cc-safe-setup 28.4.8 → 28.5.0

package/COOKBOOK.md

@@ -0,0 +1,143 @@
+# Cookbook — cc-safe-setup Recipes
+
+Real-world recipes for common safety scenarios. Each recipe is a single command.
+
+## Getting Started
+
+| I want to... | Command |
+|---|---|
+| Install basic safety | `npx cc-safe-setup` |
+| Maximum protection | `npx cc-safe-setup --shield` |
+| Check my setup | `npx cc-safe-setup --doctor` |
+| See my safety score | `npx cc-safe-setup --audit` |
+
+## Blocking Dangerous Commands
+
+### Block rm -rf on home/root
+Already included in the default install. To verify:
+```bash
+npx cc-safe-setup --simulate "rm -rf ~"
+# Expected: BLOCKED
+```
+
+### Block database wipes
+```bash
+npx cc-safe-setup --install-example block-database-wipe
+```
+Blocks: `prisma migrate reset`, `rails db:drop`, `DROP TABLE`, etc.
+
+### Block npm publish accidents
+```bash
+npx cc-safe-setup --install-example npm-publish-guard
+```
+
+## Auto-Approving Safe Commands
+
+### Approve read-only commands (cat, ls, grep)
+```bash
+npx cc-safe-setup --install-example auto-approve-readonly
+```
+
+### Approve test runners
+```bash
+npx cc-safe-setup --install-example auto-approve-test
+```
+Covers: `npm test`, `pytest`, `go test`, `cargo test`, `jest`, `vitest`
+
+### Approve git read commands (status, log, diff)
+```bash
+npx cc-safe-setup --install-example auto-approve-git-read
+```
+
+## File Protection
+
+### Protect .env files from edits
+```bash
+npx cc-safe-setup --protect .env
+```
+
+### Protect CLAUDE.md from unauthorized changes
+```bash
+npx cc-safe-setup --install-example protect-claudemd
+```
+
+### Protect dotfiles (~/.bashrc, ~/.aws/)
+```bash
+npx cc-safe-setup --install-example protect-dotfiles
+```
+
+## YAML Rules (No Coding)
+
+Write rules in YAML, compile to hooks:
+
+```yaml
+# rules.yaml
+- block: "rm -rf on root"
+  pattern: "rm\s+-rf\s+(\/$|~)"
+
+- approve: "read-only commands"
+  commands: [cat, ls, grep, head, tail]
+
+- protect: ".env"
+```
+
+```bash
+npx cc-safe-setup --rules rules.yaml
+```
+
+## Monitoring & Recovery
+
+### Auto-save checkpoint before compaction
+```bash
+npx cc-safe-setup --install-example auto-compact-prep
+```
+
+### Track context window usage
+```bash
+npx cc-safe-setup --install-example compact-reminder
+```
+
+### Fix hook permissions on Windows/plugins
+```bash
+npx cc-safe-setup --install-example hook-permission-fixer
+```
+
+### Prevent tool call loops
+```bash
+npx cc-safe-setup --install-example response-budget-guard
+```
+
+## Diagnosing Problems
+
+### Why isn't my hook working?
+```bash
+npx cc-safe-setup --doctor
+```
+Checks: jq, settings.json, file existence, permissions, shebangs, exit codes.
+
+### Test a specific hook
+```bash
+npx cc-safe-setup --test-hook destructive-guard
+```
+
+### Preview how hooks react to a command
+```bash
+npx cc-safe-setup --simulate "git push --force origin main"
+```
+
+## Web Tools
+
+All browser-based, nothing leaves your machine:
+
+- [Safety Hub](https://yurukusa.github.io/cc-safe-setup/hub.html) — All 23 tools
+- [Validator](https://yurukusa.github.io/cc-safe-setup/validator.html) — Paste settings.json, get score
+- [Permission Checker](https://yurukusa.github.io/cc-safe-setup/permission-checker.html) — Find broken paths
+- [Playground](https://yurukusa.github.io/cc-safe-setup/playground.html) — Write and test hooks
+- [Hook Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) — Generate hooks from English
+
+## Further Reading
+
+- [Getting Started](https://yurukusa.github.io/cc-safe-setup/getting-started.html)
+- [Common Mistakes](https://yurukusa.github.io/cc-safe-setup/common-mistakes.html)
+- [Troubleshooting](TROUBLESHOOTING.md)
+- [Settings Reference](SETTINGS_REFERENCE.md)

package/README.md

@@ -356,6 +356,7 @@ See [Issue #1](https://github.com/yurukusa/cc-safe-setup/issues/1) for details.
 
