cc-safe-setup 29.5.0 → 29.6.1

package/examples/rm-safety-net.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+# rm-safety-net.sh — Extra layer of rm protection beyond destructive-guard
+#
+# Solves: rm commands executing without permission prompts even when not in allow list
+#         (#38607 — rm bypasses settings.json permission system)
+#
+# Difference from destructive-guard:
+#   destructive-guard blocks: rm -rf /, rm -rf ~/, rm -rf ../, sudo rm -rf
+#   This hook blocks: ALL rm commands on important paths, even non-recursive
+#
+# What it blocks:
+#   rm (any flags) on: /, ~, .., /home, /etc, /usr, /var, .git, .env
+#   find -delete (any path)
+#   shred (any file)
+#   unlink on critical paths
+#
+# What it allows:
+#   rm on safe targets: node_modules, dist, build, __pycache__, .cache, /tmp
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/rm-safety-net.sh" }]
+#     }]
+#   }
+# }
+#
+# Note: This hook checks rm, find -delete, and shred. Do NOT add an "if" field
+# (v2.1.85) because "if" only supports one pattern and would miss the others.
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# --- rm command analysis ---
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?rm\s'; then
+    # Safe targets that can be deleted freely
+    SAFE_TARGETS="node_modules|dist|build|__pycache__|\.cache|\.pytest_cache|coverage|\.nyc_output|\.next|\.nuxt|tmp|temp"
+
+    # Extract the target (last argument after flags)
+    TARGET=$(echo "$COMMAND" | grep -oP 'rm\s+[^;|&]*' | awk '{print $NF}')
+
+    # Block path traversal early
+    if echo "$TARGET" | grep -qF '..'; then
+        echo "BLOCKED: path traversal detected in rm target" >&2
+        exit 2
+    fi
+
+    # Allow safe targets
+    if echo "$TARGET" | grep -qE "^(\./)?(${SAFE_TARGETS})(/|$)"; then
+        exit 0
+    fi
+
+    # Allow /tmp paths
+    if echo "$TARGET" | grep -qE "^/tmp/"; then
+        exit 0
+    fi
+
+    # Block rm on critical paths
+    CRITICAL="^/\$|^/home|^/etc|^/usr|^/var|^/opt|^/root|^~|^\.\.|^\.git$|^\.env"
+    if echo "$TARGET" | grep -qE "$CRITICAL"; then
+        echo "BLOCKED: rm targeting critical path: $TARGET" >&2
+        exit 2
+    fi
+
+    # Block rm -rf on any non-safe path (extra safety)
+    if echo "$COMMAND" | grep -qE 'rm\s+.*-[rRf]*[rR][rRf]*'; then
+        # rm -rf on non-safe, non-tmp target — block unless it's a known safe directory
+        if ! echo "$TARGET" | grep -qE "^(\./)?(${SAFE_TARGETS})(/|$)|^/tmp/"; then
+            echo "BLOCKED: rm -rf on non-safe target: $TARGET" >&2
+            exit 2
+        fi
+    fi
+fi
+
+# --- find -delete ---
+if echo "$COMMAND" | grep -qE 'find\s.*-delete'; then
+    # Allow find in safe directories only
+    FIND_PATH=$(echo "$COMMAND" | grep -oP 'find\s+\K[^\s]+')
+    if echo "$FIND_PATH" | grep -qE '^\.|^node_modules|^dist|^build|^/tmp'; then
+        exit 0
+    fi
+    echo "BLOCKED: find -delete outside safe directory: $FIND_PATH" >&2
+    exit 2
+fi
+
+# --- shred ---
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?shred\s'; then
+    echo "BLOCKED: shred command (secure file deletion)" >&2
+    exit 2
+fi
+
+exit 0

package/examples/rust-clippy-after-edit.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# rust-clippy-after-edit.sh — Run cargo clippy after editing Rust files
+#
+# Prevents: Common Rust anti-patterns and potential bugs.
+#           Clippy catches: needless borrows, inefficient patterns,
+#           suspicious operations.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+case "$FILE" in
+  *.rs) ;;
+  *) exit 0 ;;
+esac
+
+[ ! -f "$FILE" ] && exit 0
+
+# Find Cargo.toml
+DIR=$(dirname "$FILE")
+while [ "$DIR" != "/" ]; do
+  [ -f "$DIR/Cargo.toml" ] && break
+  DIR=$(dirname "$DIR")
+done
+
+if [ -f "$DIR/Cargo.toml" ] && command -v cargo >/dev/null 2>&1; then
+  WARNINGS=$(cd "$DIR" && cargo clippy --quiet 2>&1 | grep "^warning" | head -3)
+  if [ -n "$WARNINGS" ]; then
+    echo "Clippy warnings:" >&2
+    echo "$WARNINGS" | sed 's/^/  /' >&2
+  fi
+fi
+
+exit 0

