cc-safe-setup 29.6.0 → 29.6.1

package/examples/temp-file-cleanup.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# temp-file-cleanup.sh — Stop hook
+# Trigger: Stop
+# Matcher: (empty — runs on session end)
+#
+# Cleans up temporary files created by Claude Code sessions.
+# Claude Code creates /tmp/claude-*-cwd files for directory tracking
+# but never deletes them, accumulating 500+ files/day.
+#
+# See: https://github.com/anthropics/claude-code/issues/8856
+#
+# Usage: Add to settings.json as a Stop hook
+#
+# {
+#   "hooks": {
+#     "Stop": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "bash /path/to/temp-file-cleanup.sh" }]
+#     }]
+#   }
+# }
+
+# Count before cleanup
+COUNT=$(find /tmp -maxdepth 1 -name "claude-*" -type f 2>/dev/null | wc -l)
+
+if [ "$COUNT" -eq 0 ]; then
+    exit 0
+fi
+
+# Clean up Claude Code temp files older than 1 hour
+find /tmp -maxdepth 1 -name "claude-*-cwd" -type f -mmin +60 -delete 2>/dev/null
+find /tmp -maxdepth 1 -name "claude-*" -type f -mmin +60 -delete 2>/dev/null
+
+REMAINING=$(find /tmp -maxdepth 1 -name "claude-*" -type f 2>/dev/null | wc -l)
+CLEANED=$((COUNT - REMAINING))
+
+if [ "$CLEANED" -gt 0 ]; then
+    echo "Cleaned $CLEANED Claude temp files (${REMAINING} recent files kept)" >&2
+fi
+
+exit 0

package/examples/test-before-push.sh

@@ -12,10 +12,17 @@
 #   "hooks": {
 #     "PreToolUse": [{
 #       "matcher": "Bash",
-#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/test-before-push.sh" }]
+#       "hooks": [{
+#         "type": "command",
+#         "if": "Bash(git push *)",
+#         "command": "~/.claude/hooks/test-before-push.sh"
+#       }]
 #     }]
 #   }
 # }
+#
+# The "if" field (v2.1.85+) eliminates process spawning for non-push commands.
+# Without "if", the hook still works — it checks internally and exits early.
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/test-coverage-reminder.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# test-coverage-reminder.sh — Remind to run tests after code changes
+#
+# Prevents: Pushing untested code. Claude often edits files
+#           without running the test suite afterward.
+#
+# Tracks: number of Edit/Write calls since last test run.
+# Warns at: 5 edits without tests, blocks at 10.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit|Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Write|Edit|Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/test-coverage-reminder.sh" }]
+#     }]
+#   }
+# }
+
+COUNTER_FILE="/tmp/cc-edit-since-test-$$"
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+case "$TOOL" in
+  Write|Edit)
+    # Increment edit counter
+    COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+    COUNT=$((COUNT + 1))
+    echo "$COUNT" > "$COUNTER_FILE"
+
+    if [ "$COUNT" -eq 5 ]; then
+      echo "REMINDER: 5 files changed since last test run. Consider running tests." >&2
+    elif [ "$COUNT" -ge 10 ]; then
+      echo "WARNING: $COUNT files changed without running tests. Run tests now." >&2
+    fi
+    ;;
+  Bash)
+    # Reset counter if a test command was run
+    CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+    if echo "$CMD" | grep -qiE '(npm\s+test|npx\s+jest|npx\s+vitest|pytest|go\s+test|cargo\s+test|make\s+test|bash\s+test)'; then
+      echo "0" > "$COUNTER_FILE"
+    fi
+    ;;
+esac
+
+exit 0