 ## Learn More
 
+- [Cookbook](COOKBOOK.md) — 26 practical recipes (block, approve, protect, monitor, diagnose)
 - [Official Hooks Reference](https://docs.anthropic.com/en/docs/claude-code/hooks) — Claude Code hooks documentation
 - [Hooks Cookbook](https://github.com/yurukusa/claude-code-hooks/blob/main/COOKBOOK.md) — 25 recipes from real GitHub Issues ([interactive version](https://yurukusa.github.io/claude-code-hooks/))
 - [Japanese guide (Qiita)](https://qiita.com/yurukusa/items/a9714b33f5d974e8f1e8) — この記事の日本語解説

package/examples/auto-approve-docker.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 [ "$TOOL" != "Bash" ] && exit 0

package/examples/auto-approve-test.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 if echo "$COMMAND" | grep -qE '^\s*(npm\s+test|npm\s+run\s+test|npx\s+(jest|vitest|mocha|ava|tap|playwright\s+test|cypress\s+run)|yarn\s+test|pnpm\s+test|bun\s+test)\b'; then

package/examples/auto-compact-prep.sh

@@ -1,3 +1,18 @@
+#!/bin/bash
+# ================================================================
+# auto-compact-prep.sh — Save checkpoint before context compaction
+# ================================================================
+# PURPOSE:
+#   Tracks tool call count per session. When threshold is reached,
+#   saves a checkpoint file with git state so Claude can recover
+#   context after automatic compaction.
+#
+# TRIGGER: PreToolUse  MATCHER: ""
+#
+# CONFIG:
+#   CC_COMPACT_PREP_THRESHOLD=200  (save checkpoint after N tool calls)
+# ================================================================
+
 INPUT=$(cat)
 STATE_DIR="${HOME}/.claude"
 COUNTER_FILE="${STATE_DIR}/session-call-count"
@@ -5,15 +20,11 @@ PREP_FLAG="${STATE_DIR}/compact-prep-done"
 CHECKPOINT=".claude/pre-compact-checkpoint.md"
 COUNT=0
 [ -f "$COUNTER_FILE" ] && COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
-if [ "$COUNT" -eq 0 ]; then
-    COUNT=1
-    echo "$COUNT" > "$COUNTER_FILE"
-else
-    COUNT=$((COUNT + 1))
-    echo "$COUNT" > "$COUNTER_FILE"
-fi
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+
 THRESHOLD=${CC_COMPACT_PREP_THRESHOLD:-200}
-if (( COUNT >= THRESHOLD )) && [ ! -f "$PREP_FLAG" ]; then
+if [ "$COUNT" -ge "$THRESHOLD" ] && [ ! -f "$PREP_FLAG" ]; then
     mkdir -p "$(dirname "$CHECKPOINT")" 2>/dev/null
     BRANCH=$(git branch --show-current 2>/dev/null || echo "?")
     DIRTY=$(git status --porcelain 2>/dev/null | wc -l)

package/examples/auto-git-checkpoint.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)

package/examples/backup-before-refactor.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)

package/examples/branch-naming-convention.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)

package/examples/check-accessibility.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "<img[^>]+(?!alt=)" && echo "NOTE: img without alt attribute" >&2

package/examples/check-aria-labels.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "<(button|a|input)[^>]*>" && ! echo "$CONTENT" | grep -q "aria-" && echo "NOTE: Interactive element without ARIA" >&2

package/examples/check-charset-meta.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -q "<head" && ! echo "$CONTENT" | grep -q "charset" && echo "NOTE: Missing charset meta" >&2

package/examples/check-cookie-flags.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "setCookie|res\.cookie" && ! echo "$CONTENT" | grep -q "secure" && echo "NOTE: Cookie without secure flag" >&2

package/examples/check-cors-config.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "cors\(\{.*origin.*true" && echo "NOTE: Permissive CORS config" >&2

package/examples/check-csp-headers.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "Content-Security-Policy" || (echo "$CONTENT" | grep -q "helmet" && echo "NOTE: Consider adding CSP headers" >&2)

package/examples/check-csrf-protection.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "<form.*method.*POST" && ! echo "$CONTENT" | grep -qE "csrf|_token|csrfmiddleware" && echo "NOTE: Form without CSRF protection" >&2

package/examples/check-dependency-age.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "NOTE: Run npm outdated to check dependency age" >&2

package/examples/check-dependency-license.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 COMMAND=$(cat | jq -r ".tool_input.command // empty" 2>/dev/null); echo "$COMMAND" | grep -qE "npm\s+install\s+\w" && echo "NOTE: Check dependency license before adding" >&2

