cc-safe-setup 29.3.1 → 29.5.0

package/README.md

@@ -12,7 +12,7 @@ npx cc-safe-setup
 
 Installs 8 safety hooks in ~10 seconds. Blocks `rm -rf /`, prevents pushes to main, catches secret leaks, validates syntax after every edit. Zero dependencies.
 
-[**Getting Started**](https://yurukusa.github.io/cc-safe-setup/getting-started.html) · [**All Tools**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [**Recipes**](https://yurukusa.github.io/cc-safe-setup/recipes.html) · [Validate your settings.json](https://yurukusa.github.io/cc-safe-setup/validator.html)
+[**Getting Started**](https://yurukusa.github.io/cc-safe-setup/getting-started.html) · [**All Tools**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [**Recipes**](https://yurukusa.github.io/cc-safe-setup/recipes.html) · [Validate your settings.json](https://yurukusa.github.io/cc-safe-setup/validator.html) · [**Check your score**](https://yurukusa.github.io/cc-health-check/) (`npx cc-health-check`)
 
 ```
   cc-safe-setup
@@ -49,6 +49,8 @@ A Claude Code user [lost their entire C:\Users directory](https://github.com/ant
 
 Claude Code ships with no safety hooks by default. This tool fixes that.
 
+**Works with Auto Mode.** Claude Code's [Auto Mode sandboxing](https://www.anthropic.com/engineering/claude-code-sandboxing) provides container-level isolation. cc-safe-setup adds process-level hooks as defense-in-depth — catching destructive commands even outside sandboxed environments.
+
 ## What Gets Installed
 
 | Hook | Prevents | Related Issues |
@@ -87,7 +89,7 @@ Each hook exists because a real incident happened without it.
 | `--scan [--apply]` | Tech stack detection |
 | `--export / --import` | Team config sharing |
 | `--verify` | Test each hook |
-| `--install-example <name>` | Install from 338 examples |
+| `--install-example <name>` | Install from 335 examples |
 | `--examples [filter]` | Browse examples by keyword |
 | `--full` | All-in-one setup |
 | `--status` | Check installed hooks |
@@ -211,11 +213,11 @@ npx cc-health-check
 
 ## Full Kit
 
-cc-safe-setup gives you 8 essential hooks. For the complete autonomous operation toolkit:
+cc-safe-setup gives you 8 essential hooks. Want to know what else your setup needs?
 
-**[Claude Code Ops Kit](https://yurukusa.github.io/cc-ops-kit-landing/?utm_source=github&utm_medium=readme&utm_campaign=safe-setup)** — 16 hooks + 5 templates + 3 exclusive tools + install.sh. Production-ready in 15 minutes.
+Run `npx cc-health-check` (free, 20 checks) to see your current score. If it's below 80, the **[Claude Code Ops Kit](https://yurukusa.github.io/cc-ops-kit-landing/?utm_source=github&utm_medium=readme&utm_campaign=safe-setup)** fills the gaps — 16 hooks + 6 templates + 3 exclusive tools + install.sh. Pay What You Want.
 
-Or start with the free hooks: [claude-code-hooks](https://github.com/yurukusa/claude-code-hooks)
+Or browse the free hooks: [claude-code-hooks](https://github.com/yurukusa/claude-code-hooks)
 
 ## Examples
 
@@ -368,6 +370,9 @@ See [Issue #1](https://github.com/yurukusa/cc-safe-setup/issues/1) for details.