package/examples/test-exit-code-verify.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# test-exit-code-verify.sh — Verify test command exit codes match results
+#
+# Problem: Claude reports "tests passed" even when they didn't run or failed.
+# This PostToolUse hook checks the actual exit code of test commands and
+# emits a warning if the exit code indicates failure.
+#
+# GitHub Issue: #1501 (Claude reports false test results)
+#
+# Usage: Add to settings.json as a PostToolUse hook on "Bash"
+#
+# How it works:
+# 1. Detects test-like commands (npm test, pytest, jest, go test, etc.)
+# 2. Checks the actual exit code from tool output
+# 3. If exit code != 0, warns Claude via stderr so it cannot claim success
+# 4. If no output was captured, warns about phantom test runs
+#
+# Why stderr: PostToolUse hook stderr is shown to Claude as feedback.
+# This forces Claude to acknowledge test failures instead of fabricating results.
+
+INPUT=$(cat)
+
+# Extract command and exit code
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+EXIT_CODE=$(echo "$INPUT" | jq -r '.tool_result.exitCode // .tool_result.exit_code // empty' 2>/dev/null)
+STDOUT=$(echo "$INPUT" | jq -r '.tool_result.stdout // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Detect test commands
+is_test_command() {
+    local cmd="$1"
+    echo "$cmd" | grep -qiE '(npm\s+test|npx\s+jest|npx\s+vitest|pytest|python\s+-m\s+pytest|go\s+test|cargo\s+test|bundle\s+exec\s+rspec|mix\s+test|dotnet\s+test|mvn\s+test|gradle\s+test|make\s+test|bash\s+test\.sh)'
+}
+
+if ! is_test_command "$COMMAND"; then
+    exit 0
+fi
+
+# Check exit code
+if [ -n "$EXIT_CODE" ] && [ "$EXIT_CODE" != "0" ]; then
+    echo "⚠️ TEST FAILURE DETECTED" >&2
+    echo "Command: $(echo "$COMMAND" | head -c 100)" >&2
+    echo "Exit code: $EXIT_CODE" >&2
+    echo "Do NOT report these tests as passing. The exit code proves failure." >&2
+    echo "Re-read the output above and fix the failing tests." >&2
+    exit 0
+fi
+
+# Check for empty output (phantom test run)
+if [ -z "$STDOUT" ] || [ ${#STDOUT} -lt 10 ]; then
+    echo "⚠️ TEST OUTPUT SUSPICIOUSLY SHORT" >&2
+    echo "Command: $(echo "$COMMAND" | head -c 100)" >&2
+    echo "Output length: ${#STDOUT} chars" >&2
+    echo "Verify tests actually ran. Short output may indicate no tests executed." >&2
+    exit 0
+fi
+
+# Tests appear to have run and passed
+exit 0

package/examples/tool-file-logger.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# tool-file-logger.sh — Log file paths from Read/Write/Edit to stderr
+#
+# Solves: "No indication of WHICH file for READ tool" (#21151 — 180 reactions)
+#         Users must expand every Read/Write/Edit to see the file path.
+#         This hook shows the file path in the collapsed view.
+#
+# Output format:
+#   [Read: src/components/App.tsx]
+#   [Write: package.json]
+#   [Edit: src/utils/helpers.ts]
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Read|Write|Edit"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Read|Write|Edit",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/tool-file-logger.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ -z "$TOOL" ] && exit 0
+
+# Extract file path from tool input
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Show just the filename for brevity, full path available in expanded view
+BASENAME=$(basename "$FILE")
+DIR=$(dirname "$FILE")
+
+# For paths inside home directory, show relative path
+if echo "$DIR" | grep -q "^$HOME"; then
+  RELDIR=$(echo "$DIR" | sed "s|^$HOME|~|")
+  echo "[$TOOL: $RELDIR/$BASENAME]" >&2
+else
+  echo "[$TOOL: $FILE]" >&2
+fi
+
+exit 0

package/examples/typescript-lint-on-edit.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# typescript-lint-on-edit.sh — Run TypeScript type check after editing .ts/.tsx files
+#
+# TRIGGER: PostToolUse
+# MATCHER: Edit
+#
+# Best with v2.1.85 "if" field:
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Edit",
+#       "hooks": [{
+#         "type": "command",
+#         "if": "Edit(*.ts)",
+#         "command": "~/.claude/hooks/typescript-lint-on-edit.sh"
+#       }]
+#     }]
+#   }
+# }
+#
+# Without "if", the hook checks file extension internally.
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+# Skip non-TypeScript files
+case "$FILE" in
+    *.ts|*.tsx) ;;
+    *) exit 0 ;;
+esac
+
+[ ! -f "$FILE" ] && exit 0
+
+# Find tsconfig.json in parent directories
+DIR=$(dirname "$FILE")
+TSCONFIG=""
+while [ "$DIR" != "/" ]; do
+    if [ -f "$DIR/tsconfig.json" ]; then
+        TSCONFIG="$DIR/tsconfig.json"
+        break
+    fi
+    DIR=$(dirname "$DIR")
+done
+
+# No tsconfig = no type checking possible
+[ -z "$TSCONFIG" ] && exit 0
+
+# Run tsc --noEmit on the specific file
+PROJECT_DIR=$(dirname "$TSCONFIG")
+ISSUES=$(cd "$PROJECT_DIR" && npx tsc --noEmit --pretty false 2>&1 | grep "$(basename "$FILE")" | head -10)
+
+if [ -n "$ISSUES" ]; then
+    COUNT=$(echo "$ISSUES" | wc -l)
+    echo "⚠ TypeScript: $COUNT error(s) in $(basename "$FILE")" >&2
+    echo "$ISSUES" | head -5 >&2
+    if [ "$COUNT" -gt 5 ]; then
+        echo "  ... and $((COUNT - 5)) more" >&2
+    fi
+fi
+
+exit 0