package/examples/check-dockerfile-best-practice.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 case "$FILE" in *Dockerfile*) ;; *) exit 0;; esac
 CONTENT=$(cat | jq -r '.tool_input.new_string // empty' 2>/dev/null)

package/examples/check-error-boundaries.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "class.*extends.*Component|function.*\(\)" && echo "$CONTENT" | grep -q "render" && ! echo "$CONTENT" | grep -q "ErrorBoundary" && echo "NOTE: Consider adding ErrorBoundary" >&2

package/examples/check-error-handling.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "\.then\(" && ! echo "$CONTENT" | grep -q "\.catch" && echo "NOTE: Promise without .catch()" >&2

package/examples/check-error-message.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "throw new Error\(['\"](error|Error|something went wrong)" && echo "NOTE: Generic error message — be specific" >&2

package/examples/check-error-stack.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "res\.(send|json)\(.*err\.(stack|message)" && echo "WARNING: Exposing error details to client" >&2

package/examples/check-favicon.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -q "<head" && ! echo "$CONTENT" | grep -q "favicon" && echo "NOTE: Missing favicon link" >&2

package/examples/check-git-hooks-compat.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0

package/examples/check-gitattributes.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 # TRIGGER: PreToolUse  MATCHER: "Bash"
 COMMAND=$(cat | jq -r ".tool_input.command // empty" 2>/dev/null)
 echo "$COMMAND" | grep -qE "git\s+add.*\.(zip|tar|bin|exe)" && [ ! -f ".gitattributes" ] && echo "NOTE: Binary file without .gitattributes LFS config" >&2

package/examples/check-https-redirect.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "http://" && echo "$CONTENT" | grep -q "redirect" && ! echo "$CONTENT" | grep -q "https" && echo "NOTE: HTTP redirect without HTTPS" >&2

package/examples/check-input-validation.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "req\.(body|query|params)\.\w+" && ! echo "$CONTENT" | grep -qE "validate|sanitize|Joi|zod|yup" && echo "NOTE: User input without validation" >&2

package/examples/check-lang-attribute.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "<html[^>]*>" && ! echo "$CONTENT" | grep -q "lang=" && echo "NOTE: Missing lang attribute" >&2

package/examples/check-npm-scripts-exist.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 FILE=$(cat | jq -r ".tool_input.file_path // empty" 2>/dev/null); case "$FILE" in *package.json) ;; *) exit 0;; esac; echo "$CONTENT" | grep -qE "npm run [a-z]+" && echo "NOTE: Verify referenced npm scripts exist" >&2

package/examples/check-package-size.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 case "$FILE" in *package.json) ;; *) exit 0;; esac
 CONTENT=$(cat | jq -r '.tool_input.new_string // empty' 2>/dev/null)

package/examples/check-port-availability.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 COMMAND=$(cat | jq -r ".tool_input.command // empty" 2>/dev/null); echo "$COMMAND" | grep -qE "listen\(|--port|:3000|:8080" && echo "NOTE: Check port availability before starting server" >&2

package/examples/check-rate-limiting.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "app\.(get|post|put|delete)\(" && ! echo "$CONTENT" | grep -q "rateLimit" && echo "NOTE: API endpoint without rate limiting" >&2

package/examples/check-return-types.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "function\s+\w+\([^)]*\)\s*{" && ! echo "$CONTENT" | grep -q ": " && echo "NOTE: Missing return type annotation" >&2

package/examples/check-semantic-versioning.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "\"version\":\s*\"[^0-9]" && echo "NOTE: Non-semver version string" >&2

package/examples/check-test-naming.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "it\(['\"](test|check|should)\s" && echo "NOTE: Non-descriptive test name" >&2

package/examples/check-tls-version.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "TLSv1[^.]|SSLv3" && echo "WARNING: Weak TLS version" >&2

package/examples/check-viewport-meta.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -q "<head" && ! echo "$CONTENT" | grep -q "viewport" && echo "NOTE: Missing viewport meta" >&2

package/examples/claudemd-enforcer.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/cors-star-warn.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 # PostToolUse matcher: Edit|Write

package/examples/docker-volume-guard.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 if echo "$COMMAND" | grep -qE '\bdocker\s+volume\s+(rm|prune)\b'; then

package/examples/edit-verify.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)

package/examples/env-naming-convention.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 # TRIGGER: PostToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r ".tool_input.new_string // empty" 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0

package/examples/env-prod-guard.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 if echo "$COMMAND" | grep -qiE "(NODE_ENV|RAILS_ENV|FLASK_ENV)=production"; then echo "WARNING: Production env detected in command" >&2; fi

