1 -0
  42. package/examples/env-required-check.sh +1 -0
  43. package/examples/file-size-limit.sh +1 -0
  44. package/examples/git-hook-bypass-guard.sh +1 -0
  45. package/examples/git-merge-conflict-prevent.sh +1 -0
  46. package/examples/git-message-length.sh +1 -0
  47. package/examples/git-submodule-guard.sh +1 -0
  48. package/examples/git-tag-guard.sh +1 -0
  49. package/examples/gitignore-check.sh +1 -0
  50. package/examples/log-level-guard.sh +1 -0
  51. package/examples/max-file-count-guard.sh +1 -0
  52. package/examples/max-file-delete-count.sh +1 -0
  53. package/examples/max-function-length.sh +1 -0
  54. package/examples/max-import-count.sh +1 -0
  55. package/examples/max-subagent-count.sh +1 -0
  56. package/examples/mcp-tool-guard.sh +1 -0
  57. package/examples/no-absolute-import.sh +1 -0
  58. package/examples/no-alert-confirm-prompt.sh +1 -0
  59. package/examples/no-anonymous-default-export.sh +1 -0
  60. package/examples/no-any-type.sh +1 -0
  61. package/examples/no-assignment-in-condition.sh +1 -0
  62. package/examples/no-callback-hell.sh +1 -0
  63. package/examples/no-circular-dependency.sh +1 -0
  64. package/examples/no-cleartext-storage.sh +1 -0
  65. package/examples/no-commented-code.sh +1 -0
  66. package/examples/no-commit-fixup.sh +1 -0
  67. package/examples/no-console-assert.sh +1 -0
  68. package/examples/no-console-error-swallow.sh +1 -0
  69. package/examples/no-console-in-prod.sh +1 -0
  70. package/examples/no-console-log.sh +1 -0
  71. package/examples/no-console-time.sh +1 -0
  72. package/examples/no-curl-upload.sh +1 -0
  73. package/examples/no-dangerouslySetInnerHTML.sh +1 -0
  74. package/examples/no-debug-in-commit.sh +1 -0
  75. package/examples/no-deep-nesting.sh +1 -0
  76. package/examples/no-default-credentials.sh +1 -0
  77. package/examples/no-disabled-test.sh +1 -0
  78. package/examples/no-document-write.sh +1 -0
  79. package/examples/no-empty-function.sh +1 -0
  80. package/examples/no-eval-in-template.sh +1 -0
  81. package/examples/no-eval.sh +1 -0
  82. package/examples/no-exec-user-input.sh +1 -0
  83. package/examples/no-floating-promises.sh +1 -0
  84. package/examples/no-force-install.sh +1 -0
  85. package/examples/no-git-rebase-public.sh +1 -0
  86. package/examples/no-global-state.sh +1 -0
  87. package/examples/no-hardcoded-port.sh +1 -0
  88. package/examples/no-hardcoded-url.sh +1 -0
  89. package/examples/no-helmet-missing.sh +1 -0
  90. package/examples/no-http-without-https.sh +1 -0
  91. package/examples/no-inline-style.sh +1 -0
  92. package/examples/no-innerhtml.sh +1 -0
  93. package/examples/no-install-global.sh +1 -0
  94. package/examples/no-jwt-in-url.sh +1 -0
  95. package/examples/no-large-commit.sh +1 -0
  96. package/examples/no-localhost-expose.sh +1 -0
  97. package/examples/no-magic-number.sh +1 -0
  98. package/examples/no-md5-sha1.sh +1 -0
  99. package/examples/no-mixed-line-endings.sh +1 -0
  100. package/examples/no-mutation-in-reducer.sh +1 -0
  101. package/examples/no-nested-ternary.sh +1 -0
  102. package/examples/no-network-exfil.sh +1 -0
  103. package/examples/no-open-redirect.sh +1 -0
  104. package/examples/no-package-downgrade.sh +1 -0
  105. package/examples/no-package-lock-edit.sh +1 -0
  106. package/examples/no-path-join-user-input.sh +1 -0
  107. package/examples/no-port-bind.sh +1 -0
  108. package/examples/no-process-exit.sh +1 -0
  109. package/examples/no-prototype-pollution.sh +1 -0
  110. package/examples/no-push-without-ci.sh +1 -0
  111. package/examples/no-raw-password-in-url.sh +1 -0
  112. package/examples/no-root-write.sh +1 -0
  113. package/examples/no-secrets-in-logs.sh +1 -0
  114. package/examples/no-sensitive-log.sh +1 -0
  115. package/examples/no-sleep-in-hooks.sh +1 -0
  116. package/examples/no-string-concat-sql.sh +1 -0
  117. package/examples/no-sudo-guard.sh +1 -0
  118. package/examples/no-sync-fs.sh +1 -0
  119. package/examples/no-todo-in-merge.sh +1 -0
  120. package/examples/no-todo-without-issue.sh +1 -0
  121. package/examples/no-unused-import.sh +1 -0
  122. package/examples/no-var-keyword.sh +1 -0
  123. package/examples/no-wildcard-cors.sh +1 -0
  124. package/examples/no-wildcard-delete.sh +1 -0
  125. package/examples/no-wildcard-import.sh +1 -0
  126. package/examples/no-with-statement.sh +1 -0
  127. package/examples/no-write-outside-src.sh +1 -0
  128. package/examples/no-xml-external-entity.sh +1 -0
