cc-safe-setup 29.6.0 → 29.6.1

package/examples/cwd-reminder.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# cwd-reminder.sh — Remind Claude of the current working directory
+#
+# Solves: Claude loses track of which directory it's in (#1669 — 71 reactions)
+#         Can lead to commands running in wrong directory, including
+#         destructive operations like git reset in the wrong repo.
+#
+# Emits the current working directory to stderr before every Bash command,
+# making it visible in the tool output so Claude always knows where it is.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/cwd-reminder.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+# Don't add noise to empty commands
+[ -z "$COMMAND" ] && exit 0
+
+# Get the working directory from the tool input if available,
+# otherwise use the process's cwd
+CWD=$(echo "$INPUT" | jq -r '.tool_input.working_directory // empty' 2>/dev/null)
+[ -z "$CWD" ] && CWD=$(pwd)
+
+echo "[cwd: $CWD]" >&2
+
+exit 0

package/examples/dependency-install-guard.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+# dependency-install-guard.sh — PreToolUse hook
+# Trigger: PreToolUse
+# Matcher: Bash
+#
+# Blocks unintended dependency installations (npm install, pip install,
+# gem install, cargo add, go get). Prevents:
+# - Supply chain attacks from unknown packages
+# - Dependency bloat from unnecessary installations
+# - Breaking lockfiles with unplanned additions
+#
+# Allowed:
+# - npm install (no args) — installs from existing lockfile
+# - npm ci — clean install from lockfile
+# - pip install -r requirements.txt — from requirements file
+# - Packages in ALLOWLIST (customize below)
+#
+# Usage: Add to settings.json as a PreToolUse hook on "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Normalize: collapse whitespace, extract first logical command
+CMD=$(echo "$COMMAND" | tr '\n' ' ' | sed 's/  */ /g')
+
+# --- Allowlist: packages you trust ---
+# Customize this list for your project
+ALLOWLIST="typescript|eslint|prettier|jest|vitest|@types/"
+
+# npm install <package> — block unless allowlisted
+if echo "$CMD" | grep -qiE 'npm\s+(install|i|add)\s+[a-z@]'; then
+    PKG=$(echo "$CMD" | grep -oiE 'npm\s+(install|i|add)\s+\S+' | awk '{print $NF}')
+    if echo "$PKG" | grep -qiE "^($ALLOWLIST)"; then
+        exit 0
+    fi
+    echo "🚫 Blocked: npm install $PKG (not in allowlist)" >&2
+    echo "Add to ALLOWLIST in dependency-install-guard.sh if intended." >&2
+    exit 2
+fi
+
+# npm install (no args) / npm ci — allowed (uses lockfile)
+if echo "$CMD" | grep -qiE 'npm\s+(install|i|ci)\s*($|[&|;])'; then
+    exit 0
+fi
+
+# pip install <package> — block unless from requirements
+if echo "$CMD" | grep -qiE 'pip3?\s+install\s+'; then
+    # Allow: pip install -r requirements.txt
+    if echo "$CMD" | grep -qiE 'pip3?\s+install\s+(-r|--requirement)\s+'; then
+        exit 0
+    fi
+    # Allow: pip install -e . (editable install)
+    if echo "$CMD" | grep -qiE 'pip3?\s+install\s+(-e|--editable)\s+'; then
+        exit 0
+    fi
+    PKG=$(echo "$CMD" | grep -oiE 'pip3?\s+install\s+\S+' | awk '{print $NF}')
+    echo "🚫 Blocked: pip install $PKG" >&2
+    echo "Use 'pip install -r requirements.txt' or add to allowlist." >&2
+    exit 2
+fi
+
+# gem install — block
+if echo "$CMD" | grep -qiE 'gem\s+install\s+[a-z]'; then
+    PKG=$(echo "$CMD" | grep -oiE 'gem\s+install\s+\S+' | awk '{print $NF}')
+    echo "🚫 Blocked: gem install $PKG" >&2
+    exit 2
+fi
+
+# cargo add — block
+if echo "$CMD" | grep -qiE 'cargo\s+add\s+[a-z]'; then
+    PKG=$(echo "$CMD" | grep -oiE 'cargo\s+add\s+\S+' | awk '{print $NF}')
+    echo "🚫 Blocked: cargo add $PKG" >&2
+    exit 2
+fi
+
+# go get — block
+if echo "$CMD" | grep -qiE 'go\s+get\s+[a-z]'; then
+    PKG=$(echo "$CMD" | grep -oiE 'go\s+get\s+\S+' | awk '{print $NF}')
+    echo "🚫 Blocked: go get $PKG" >&2
+    exit 2
+fi
+
+exit 0

package/examples/deploy-guard.sh

@@ -24,7 +24,7 @@ COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 [[ -z "$COMMAND" ]] && exit 0
 