package/examples/env-required-check.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "process\.env\.\w+\s*\|\|" || echo "$CONTENT" | grep -qE "process\.env\.\w+!" && echo "NOTE: Env var without default — add fallback" >&2

package/examples/file-size-limit.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)

package/examples/git-hook-bypass-guard.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 if echo "$COMMAND" | grep -qE "git\s+(commit|push|merge).*--no-verify"; then echo "WARNING: --no-verify bypasses git hooks" >&2; fi

package/examples/git-merge-conflict-prevent.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0

package/examples/git-message-length.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 echo "$COMMAND" | grep -qE "git\s+commit\s+-m" || exit 0; MSG=$(echo "$COMMAND" | grep -oP "(?<=-m\s[\x27\x22])[^\x27\x22]+"); [ ${#MSG} -lt 10 ] && echo "WARNING: Commit message too short (${#MSG} chars)" >&2

package/examples/git-submodule-guard.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 if echo "$COMMAND" | grep -qE '\bgit\s+submodule\s+(deinit|rm)\b'; then

package/examples/git-tag-guard.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 if echo "$COMMAND" | grep -qE 'git\s+tag\s+(-a\s+|-d\s+)?v'; then

package/examples/gitignore-check.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 echo "$COMMAND" | grep -qE '^\s*git\s+add' || exit 0

package/examples/log-level-guard.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0

package/examples/max-file-count-guard.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 [ -z "$FILE" ] && exit 0

package/examples/max-file-delete-count.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 if echo "$COMMAND" | grep -qE "^\s*rm\b"; then COUNT=$(echo "$COMMAND" | tr " " "\n" | grep -cvE "^-" | head -1); [ "$COUNT" -gt 5 ] && echo "WARNING: Deleting $COUNT files at once" >&2; fi

package/examples/max-function-length.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 LINES=$(echo "$CONTENT" | wc -l); [ "$LINES" -gt 100 ] && echo "NOTE: Edit adds 100+ lines — consider splitting" >&2

package/examples/max-import-count.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 IMPORTS=$(echo "$CONTENT" | grep -cE "^(import|from|require)" || echo 0); [ "$IMPORTS" -gt 20 ] && echo "NOTE: $IMPORTS imports — consider splitting module" >&2

package/examples/max-subagent-count.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 STATE="/tmp/cc-subagent-count"; C=$(cat "$STATE" 2>/dev/null || echo 0); echo $((C+1)) > "$STATE"; [ "$C" -gt 5 ] && echo "WARNING: $C subagents spawned this session" >&2

package/examples/mcp-tool-guard.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 echo "$TOOL" | grep -q '^mcp__' || exit 0

package/examples/no-absolute-import.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 if echo "$CONTENT" | grep -qE "from ['\"]/|require\(['\"]/"; then echo "NOTE: Absolute import path detected" >&2; fi

package/examples/no-alert-confirm-prompt.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "\balert\(|\bconfirm\(|\bprompt\(" && echo "WARNING: alert/confirm/prompt in code" >&2

package/examples/no-anonymous-default-export.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 # TRIGGER: PostToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r ".tool_input.new_string // empty" 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0

package/examples/no-any-type.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE ": any\b|<any>" && echo "NOTE: TypeScript any detected — add proper types" >&2

package/examples/no-assignment-in-condition.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "if\s*\([^=]*=[^=]" && echo "NOTE: Assignment in condition (use ===)" >&2

package/examples/no-callback-hell.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 DEPTH=$(echo "$CONTENT" | grep -c "function\s*("); [ "$DEPTH" -gt 3 ] && echo "NOTE: Possible callback hell ($DEPTH levels)" >&2

package/examples/no-circular-dependency.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 case "$FILE" in *package.json) ;; *) exit 0;; esac
 CONTENT=$(cat | jq -r '.tool_input.new_string // empty' 2>/dev/null)

package/examples/no-cleartext-storage.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "localStorage\.setItem.*password|sessionStorage.*token" && echo "WARNING: Storing secrets in browser storage" >&2

package/examples/no-commented-code.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 COMMENTED=$(echo "$CONTENT" | grep -cE "^\s*(//|#)\s*(if|for|while|function|const|let|var|import|class)" || echo 0); [ "$COMMENTED" -gt 5 ] && echo "NOTE: Large block of commented code — delete or uncomment" >&2

package/examples/no-commit-fixup.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0

package/examples/no-console-assert.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -q "console.assert" && echo "NOTE: console.assert in code" >&2

package/examples/no-console-error-swallow.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 if echo "$CONTENT" | grep -qE "catch\s*\([^)]*\)\s*\{[\s\n]*\}|except:[\s\n]*pass"; then echo "WARNING: Empty catch/except block swallows errors" >&2; fi