cc-safe-setup 29.5.0 → 29.6.1

package/examples/credential-exfil-guard.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+# credential-exfil-guard.sh — Block credential hunting commands
+#
+# Solves: Agents scanning for tokens, secrets, and credentials without permission
+#         (#37845 — 48 bash commands auto-executed to exfiltrate credentials)
+#
+# Detects patterns like:
+#   env | grep -i token
+#   find / -name "*.token" -o -name "*credentials*"
+#   cat ~/.ssh/id_rsa
+#   printenv | grep SECRET
+#   cat /etc/shadow
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/credential-exfil-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Pattern 1: env/printenv piped to grep for secrets
+if echo "$COMMAND" | grep -qiE '(env|printenv|set)\s*\|.*grep.*\b(token|secret|key|password|credential|auth|oauth|cookie|session|api.key)\b'; then
+    echo "BLOCKED: Credential hunting via environment variable scanning" >&2
+    exit 2
+fi
+
+# Pattern 2: find searching for credential files
+if echo "$COMMAND" | grep -qiE 'find\s.*-name\s.*\*?(token|secret|credential|password|\.key|\.pem|\.p12|\.pfx|\.keystore|\.jks|\.env)'; then
+    echo "BLOCKED: Credential hunting via file system search" >&2
+    exit 2
+fi
+
+# Pattern 3: Direct access to known credential locations
+if echo "$COMMAND" | grep -qE 'cat\s+(~|/home|/root)/.ssh/(id_|authorized_keys|known_hosts|config)'; then
+    echo "BLOCKED: Direct SSH credential access" >&2
+    exit 2
+fi
+
+# Pattern 4: Reading system credential files
+if echo "$COMMAND" | grep -qE 'cat\s+(/etc/shadow|/etc/gshadow|/etc/passwd)'; then
+    echo "BLOCKED: System credential file access" >&2
+    exit 2
+fi
+
+# Pattern 5: AWS/cloud credential files
+if echo "$COMMAND" | grep -qE 'cat\s+(~|/home|/root)/\.(aws|gcloud|azure|kube)/(credentials|config|token)'; then
+    echo "BLOCKED: Cloud provider credential access" >&2
+    exit 2
+fi
+
+# Pattern 6: Browser credential stores
+if echo "$COMMAND" | grep -qiE 'find\s.*\.(chrome|firefox|mozilla|safari).*\b(login|password|cookie|token)\b'; then
+    echo "BLOCKED: Browser credential hunting" >&2
+    exit 2
+fi
+
+# Pattern 7: Dumping all environment variables (without filtering)
+if echo "$COMMAND" | grep -qE '^\s*(env|printenv|set)\s*$'; then
+    echo "WARNING: Dumping all environment variables may expose secrets" >&2
+    # Don't block, just warn — some legitimate uses exist
+    exit 0
+fi
+
+# Pattern 8: curl/wget posting credential files
+if echo "$COMMAND" | grep -qiP 'curl\s.*-d\s+@[^\s]*(\.env|\.pem|\.key|credentials|\.ssh/id_)|wget\s.*--post-file[= ][^\s]*(\.env|\.pem|\.key|credentials|\.ssh/id_)'; then
+    echo "BLOCKED: Credential file exfiltration via HTTP upload" >&2
+    exit 2
+fi
+
+# Pattern 9: Piping credential files to curl/wget
+if echo "$COMMAND" | grep -qiP 'cat\s+[^\s]*(\.env|\.pem|\.key|credentials|\.ssh/id_)\S*\s*\|.*curl|cat\s+[^\s]*(\.env|\.pem|\.key|credentials|\.ssh/id_)\S*\s*\|.*wget'; then
+    echo "BLOCKED: Credential file piped to HTTP client" >&2
+    exit 2
+fi
+
+exit 0

package/examples/cwd-reminder.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# cwd-reminder.sh — Remind Claude of the current working directory
+#
+# Solves: Claude loses track of which directory it's in (#1669 — 71 reactions)
+#         Can lead to commands running in wrong directory, including
+#         destructive operations like git reset in the wrong repo.
+#
+# Emits the current working directory to stderr before every Bash command,
+# making it visible in the tool output so Claude always knows where it is.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/cwd-reminder.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+# Don't add noise to empty commands
+[ -z "$COMMAND" ] && exit 0
+
+# Get the working directory from the tool input if available,
+# otherwise use the process's cwd
+CWD=$(echo "$INPUT" | jq -r '.tool_input.working_directory // empty' 2>/dev/null)
+[ -z "$CWD" ] && CWD=$(pwd)
+
+echo "[cwd: $CWD]" >&2
+
+exit 0