 - [Hooks Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/cheatsheet.html) — printable A4 quick reference
 - [Ecosystem Comparison](https://yurukusa.github.io/cc-safe-setup/ecosystem.html) — all Claude Code hook projects compared
 - [The incident that inspired this tool](https://github.com/anthropics/claude-code/issues/36339) — NTFS junction rm -rf
+- [How to prevent rm -rf disasters](https://yurukusa.github.io/cc-safe-setup/prevent-rm-rf.html) — real incidents and the hook that stops them
+- [How to prevent force-push to main](https://yurukusa.github.io/cc-safe-setup/prevent-force-push.html) — branch protection via hooks
+- [How to prevent secret leaks](https://yurukusa.github.io/cc-safe-setup/prevent-secret-leaks.html) — stop git add . from committing .env
 
 ## FAQ
 
@@ -387,6 +392,8 @@ No. Each hook runs in ~10ms. They only fire on specific events (before tool use,
 
 Found a false positive? Open an [issue](https://github.com/yurukusa/cc-safe-setup/issues/new?template=false_positive.md). Want a new hook? Open a [feature request](https://github.com/yurukusa/cc-safe-setup/issues/new?template=bug_report.md).
 
+📘 **Want the full story?** [Production guide from 700+ hours of autonomous operation](https://zenn.dev/yurukusa/books/6076c23b1cb18b) — the incidents, fixes, and patterns behind every hook in this tool.
+
 If cc-safe-setup saved your project from a destructive command, consider giving it a star — it helps others find this tool.
 
 ## License

package/TROUBLESHOOTING.md

@@ -160,6 +160,19 @@ exit 0
 
 **Rule of thumb:** PreToolUse = block dangerous actions. PermissionRequest = allow trusted actions that trigger built-in prompts.
 
+## "PermissionRequest hooks don't fire in `-p` mode"
+
+**Known limitation** ([#35646](https://github.com/anthropics/claude-code/issues/35646)): In headless/pipe mode (`claude -p`), the protected-directory check short-circuits *before* PermissionRequest hooks fire. This means:
+
+| Mode | PermissionRequest fires? | Hook workaround works? |
+|------|-------------------------|----------------------|
+| Interactive (`claude`) | ✅ Yes | ✅ Yes |
+| Interactive + bypassPermissions | ✅ Yes | ✅ Yes |
+| Pipe mode (`claude -p`) | ❌ No | ❌ No |
+| Pipe + `--dangerously-skip-permissions` | ❌ No | ❌ No |
+
+**Workaround:** Currently none for `-p` mode. If your automation needs to write to `.claude/`, use interactive mode with hooks instead. This is a Claude Code core issue — the fix requires the harness to route protected-dir checks through PermissionRequest in all modes.
+
 ## "Permission prompts still appear for compound commands"
 
 This is a known Claude Code limitation, not a hook issue. `Bash(git:*)` doesn't match `cd /path && git log`.

package/examples/auto-mode-safe-commands.sh

@@ -0,0 +1,108 @@
+#!/bin/bash
+# auto-mode-safe-commands.sh — Fix Auto Mode false positives on safe commands
+#
+# Solves: Claude Code's safety classifier blocks legitimate commands in auto mode
+#         - $() command substitution flagged as dangerous (#38537, 49 reactions)
+#         - Pipe chains flagged unnecessarily (#30435, 29 reactions)
+#         - Read-only commands requiring manual approval
+#
+# How it works: Maintains a whitelist of known-safe command patterns.
+#               When the classifier wrongly blocks them, this hook approves.
+#               Only approves commands that are genuinely read-only or development-safe.
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/auto-mode-safe-commands.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Strip the command to its base (first word after pipes, &&, etc.)
