cc-safe-setup 29.5.0 → 29.6.1

package/examples/typescript-strict-check.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# typescript-strict-check.sh — Warn when TypeScript strict mode is disabled
+#
+# Prevents: Claude silently setting "strict": false in tsconfig.json
+#           to bypass type errors instead of fixing them.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+BASENAME=$(basename "$FILE")
+[ "$BASENAME" != "tsconfig.json" ] && exit 0
+[ ! -f "$FILE" ] && exit 0
+
+# Check if strict is explicitly set to false
+if python3 -c "
+import json
+with open('$FILE') as f:
+    config = json.load(f)
+opts = config.get('compilerOptions', {})
+if opts.get('strict') == False:
+    exit(1)
+if opts.get('noImplicitAny') == False:
+    exit(1)
+" 2>/dev/null; then
+  : # OK
+else
+  echo "WARNING: TypeScript strict mode is disabled in $FILE." >&2
+  echo "  Consider enabling 'strict: true' for better type safety." >&2
+fi
+
+exit 0

package/examples/uncommitted-changes-stop.sh

@@ -0,0 +1,16 @@
+INPUT=$(cat)
+if ! git rev-parse --is-inside-work-tree > /dev/null 2>&1; then
+    exit 0
+fi
+MODIFIED=$(git diff --name-only 2>/dev/null | wc -l)
+STAGED=$(git diff --cached --name-only 2>/dev/null | wc -l)
+UNTRACKED=$(git ls-files --others --exclude-standard 2>/dev/null | wc -l)
+TOTAL=$((MODIFIED + STAGED + UNTRACKED))
+if [ "$TOTAL" -gt 0 ]; then
+    echo "⚠ WARNING: $TOTAL uncommitted changes:" >&2
+    [ "$MODIFIED" -gt 0 ] && echo "  Modified: $MODIFIED files" >&2
+    [ "$STAGED" -gt 0 ] && echo "  Staged: $STAGED files" >&2
+    [ "$UNTRACKED" -gt 0 ] && echo "  Untracked: $UNTRACKED files" >&2
+    echo "  Consider: git add -A && git commit -m 'session checkpoint'" >&2
+fi
+exit 0

package/examples/uncommitted-discard-guard.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+# uncommitted-discard-guard.sh — Block commands that discard uncommitted changes
+#
+# Solves: Claude running "git checkout -- ." or "git restore ." to discard
+#         hours of uncommitted work. Real incident: #37888 — 30+ files of
+#         manual edits destroyed twice in one session.
+#
+# Detects:
+#   git checkout -- <files>   (discards working tree changes)
+#   git checkout .            (discards all changes)
+#   git restore <files>       (same effect as checkout --)
+#   git restore .             (discards all working tree changes)
+#   git stash drop            (permanently deletes stashed changes)
+#
+# Does NOT block:
+#   git checkout <branch>     (switching branches — safe)
+#   git checkout -b <branch>  (creating branches — safe)
+#   git restore --staged      (unstaging — non-destructive)
+#   git stash                 (saving changes — safe)
+#   git stash pop             (restoring changes — safe)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block: git checkout -- <files> (discard working tree changes)
+# The "--" separator followed by paths means "discard changes to these files"
+if echo "$COMMAND" | grep -qE 'git\s+checkout\s+--\s+\S'; then
+    echo "BLOCKED: git checkout -- <files> discards uncommitted changes permanently." >&2
+    echo "" >&2
+    echo "Command: $COMMAND" >&2
+    echo "" >&2
+    echo "If you need to discard changes, commit or stash first:" >&2
+    echo "  git stash        # save changes for later" >&2
+    echo "  git stash pop    # restore saved changes" >&2
+    exit 2
+fi
+
+# Block: git checkout . (discard ALL changes)
+if echo "$COMMAND" | grep -qE 'git\s+checkout\s+\.\s*$'; then
+    echo "BLOCKED: git checkout . discards ALL uncommitted changes." >&2
+    echo "" >&2
+    echo "This would destroy every uncommitted modification in the working tree." >&2
+    echo "Commit or stash your changes first." >&2
+    exit 2
+fi
+
+# Block: git restore <files> without --staged (discards working tree changes)
+if echo "$COMMAND" | grep -qE 'git\s+restore\s+' && ! echo "$COMMAND" | grep -qE 'git\s+restore\s+--staged'; then
+    # Allow "git restore --staged" (just unstages, non-destructive)
+    # Block "git restore <files>" and "git restore ."
+    echo "BLOCKED: git restore discards uncommitted changes." >&2
+    echo "" >&2
+    echo "Command: $COMMAND" >&2
+    echo "" >&2
+    echo "Use 'git restore --staged <file>' to unstage without losing changes." >&2
+    echo "Use 'git stash' to save changes for later." >&2
+    exit 2
+fi
+
+# Block: git stash drop (permanently deletes stashed changes)
+if echo "$COMMAND" | grep -qE 'git\s+stash\s+drop'; then
+    echo "BLOCKED: git stash drop permanently deletes stashed changes." >&2
+    echo "" >&2
+    echo "If you're sure, use 'git stash pop' to apply and remove in one step." >&2
+    exit 2
+fi
+
+exit 0