 # Detect deploy commands
-if ! echo "$COMMAND" | grep -qiE '(rsync|scp|deploy|firebase\s+deploy|vercel|netlify\s+deploy|fly\s+deploy|railway\s+up|git\s+push\s+heroku)'; then
+if ! echo "$COMMAND" | grep -qiE '(rsync|scp|deploy|firebase\s+deploy|vercel|netlify\s+deploy|fly\s+deploy|railway\s+up|git\s+push\s+heroku|kubectl\s+(apply|create|delete|rollout)|terraform\s+(apply|destroy))'; then
     exit 0
 fi
 

package/examples/detect-mixed-indentation.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# detect-mixed-indentation.sh — Warn about mixed tabs/spaces
+#
+# Prevents: Indentation errors from mixing tabs and spaces.
+#           Common when Claude pastes code from different sources.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+[ ! -f "$FILE" ] && exit 0
+
+# Skip binary files and makefiles (which require tabs)
+case "$(basename "$FILE")" in
+  Makefile|makefile|GNUmakefile) exit 0 ;;
+esac
+
+case "$FILE" in
+  *.py|*.js|*.ts|*.tsx|*.jsx|*.yaml|*.yml|*.rb|*.go) ;;
+  *) exit 0 ;;
+esac
+
+HAS_TABS=$(grep -cP '^\t' "$FILE" 2>/dev/null || echo 0)
+HAS_SPACES=$(grep -cP '^ {2,}' "$FILE" 2>/dev/null || echo 0)
+
+if [ "$HAS_TABS" -gt 0 ] && [ "$HAS_SPACES" -gt 0 ]; then
+  echo "WARNING: Mixed tabs and spaces in $FILE ($HAS_TABS tab-lines, $HAS_SPACES space-lines)." >&2
+  echo "  Standardize to one indentation style." >&2
+fi
+
+exit 0

package/examples/disk-space-check.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# disk-space-check.sh — Warn if disk space is low at session start
+#
+# Prevents: Autonomous sessions crashing due to disk full
+#           npm install, git operations, and file writes fail silently
+#           when disk space runs out during long-running sessions.
+#
+# Checks: root filesystem usage percentage
+# Warns at: 80% (yellow), 90% (red), 95% (critical)
+#
+# TRIGGER: Notification
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "Notification": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/disk-space-check.sh" }]
+#     }]
+#   }
+# }
+
+# Only run once per session
+MARKER="/tmp/cc-disk-check-$$"
+[ -f "$MARKER" ] && exit 0
+
+# Get disk usage percentage for root filesystem
+USAGE=$(df / 2>/dev/null | awk 'NR==2 {gsub(/%/,""); print $5}')
+[ -z "$USAGE" ] && exit 0
+
+if [ "$USAGE" -ge 95 ]; then
+  echo "CRITICAL: Disk usage at ${USAGE}%. Operations may fail." >&2
+  echo "  Free space immediately: docker system prune, rm tmp files" >&2
+elif [ "$USAGE" -ge 90 ]; then
+  echo "WARNING: Disk usage at ${USAGE}%. Consider freeing space." >&2
+elif [ "$USAGE" -ge 80 ]; then
+  echo "NOTE: Disk usage at ${USAGE}%." >&2
+fi
+
+touch "$MARKER"
+exit 0

package/examples/docker-dangerous-guard.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# docker-dangerous-guard.sh — Block dangerous Docker operations
+#
+# Prevents: docker system prune -a, docker rm -f on running containers,
+#           docker run --privileged, docker exec as root on production containers.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/docker-dangerous-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Block docker system prune -a (removes all images)
+if echo "$COMMAND" | grep -qE 'docker\s+system\s+prune\s+.*-a'; then
+  echo "BLOCKED: docker system prune -a removes all unused images." >&2
+  echo "  Use 'docker system prune' (without -a) to keep tagged images." >&2
+  exit 2
+fi
+
+# Block docker run --privileged
+if echo "$COMMAND" | grep -qE 'docker\s+run\s+.*--privileged'; then
+  echo "BLOCKED: --privileged gives full host access to the container." >&2
+  exit 2
+fi
+
+# Warn on docker rm -f (force remove)
+if echo "$COMMAND" | grep -qE 'docker\s+(rm|container\s+rm)\s+.*-f'; then
+  echo "WARNING: Force-removing container. Data in the container will be lost." >&2
+fi
+
+# Block docker run with host network and port 22/80/443
+if echo "$COMMAND" | grep -qE 'docker\s+run.*--network\s+host'; then
+  echo "WARNING: --network host exposes all container ports on the host." >&2
+fi
+
+exit 0