package/examples/dependency-install-guard.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+# dependency-install-guard.sh — PreToolUse hook
+# Trigger: PreToolUse
+# Matcher: Bash
+#
+# Blocks unintended dependency installations (npm install, pip install,
+# gem install, cargo add, go get). Prevents:
+# - Supply chain attacks from unknown packages
+# - Dependency bloat from unnecessary installations
+# - Breaking lockfiles with unplanned additions
+#
+# Allowed:
+# - npm install (no args) — installs from existing lockfile
+# - npm ci — clean install from lockfile
+# - pip install -r requirements.txt — from requirements file
+# - Packages in ALLOWLIST (customize below)
+#
+# Usage: Add to settings.json as a PreToolUse hook on "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Normalize: collapse whitespace, extract first logical command
+CMD=$(echo "$COMMAND" | tr '\n' ' ' | sed 's/  */ /g')
+
+# --- Allowlist: packages you trust ---
+# Customize this list for your project
+ALLOWLIST="typescript|eslint|prettier|jest|vitest|@types/"
+
+# npm install <package> — block unless allowlisted
+if echo "$CMD" | grep -qiE 'npm\s+(install|i|add)\s+[a-z@]'; then
+    PKG=$(echo "$CMD" | grep -oiE 'npm\s+(install|i|add)\s+\S+' | awk '{print $NF}')
+    if echo "$PKG" | grep -qiE "^($ALLOWLIST)"; then
+        exit 0
+    fi
+    echo "🚫 Blocked: npm install $PKG (not in allowlist)" >&2
+    echo "Add to ALLOWLIST in dependency-install-guard.sh if intended." >&2
+    exit 2
+fi
+
+# npm install (no args) / npm ci — allowed (uses lockfile)
+if echo "$CMD" | grep -qiE 'npm\s+(install|i|ci)\s*($|[&|;])'; then
+    exit 0
+fi
+
+# pip install <package> — block unless from requirements
+if echo "$CMD" | grep -qiE 'pip3?\s+install\s+'; then
+    # Allow: pip install -r requirements.txt
+    if echo "$CMD" | grep -qiE 'pip3?\s+install\s+(-r|--requirement)\s+'; then
+        exit 0
+    fi
+    # Allow: pip install -e . (editable install)
+    if echo "$CMD" | grep -qiE 'pip3?\s+install\s+(-e|--editable)\s+'; then
+        exit 0
+    fi
+    PKG=$(echo "$CMD" | grep -oiE 'pip3?\s+install\s+\S+' | awk '{print $NF}')
+    echo "🚫 Blocked: pip install $PKG" >&2
+    echo "Use 'pip install -r requirements.txt' or add to allowlist." >&2
+    exit 2
+fi
+
+# gem install — block
+if echo "$CMD" | grep -qiE 'gem\s+install\s+[a-z]'; then
+    PKG=$(echo "$CMD" | grep -oiE 'gem\s+install\s+\S+' | awk '{print $NF}')
+    echo "🚫 Blocked: gem install $PKG" >&2
+    exit 2
+fi
+
+# cargo add — block
+if echo "$CMD" | grep -qiE 'cargo\s+add\s+[a-z]'; then
+    PKG=$(echo "$CMD" | grep -oiE 'cargo\s+add\s+\S+' | awk '{print $NF}')
+    echo "🚫 Blocked: cargo add $PKG" >&2
+    exit 2
+fi
+
+# go get — block
+if echo "$CMD" | grep -qiE 'go\s+get\s+[a-z]'; then
+    PKG=$(echo "$CMD" | grep -oiE 'go\s+get\s+\S+' | awk '{print $NF}')
+    echo "🚫 Blocked: go get $PKG" >&2
+    exit 2
+fi
+
+exit 0

package/examples/deploy-guard.sh

@@ -24,7 +24,7 @@ COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 [[ -z "$COMMAND" ]] && exit 0
 
 # Detect deploy commands
-if ! echo "$COMMAND" | grep -qiE '(rsync|scp|deploy|firebase\s+deploy|vercel|netlify\s+deploy|fly\s+deploy|railway\s+up|git\s+push\s+heroku)'; then
+if ! echo "$COMMAND" | grep -qiE '(rsync|scp|deploy|firebase\s+deploy|vercel|netlify\s+deploy|fly\s+deploy|railway\s+up|git\s+push\s+heroku|kubectl\s+(apply|create|delete|rollout)|terraform\s+(apply|destroy))'; then
     exit 0
 fi
 