package/examples/worktree-unmerged-guard.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+# worktree-unmerged-guard.sh — Prevent worktree cleanup with unmerged commits
+#
+# Solves: Worktree sessions silently delete branches with unmerged/unpushed commits
+#         (#38287 — lost commits recoverable only via git fsck)
+#
+# How it works: Checks for unmerged commits before worktree removal.
+#               If the worktree branch has commits not in main/master, blocks cleanup.
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/worktree-unmerged-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+# jq with python3 fallback (macOS may not have jq)
+if command -v jq &>/dev/null; then
+    COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+else
+    COMMAND=$(echo "$INPUT" | python3 -c "import sys,json;d=json.load(sys.stdin);print(d.get('tool_input',{}).get('command',''))" 2>/dev/null)
+fi
+
+[ -z "$COMMAND" ] && exit 0
+
+# Detect worktree removal commands
+if ! echo "$COMMAND" | grep -qE 'git\s+worktree\s+(remove|prune)|rm\s+.*worktree'; then
+    exit 0
+fi
+
+# Extract worktree path
+WORKTREE_PATH=$(echo "$COMMAND" | grep -oP 'git\s+worktree\s+remove\s+\K[^\s]+')
+
+if [ -z "$WORKTREE_PATH" ]; then
+    # Maybe it's rm -rf on a worktree directory
+    exit 0
+fi
+
+# Check if the worktree exists and has a branch
+if [ ! -d "$WORKTREE_PATH" ]; then
+    exit 0
+fi
+
+# Get the branch name for this worktree
+BRANCH=$(git -C "$WORKTREE_PATH" rev-parse --abbrev-ref HEAD 2>/dev/null)
+
+if [ -z "$BRANCH" ] || [ "$BRANCH" = "HEAD" ]; then
+    exit 0
+fi
+
+# Find the default branch (portable: checks symbolic ref, then tries main/master)
+DEFAULT_BRANCH=$(git -C "$WORKTREE_PATH" symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's|refs/remotes/origin/||')
+if [ -z "$DEFAULT_BRANCH" ]; then
+    for candidate in main master; do
+        git -C "$WORKTREE_PATH" rev-parse --verify "$candidate" &>/dev/null && DEFAULT_BRANCH="$candidate" && break
+    done
+fi
+[ -z "$DEFAULT_BRANCH" ] && exit 0
+
+# Count unmerged commits
+UNMERGED=$(git -C "$WORKTREE_PATH" log --oneline "$DEFAULT_BRANCH..$BRANCH" 2>/dev/null | wc -l)
+
+if [ "$UNMERGED" -gt 0 ]; then
+    echo "BLOCKED: Worktree branch '$BRANCH' has $UNMERGED unmerged commit(s)" >&2
+    echo "Merge or push the branch before removing the worktree:" >&2
+    echo "  git -C $WORKTREE_PATH push origin $BRANCH" >&2
+    echo "  # or: git merge $BRANCH" >&2
+    exit 2
+fi
+
+# Check for unpushed commits
+UNPUSHED=$(git -C "$WORKTREE_PATH" log --oneline "origin/$BRANCH..$BRANCH" 2>/dev/null | wc -l)
+
+if [ "$UNPUSHED" -gt 0 ]; then
+    echo "BLOCKED: Worktree branch '$BRANCH' has $UNPUSHED unpushed commit(s)" >&2
+    echo "Push before removing: git -C $WORKTREE_PATH push origin $BRANCH" >&2
+    exit 2
+fi
+
+exit 0

package/examples/yaml-syntax-check.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# yaml-syntax-check.sh — Validate YAML after editing
+#
+# Prevents: Broken YAML configs (docker-compose, CI pipelines, k8s manifests).
+#           YAML indentation errors are invisible until deployment fails.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Write|Edit",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/yaml-syntax-check.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Only check YAML files
+case "$FILE" in
+  *.yml|*.yaml) ;;
+  *) exit 0 ;;
+esac
+
+[ ! -f "$FILE" ] && exit 0
+
+# Try python yaml parser
+if command -v python3 >/dev/null 2>&1; then
+  ERROR=$(python3 -c "
+import yaml, sys
+try:
+    with open('$FILE') as f:
+        yaml.safe_load(f)
+except yaml.YAMLError as e:
+    print(str(e)[:200])
+    sys.exit(1)
+" 2>&1)
+  if [ $? -ne 0 ]; then
+    echo "YAML SYNTAX ERROR in $FILE:" >&2
+    echo "  $ERROR" >&2
+    exit 2
+  fi
+fi
+
+exit 0

package/index.mjs

@@ -456,6 +456,8 @@ function examples() {
       'package-script-guard.sh': 'Warn when package.json scripts change',
       'lockfile-guard.sh': 'Warn when lockfiles modified in commits',
       'git-lfs-guard.sh': 'Suggest Git LFS for large files',
+      'python-ruff-on-edit.sh': 'PostToolUse: lint Python files after edit (ruff/flake8/pylint)',
+      'typescript-lint-on-edit.sh': 'PostToolUse: type check TypeScript files after edit (tsc --noEmit)',
     },
     'Recovery': {
       'auto-checkpoint.sh': 'Auto-commit after edits for rollback protection',
@@ -465,6 +467,7 @@ function examples() {
     'UX': {
       'prompt-length-guard.sh': 'UserPromptSubmit: warn on long prompts (>5000 chars)',
       'prompt-injection-detector.sh': 'UserPromptSubmit: detect prompt injection patterns',
+      'auto-answer-question.sh': 'PreToolUse: auto-answer AskUserQuestion for headless mode (v2.1.85)',
       'notify-waiting.sh': 'Desktop notification when Claude waits for input',
       'tmp-cleanup.sh': 'Clean up /tmp/claude-*-cwd files on session end',
       'hook-debug-wrapper.sh': 'Wrap any hook to log input/output/exit/timing',

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.5.0",
-  "description": "One command to make Claude Code safe. 335 example hooks + 8 built-in. 52 CLI commands. 1,760 tests. Works with Auto Mode.",
+  "version": "29.6.1",
+  "description": "One command to make Claude Code safe. 406 example hooks + 8 built-in. 52 CLI commands. 5564 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"