npm - cc-safe-setup - Versions diffs - 28.5.0 → 28.6.0 - Mend

cc-safe-setup 28.5.0 → 28.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/COOKBOOK.md +10 -0
package/README.md +1 -1
package/TROUBLESHOOTING.md +28 -0
package/examples/allow-git-hooks-dir.sh +29 -0
package/index.mjs +6 -3
package/package.json +2 -2

package/COOKBOOK.md CHANGED Viewed

@@ -135,6 +135,16 @@ All browser-based, nothing leaves your machine:
 - [Playground](https://yurukusa.github.io/cc-safe-setup/playground.html) — Write and test hooks
 - [Hook Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) — Generate hooks from English
+## 27. Bypass Protected Directory Prompts (PermissionRequest)
+PreToolUse hooks can't bypass built-in protected-directory checks — they run *before* those checks. Use PermissionRequest instead:
+```bash
+npx cc-safe-setup --install-example allow-git-hooks-dir
+```
+Or manually: create a PermissionRequest hook that outputs `permissionDecision: "allow"`. See [Troubleshooting](TROUBLESHOOTING.md#pretooluse-allow-doesnt-bypass-protected-directory-prompts) for details.
 ## Further Reading
 - [Getting Started](https://yurukusa.github.io/cc-safe-setup/getting-started.html)

package/README.md CHANGED Viewed

@@ -87,7 +87,7 @@ Each hook exists because a real incident happened without it.
 | `--scan [--apply]` | Tech stack detection |
 | `--export / --import` | Team config sharing |
 | `--verify` | Test each hook |
-| `--install-example <name>` | Install from 316 examples |
+| `--install-example <name>` | Install from 331 examples |
 | `--examples [filter]` | Browse examples by keyword |
 | `--full` | All-in-one setup |
 | `--status` | Check installed hooks |

package/TROUBLESHOOTING.md CHANGED Viewed

@@ -132,6 +132,34 @@ jq -n '...'
 Auto-approve JSON must go to stdout.
+## "PreToolUse allow doesn't bypass protected directory prompts"
+This is expected behavior, not a bug.
+**Execution order:**
+1. PreToolUse hooks run
+2. Built-in protected-directory checks run (`.claude/`, `.git/`, etc.)
+3. PermissionRequest hooks run
+PreToolUse's `permissionDecision: "allow"` gets overridden by the built-in checks in step 2. To bypass protected directory prompts, use **PermissionRequest** hooks instead:
+```bash
+#!/bin/bash
+# Save as: ~/.claude/hooks/allow-protected-dir.sh
+# Trigger: PermissionRequest (not PreToolUse)
+INPUT=$(cat)
+PATH_TARGET=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.command // empty')
+# Allow writes to a specific protected directory
+if echo "$PATH_TARGET" | grep -q '/my-project/.git/hooks'; then
+  jq -n '{hookSpecificOutput: {hookEventName: "PermissionRequest", permissionDecision: "allow", permissionDecisionReason: "Allowed: git hooks directory"}}'
+  exit 0
+fi
+exit 0
+```
+**Rule of thumb:** PreToolUse = block dangerous actions. PermissionRequest = allow trusted actions that trigger built-in prompts.
 ## "Permission prompts still appear for compound commands"
 This is a known Claude Code limitation, not a hook issue. `Bash(git:*)` doesn't match `cd /path && git log`.

package/examples/allow-git-hooks-dir.sh ADDED Viewed

@@ -0,0 +1,29 @@
+#!/bin/bash
+# allow-git-hooks-dir.sh — PermissionRequest hook
+# Trigger: PermissionRequest
+# Matcher: Edit|Write
+#
+# Bypasses the built-in protected-directory prompt for .git/hooks/.
+# PreToolUse hooks can't do this — they run before built-in checks.
+# PermissionRequest runs after, so it can override the prompt.
+#
+# WARNING: Only allow specific subdirectories you trust.
+# Never blanket-allow all of .git/ — that exposes HEAD, config, etc.
+INPUT=$(cat)
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE_PATH" ] && exit 0
+# Only allow .git/hooks/ writes (e.g., pre-commit, pre-push)
+if echo "$FILE_PATH" | grep -qE '\.git/hooks/[^/]+$'; then
+  jq -n '{
+    hookSpecificOutput: {
+      hookEventName: "PermissionRequest",
+      permissionDecision: "allow",
+      permissionDecisionReason: "Allowed: git hooks directory"
+    }
+  }'
+  exit 0
+fi
+exit 0

package/index.mjs CHANGED Viewed

@@ -601,9 +601,12 @@ async function installExample(name) {
   let matcher = 'Bash';
   // Detect trigger from header comments
-  if (content.includes('PostToolUse')) trigger = 'PostToolUse';
-  if (content.includes('Notification')) trigger = 'Notification';
-  if (content.includes('Stop')) trigger = 'Stop';
+  if (content.includes('TRIGGER: PostToolUse') || content.includes('PostToolUse')) trigger = 'PostToolUse';
+  if (content.includes('TRIGGER: Notification') || content.includes('Notification')) trigger = 'Notification';
+  if (content.includes('TRIGGER: Stop') || content.includes('Stop')) trigger = 'Stop';
+  if (content.includes('TRIGGER: SessionStart') || content.includes('SessionStart')) trigger = 'SessionStart';
+  if (content.includes('TRIGGER: PreCompact') || content.includes('PreCompact')) trigger = 'PreCompact';
+  if (content.includes('TRIGGER: SessionEnd') || content.includes('SessionEnd')) trigger = 'SessionEnd';
   // Detect matcher from header
   const matcherMatch = content.match(/"matcher":\s*"([^"]*)"/);

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "28.5.0",
-  "description": "One command to make Claude Code safe. 336 hooks (8 built-in + 330 examples). 49 CLI commands. 988 tests. 5 languages.",
+  "version": "28.6.0",
+  "description": "One command to make Claude Code safe. 337 hooks (8 built-in + 331 examples). 49 CLI commands. 996 tests. 5 languages.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"