package/examples/typescript-strict-check.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# typescript-strict-check.sh — Warn when TypeScript strict mode is disabled
+#
+# Prevents: Claude silently setting "strict": false in tsconfig.json
+#           to bypass type errors instead of fixing them.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+BASENAME=$(basename "$FILE")
+[ "$BASENAME" != "tsconfig.json" ] && exit 0
+[ ! -f "$FILE" ] && exit 0
+
+# Check if strict is explicitly set to false
+if python3 -c "
+import json
+with open('$FILE') as f:
+    config = json.load(f)
+opts = config.get('compilerOptions', {})
+if opts.get('strict') == False:
+    exit(1)
+if opts.get('noImplicitAny') == False:
+    exit(1)
+" 2>/dev/null; then
+  : # OK
+else
+  echo "WARNING: TypeScript strict mode is disabled in $FILE." >&2
+  echo "  Consider enabling 'strict: true' for better type safety." >&2
+fi
+
+exit 0

package/examples/uncommitted-changes-stop.sh

@@ -0,0 +1,16 @@
+INPUT=$(cat)
+if ! git rev-parse --is-inside-work-tree > /dev/null 2>&1; then
+    exit 0
+fi
+MODIFIED=$(git diff --name-only 2>/dev/null | wc -l)
+STAGED=$(git diff --cached --name-only 2>/dev/null | wc -l)
+UNTRACKED=$(git ls-files --others --exclude-standard 2>/dev/null | wc -l)
+TOTAL=$((MODIFIED + STAGED + UNTRACKED))
+if [ "$TOTAL" -gt 0 ]; then
+    echo "⚠ WARNING: $TOTAL uncommitted changes:" >&2
+    [ "$MODIFIED" -gt 0 ] && echo "  Modified: $MODIFIED files" >&2
+    [ "$STAGED" -gt 0 ] && echo "  Staged: $STAGED files" >&2
+    [ "$UNTRACKED" -gt 0 ] && echo "  Untracked: $UNTRACKED files" >&2
+    echo "  Consider: git add -A && git commit -m 'session checkpoint'" >&2
+fi
+exit 0

package/examples/uncommitted-discard-guard.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+# uncommitted-discard-guard.sh — Block commands that discard uncommitted changes
+#
+# Solves: Claude running "git checkout -- ." or "git restore ." to discard
+#         hours of uncommitted work. Real incident: #37888 — 30+ files of
+#         manual edits destroyed twice in one session.
+#
+# Detects:
+#   git checkout -- <files>   (discards working tree changes)
+#   git checkout .            (discards all changes)
+#   git restore <files>       (same effect as checkout --)
+#   git restore .             (discards all working tree changes)
+#   git stash drop            (permanently deletes stashed changes)
+#
+# Does NOT block:
+#   git checkout <branch>     (switching branches — safe)
+#   git checkout -b <branch>  (creating branches — safe)
+#   git restore --staged      (unstaging — non-destructive)
+#   git stash                 (saving changes — safe)
+#   git stash pop             (restoring changes — safe)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block: git checkout -- <files> (discard working tree changes)
+# The "--" separator followed by paths means "discard changes to these files"
+if echo "$COMMAND" | grep -qE 'git\s+checkout\s+--\s+\S'; then
+    echo "BLOCKED: git checkout -- <files> discards uncommitted changes permanently." >&2
+    echo "" >&2
+    echo "Command: $COMMAND" >&2
+    echo "" >&2
+    echo "If you need to discard changes, commit or stash first:" >&2
+    echo "  git stash        # save changes for later" >&2
+    echo "  git stash pop    # restore saved changes" >&2
+    exit 2
+fi
+
+# Block: git checkout . (discard ALL changes)
+if echo "$COMMAND" | grep -qE 'git\s+checkout\s+\.\s*$'; then
+    echo "BLOCKED: git checkout . discards ALL uncommitted changes." >&2
+    echo "" >&2
+    echo "This would destroy every uncommitted modification in the working tree." >&2
+    echo "Commit or stash your changes first." >&2
+    exit 2
+fi
+
+# Block: git restore <files> without --staged (discards working tree changes)
+if echo "$COMMAND" | grep -qE 'git\s+restore\s+' && ! echo "$COMMAND" | grep -qE 'git\s+restore\s+--staged'; then
+    # Allow "git restore --staged" (just unstages, non-destructive)
+    # Block "git restore <files>" and "git restore ."
+    echo "BLOCKED: git restore discards uncommitted changes." >&2
+    echo "" >&2
+    echo "Command: $COMMAND" >&2
+    echo "" >&2
+    echo "Use 'git restore --staged <file>' to unstage without losing changes." >&2
+    echo "Use 'git stash' to save changes for later." >&2
+    exit 2
+fi
+
+# Block: git stash drop (permanently deletes stashed changes)
+if echo "$COMMAND" | grep -qE 'git\s+stash\s+drop'; then
+    echo "BLOCKED: git stash drop permanently deletes stashed changes." >&2
+    echo "" >&2
+    echo "If you're sure, use 'git stash pop' to apply and remove in one step." >&2
+    exit 2
+fi
+
+exit 0