package/examples/session-quota-tracker.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# session-quota-tracker.sh — Track cumulative tool calls per session
+#
+# Solves: Token consumption spiraling without warning (#23706, #38335)
+#         Users hit Max plan limits unexpectedly. This hook tracks
+#         tool call count per session and warns at thresholds.
+#
+# Tracks: cumulative tool calls in a session file
+# Warns at: 50, 100, 200, 500 tool calls
+#
+# TRIGGER: PostToolUse
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/session-quota-tracker.sh" }]
+#     }]
+#   }
+# }
+
+# Session tracking file
+SESSION_FILE="/tmp/cc-quota-tracker-$$"
+
+# Increment counter
+if [ -f "$SESSION_FILE" ]; then
+  COUNT=$(cat "$SESSION_FILE")
+  COUNT=$((COUNT + 1))
+else
+  COUNT=1
+fi
+echo "$COUNT" > "$SESSION_FILE"
+
+# Warn at thresholds
+case "$COUNT" in
+  50)  echo "[Session: 50 tool calls. Consider saving work.]" >&2 ;;
+  100) echo "[Session: 100 tool calls. Token usage may be high.]" >&2 ;;
+  200) echo "[Session: 200 tool calls. Check your usage dashboard.]" >&2 ;;
+  500) echo "[Session: 500 tool calls. Consider starting a new session.]" >&2 ;;
+esac
+
+exit 0

package/examples/session-start-safety-check.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# session-start-safety-check.sh — Warn about uncommitted changes on session start
+#
+# Solves: Claude Code running destructive git commands on session startup
+#         that destroy uncommitted work (#34327, #39394)
+#
+# How it works:
+#   On SessionStart, checks for:
+#   1. Uncommitted changes (modified/new files)
+#   2. Unpushed commits
+#   3. Stashed changes that may need attention
+#
+#   Prints warnings but does NOT block (exit 0 always).
+#   The goal is awareness, not prevention.
+#
+# TRIGGER: SessionStart
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "SessionStart": [{
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/session-start-safety-check.sh" }]
+#     }]
+#   }
+# }
+
+# Only run in git repos
+git rev-parse --git-dir > /dev/null 2>&1 || exit 0
+
+WARNINGS=0
+
+# Check for uncommitted changes
+CHANGES=$(git status --porcelain 2>/dev/null | wc -l)
+if [ "$CHANGES" -gt 0 ]; then
+    echo "⚠ WARNING: $CHANGES uncommitted changes detected." >&2
+    echo "  Consider: git stash  (before destructive operations)" >&2
+    WARNINGS=$((WARNINGS + 1))
+fi
+
+# Check for unpushed commits
+UNPUSHED=$(git log --oneline @{upstream}..HEAD 2>/dev/null | wc -l)
+if [ "$UNPUSHED" -gt 0 ]; then
+    echo "⚠ WARNING: $UNPUSHED unpushed commits." >&2
+    echo "  Consider: git push  (to protect against local data loss)" >&2
+    WARNINGS=$((WARNINGS + 1))
+fi
+
+# Check for stashes
+STASHES=$(git stash list 2>/dev/null | wc -l)
+if [ "$STASHES" -gt 0 ]; then
+    echo "ℹ NOTE: $STASHES stashed changes exist." >&2
+    echo "  Review: git stash list" >&2
+fi
+
+if [ "$WARNINGS" -eq 0 ]; then
+    echo "✓ Working tree clean, all commits pushed." >&2
+fi
+
+exit 0

package/examples/session-summary-stop.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# session-summary-stop.sh — Print session change summary on stop
+#
+# Solves: No quick way to see what Claude changed during a session.
+#         Git diff shows code changes but not the full picture.
+#
+# How it works: Stop hook that runs `git diff --stat` and outputs
+#               a summary of all modified files since the session started.
+#
+# Usage: Add to settings.json as a Stop hook
+#
+# {
+#   "hooks": {
+#     "Stop": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/session-summary-stop.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+
+# Only run if in a git repo
+if ! git rev-parse --is-inside-work-tree > /dev/null 2>&1; then
+    exit 0
+fi
+
+# Get change summary
+CHANGES=$(git diff --stat HEAD 2>/dev/null)
+STAGED=$(git diff --cached --stat 2>/dev/null)
+UNTRACKED=$(git ls-files --others --exclude-standard 2>/dev/null | wc -l)
+
+if [ -n "$CHANGES" ] || [ -n "$STAGED" ] || [ "$UNTRACKED" -gt 0 ]; then
+    echo "--- Session Change Summary ---" >&2
+    if [ -n "$CHANGES" ]; then
+        echo "Modified:" >&2
+        echo "$CHANGES" | head -20 >&2
+    fi
+    if [ -n "$STAGED" ]; then
+        echo "Staged:" >&2
+        echo "$STAGED" | head -10 >&2
+    fi
+    if [ "$UNTRACKED" -gt 0 ]; then
+        echo "Untracked files: $UNTRACKED" >&2
+    fi
+    echo "---" >&2
+fi
+
+exit 0

