cc-safe-setup 28.6.0 → 28.8.0

package/README.md

@@ -87,7 +87,7 @@ Each hook exists because a real incident happened without it.
 | `--scan [--apply]` | Tech stack detection |
 | `--export / --import` | Team config sharing |
 | `--verify` | Test each hook |
-| `--install-example <name>` | Install from 331 examples |
+| `--install-example <name>` | Install from 336 examples |
 | `--examples [filter]` | Browse examples by keyword |
 | `--full` | All-in-one setup |
 | `--status` | Check installed hooks |

package/TROUBLESHOOTING.md

@@ -232,6 +232,22 @@ echo "[$(date -Iseconds)] BLOCKED: reason | cmd: $COMMAND" >> "$LOG"
 
 Then view with: `npx cc-safe-setup --watch` or `npx cc-safe-setup --stats`
 
+## "claude -p returns empty output when Stop hook is configured"
+
+This is a known Claude Code v2.1.83 bug ([#38651](https://github.com/anthropics/claude-code/issues/38651)), not a cc-safe-setup issue. Any Stop hook — even `true` — causes `-p` (print mode) to return empty stdout.
+
+**Workaround:** Temporarily remove Stop hooks when using `-p` mode:
+
+```bash
+# Quick toggle: comment out Stop hooks before -p commands
+npx cc-safe-setup --status  # See which hooks are active
+# Manually comment out Stop hooks in ~/.claude/settings.json
+# Run your -p command
+# Uncomment Stop hooks after
+```
+
+This should be fixed in a future Claude Code release.
+
 ## Still Stuck?
 
 1. Wrap the hook with debug wrapper: `npx cc-safe-setup --install-example hook-debug-wrapper`

package/examples/allow-claude-settings.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# allow-claude-settings.sh — PermissionRequest hook
+# Trigger: PermissionRequest
+# Matcher: Edit|Write
+#
+# Auto-approves writes to .claude/ configuration files.
+# Use this in isolated environments (containers, VMs) where
+# bypassPermissions is enabled but .claude/ writes still prompt.
+#
+# See: https://github.com/anthropics/claude-code/issues/36044
+# See: https://github.com/anthropics/claude-code/issues/37765
+#
+# WARNING: Only use in environments where you trust Claude's edits
+# to your configuration. In shared or production environments,
+# keep the default prompts.
+
+INPUT=$(cat)
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE_PATH" ] && exit 0
+
+# Allow .claude/ writes (settings, rules, agents, skills, hooks)
+if echo "$FILE_PATH" | grep -qE '\.claude/'; then
+  jq -n '{
+    hookSpecificOutput: {
+      hookEventName: "PermissionRequest",
+      permissionDecision: "allow",
+      permissionDecisionReason: "Allowed: .claude/ directory (isolated environment)"
+    }
+  }'
+  exit 0
+fi
+
+exit 0

package/examples/allow-protected-dirs.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# allow-protected-dirs.sh — PermissionRequest hook
+# Trigger: PermissionRequest
+# Matcher: Edit|Write
+#
+# Auto-approves writes to ALL protected directories (.claude/, .git/,
+# .vscode/, .idea/). Equivalent to full bypassPermissions for file edits.
+#
+# USE CASE: Docker containers, CI/CD, disposable VMs where you want
+# zero prompts and understand the risks.
+#
+# WARNING: This is the most permissive PermissionRequest hook possible.
+# It bypasses ALL built-in file protection. Do NOT use in shared or
+# production environments. Prefer allow-git-hooks-dir.sh or
+# allow-claude-settings.sh for targeted bypass.
+
+INPUT=$(cat)
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE_PATH" ] && exit 0
+
+if echo "$FILE_PATH" | grep -qE '\.(claude|git|vscode|idea)/'; then
+  jq -n '{
+    hookSpecificOutput: {
+      hookEventName: "PermissionRequest",
+      permissionDecision: "allow",
+      permissionDecisionReason: "Allowed: protected directory (full bypass)"
+    }
+  }'
+  exit 0
+fi
+
+exit 0

package/examples/auto-approve-compound-git.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+# auto-approve-compound-git.sh — PermissionRequest hook
+# Trigger: PermissionRequest
+# Matcher: Bash
+#
+# Auto-approves compound git commands that the built-in permission
+# system fails to match. The wildcard pattern Bash(git:*) only matches
+# simple commands like "git status" but not "cd src && git log" or
+# "git add file.txt && git commit -m 'fix'".
+#
+# This hook runs AFTER the built-in permission check fails (because
+# compound commands don't match Bash(git:*)), and approves if ALL
+# individual commands in the chain are safe git operations.
+#
+# See: https://github.com/anthropics/claude-code/issues/30519
+# See: https://github.com/anthropics/claude-code/issues/16561
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Split on && ; || and check each part
+# Only approve if EVERY component is a safe git command or cd
+SAFE=true
+while IFS= read -r part; do
+  # Trim whitespace
+  part=$(echo "$part" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+  [ -z "$part" ] && continue
+
+  # Allow: cd, git (read ops), git add, git commit, git stash, git branch
+  if echo "$part" | grep -qE '^(cd |git (status|log|diff|show|branch|tag|stash|add|commit|fetch|pull|checkout|switch|restore|rebase|merge|cherry-pick|remote|config) )'; then
+    continue
+  fi
+  # Allow simple git commands without args
+  if echo "$part" | grep -qE '^git (status|log|diff|show|branch|tag|stash|fetch|pull)$'; then
+    continue
+  fi
+  # Any non-git command = not safe
+  SAFE=false
+  break
+done < <(echo "$COMMAND" | tr '&' '\n' | tr ';' '\n' | tr '|' '\n')
+
+if [ "$SAFE" = "true" ]; then
+  jq -n '{
+    hookSpecificOutput: {
+      hookEventName: "PermissionRequest",
+      permissionDecision: "allow",
+      permissionDecisionReason: "Allowed: compound git command (all parts are safe git ops)"
+    }
+  }'
+fi
+
+exit 0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "28.6.0",
-  "description": "One command to make Claude Code safe. 337 hooks (8 built-in + 331 examples). 49 CLI commands. 996 tests. 5 languages.",
+  "version": "28.8.0",
+  "description": "One command to make Claude Code safe. 344 hooks (8 built-in + 336 examples). 49 CLI commands. 1018 tests. 5 languages.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"