+# We check each component of compound commands
+APPROVE=false
+REASON=""
+
+# --- Read-only commands (never modify state) ---
+
+# File inspection
+if echo "$COMMAND" | grep -qE '^\s*(cat|head|tail|less|more|wc|file|stat|du|df|ls|tree|find|which|whereis|type|realpath|readlink)\s'; then
+    APPROVE=true
+    REASON="Read-only file inspection"
+fi
+
+# Text search
+if echo "$COMMAND" | grep -qE '^\s*(grep|rg|ag|ack|sed\s+-n|awk)\s'; then
+    APPROVE=true
+    REASON="Text search/extraction"
+fi
+
+# Git read-only
+if echo "$COMMAND" | grep -qE '^\s*git\s+(status|log|diff|show|branch|tag|remote|stash\s+list|ls-files|ls-tree|rev-parse|describe|shortlog|blame|config\s+--get)'; then
+    APPROVE=true
+    REASON="Git read-only operation"
+fi
+
+# Package info (read-only)
+if echo "$COMMAND" | grep -qE '^\s*(npm\s+(ls|list|info|view|outdated|audit)|pip\s+(list|show|freeze)|yarn\s+(list|info|why)|pnpm\s+(ls|list))\s*'; then
+    APPROVE=true
+    REASON="Package manager read-only"
+fi
+
+# Development tools (safe)
+if echo "$COMMAND" | grep -qE '^\s*(echo|printf|date|env|printenv|uname|hostname|whoami|id|pwd|tput)\s*'; then
+    APPROVE=true
+    REASON="Environment inspection"
+fi
+
+# --- Safe command substitution patterns ---
+# $() is flagged by classifier but usually wraps read-only commands
+
+# date/timestamp substitution
+if echo "$COMMAND" | grep -qE '\$\(date\s'; then
+    # Only approve if the outer command is also safe
+    OUTER=$(echo "$COMMAND" | sed 's/\$([^)]*)/SUBST/g')
+    if echo "$OUTER" | grep -qE '^\s*(echo|printf|mkdir|touch|cp|mv)\s'; then
+        APPROVE=true
+        REASON="Safe command with date substitution"
+    fi
+fi
+
+# --- JSON/YAML processing ---
+if echo "$COMMAND" | grep -qE '^\s*(jq|yq|python3?\s+-c\s|python3?\s+-m\s+json)\s'; then
+    APPROVE=true
+    REASON="JSON/YAML processing"
+fi
+
+# --- Curl (read-only GET requests) ---
+if echo "$COMMAND" | grep -qE '^\s*curl\s+-s' && ! echo "$COMMAND" | grep -qE '\s-X\s+(POST|PUT|PATCH|DELETE)'; then
+    APPROVE=true
+    REASON="HTTP GET request"
+fi
+
+# --- Node.js/Python one-liners ---
+if echo "$COMMAND" | grep -qE '^\s*(node|python3?)\s+-e\s'; then
+    # Only approve if no file system writes detected
+    if ! echo "$COMMAND" | grep -qE '(writeFile|fs\.write|open\(.*["\x27]w|unlink|rmdir)'; then
+        APPROVE=true
+        REASON="Script one-liner (no fs writes detected)"
+    fi
+fi
+
+# --- Output the decision ---
+if [ "$APPROVE" = true ]; then
+    jq -n --arg reason "$REASON" \
+        '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":$reason}}'
+    exit 0
+fi
+
+# No opinion — let the default classifier handle it
+exit 0

package/examples/checkpoint-tamper-guard.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# checkpoint-tamper-guard.sh — Block manipulation of hook state/checkpoint files
+# Trigger: PreToolUse (Bash, Edit, Write)
+# Prevents the model from bypassing hooks by editing their state files
+# See: https://github.com/anthropics/claude-code/issues/38841
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+# Directories/files containing hook state (customize as needed)
+PROTECTED_PATTERNS=(
+    ".claude/checkpoints"
+    ".claude/hook-state"
+    ".claude/hooks-disabled"
+    "session-call-count"
+    "compact-prep-done"
+    "subagent-tracker"
+)
+
+check_path() {
+    local path="$1"
+    for pattern in "${PROTECTED_PATTERNS[@]}"; do
+        if [[ "$path" == *"$pattern"* ]]; then
+            echo "BLOCKED: Cannot manipulate hook state file: $path" >&2
+            echo "Hook state files are managed by hooks, not by the model." >&2
+            exit 2
+        fi
+    done
+}
+
+# Check Bash commands that write to protected paths
+if [ -n "$CMD" ]; then
+    for pattern in "${PROTECTED_PATTERNS[@]}"; do
+        if echo "$CMD" | grep -qE "(echo|cat|tee|cp|mv|rm|chmod|chown|touch|truncate|>).*${pattern}"; then
+            echo "BLOCKED: Cannot manipulate hook state via command" >&2
+            exit 2
+        fi
+    done
+fi
+
+# Check Edit/Write file paths
+if [ -n "$FILE" ]; then
+    check_path "$FILE"
+fi
+
+exit 0

package/examples/compound-command-allow.sh

@@ -0,0 +1,163 @@
+#!/bin/bash
+# compound-command-allow.sh — Auto-approve compound commands when all parts are safe
+#
+# Solves: Permission prompts fire for compound commands like:
+#         cd /path && git log    (#16561, 115 reactions)
+#         echo foo | grep bar    (#28240, 84 reactions)
+#         npm test && npm run build  (#30519, 58 reactions)
+#
+# How it works: Splits compound commands on &&, ||, ;, and |
+#               Checks each component against a safe-command whitelist.