package/examples/session-time-limit.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# session-time-limit.sh — Warn when session exceeds time limit
+#
+# Prevents: Unbounded autonomous sessions that consume excessive tokens.
+#           Default: warn at 2 hours, configurable via CC_SESSION_LIMIT_HOURS.
+#
+# TRIGGER: PostToolUse
+# MATCHER: ""
+
+INPUT=$(cat)
+
+# Track session start
+MARKER="/tmp/cc-session-start-$$"
+NOW=$(date +%s)
+
+if [ ! -f "$MARKER" ]; then
+  echo "$NOW" > "$MARKER"
+  exit 0
+fi
+
+START=$(cat "$MARKER")
+ELAPSED=$(( (NOW - START) / 60 ))  # minutes
+LIMIT_HOURS="${CC_SESSION_LIMIT_HOURS:-2}"
+LIMIT_MIN=$((LIMIT_HOURS * 60))
+WARN_MIN=$((LIMIT_MIN * 3 / 4))  # warn at 75%
+
+if [ "$ELAPSED" -ge "$LIMIT_MIN" ]; then
+  echo "SESSION TIME LIMIT: ${ELAPSED}min elapsed (limit: ${LIMIT_HOURS}h)." >&2
+  echo "  Consider saving work and starting a new session." >&2
+elif [ "$ELAPSED" -ge "$WARN_MIN" ]; then
+  echo "[Session: ${ELAPSED}min / ${LIMIT_HOURS}h limit]" >&2
+fi
+
+exit 0

package/examples/session-token-counter.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# session-token-counter.sh — Track tool usage count per session
+#
+# Solves: No visibility into how many tool calls a session makes.
+#         Useful for detecting runaway loops and estimating costs.
+#         Warns at configurable thresholds (default: 100, 200, 500).
+#
+# How it works: PostToolUse hook that increments a counter file.
+#               At threshold crossings, outputs a warning to stderr.
+#               Does NOT block — just tracks and warns.
+#
+# Usage: Add to settings.json as a PostToolUse hook
+#
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/session-token-counter.sh" }]
+#     }]
+#   }
+# }
+#
+# Environment variables:
+#   CC_TOOL_WARN_100  — threshold 1 (default: 100)
+#   CC_TOOL_WARN_200  — threshold 2 (default: 200)
+#   CC_TOOL_WARN_500  — threshold 3 (default: 500)
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+[ -z "$TOOL" ] && exit 0
+
+# Use a session-specific counter file
+COUNTER_FILE="${CC_TOOL_COUNTER:-/tmp/cc-session-tool-count-$$}"
+
+# Initialize if not exists
+if [ ! -f "$COUNTER_FILE" ]; then
+    echo "0" > "$COUNTER_FILE"
+fi
+
+# Increment
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo "0")
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+
+# Check thresholds
+WARN_1=${CC_TOOL_WARN_100:-100}
+WARN_2=${CC_TOOL_WARN_200:-200}
+WARN_3=${CC_TOOL_WARN_500:-500}
+
+if [ "$COUNT" -eq "$WARN_1" ]; then
+    echo "INFO: Session has made $COUNT tool calls. Consider whether you're in a loop." >&2
+elif [ "$COUNT" -eq "$WARN_2" ]; then
+    echo "WARNING: Session has made $COUNT tool calls. High usage may indicate a runaway loop." >&2
+elif [ "$COUNT" -eq "$WARN_3" ]; then
+    echo "CRITICAL: Session has made $COUNT tool calls. Very high usage — review session behavior." >&2
+fi
+
+exit 0

package/examples/temp-file-cleanup.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# temp-file-cleanup.sh — Stop hook
+# Trigger: Stop
+# Matcher: (empty — runs on session end)
+#
+# Cleans up temporary files created by Claude Code sessions.
+# Claude Code creates /tmp/claude-*-cwd files for directory tracking
+# but never deletes them, accumulating 500+ files/day.
+#
+# See: https://github.com/anthropics/claude-code/issues/8856
+#
+# Usage: Add to settings.json as a Stop hook
+#
+# {
+#   "hooks": {
+#     "Stop": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "bash /path/to/temp-file-cleanup.sh" }]
+#     }]
+#   }
+# }
+
+# Count before cleanup
+COUNT=$(find /tmp -maxdepth 1 -name "claude-*" -type f 2>/dev/null | wc -l)
+
+if [ "$COUNT" -eq 0 ]; then
+    exit 0
+fi
+
+# Clean up Claude Code temp files older than 1 hour
+find /tmp -maxdepth 1 -name "claude-*-cwd" -type f -mmin +60 -delete 2>/dev/null
+find /tmp -maxdepth 1 -name "claude-*" -type f -mmin +60 -delete 2>/dev/null
+
+REMAINING=$(find /tmp -maxdepth 1 -name "claude-*" -type f 2>/dev/null | wc -l)
+CLEANED=$((COUNT - REMAINING))
+
+if [ "$CLEANED" -gt 0 ]; then
+    echo "Cleaned $CLEANED Claude temp files (${REMAINING} recent files kept)" >&2
+fi
+
+exit 0

package/examples/test-before-push.sh

@@ -12,10 +12,17 @@
 #   "hooks": {
 #     "PreToolUse": [{
 #       "matcher": "Bash",
-#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/test-before-push.sh" }]
+#       "hooks": [{
+#         "type": "command",
+#         "if": "Bash(git push *)",
+#         "command": "~/.claude/hooks/test-before-push.sh"
+#       }]
 #     }]
 #   }
 # }
+#
+# The "if" field (v2.1.85+) eliminates process spawning for non-push commands.
+# Without "if", the hook still works — it checks internally and exits early.
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/test-coverage-reminder.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# test-coverage-reminder.sh — Remind to run tests after code changes
+#
+# Prevents: Pushing untested code. Claude often edits files
+#           without running the test suite afterward.
+#
+# Tracks: number of Edit/Write calls since last test run.
+# Warns at: 5 edits without tests, blocks at 10.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit|Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Write|Edit|Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/test-coverage-reminder.sh" }]
+#     }]
+#   }
+# }
+
+COUNTER_FILE="/tmp/cc-edit-since-test-$$"
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+case "$TOOL" in
+  Write|Edit)
+    # Increment edit counter
+    COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+    COUNT=$((COUNT + 1))
+    echo "$COUNT" > "$COUNTER_FILE"
+
+    if [ "$COUNT" -eq 5 ]; then
+      echo "REMINDER: 5 files changed since last test run. Consider running tests." >&2
+    elif [ "$COUNT" -ge 10 ]; then
+      echo "WARNING: $COUNT files changed without running tests. Run tests now." >&2
+    fi
+    ;;
+  Bash)
+    # Reset counter if a test command was run
+    CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+    if echo "$CMD" | grep -qiE '(npm\s+test|npx\s+jest|npx\s+vitest|pytest|go\s+test|cargo\s+test|make\s+test|bash\s+test)'; then
+      echo "0" > "$COUNTER_FILE"
+    fi
+    ;;
+esac
+
+exit 0