package/examples/dockerfile-lint.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+# dockerfile-lint.sh — Basic Dockerfile validation after editing
+#
+# Prevents: Common Dockerfile mistakes:
+#           - Missing FROM instruction
+#           - Using latest tag (non-reproducible builds)
+#           - Running as root without explicit USER
+#           - COPY/ADD before dependency install (cache invalidation)
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Write|Edit",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/dockerfile-lint.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Only check Dockerfiles
+BASENAME=$(basename "$FILE")
+case "$BASENAME" in
+  Dockerfile|Dockerfile.*|*.dockerfile) ;;
+  *) exit 0 ;;
+esac
+
+[ ! -f "$FILE" ] && exit 0
+
+WARNINGS=""
+
+# Check for FROM instruction
+if ! grep -qE '^FROM\s' "$FILE"; then
+  WARNINGS="${WARNINGS}\n  Missing FROM instruction"
+fi
+
+# Check for :latest tag
+if grep -qE '^FROM\s+\S+:latest' "$FILE"; then
+  WARNINGS="${WARNINGS}\n  Using :latest tag (non-reproducible)"
+fi
+
+# Check for no USER instruction (running as root)
+if ! grep -qE '^USER\s' "$FILE"; then
+  WARNINGS="${WARNINGS}\n  No USER instruction (container runs as root)"
+fi
+
+if [ -n "$WARNINGS" ]; then
+  echo "Dockerfile warnings in $FILE:" >&2
+  echo -e "$WARNINGS" >&2
+fi
+
+exit 0

package/examples/edit-always-allow.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+# edit-always-allow.sh — Auto-approve all Edit prompts in configured directories
+#
+# Solves: --dangerously-skip-permissions doesn't bypass Edit prompts
+#         (#36192, #36168 — bypass permissions broken since v2.1.78)
+#
+# Claude Code v2.1.78+ prompts for Edit in .claude/, .git/, .vscode/
+# even with bypassPermissions enabled. This PermissionRequest hook
+# restores the pre-v2.1.78 behavior for specified directories.
+#
+# Configure allowed directories via CC_EDIT_ALLOW_DIRS env var:
+#   export CC_EDIT_ALLOW_DIRS=".claude/skills:.claude/commands"
+# Default: .claude/skills
+#
+# TRIGGER: PermissionRequest
+# MATCHER: "Edit|Write"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PermissionRequest": [{
+#       "matcher": "Edit|Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/edit-always-allow.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Only handle Edit/Write
+case "$TOOL" in
+  Edit|Write) ;;
+  *) exit 0 ;;
+esac
+
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Configurable allowed directories (colon-separated)
+ALLOW_DIRS="${CC_EDIT_ALLOW_DIRS:-.claude/skills}"
+
+# Check if file is in an allowed directory
+IFS=':' read -ra DIRS <<< "$ALLOW_DIRS"
+for dir in "${DIRS[@]}"; do
+  if echo "$FILE" | grep -q "$dir"; then
+    echo '{"permissionDecision":"allow"}'
+    exit 0
+  fi
+done
+
+# Not in allowed directories — let the prompt through
+exit 0

package/examples/env-file-gitignore-check.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# env-file-gitignore-check.sh — Warn if .env is not in .gitignore
+#
+# Prevents: Accidental commit of .env files containing secrets.
+#           Checks on session start if .env exists but .gitignore
+#           doesn't exclude it.
+#
+# TRIGGER: Notification
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "Notification": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/env-file-gitignore-check.sh" }]
+#     }]
+#   }
+# }
+
+# Only run once per session
+MARKER="/tmp/cc-env-gitignore-$$"
+[ -f "$MARKER" ] && exit 0
+
+# Check if we're in a git repo
+git rev-parse --git-dir >/dev/null 2>&1 || { touch "$MARKER"; exit 0; }
+
+# Check if .env exists
+[ -f ".env" ] || { touch "$MARKER"; exit 0; }
+
+# Check if .env is in .gitignore
+if ! git check-ignore -q .env 2>/dev/null; then
+  echo "WARNING: .env file exists but is not in .gitignore!" >&2
+  echo "  Add '.env' to .gitignore to prevent accidental commit." >&2
+  echo "  echo '.env' >> .gitignore" >&2
+fi
+
+touch "$MARKER"
+exit 0