  129. package/examples/npm-audit-warn.sh +1 -0
  130. package/examples/npm-publish-guard.sh +1 -0
  131. package/examples/npm-script-injection.sh +1 -0
  132. package/examples/package-json-guard.sh +1 -0
  133. package/examples/pr-description-check.sh +1 -0
  134. package/examples/prefer-const.sh +1 -0
  135. package/examples/prefer-optional-chaining.sh +1 -0
  136. package/examples/rate-limit-guard.sh +1 -0
  137. package/examples/readme-exists-check.sh +1 -0
  138. package/examples/session-state-saver.sh +1 -0
  139. package/examples/session-summary.sh +1 -0
  140. package/examples/skill-gate.sh +1 -0
  141. package/examples/sql-injection-detect.sh +1 -0
  142. package/examples/subagent-budget-guard.sh +1 -0
  143. package/examples/test-before-commit.sh +1 -0
  144. package/examples/timezone-guard.sh +1 -0
  145. package/examples/usage-warn.sh +1 -0
  146. package/examples/write-test-ratio.sh +1 -0
  147. package/package.json +2 -2
package/examples/no-hardcoded-url.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  if echo "$CONTENT" | grep -qE "http://localhost:[0-9]+|http://127\.0\.0\.1"; then echo "NOTE: Hardcoded localhost URL — use env var instead" >&2; fi
package/examples/no-helmet-missing.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "express\(\)" && ! echo "$CONTENT" | grep -q "helmet" && echo "NOTE: Express without helmet()" >&2
package/examples/no-http-without-https.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "http://[^l]" && ! echo "$CONTENT" | grep -q "localhost" && echo "NOTE: http:// without TLS" >&2
package/examples/no-inline-style.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  INPUT=$(cat)
2
3
  CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
3
4
  [ -z "$CONTENT" ] && exit 0
package/examples/no-innerhtml.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "\.innerHTML\s*=" && echo "WARNING: innerHTML XSS risk" >&2
package/examples/no-install-global.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  if echo "$COMMAND" | grep -qE 'npm\s+install\s+-g\s|npm\s+i\s+-g\s'; then
package/examples/no-jwt-in-url.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qiE "token=eyJ|\?jwt=" && echo "WARNING: JWT in URL params" >&2
package/examples/no-large-commit.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  INPUT=$(cat)
2
3
  COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
3
4
  [ -z "$COMMAND" ] && exit 0
package/examples/no-localhost-expose.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  if echo "$COMMAND" | grep -qE "0\.0\.0\.0|INADDR_ANY|--host\s+0"; then echo "WARNING: Binding to all interfaces exposes service to network" >&2; fi
package/examples/no-magic-number.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  INPUT=$(cat)
2
3
  CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
3
4
  [ -z "$CONTENT" ] && exit 0
package/examples/no-md5-sha1.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qiE "createHash\(.*(md5|sha1)" && echo "WARNING: Weak hash (md5/sha1)" >&2
package/examples/no-mixed-line-endings.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  if echo "$CONTENT" | grep -qP "\r\n" && echo "$CONTENT" | grep -qP "[^\r]\n"; then echo "NOTE: Mixed line endings (CRLF + LF)" >&2; fi
package/examples/no-mutation-in-reducer.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "(state\.\w+\s*=|\.push\(|\.splice\()" && echo "$CONTENT" | grep -q "reducer\|Reducer" && echo "WARNING: Direct state mutation in reducer" >&2
package/examples/no-nested-ternary.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "\?.*\?.*:" && echo "NOTE: Nested ternary detected — use if/else" >&2
package/examples/no-network-exfil.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  if echo "$COMMAND" | grep -qE 'curl\s+.*(-X\s+POST|--data|--upload-file|-F\s).*[^localhost]'; then
package/examples/no-open-redirect.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "redirect\(req\.(query|params|body)" && echo "WARNING: Open redirect risk" >&2
package/examples/no-package-downgrade.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  if echo "$COMMAND" | grep -qE "npm\s+install\s+\S+@[0-9]" && echo "$COMMAND" | grep -qE "@[0-1]\."; then echo "WARNING: Possible package downgrade" >&2; fi
package/examples/no-package-lock-edit.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
2
3
  [ -z "$FILE" ] && exit 0
3
4
  case "$FILE" in */package-lock.json|*/yarn.lock|*/pnpm-lock.yaml|*/Cargo.lock)