package/examples/worktree-unmerged-guard.sh

@@ -19,7 +19,12 @@
 # }
 
 INPUT=$(cat)
-COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+# jq with python3 fallback (macOS may not have jq)
+if command -v jq &>/dev/null; then
+    COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+else
+    COMMAND=$(echo "$INPUT" | python3 -c "import sys,json;d=json.load(sys.stdin);print(d.get('tool_input',{}).get('command',''))" 2>/dev/null)
+fi
 
 [ -z "$COMMAND" ] && exit 0
 
@@ -48,9 +53,14 @@ if [ -z "$BRANCH" ] || [ "$BRANCH" = "HEAD" ]; then
     exit 0
 fi
 
-# Find the default branch
+# Find the default branch (portable: checks symbolic ref, then tries main/master)
 DEFAULT_BRANCH=$(git -C "$WORKTREE_PATH" symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's|refs/remotes/origin/||')
-[ -z "$DEFAULT_BRANCH" ] && DEFAULT_BRANCH="main"
+if [ -z "$DEFAULT_BRANCH" ]; then
+    for candidate in main master; do
+        git -C "$WORKTREE_PATH" rev-parse --verify "$candidate" &>/dev/null && DEFAULT_BRANCH="$candidate" && break
+    done
+fi
+[ -z "$DEFAULT_BRANCH" ] && exit 0
 
 # Count unmerged commits
 UNMERGED=$(git -C "$WORKTREE_PATH" log --oneline "$DEFAULT_BRANCH..$BRANCH" 2>/dev/null | wc -l)

package/examples/yaml-syntax-check.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# yaml-syntax-check.sh — Validate YAML after editing
+#
+# Prevents: Broken YAML configs (docker-compose, CI pipelines, k8s manifests).
+#           YAML indentation errors are invisible until deployment fails.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Write|Edit",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/yaml-syntax-check.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Only check YAML files
+case "$FILE" in
+  *.yml|*.yaml) ;;
+  *) exit 0 ;;
+esac
+
+[ ! -f "$FILE" ] && exit 0
+
+# Try python yaml parser
+if command -v python3 >/dev/null 2>&1; then
+  ERROR=$(python3 -c "
+import yaml, sys
+try:
+    with open('$FILE') as f:
+        yaml.safe_load(f)
+except yaml.YAMLError as e:
+    print(str(e)[:200])
+    sys.exit(1)
+" 2>&1)
+  if [ $? -ne 0 ]; then
+    echo "YAML SYNTAX ERROR in $FILE:" >&2
+    echo "  $ERROR" >&2
+    exit 2
+  fi
+fi
+
+exit 0

package/index.mjs

@@ -456,6 +456,8 @@ function examples() {
       'package-script-guard.sh': 'Warn when package.json scripts change',
       'lockfile-guard.sh': 'Warn when lockfiles modified in commits',
       'git-lfs-guard.sh': 'Suggest Git LFS for large files',
+      'python-ruff-on-edit.sh': 'PostToolUse: lint Python files after edit (ruff/flake8/pylint)',
+      'typescript-lint-on-edit.sh': 'PostToolUse: type check TypeScript files after edit (tsc --noEmit)',
     },
     'Recovery': {
       'auto-checkpoint.sh': 'Auto-commit after edits for rollback protection',
@@ -465,6 +467,7 @@ function examples() {
     'UX': {
       'prompt-length-guard.sh': 'UserPromptSubmit: warn on long prompts (>5000 chars)',
       'prompt-injection-detector.sh': 'UserPromptSubmit: detect prompt injection patterns',
+      'auto-answer-question.sh': 'PreToolUse: auto-answer AskUserQuestion for headless mode (v2.1.85)',
       'notify-waiting.sh': 'Desktop notification when Claude waits for input',
       'tmp-cleanup.sh': 'Clean up /tmp/claude-*-cwd files on session end',
       'hook-debug-wrapper.sh': 'Wrap any hook to log input/output/exit/timing',

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.0",
-  "description": "One command to make Claude Code safe. 335 example hooks + 8 built-in. 52 CLI commands. 1,760 tests. Works with Auto Mode.",
+  "version": "29.6.1",
+  "description": "One command to make Claude Code safe. 406 example hooks + 8 built-in. 52 CLI commands. 5564 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"