package/examples/detect-mixed-indentation.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# detect-mixed-indentation.sh — Warn about mixed tabs/spaces
+#
+# Prevents: Indentation errors from mixing tabs and spaces.
+#           Common when Claude pastes code from different sources.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+[ ! -f "$FILE" ] && exit 0
+
+# Skip binary files and makefiles (which require tabs)
+case "$(basename "$FILE")" in
+  Makefile|makefile|GNUmakefile) exit 0 ;;
+esac
+
+case "$FILE" in
+  *.py|*.js|*.ts|*.tsx|*.jsx|*.yaml|*.yml|*.rb|*.go) ;;
+  *) exit 0 ;;
+esac
+
+HAS_TABS=$(grep -cP '^\t' "$FILE" 2>/dev/null || echo 0)
+HAS_SPACES=$(grep -cP '^ {2,}' "$FILE" 2>/dev/null || echo 0)
+
+if [ "$HAS_TABS" -gt 0 ] && [ "$HAS_SPACES" -gt 0 ]; then
+  echo "WARNING: Mixed tabs and spaces in $FILE ($HAS_TABS tab-lines, $HAS_SPACES space-lines)." >&2
+  echo "  Standardize to one indentation style." >&2
+fi
+
+exit 0

package/examples/disk-space-check.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# disk-space-check.sh — Warn if disk space is low at session start
+#
+# Prevents: Autonomous sessions crashing due to disk full
+#           npm install, git operations, and file writes fail silently
+#           when disk space runs out during long-running sessions.
+#
+# Checks: root filesystem usage percentage
+# Warns at: 80% (yellow), 90% (red), 95% (critical)
+#
+# TRIGGER: Notification
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "Notification": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/disk-space-check.sh" }]
+#     }]
+#   }
+# }
+
+# Only run once per session
+MARKER="/tmp/cc-disk-check-$$"
+[ -f "$MARKER" ] && exit 0
+
+# Get disk usage percentage for root filesystem
+USAGE=$(df / 2>/dev/null | awk 'NR==2 {gsub(/%/,""); print $5}')
+[ -z "$USAGE" ] && exit 0
+
+if [ "$USAGE" -ge 95 ]; then
+  echo "CRITICAL: Disk usage at ${USAGE}%. Operations may fail." >&2
+  echo "  Free space immediately: docker system prune, rm tmp files" >&2
+elif [ "$USAGE" -ge 90 ]; then
+  echo "WARNING: Disk usage at ${USAGE}%. Consider freeing space." >&2
+elif [ "$USAGE" -ge 80 ]; then
+  echo "NOTE: Disk usage at ${USAGE}%." >&2
+fi
+
+touch "$MARKER"
+exit 0

package/examples/docker-dangerous-guard.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# docker-dangerous-guard.sh — Block dangerous Docker operations
+#
+# Prevents: docker system prune -a, docker rm -f on running containers,
+#           docker run --privileged, docker exec as root on production containers.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/docker-dangerous-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Block docker system prune -a (removes all images)
+if echo "$COMMAND" | grep -qE 'docker\s+system\s+prune\s+.*-a'; then
+  echo "BLOCKED: docker system prune -a removes all unused images." >&2
+  echo "  Use 'docker system prune' (without -a) to keep tagged images." >&2
+  exit 2
+fi
+
+# Block docker run --privileged
+if echo "$COMMAND" | grep -qE 'docker\s+run\s+.*--privileged'; then
+  echo "BLOCKED: --privileged gives full host access to the container." >&2
+  exit 2
+fi
+
+# Warn on docker rm -f (force remove)
+if echo "$COMMAND" | grep -qE 'docker\s+(rm|container\s+rm)\s+.*-f'; then
+  echo "WARNING: Force-removing container. Data in the container will be lost." >&2
+fi
+
+# Block docker run with host network and port 22/80/443
+if echo "$COMMAND" | grep -qE 'docker\s+run.*--network\s+host'; then
+  echo "WARNING: --network host exposes all container ports on the host." >&2
+fi
+
+exit 0