package/examples/env-source-guard.sh

@@ -32,7 +32,7 @@ if [[ -z "$COMMAND" ]]; then
 fi
 
 # Block direct sourcing of .env files
-if echo "$COMMAND" | grep -qE '(source|\.\s)\s+\.env'; then
+if echo "$COMMAND" | grep -qE '(source|\.)\s+\.env'; then
     echo "BLOCKED: Sourcing .env into shell environment." >&2
     echo "Command: $COMMAND" >&2
     echo "" >&2

package/examples/git-stash-before-danger.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+# git-stash-before-danger.sh — Auto-stash before risky git operations
+#
+# Solves: Losing uncommitted work when Claude runs git checkout, git reset, or git pull
+#         Related: data loss incidents reported in #36339, #37331
+#
+# How it works: PreToolUse hook that auto-runs `git stash push -m "cc-auto-stash"`
+#               before destructive git operations. The stash can be recovered with
+#               `git stash pop`.
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/git-stash-before-danger.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Only act on risky git operations
+RISKY=false
+if echo "$COMMAND" | grep -qE 'git\s+(checkout|reset|pull|merge|rebase|cherry-pick)\s'; then
+    RISKY=true
+fi
+
+if [ "$RISKY" = false ]; then
+    exit 0
+fi
+
+# Check if we're in a git repo with uncommitted changes
+if ! git rev-parse --is-inside-work-tree > /dev/null 2>&1; then
+    exit 0
+fi
+
+# Check for uncommitted changes
+if git diff --quiet HEAD 2>/dev/null && git diff --cached --quiet 2>/dev/null; then
+    # No changes — nothing to stash
+    exit 0
+fi
+
+# Auto-stash
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+git stash push -m "cc-auto-stash-$TIMESTAMP (before: $COMMAND)" > /dev/null 2>&1
+
+if [ $? -eq 0 ]; then
+    echo "INFO: Auto-stashed uncommitted changes before risky operation" >&2
+    echo "Recovery: git stash pop" >&2
+fi
+
+# Don't block — just stash and let the command proceed
+exit 0

package/examples/github-actions-guard.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# github-actions-guard.sh — Validate GitHub Actions workflow changes
+#
+# Prevents: Broken CI/CD pipelines from workflow syntax errors.
+#           Claude sometimes generates invalid workflow YAML.
+#
+# Checks:
+#   - Workflow must have 'on' trigger
+#   - Job names must exist
+#   - 'uses' actions should have version pins
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Only check GitHub Actions workflow files
+echo "$FILE" | grep -qE '\.github/workflows/.*\.ya?ml$' || exit 0
+[ ! -f "$FILE" ] && exit 0
+
+WARNINGS=""
+
+# Check for 'on' trigger
+if ! grep -qE '^on:' "$FILE"; then
+  WARNINGS="${WARNINGS}\n  Missing 'on:' trigger definition"
+fi
+
+# Check for unpinned actions (uses: without @sha or @v)
+UNPINNED=$(grep -E '^\s*uses:\s+\S+' "$FILE" | grep -v '@' | head -3)
+if [ -n "$UNPINNED" ]; then
+  WARNINGS="${WARNINGS}\n  Unpinned action versions (use @v or @sha):"
+  echo "$UNPINNED" | while read -r line; do
+    WARNINGS="${WARNINGS}\n    $line"
+  done
+fi
+
+# Check for 'runs-on' in jobs
+if grep -qE '^\s+jobs:' "$FILE" && ! grep -qE 'runs-on:' "$FILE"; then
+  WARNINGS="${WARNINGS}\n  Jobs missing 'runs-on' runner specification"
+fi
+
+if [ -n "$WARNINGS" ]; then
+  echo "GitHub Actions warnings in $FILE:" >&2
+  echo -e "$WARNINGS" >&2
+fi
+
+exit 0

