cc-safe-setup 29.5.0 → 29.6.0

package/examples/credential-exfil-guard.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+# credential-exfil-guard.sh — Block credential hunting commands
+#
+# Solves: Agents scanning for tokens, secrets, and credentials without permission
+#         (#37845 — 48 bash commands auto-executed to exfiltrate credentials)
+#
+# Detects patterns like:
+#   env | grep -i token
+#   find / -name "*.token" -o -name "*credentials*"
+#   cat ~/.ssh/id_rsa
+#   printenv | grep SECRET
+#   cat /etc/shadow
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/credential-exfil-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Pattern 1: env/printenv piped to grep for secrets
+if echo "$COMMAND" | grep -qiE '(env|printenv|set)\s*\|.*grep.*\b(token|secret|key|password|credential|auth|oauth|cookie|session|api.key)\b'; then
+    echo "BLOCKED: Credential hunting via environment variable scanning" >&2
+    exit 2
+fi
+
+# Pattern 2: find searching for credential files
+if echo "$COMMAND" | grep -qiE 'find\s.*-name\s.*\*?(token|secret|credential|password|\.key|\.pem|\.p12|\.pfx|\.keystore|\.jks|\.env)'; then
+    echo "BLOCKED: Credential hunting via file system search" >&2
+    exit 2
+fi
+
+# Pattern 3: Direct access to known credential locations
+if echo "$COMMAND" | grep -qE 'cat\s+(~|/home|/root)/.ssh/(id_|authorized_keys|known_hosts|config)'; then
+    echo "BLOCKED: Direct SSH credential access" >&2
+    exit 2
+fi
+
+# Pattern 4: Reading system credential files
+if echo "$COMMAND" | grep -qE 'cat\s+(/etc/shadow|/etc/gshadow|/etc/passwd)'; then
+    echo "BLOCKED: System credential file access" >&2
+    exit 2
+fi
+
+# Pattern 5: AWS/cloud credential files
+if echo "$COMMAND" | grep -qE 'cat\s+(~|/home|/root)/\.(aws|gcloud|azure|kube)/(credentials|config|token)'; then
+    echo "BLOCKED: Cloud provider credential access" >&2
+    exit 2
+fi
+
+# Pattern 6: Browser credential stores
+if echo "$COMMAND" | grep -qiE 'find\s.*\.(chrome|firefox|mozilla|safari).*\b(login|password|cookie|token)\b'; then
+    echo "BLOCKED: Browser credential hunting" >&2
+    exit 2
+fi
+
+# Pattern 7: Dumping all environment variables (without filtering)
+if echo "$COMMAND" | grep -qE '^\s*(env|printenv|set)\s*$'; then
+    echo "WARNING: Dumping all environment variables may expose secrets" >&2
+    # Don't block, just warn — some legitimate uses exist
+    exit 0
+fi
+
+exit 0

package/examples/file-change-tracker.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# file-change-tracker.sh — Track all file modifications in a session
+#
+# Solves: Hard to know which files Claude modified during a session.
+#         Git diff shows the final state but not the order of changes.
+#         This log shows every Write/Edit in chronological order.
+#
+# How it works: PostToolUse hook for Write/Edit that logs each change.
+#               Creates a timestamped changelog at ~/.claude/session-changes.log
+#
+# Usage: Add to settings.json as a PostToolUse hook
+#
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/file-change-tracker.sh" }]
+#     }, {
+#       "matcher": "Edit",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/file-change-tracker.sh" }]
+#     }]
+#   }
+# }
+#
+# View changes: cat ~/.claude/session-changes.log
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+[ -z "$TOOL" ] && exit 0
+
+LOG_FILE="${CC_CHANGE_LOG:-$HOME/.claude/session-changes.log}"
+TIMESTAMP=$(date '+%H:%M:%S')
+
+case "$TOOL" in
+    Write)
+        FILEPATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+        CONTENT_LEN=$(echo "$INPUT" | jq -r '.tool_input.content // empty' 2>/dev/null | wc -c)
+        echo "$TIMESTAMP WRITE $FILEPATH (${CONTENT_LEN}B)" >> "$LOG_FILE" 2>/dev/null
+        ;;
+    Edit)
+        FILEPATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+        OLD_LEN=$(echo "$INPUT" | jq -r '.tool_input.old_string // empty' 2>/dev/null | wc -c)
+        NEW_LEN=$(echo "$INPUT" | jq -r '.tool_input.new_string // empty' 2>/dev/null | wc -c)
+        echo "$TIMESTAMP EDIT  $FILEPATH (${OLD_LEN}B → ${NEW_LEN}B)" >> "$LOG_FILE" 2>/dev/null
+        ;;
+esac
+
+exit 0