package/examples/dockerfile-lint.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+# dockerfile-lint.sh — Basic Dockerfile validation after editing
+#
+# Prevents: Common Dockerfile mistakes:
+#           - Missing FROM instruction
+#           - Using latest tag (non-reproducible builds)
+#           - Running as root without explicit USER
+#           - COPY/ADD before dependency install (cache invalidation)
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Write|Edit",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/dockerfile-lint.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Only check Dockerfiles
+BASENAME=$(basename "$FILE")
+case "$BASENAME" in
+  Dockerfile|Dockerfile.*|*.dockerfile) ;;
+  *) exit 0 ;;
+esac
+
+[ ! -f "$FILE" ] && exit 0
+
+WARNINGS=""
+
+# Check for FROM instruction
+if ! grep -qE '^FROM\s' "$FILE"; then
+  WARNINGS="${WARNINGS}\n  Missing FROM instruction"
+fi
+
+# Check for :latest tag
+if grep -qE '^FROM\s+\S+:latest' "$FILE"; then
+  WARNINGS="${WARNINGS}\n  Using :latest tag (non-reproducible)"
+fi
+
+# Check for no USER instruction (running as root)
+if ! grep -qE '^USER\s' "$FILE"; then
+  WARNINGS="${WARNINGS}\n  No USER instruction (container runs as root)"
+fi
+
+if [ -n "$WARNINGS" ]; then
+  echo "Dockerfile warnings in $FILE:" >&2
+  echo -e "$WARNINGS" >&2
+fi
+
+exit 0

package/examples/edit-always-allow.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+# edit-always-allow.sh — Auto-approve all Edit prompts in configured directories
+#
+# Solves: --dangerously-skip-permissions doesn't bypass Edit prompts
+#         (#36192, #36168 — bypass permissions broken since v2.1.78)
+#
+# Claude Code v2.1.78+ prompts for Edit in .claude/, .git/, .vscode/
+# even with bypassPermissions enabled. This PermissionRequest hook
+# restores the pre-v2.1.78 behavior for specified directories.
+#
+# Configure allowed directories via CC_EDIT_ALLOW_DIRS env var:
+#   export CC_EDIT_ALLOW_DIRS=".claude/skills:.claude/commands"
+# Default: .claude/skills
+#
+# TRIGGER: PermissionRequest
+# MATCHER: "Edit|Write"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PermissionRequest": [{
+#       "matcher": "Edit|Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/edit-always-allow.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Only handle Edit/Write
+case "$TOOL" in
+  Edit|Write) ;;
+  *) exit 0 ;;
+esac
+
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Configurable allowed directories (colon-separated)
+ALLOW_DIRS="${CC_EDIT_ALLOW_DIRS:-.claude/skills}"
+
+# Check if file is in an allowed directory
+IFS=':' read -ra DIRS <<< "$ALLOW_DIRS"
+for dir in "${DIRS[@]}"; do
+  if echo "$FILE" | grep -q "$dir"; then
+    echo '{"permissionDecision":"allow"}'
+    exit 0
+  fi
+done
+
+# Not in allowed directories — let the prompt through
+exit 0

package/examples/env-file-gitignore-check.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# env-file-gitignore-check.sh — Warn if .env is not in .gitignore
+#
+# Prevents: Accidental commit of .env files containing secrets.
+#           Checks on session start if .env exists but .gitignore
+#           doesn't exclude it.
+#
+# TRIGGER: Notification
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "Notification": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/env-file-gitignore-check.sh" }]
+#     }]
+#   }
+# }
+
+# Only run once per session
+MARKER="/tmp/cc-env-gitignore-$$"
+[ -f "$MARKER" ] && exit 0
+
+# Check if we're in a git repo
+git rev-parse --git-dir >/dev/null 2>&1 || { touch "$MARKER"; exit 0; }
+
+# Check if .env exists
+[ -f ".env" ] || { touch "$MARKER"; exit 0; }
+
+# Check if .env is in .gitignore
+if ! git check-ignore -q .env 2>/dev/null; then
+  echo "WARNING: .env file exists but is not in .gitignore!" >&2
+  echo "  Add '.env' to .gitignore to prevent accidental commit." >&2
+  echo "  echo '.env' >> .gitignore" >&2
+fi
+
+touch "$MARKER"
+exit 0

package/examples/env-source-guard.sh

@@ -32,7 +32,7 @@ if [[ -z "$COMMAND" ]]; then
 fi
 
 # Block direct sourcing of .env files
-if echo "$COMMAND" | grep -qE '(source|\.\s)\s+\.env'; then
+if echo "$COMMAND" | grep -qE '(source|\.)\s+\.env'; then
     echo "BLOCKED: Sourcing .env into shell environment." >&2
     echo "Command: $COMMAND" >&2
     echo "" >&2