package/examples/gitignore-auto-add.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# gitignore-auto-add.sh — Suggest .gitignore entries for common patterns
+#
+# Prevents: Committing build artifacts, cache dirs, env files.
+#           When Claude creates new directories or files that should
+#           be gitignored, this hook warns.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check mkdir and touch commands
+echo "$COMMAND" | grep -qE '^\s*(mkdir|touch)\s' || exit 0
+
+# Patterns that should typically be gitignored
+GITIGNORE_PATTERNS="node_modules|__pycache__|\.cache|dist/|build/|\.next|\.nuxt|\.env\.|coverage|\.pytest_cache|\.mypy_cache|\.tox|\.venv|venv|\.eggs"
+
+# Extract the target path
+TARGET=$(echo "$COMMAND" | awk '{print $NF}')
+
+if echo "$TARGET" | grep -qiE "$GITIGNORE_PATTERNS"; then
+  if ! git check-ignore -q "$TARGET" 2>/dev/null; then
+    echo "TIP: '$TARGET' should probably be in .gitignore." >&2
+  fi
+fi
+
+exit 0

package/examples/go-vet-after-edit.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# go-vet-after-edit.sh — Run go vet after editing Go files
+#
+# Prevents: Common Go mistakes that compile but fail at runtime.
+#           go vet catches: printf format mismatches, unreachable code,
+#           struct tag errors, and more.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+case "$FILE" in
+  *.go) ;;
+  *) exit 0 ;;
+esac
+
+[ ! -f "$FILE" ] && exit 0
+
+# Run go vet on the package containing the file
+DIR=$(dirname "$FILE")
+if command -v go >/dev/null 2>&1; then
+  ERRORS=$(cd "$DIR" && go vet ./... 2>&1)
+  if [ $? -ne 0 ]; then
+    echo "go vet found issues:" >&2
+    echo "$ERRORS" | head -5 | sed 's/^/  /' >&2
+    exit 2
+  fi
+fi
+
+exit 0

package/examples/hook-tamper-guard.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+# hook-tamper-guard.sh — Prevent Claude from modifying its own hooks
+#
+# Solves: Claude can rewrite its own hooks to weaken enforcement
+#         (#32376 — "Who watches the watchmen?")
+#
+# Blocks Edit/Write to:
+#   ~/.claude/hooks/     (hook scripts)
+#   ~/.claude/settings.json  (hook registration)
+#   .claude/hooks/       (project-level hooks)
+#
+# Also blocks Bash commands that modify these paths:
+#   mv/cp/rm on hook files
+#   sed/awk that edit hook files
+#   echo/cat/tee that overwrite hook files
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Edit|Write|Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Edit|Write|Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/hook-tamper-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# --- Check Edit/Write tools ---
+if [ "$TOOL" = "Edit" ] || [ "$TOOL" = "Write" ]; then
+    FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // empty' 2>/dev/null)
+    [ -z "$FILE" ] && exit 0
+
+    # Expand ~ to $HOME
+    FILE=$(echo "$FILE" | sed "s|^~|$HOME|")
+
+    # Block writes to hook directories and settings
+    if echo "$FILE" | grep -qE '\.claude/hooks/|\.claude/settings\.json|\.claude/settings\.local\.json'; then
+        echo "BLOCKED: Cannot modify hook files or settings. This protects the integrity of your safety hooks." >&2
+        echo "If you need to modify hooks, do it manually outside Claude Code." >&2
+        exit 2
+    fi
+fi
+
+# --- Check Bash commands ---
+if [ "$TOOL" = "Bash" ]; then
+    CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+    [ -z "$CMD" ] && exit 0
+
+    # Block commands that modify hook files
+    if echo "$CMD" | grep -qE '(mv|cp|rm|sed|awk|tee|cat\s*>)\s.*\.claude/(hooks/|settings\.json|settings\.local\.json)'; then
+        echo "BLOCKED: Cannot modify hook files via shell commands." >&2
+        exit 2
+    fi
+
+    # Block chmod on hook files (could remove execute permission)
+    if echo "$CMD" | grep -qE 'chmod\s.*\.claude/hooks/'; then
+        echo "BLOCKED: Cannot change hook file permissions." >&2
+        exit 2
+    fi
+fi
+
+exit 0

package/examples/kubernetes-guard.sh

@@ -8,6 +8,7 @@ if echo "$COMMAND" | grep -qE '\bkubectl\s+delete\s+(namespace|ns|node)\b'; then
     exit 2
 fi
 if echo "$COMMAND" | grep -qE '\bkubectl\s+delete\s+.*--all\b'; then
-    echo "WARNING: kubectl delete --all affects all resources in scope" >&2
+    echo "BLOCKED: kubectl delete --all affects all resources in scope" >&2
+    exit 2
 fi
 exit 0