package/examples/test-exit-code-verify.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# test-exit-code-verify.sh — Verify test command exit codes match results
+#
+# Problem: Claude reports "tests passed" even when they didn't run or failed.
+# This PostToolUse hook checks the actual exit code of test commands and
+# emits a warning if the exit code indicates failure.
+#
+# GitHub Issue: #1501 (Claude reports false test results)
+#
+# Usage: Add to settings.json as a PostToolUse hook on "Bash"
+#
+# How it works:
+# 1. Detects test-like commands (npm test, pytest, jest, go test, etc.)
+# 2. Checks the actual exit code from tool output
+# 3. If exit code != 0, warns Claude via stderr so it cannot claim success
+# 4. If no output was captured, warns about phantom test runs
+#
+# Why stderr: PostToolUse hook stderr is shown to Claude as feedback.
+# This forces Claude to acknowledge test failures instead of fabricating results.
+
+INPUT=$(cat)
+
+# Extract command and exit code
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+EXIT_CODE=$(echo "$INPUT" | jq -r '.tool_result.exitCode // .tool_result.exit_code // empty' 2>/dev/null)
+STDOUT=$(echo "$INPUT" | jq -r '.tool_result.stdout // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Detect test commands
+is_test_command() {
+    local cmd="$1"
+    echo "$cmd" | grep -qiE '(npm\s+test|npx\s+jest|npx\s+vitest|pytest|python\s+-m\s+pytest|go\s+test|cargo\s+test|bundle\s+exec\s+rspec|mix\s+test|dotnet\s+test|mvn\s+test|gradle\s+test|make\s+test|bash\s+test\.sh)'
+}
+
+if ! is_test_command "$COMMAND"; then
+    exit 0
+fi
+
+# Check exit code
+if [ -n "$EXIT_CODE" ] && [ "$EXIT_CODE" != "0" ]; then
+    echo "⚠️ TEST FAILURE DETECTED" >&2
+    echo "Command: $(echo "$COMMAND" | head -c 100)" >&2
+    echo "Exit code: $EXIT_CODE" >&2
+    echo "Do NOT report these tests as passing. The exit code proves failure." >&2
+    echo "Re-read the output above and fix the failing tests." >&2
+    exit 0
+fi
+
+# Check for empty output (phantom test run)
+if [ -z "$STDOUT" ] || [ ${#STDOUT} -lt 10 ]; then
+    echo "⚠️ TEST OUTPUT SUSPICIOUSLY SHORT" >&2
+    echo "Command: $(echo "$COMMAND" | head -c 100)" >&2
+    echo "Output length: ${#STDOUT} chars" >&2
+    echo "Verify tests actually ran. Short output may indicate no tests executed." >&2
+    exit 0
+fi
+
+# Tests appear to have run and passed
+exit 0

package/examples/tool-file-logger.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# tool-file-logger.sh — Log file paths from Read/Write/Edit to stderr
+#
+# Solves: "No indication of WHICH file for READ tool" (#21151 — 180 reactions)
+#         Users must expand every Read/Write/Edit to see the file path.
+#         This hook shows the file path in the collapsed view.
+#
+# Output format:
+#   [Read: src/components/App.tsx]
+#   [Write: package.json]
+#   [Edit: src/utils/helpers.ts]
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Read|Write|Edit"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Read|Write|Edit",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/tool-file-logger.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ -z "$TOOL" ] && exit 0
+
+# Extract file path from tool input
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Show just the filename for brevity, full path available in expanded view
+BASENAME=$(basename "$FILE")
+DIR=$(dirname "$FILE")
+
+# For paths inside home directory, show relative path
+if echo "$DIR" | grep -q "^$HOME"; then
+  RELDIR=$(echo "$DIR" | sed "s|^$HOME|~|")
+  echo "[$TOOL: $RELDIR/$BASENAME]" >&2
+else
+  echo "[$TOOL: $FILE]" >&2
+fi
+
+exit 0

package/examples/typescript-lint-on-edit.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# typescript-lint-on-edit.sh — Run TypeScript type check after editing .ts/.tsx files
+#
+# TRIGGER: PostToolUse
+# MATCHER: Edit
+#
+# Best with v2.1.85 "if" field:
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Edit",
+#       "hooks": [{
+#         "type": "command",
+#         "if": "Edit(*.ts)",
+#         "command": "~/.claude/hooks/typescript-lint-on-edit.sh"
+#       }]
+#     }]
+#   }
+# }
+#
+# Without "if", the hook checks file extension internally.
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+# Skip non-TypeScript files
+case "$FILE" in
+    *.ts|*.tsx) ;;
+    *) exit 0 ;;
+esac
+
+[ ! -f "$FILE" ] && exit 0
+
+# Find tsconfig.json in parent directories
+DIR=$(dirname "$FILE")
+TSCONFIG=""
+while [ "$DIR" != "/" ]; do
+    if [ -f "$DIR/tsconfig.json" ]; then
+        TSCONFIG="$DIR/tsconfig.json"
+        break
+    fi
+    DIR=$(dirname "$DIR")
+done
+
+# No tsconfig = no type checking possible
+[ -z "$TSCONFIG" ] && exit 0
+
+# Run tsc --noEmit on the specific file
+PROJECT_DIR=$(dirname "$TSCONFIG")
+ISSUES=$(cd "$PROJECT_DIR" && npx tsc --noEmit --pretty false 2>&1 | grep "$(basename "$FILE")" | head -10)
+
+if [ -n "$ISSUES" ]; then
+    COUNT=$(echo "$ISSUES" | wc -l)
+    echo "⚠ TypeScript: $COUNT error(s) in $(basename "$FILE")" >&2
+    echo "$ISSUES" | head -5 >&2
+    if [ "$COUNT" -gt 5 ]; then
+        echo "  ... and $((COUNT - 5)) more" >&2
+    fi
+fi
+
+exit 0