package/examples/file-change-tracker.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# file-change-tracker.sh — Track all file modifications in a session
+#
+# Solves: Hard to know which files Claude modified during a session.
+#         Git diff shows the final state but not the order of changes.
+#         This log shows every Write/Edit in chronological order.
+#
+# How it works: PostToolUse hook for Write/Edit that logs each change.
+#               Creates a timestamped changelog at ~/.claude/session-changes.log
+#
+# Usage: Add to settings.json as a PostToolUse hook
+#
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/file-change-tracker.sh" }]
+#     }, {
+#       "matcher": "Edit",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/file-change-tracker.sh" }]
+#     }]
+#   }
+# }
+#
+# View changes: cat ~/.claude/session-changes.log
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+[ -z "$TOOL" ] && exit 0
+
+LOG_FILE="${CC_CHANGE_LOG:-$HOME/.claude/session-changes.log}"
+TIMESTAMP=$(date '+%H:%M:%S')
+
+case "$TOOL" in
+    Write)
+        FILEPATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+        CONTENT_LEN=$(echo "$INPUT" | jq -r '.tool_input.content // empty' 2>/dev/null | wc -c)
+        echo "$TIMESTAMP WRITE $FILEPATH (${CONTENT_LEN}B)" >> "$LOG_FILE" 2>/dev/null
+        ;;
+    Edit)
+        FILEPATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+        OLD_LEN=$(echo "$INPUT" | jq -r '.tool_input.old_string // empty' 2>/dev/null | wc -c)
+        NEW_LEN=$(echo "$INPUT" | jq -r '.tool_input.new_string // empty' 2>/dev/null | wc -c)
+        echo "$TIMESTAMP EDIT  $FILEPATH (${OLD_LEN}B → ${NEW_LEN}B)" >> "$LOG_FILE" 2>/dev/null
+        ;;
+esac
+
+exit 0

package/examples/git-stash-before-danger.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+# git-stash-before-danger.sh — Auto-stash before risky git operations
+#
+# Solves: Losing uncommitted work when Claude runs git checkout, git reset, or git pull
+#         Related: data loss incidents reported in #36339, #37331
+#
+# How it works: PreToolUse hook that auto-runs `git stash push -m "cc-auto-stash"`
+#               before destructive git operations. The stash can be recovered with
+#               `git stash pop`.
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/git-stash-before-danger.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Only act on risky git operations
+RISKY=false
+if echo "$COMMAND" | grep -qE 'git\s+(checkout|reset|pull|merge|rebase|cherry-pick)\s'; then
+    RISKY=true
+fi
+
+if [ "$RISKY" = false ]; then
+    exit 0
+fi
+
+# Check if we're in a git repo with uncommitted changes
+if ! git rev-parse --is-inside-work-tree > /dev/null 2>&1; then
+    exit 0
+fi
+
+# Check for uncommitted changes
+if git diff --quiet HEAD 2>/dev/null && git diff --cached --quiet 2>/dev/null; then
+    # No changes — nothing to stash
+    exit 0
+fi
+
+# Auto-stash
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+git stash push -m "cc-auto-stash-$TIMESTAMP (before: $COMMAND)" > /dev/null 2>&1
+
+if [ $? -eq 0 ]; then
+    echo "INFO: Auto-stashed uncommitted changes before risky operation" >&2
+    echo "Recovery: git stash pop" >&2
+fi
+
+# Don't block — just stash and let the command proceed
+exit 0

package/examples/github-actions-guard.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# github-actions-guard.sh — Validate GitHub Actions workflow changes
+#
+# Prevents: Broken CI/CD pipelines from workflow syntax errors.
+#           Claude sometimes generates invalid workflow YAML.
+#
+# Checks:
+#   - Workflow must have 'on' trigger
+#   - Job names must exist
+#   - 'uses' actions should have version pins
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Only check GitHub Actions workflow files
+echo "$FILE" | grep -qE '\.github/workflows/.*\.ya?ml$' || exit 0
+[ ! -f "$FILE" ] && exit 0
+
+WARNINGS=""
+
+# Check for 'on' trigger
+if ! grep -qE '^on:' "$FILE"; then
+  WARNINGS="${WARNINGS}\n  Missing 'on:' trigger definition"
+fi
+
+# Check for unpinned actions (uses: without @sha or @v)
+UNPINNED=$(grep -E '^\s*uses:\s+\S+' "$FILE" | grep -v '@' | head -3)
+if [ -n "$UNPINNED" ]; then
+  WARNINGS="${WARNINGS}\n  Unpinned action versions (use @v or @sha):"
+  echo "$UNPINNED" | while read -r line; do
+    WARNINGS="${WARNINGS}\n    $line"
+  done
+fi
+
+# Check for 'runs-on' in jobs
+if grep -qE '^\s+jobs:' "$FILE" && ! grep -qE 'runs-on:' "$FILE"; then
+  WARNINGS="${WARNINGS}\n  Jobs missing 'runs-on' runner specification"
+fi
+
+if [ -n "$WARNINGS" ]; then
+  echo "GitHub Actions warnings in $FILE:" >&2
+  echo -e "$WARNINGS" >&2
+fi
+
+exit 0