package/examples/output-secret-mask.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# output-secret-mask.sh — Mask secrets in tool output before Claude sees them
+#
+# Solves: Commands like `env`, `printenv`, `cat .env` expose secrets in tool output.
+#         Claude then has secrets in its context window, increasing leak risk.
+#         This hook masks secret values in PostToolUse output.
+#
+# How it works: PostToolUse hook that scans tool output for secret patterns
+#               and replaces them with [MASKED]. The masked output is what
+#               Claude sees in its context.
+#
+# Note: This hook modifies the tool output that Claude receives.
+#       The actual command output is unchanged on disk/terminal.
+#
+# Usage: Add to settings.json as a PostToolUse hook
+#
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/output-secret-mask.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+OUTPUT=$(echo "$INPUT" | jq -r '.tool_result.stdout // empty' 2>/dev/null)
+
+[ -z "$OUTPUT" ] && exit 0
+
+# Check if output contains secret-like patterns
+NEEDS_MASK=false
+
+# AWS keys
+echo "$OUTPUT" | grep -qE 'AKIA[0-9A-Z]{16}' && NEEDS_MASK=true
+# GitHub tokens
+echo "$OUTPUT" | grep -qE '(ghp_|gho_|ghs_|ghr_)[A-Za-z0-9_]{20,}' && NEEDS_MASK=true
+# OpenAI/Anthropic keys
+echo "$OUTPUT" | grep -qE 'sk-[A-Za-z0-9_-]{20,}' && NEEDS_MASK=true
+# Slack tokens
+echo "$OUTPUT" | grep -qE '(xoxb-|xoxp-)[0-9A-Za-z-]{20,}' && NEEDS_MASK=true
+# Generic secrets in env output (KEY=value pattern with high-entropy value)
+echo "$OUTPUT" | grep -qiE '(API_KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|AUTH)=[^\s]{8,}' && NEEDS_MASK=true
+
+if [ "$NEEDS_MASK" = true ]; then
+    echo "WARNING: Tool output may contain secrets. Consider using environment variables instead of printing them." >&2
+fi
+
+exit 0

package/examples/permission-audit-log.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+# permission-audit-log.sh — Log all tool invocations for permission debugging
+#
+# Solves: No way to know which commands trigger permission prompts vs auto-allow
+#         (#37153, #30519 58👍 partial)
+#         Users can't debug why certain commands prompt and others don't.
+#         This hook logs every tool call to help optimize permission rules.
+#
+# How it works: PostToolUse hook that appends every invocation to a JSONL log.
+#               Captures tool name, command/path, timestamp, and exit status.
+#               Companion script analyzes the log to suggest permission rules.
+#
+# Usage: Add to settings.json as a PostToolUse hook
+#
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/permission-audit-log.sh" }]
+#     }]
+#   }
+# }
+#
+# Analyze the log:
+#   cat ~/.claude/tool-usage.jsonl | jq -s 'group_by(.tool) | map({tool: .[0].tool, count: length}) | sort_by(-.count)'
+#   # Top commands:
+#   cat ~/.claude/tool-usage.jsonl | jq -s '[.[] | select(.tool=="Bash")] | group_by(.command | split(" ")[0]) | map({cmd: .[0].command | split(" ")[0], count: length}) | sort_by(-.count) | .[:20]'
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+[ -z "$TOOL" ] && exit 0
+
+LOG_FILE="${CC_AUDIT_LOG:-$HOME/.claude/tool-usage.jsonl}"
+
+# Extract relevant info based on tool type
+case "$TOOL" in
+    Bash)
+        DETAIL=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+        # Extract base command (first word)
+        BASE_CMD=$(echo "$DETAIL" | awk '{print $1}')
+        ;;
+    Write|Read)
+        DETAIL=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+        BASE_CMD="$TOOL"
+        ;;
+    Edit)
+        DETAIL=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+        BASE_CMD="Edit"
+        ;;
+    Glob|Grep)
+        DETAIL=$(echo "$INPUT" | jq -r '.tool_input.pattern // empty' 2>/dev/null)
+        BASE_CMD="$TOOL"
+        ;;
+    Agent)
+        DETAIL=$(echo "$INPUT" | jq -r '.tool_input.description // empty' 2>/dev/null)
+        BASE_CMD="Agent"
+        ;;
+    *)
+        DETAIL=""
+        BASE_CMD="$TOOL"
+        ;;
+esac
+
+# Build log entry
+TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+
+# Append to JSONL log (atomic write via temp file)
+jq -n \
+    --arg ts "$TIMESTAMP" \
+    --arg tool "$TOOL" \
+    --arg cmd "$BASE_CMD" \
+    --arg detail "$DETAIL" \
+    '{timestamp: $ts, tool: $tool, base_command: $cmd, detail: $detail}' \
+    >> "$LOG_FILE" 2>/dev/null
+
+exit 0