+#               If ALL components are safe, auto-approves the entire command.
+#               If ANY component is unsafe, passes through (no opinion).
+#
+# This extends cd-git-allow to handle arbitrary compound commands.
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/compound-command-allow.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Strip comments (lines starting with #) to avoid false matches
+CLEAN=$(echo "$COMMAND" | sed 's/#.*$//' | tr '\n' ' ')
+
+# Split on &&, ||, ;, and | (but not || inside [[ ]])
+# Simple approach: split on these operators and check each part
+IFS_ORIG="$IFS"
+
+# Replace compound operators with a delimiter
+PARTS=$(echo "$CLEAN" | sed 's/\s*&&\s*/\n/g; s/\s*||\s*/\n/g; s/\s*;\s*/\n/g; s/\s*|\s*/\n/g')
+
+ALL_SAFE=true
+
+while IFS= read -r part; do
+    # Trim whitespace
+    part=$(echo "$part" | sed 's/^\s*//;s/\s*$//')
+    [ -z "$part" ] && continue
+
+    # Extract the base command (first word)
+    BASE=$(echo "$part" | awk '{print $1}')
+
+    # Check against safe command list
+    case "$BASE" in
+        # Navigation
+        cd|pushd|popd|pwd)
+            ;;
+        # File reading
+        cat|head|tail|less|more|wc|file|stat|du|df|ls|tree|find|which|whereis|type|realpath|readlink|basename|dirname)
+            ;;
+        # Text processing (read-only)
+        grep|rg|ag|ack|sed|awk|sort|uniq|cut|tr|tee|xargs|column|fmt|fold|rev|nl|paste|join|comm)
+            # sed with -i is NOT read-only
+            if echo "$part" | grep -qE 'sed\s+.*-i'; then
+                ALL_SAFE=false
+                break
+            fi
+            ;;
+        # Git (read-only operations)
+        git)
+            SUBCMD=$(echo "$part" | awk '{print $2}')
+            case "$SUBCMD" in
+                status|log|diff|show|branch|tag|remote|stash|ls-files|ls-tree|rev-parse|describe|shortlog|blame|config|worktree)
+                    # git stash with push/pop/drop is not read-only
+                    if echo "$part" | grep -qE 'git\s+stash\s+(push|pop|drop|apply|clear)'; then
+                        ALL_SAFE=false
+                        break
+                    fi
+                    ;;
+                *)
+                    ALL_SAFE=false
+                    break
+                    ;;
+            esac
+            ;;
+        # Node.js/npm (read-only)
+        node|npm|npx|yarn|pnpm)
+            SUBCMD=$(echo "$part" | awk '{print $2}')
+            case "$BASE" in
+                npm)
+                    case "$SUBCMD" in
+                        ls|list|info|view|outdated|audit|explain|why|help|config|prefix|root)
+                            ;;
+                        test|run)
+                            ;; # npm test/run are generally safe
+                        *)
+                            ALL_SAFE=false
+                            break
+                            ;;
+                    esac
+                    ;;
+                node)
+                    if echo "$part" | grep -qE 'node\s+-e\s'; then
+                        if echo "$part" | grep -qE '(writeFile|fs\.write|unlink|rmdir|mkdirSync)'; then
+                            ALL_SAFE=false
+                            break
+                        fi
+                    elif echo "$part" | grep -qE 'node\s+-p\s'; then
+                        : # node -p is safe (eval + print)
+                    fi
+                    ;;
+                *)
+                    ;; # npx, yarn, pnpm — allow for now
+            esac
+            ;;
+        # Python (read-only)
+        python|python3)
+            if echo "$part" | grep -qE 'python3?\s+(-c|-m\s+(json|py_compile|compileall|ast|tokenize|dis|inspect))'; then
+                : # Safe one-liners
+            elif echo "$part" | grep -qE 'python3?\s+-m\s+pytest'; then
+                : # pytest is safe
+            else
+                ALL_SAFE=false
+                break
+            fi
+            ;;
+        # Shell builtins (safe)
+        echo|printf|true|false|test|\[|export|set|env|printenv|date|sleep|read|source|\.)
+            ;;
+        # System info
+        uname|hostname|whoami|id|groups|uptime|free|top|ps|lsb_release|arch|nproc|getconf)
+            ;;
+        # JSON/YAML processing
+        jq|yq)
+            ;;
+        # curl (GET only)
+        curl)
+            if echo "$part" | grep -qE '\s-X\s+(POST|PUT|PATCH|DELETE)'; then
+                ALL_SAFE=false
+                break
+            fi
+            ;;
+        # mkdir is generally safe
+        mkdir)
+            ;;
+        # touch is generally safe
+        touch)
+            ;;
+        *)
+            ALL_SAFE=false
+            break
+            ;;
+    esac
+done <<< "$PARTS"
+
+IFS="$IFS_ORIG"
+
+if [ "$ALL_SAFE" = true ]; then
+    jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":"All components of compound command are safe"}}'
+    exit 0
+fi
+
+# Unsafe component found — no opinion, let default handler decide
+exit 0

package/examples/write-secret-guard.sh

@@ -0,0 +1,125 @@
+#!/bin/bash
+# write-secret-guard.sh — Block secrets from being written to files
+#
+# Solves: Claude writes API keys, tokens, and passwords directly into source files
+#         instead of using environment variables (#29910, 14 reactions)
+#         Existing secret-guard only covers Bash (git add .env).
+#         This hook covers Write and Edit tools.
+#
+# Detects: AWS keys (AKIA...), GitHub tokens (ghp_/gho_/ghs_),
+#          OpenAI keys (sk-), Anthropic keys (sk-ant-),
+#          Slack tokens (xoxb-/xoxp-), Stripe keys (sk_live_/pk_live_),
+#          Generic Bearer tokens, private keys, high-entropy strings
+#
+# Usage: Add to settings.json as a PreToolUse hook for Write AND Edit
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/write-secret-guard.sh" }]
+#     }, {
+#       "matcher": "Edit",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/write-secret-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Get the content being written
+if [ "$TOOL" = "Write" ]; then
+    CONTENT=$(echo "$INPUT" | jq -r '.tool_input.content // empty' 2>/dev/null)
+    FILEPATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+elif [ "$TOOL" = "Edit" ]; then
+    CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // empty' 2>/dev/null)
+    FILEPATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+else
+    exit 0
+fi
+
+[ -z "$CONTENT" ] && exit 0
+
+# --- Allow known safe patterns ---
+
+# Allow .env.example / .env.template (these contain placeholders)
+if echo "$FILEPATH" | grep -qE '\.(example|template|sample)$'; then
+    exit 0
+fi
+
+# Allow test files
+if echo "$FILEPATH" | grep -qE '(test|spec|mock|fixture|__test__|\.test\.)'; then
+    exit 0
+fi
+
+# --- Detect secret patterns ---
+
+BLOCKED=""
+
+# AWS Access Key ID (AKIA followed by 16 uppercase alphanumeric)
+if echo "$CONTENT" | grep -qE 'AKIA[0-9A-Z]{16}'; then
+    BLOCKED="AWS Access Key ID (AKIA...)"