package/examples/no-path-join-user-input.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "path\.(join|resolve)\(.*req\." && echo "WARNING: Path traversal risk" >&2
package/examples/no-port-bind.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  if echo "$COMMAND" | grep -qE '(--port|--listen|-p\s+\d|0\.0\.0\.0|INADDR_ANY|nc\s+-l)'; then
package/examples/no-process-exit.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "process\.exit\(" && echo "NOTE: process.exit() may cause issues in library code" >&2
package/examples/no-prototype-pollution.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "__proto__|Object\.assign\(\{\}," && echo "WARNING: Potential prototype pollution" >&2
package/examples/no-push-without-ci.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  INPUT=$(cat)
2
3
  COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
3
4
  [ -z "$COMMAND" ] && exit 0
package/examples/no-raw-password-in-url.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  # TRIGGER: PostToolUse MATCHER: "Edit|Write"
2
3
  CONTENT=$(cat | jq -r ".tool_input.new_string // empty" 2>/dev/null)
3
4
  [ -z "$CONTENT" ] && exit 0
package/examples/no-root-write.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
2
3
  [ -z "$FILE" ] && exit 0
3
4
  case "$FILE" in /etc/*|/usr/*|/bin/*|/sbin/*|/boot/*|/sys/*|/proc/*)
package/examples/no-secrets-in-logs.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  OUTPUT=$(cat | jq -r '.tool_result // empty' 2>/dev/null)
2
3
  [ -z "$OUTPUT" ] && exit 0
3
4
  echo "$OUTPUT" | grep -qiE 'password|api.key|secret.key|bearer\s+[a-zA-Z0-9]' && echo "WARNING: Secret in output" >&2
package/examples/no-sensitive-log.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  if echo "$COMMAND" | grep -qiE "console\.\(log\|warn\|error\).*password|log.*token|print.*secret"; then echo "WARNING: Logging sensitive data" >&2; fi
package/examples/no-sleep-in-hooks.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  INPUT=$(cat)
2
3
  FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
3
4
  [ -z "$FILE" ] && exit 0
package/examples/no-string-concat-sql.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qiE "\"SELECT.*\+|'SELECT.*\+" && echo "WARNING: String concatenation in SQL — use parameterized queries" >&2
package/examples/no-sudo-guard.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  if echo "$COMMAND" | grep -qE '^\s*sudo\s'; then
package/examples/no-sync-fs.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "readFileSync|writeFileSync|mkdirSync|existsSync" && echo "NOTE: Sync fs in hot path — consider async" >&2
package/examples/no-todo-in-merge.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  COMMAND=$(cat | jq -r ".tool_input.command // empty" 2>/dev/null); echo "$COMMAND" | grep -qE "git\s+merge" && git diff --cached 2>/dev/null | grep -q "TODO" && echo "WARNING: TODO markers in merge target" >&2
package/examples/no-todo-without-issue.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "TODO[^(]|FIXME[^(]" && ! echo "$CONTENT" | grep -qE "TODO\(#|FIXME\(#" && echo "NOTE: TODO without issue reference" >&2
package/examples/no-unused-import.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "^import.*from" && echo "$CONTENT" | grep -cE "^import" | xargs -I{} test {} -gt 10 && echo "NOTE: Many imports — check for unused ones" >&2
package/examples/no-var-keyword.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "^\s*var\s" && echo "NOTE: var keyword — use const/let" >&2
package/examples/no-wildcard-cors.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "Access-Control.*\*" && echo "WARNING: Wildcard CORS origin" >&2
package/examples/no-wildcard-delete.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  # TRIGGER: PreToolUse MATCHER: "Bash"
2
3
  COMMAND=$(cat | jq -r ".tool_input.command // empty" 2>/dev/null)
3
4
  [ -z "$COMMAND" ] && exit 0
package/examples/no-wildcard-import.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  INPUT=$(cat)
2
3
  COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
3
4
  CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
package/examples/no-with-statement.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "\bwith\s*\(" && echo "WARNING: with statement is deprecated" >&2
package/examples/no-write-outside-src.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
2
3
  [ -z "$FILE" ] && exit 0
3
4
  case "$FILE" in
package/examples/no-xml-external-entity.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "parseXML|xml2js|DOMParser|libxml" && echo "$CONTENT" | grep -q "ENTITY" && echo "WARNING: Possible XXE in XML parsing" >&2
package/examples/npm-audit-warn.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  echo "$COMMAND" | grep -qE "^\s*npm\s+install" && echo "NOTE: Run npm audit after install" >&2
package/examples/npm-publish-guard.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  if echo "$COMMAND" | grep -qE '^\s*npm\s+publish'; then
package/examples/npm-script-injection.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // empty' 2>/dev/null)
2
3
  FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
3
4
  [ -z "$CONTENT" ] && exit 0
package/examples/package-json-guard.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  if echo "$COMMAND" | grep -qE '\brm\b.*package\.json'; then
package/examples/pr-description-check.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  INPUT=$(cat)
2
3
  COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
3
4
  CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
package/examples/prefer-const.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "^\s*let\s+\w+\s*=" && echo "NOTE: Consider const if not reassigned" >&2
package/examples/prefer-optional-chaining.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  echo "$CONTENT" | grep -qE "\w+\s*&&\s*\w+\.\w+" && echo "NOTE: Consider optional chaining (?.) instead" >&2
package/examples/rate-limit-guard.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  INPUT=$(cat)
2
3
  COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
3
4
  CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
package/examples/readme-exists-check.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
2
3
  [ -z "$CONTENT" ] && exit 0
3
4
  COMMAND=$(cat | jq -r ".tool_input.command // empty" 2>/dev/null); echo "$COMMAND" | grep -qE "git\s+commit" && [ ! -f "README.md" ] && echo "NOTE: No README.md in project" >&2
package/examples/session-state-saver.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  INPUT=$(cat)
2
3
  TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
3
4
  STATE_DIR="${HOME}/.claude"
package/examples/session-summary.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  echo "" >&2
2
3
  echo "=== Session Summary ===" >&2
3
4
  BRANCH=$(git branch --show-current 2>/dev/null)
package/examples/skill-gate.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  INPUT=$(cat)
2
3
  TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
3
4
  [[ "$TOOL" != "Skill" ]] && exit 0
package/examples/sql-injection-detect.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  INPUT=$(cat)
2
3
  CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
3
4
  [ -z "$CONTENT" ] && exit 0
package/examples/subagent-budget-guard.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  INPUT=$(cat)
2
3
  TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
3
4
  [[ "$TOOL" != "Agent" ]] && exit 0
package/examples/test-before-commit.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
package/examples/timezone-guard.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  if echo "$COMMAND" | grep -qE "TZ=|--timezone" && ! echo "$COMMAND" | grep -q "UTC"; then echo "NOTE: Non-UTC timezone in command" >&2; fi
package/examples/usage-warn.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COUNTER="${HOME}/.claude/session-tool-count"
2
3
  COUNT=$(cat "$COUNTER" 2>/dev/null || echo 0)
3
4
  COUNT=$((COUNT + 1))
package/examples/write-test-ratio.sh CHANGED
@@ -1,3 +1,4 @@
1
+ #!/bin/bash
1
2
  COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
2
3
  [ -z "$COMMAND" ] && exit 0
3
4
  echo "$COMMAND" | grep -qE "^\s*git\s+commit" || exit 0; S=$(git diff --cached --name-only 2>/dev/null | grep -cvE "test|spec" || echo 0); T=$(git diff --cached --name-only 2>/dev/null | grep -cE "test|spec" || echo 0); [ "$S" -gt 5 ] && [ "$T" -eq 0 ] && echo "WARNING: $S source files, 0 test files" >&2
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "cc-safe-setup",
3
- "version": "28.4.7",
4
- "description": "One command to make Claude Code safe. 336 hooks (8 built-in + 330 examples). 49 CLI commands. 987 tests. 5 languages.",
3
+ "version": "28.4.9",
4
+ "description": "One command to make Claude Code safe. 336 hooks (8 built-in + 330 examples). 49 CLI commands. 988 tests. 5 languages.",
5
5
  "main": "index.mjs",
6
6
  "bin": {
7
7
  "cc-safe-setup": "index.mjs"