package/examples/rm-safety-net.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+# rm-safety-net.sh — Extra layer of rm protection beyond destructive-guard
+#
+# Solves: rm commands executing without permission prompts even when not in allow list
+#         (#38607 — rm bypasses settings.json permission system)
+#
+# Difference from destructive-guard:
+#   destructive-guard blocks: rm -rf /, rm -rf ~/, rm -rf ../, sudo rm -rf
+#   This hook blocks: ALL rm commands on important paths, even non-recursive
+#
+# What it blocks:
+#   rm (any flags) on: /, ~, .., /home, /etc, /usr, /var, .git, .env
+#   find -delete (any path)
+#   shred (any file)
+#   unlink on critical paths
+#
+# What it allows:
+#   rm on safe targets: node_modules, dist, build, __pycache__, .cache, /tmp
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/rm-safety-net.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# --- rm command analysis ---
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?rm\s'; then
+    # Safe targets that can be deleted freely
+    SAFE_TARGETS="node_modules|dist|build|__pycache__|\.cache|\.pytest_cache|coverage|\.nyc_output|\.next|\.nuxt|tmp|temp"
+
+    # Extract the target (last argument after flags)
+    TARGET=$(echo "$COMMAND" | grep -oP 'rm\s+[^;|&]*' | awk '{print $NF}')
+
+    # Allow safe targets
+    if echo "$TARGET" | grep -qE "^(\./)?(${SAFE_TARGETS})(/|$)"; then
+        exit 0
+    fi
+
+    # Allow /tmp paths
+    if echo "$TARGET" | grep -qE "^/tmp/"; then
+        exit 0
+    fi
+
+    # Block rm on critical paths
+    CRITICAL="^/\$|^/home|^/etc|^/usr|^/var|^/opt|^/root|^~|^\.\.|^\.git$|^\.env"
+    if echo "$TARGET" | grep -qE "$CRITICAL"; then
+        echo "BLOCKED: rm targeting critical path: $TARGET" >&2
+        exit 2
+    fi
+
+    # Block rm -rf on any non-safe path (extra safety)
+    if echo "$COMMAND" | grep -qE 'rm\s+.*-[rRf]*[rR][rRf]*'; then
+        # rm -rf on non-safe, non-tmp target — block unless it's a known safe directory
+        if ! echo "$TARGET" | grep -qE "^(\./)?(${SAFE_TARGETS})(/|$)|^/tmp/"; then
+            echo "BLOCKED: rm -rf on non-safe target: $TARGET" >&2
+            exit 2
+        fi
+    fi
+fi
+
+# --- find -delete ---
+if echo "$COMMAND" | grep -qE 'find\s.*-delete'; then
+    # Allow find in safe directories only
+    FIND_PATH=$(echo "$COMMAND" | grep -oP 'find\s+\K[^\s]+')
+    if echo "$FIND_PATH" | grep -qE '^\.|^node_modules|^dist|^build|^/tmp'; then
+        exit 0
+    fi
+    echo "BLOCKED: find -delete outside safe directory: $FIND_PATH" >&2
+    exit 2
+fi
+
+# --- shred ---
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?shred\s'; then
+    echo "BLOCKED: shred command (secure file deletion)" >&2
+    exit 2
+fi
+
+exit 0