+fi
+
+# AWS Secret Access Key (40 char base64-like after specific prefixes)
+if echo "$CONTENT" | grep -qE '(aws_secret_access_key|AWS_SECRET)\s*[=:]\s*[A-Za-z0-9/+=]{40}'; then
+    BLOCKED="AWS Secret Access Key"
+fi
+
+# GitHub tokens
+if echo "$CONTENT" | grep -qE '(ghp_|gho_|ghs_|ghr_|github_pat_)[A-Za-z0-9_]{20,}'; then
+    BLOCKED="GitHub token"
+fi
+
+# OpenAI API key (sk-... or sk-proj-...)
+if echo "$CONTENT" | grep -qE 'sk-[A-Za-z0-9_-]{20,}' && ! echo "$CONTENT" | grep -qE 'sk-ant-'; then
+    # Exclude Anthropic keys (handled separately)
+    BLOCKED="OpenAI API key (sk-...)"
+fi
+
+# Anthropic API key
+if echo "$CONTENT" | grep -qE 'sk-ant-[A-Za-z0-9-]{20,}'; then
+    BLOCKED="Anthropic API key (sk-ant-...)"
+fi
+
+# Slack tokens
+if echo "$CONTENT" | grep -qE '(xoxb-|xoxp-|xoxs-|xoxa-)[0-9A-Za-z-]{20,}'; then
+    BLOCKED="Slack token"
+fi
+
+# Stripe keys
+if echo "$CONTENT" | grep -qE '(sk_live_|pk_live_|rk_live_)[A-Za-z0-9]{20,}'; then
+    BLOCKED="Stripe API key"
+fi
+
+# Google API key
+if echo "$CONTENT" | grep -qE 'AIza[0-9A-Za-z_-]{35}'; then
+    BLOCKED="Google API key"
+fi
+
+# Private keys (PEM format)
+if echo "$CONTENT" | grep -qE -- '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'; then
+    BLOCKED="Private key (PEM format)"
+fi
+
+# Bearer token assignment (not in comments or docs)
+if echo "$CONTENT" | grep -qE '(Authorization|Bearer|token)\s*[=:]\s*["\x27][A-Za-z0-9._-]{30,}["\x27]' \
+   && ! echo "$FILEPATH" | grep -qiE '\.(md|txt|rst|adoc)$'; then
+    BLOCKED="Hardcoded Bearer/auth token"
+fi
+
+# Generic database connection strings with credentials
+if echo "$CONTENT" | grep -qE '(mysql|postgres|mongodb|redis)://[^:]+:[^@]+@'; then
+    BLOCKED="Database connection string with credentials"
+fi
+
+# --- Block if secret detected ---
+
+if [ -n "$BLOCKED" ]; then
+    echo "BLOCKED: Secret detected in file write — $BLOCKED" >&2
+    echo "Use environment variables instead: process.env.KEY or os.environ['KEY']" >&2
+    exit 2
+fi
+
+exit 0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.3.1",
-  "description": "One command to make Claude Code safe. 346 hooks (8 built-in + 338 examples). 49 CLI commands. 1030 tests. 5 languages.",
+  "version": "29.5.0",
+  "description": "One command to make Claude Code safe. 335 example hooks + 8 built-in. 52 CLI commands. 1,760 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"
@@ -24,7 +24,14 @@
     "syntax-check",
     "context-window",
     "wsl",
-    "wsl2"
+    "wsl2",
+    "auto-mode",
+    "defense-in-depth",
+    "force-push",
+    "secret-leak",
+    "destructive-command",
+    "claude-code-hooks",
+    "claude-code-safety"
   ],
   "scripts": {
     "test": "bash test.sh"