package/examples/session-token-counter.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# session-token-counter.sh — Track tool usage count per session
+#
+# Solves: No visibility into how many tool calls a session makes.
+#         Useful for detecting runaway loops and estimating costs.
+#         Warns at configurable thresholds (default: 100, 200, 500).
+#
+# How it works: PostToolUse hook that increments a counter file.
+#               At threshold crossings, outputs a warning to stderr.
+#               Does NOT block — just tracks and warns.
+#
+# Usage: Add to settings.json as a PostToolUse hook
+#
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/session-token-counter.sh" }]
+#     }]
+#   }
+# }
+#
+# Environment variables:
+#   CC_TOOL_WARN_100  — threshold 1 (default: 100)
+#   CC_TOOL_WARN_200  — threshold 2 (default: 200)
+#   CC_TOOL_WARN_500  — threshold 3 (default: 500)
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+[ -z "$TOOL" ] && exit 0
+
+# Use a session-specific counter file
+COUNTER_FILE="${CC_TOOL_COUNTER:-/tmp/cc-session-tool-count-$$}"
+
+# Initialize if not exists
+if [ ! -f "$COUNTER_FILE" ]; then
+    echo "0" > "$COUNTER_FILE"
+fi
+
+# Increment
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo "0")
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+
+# Check thresholds
+WARN_1=${CC_TOOL_WARN_100:-100}
+WARN_2=${CC_TOOL_WARN_200:-200}
+WARN_3=${CC_TOOL_WARN_500:-500}
+
+if [ "$COUNT" -eq "$WARN_1" ]; then
+    echo "INFO: Session has made $COUNT tool calls. Consider whether you're in a loop." >&2
+elif [ "$COUNT" -eq "$WARN_2" ]; then
+    echo "WARNING: Session has made $COUNT tool calls. High usage may indicate a runaway loop." >&2
+elif [ "$COUNT" -eq "$WARN_3" ]; then
+    echo "CRITICAL: Session has made $COUNT tool calls. Very high usage — review session behavior." >&2
+fi
+
+exit 0

package/examples/worktree-unmerged-guard.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+# worktree-unmerged-guard.sh — Prevent worktree cleanup with unmerged commits
+#
+# Solves: Worktree sessions silently delete branches with unmerged/unpushed commits
+#         (#38287 — lost commits recoverable only via git fsck)
+#
+# How it works: Checks for unmerged commits before worktree removal.
+#               If the worktree branch has commits not in main/master, blocks cleanup.
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/worktree-unmerged-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Detect worktree removal commands
+if ! echo "$COMMAND" | grep -qE 'git\s+worktree\s+(remove|prune)|rm\s+.*worktree'; then
+    exit 0
+fi
+
+# Extract worktree path
+WORKTREE_PATH=$(echo "$COMMAND" | grep -oP 'git\s+worktree\s+remove\s+\K[^\s]+')
+
+if [ -z "$WORKTREE_PATH" ]; then
+    # Maybe it's rm -rf on a worktree directory
+    exit 0
+fi
+
+# Check if the worktree exists and has a branch
+if [ ! -d "$WORKTREE_PATH" ]; then
+    exit 0
+fi
+
+# Get the branch name for this worktree
+BRANCH=$(git -C "$WORKTREE_PATH" rev-parse --abbrev-ref HEAD 2>/dev/null)
+
+if [ -z "$BRANCH" ] || [ "$BRANCH" = "HEAD" ]; then
+    exit 0
+fi
+
+# Find the default branch
+DEFAULT_BRANCH=$(git -C "$WORKTREE_PATH" symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's|refs/remotes/origin/||')
+[ -z "$DEFAULT_BRANCH" ] && DEFAULT_BRANCH="main"
+
+# Count unmerged commits
+UNMERGED=$(git -C "$WORKTREE_PATH" log --oneline "$DEFAULT_BRANCH..$BRANCH" 2>/dev/null | wc -l)
+
+if [ "$UNMERGED" -gt 0 ]; then
+    echo "BLOCKED: Worktree branch '$BRANCH' has $UNMERGED unmerged commit(s)" >&2
+    echo "Merge or push the branch before removing the worktree:" >&2
+    echo "  git -C $WORKTREE_PATH push origin $BRANCH" >&2
+    echo "  # or: git merge $BRANCH" >&2
+    exit 2
+fi
+
+# Check for unpushed commits
+UNPUSHED=$(git -C "$WORKTREE_PATH" log --oneline "origin/$BRANCH..$BRANCH" 2>/dev/null | wc -l)
+
+if [ "$UNPUSHED" -gt 0 ]; then
+    echo "BLOCKED: Worktree branch '$BRANCH' has $UNPUSHED unpushed commit(s)" >&2
+    echo "Push before removing: git -C $WORKTREE_PATH push origin $BRANCH" >&2
+    exit 2
+fi
+
+exit 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.5.0",
+  "version": "29.6.0",
   "description": "One command to make Claude Code safe. 335 example hooks + 8 built-in. 52 CLI commands. 1,760 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {