cc-safe-setup 29.6.0 → 29.6.2

package/examples/output-token-env-check.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# output-token-env-check.sh — Warn if max output tokens is not configured
+#
+# Solves: "Response exceeded 32000 output token maximum" error
+#         (#24055 — 80 reactions)
+#
+# Claude Code defaults to 32,000 max output tokens. For complex tasks,
+# this is often not enough. Setting CLAUDE_CODE_MAX_OUTPUT_TOKENS
+# prevents the error, but many users don't know about this env var.
+#
+# This hook checks on session start (Notification/Stop) and warns
+# if the env var is not set or is set to the default 32000.
+#
+# TRIGGER: Notification
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "Notification": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/output-token-env-check.sh" }]
+#     }]
+#   }
+# }
+
+# Only run once per session (check if we already warned)
+MARKER="/tmp/cc-output-token-warned-$$"
+[ -f "$MARKER" ] && exit 0
+
+MAX_TOKENS="${CLAUDE_CODE_MAX_OUTPUT_TOKENS:-}"
+
+if [ -z "$MAX_TOKENS" ]; then
+  echo "TIP: CLAUDE_CODE_MAX_OUTPUT_TOKENS is not set (default: 32,000)." >&2
+  echo "  For complex tasks, set it higher to avoid truncated responses:" >&2
+  echo "  export CLAUDE_CODE_MAX_OUTPUT_TOKENS=128000" >&2
+  touch "$MARKER"
+elif [ "$MAX_TOKENS" -le 32000 ] 2>/dev/null; then
+  echo "TIP: CLAUDE_CODE_MAX_OUTPUT_TOKENS=$MAX_TOKENS (low for complex tasks)." >&2
+  echo "  Consider: export CLAUDE_CODE_MAX_OUTPUT_TOKENS=128000" >&2
+  touch "$MARKER"
+fi
+
+exit 0

package/examples/package-lock-frozen.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# package-lock-frozen.sh — Block modifications to lockfiles
+#
+# Prevents: Unintended lockfile changes that cause merge conflicts
+#           and dependency drift. Claude should use npm ci, not npm install.
+#
+# Blocks: Edit/Write to package-lock.json, yarn.lock, pnpm-lock.yaml
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Edit|Write"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+BASENAME=$(basename "$FILE")
+case "$BASENAME" in
+  package-lock.json|yarn.lock|pnpm-lock.yaml|Cargo.lock|poetry.lock|Gemfile.lock|composer.lock)
+    echo "BLOCKED: Direct modification of lockfile '$BASENAME'." >&2
+    echo "  Use the package manager to update dependencies instead." >&2
+    exit 2
+    ;;
+esac
+
+exit 0

package/examples/pip-venv-required.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# pip-venv-required.sh — Block pip install outside of a virtual environment
+#
+# Prevents: System-wide pip install that can break the OS Python.
+#           Only allows pip install when a virtualenv is active.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/pip-venv-required.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check pip install commands
+echo "$COMMAND" | grep -qE '^\s*(pip|pip3)\s+install' || exit 0
+
+# Allow if -r requirements.txt (deterministic install)
+echo "$COMMAND" | grep -qE 'pip3?\s+install\s+-r' && exit 0
+
+# Allow if --user flag (user-level, not system)
+echo "$COMMAND" | grep -qE 'pip3?\s+install\s+.*--user' && exit 0
+
+# Check if virtualenv is active
+if [ -z "$VIRTUAL_ENV" ] && [ -z "$CONDA_DEFAULT_ENV" ]; then
+  echo "BLOCKED: pip install outside of virtual environment." >&2
+  echo "  Activate a venv first: python3 -m venv .venv && source .venv/bin/activate" >&2
+  exit 2
+fi
+
+exit 0

package/examples/port-conflict-check.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# port-conflict-check.sh — Warn before starting a server on an occupied port
+#
+# Prevents: "EADDRINUSE" errors that confuse Claude into debugging
+#           phantom issues. Detects port conflicts before they happen.
+#
+# Detects: npm start, npm run dev, python -m http.server, node server.js,
+#          next dev, vite, etc.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/port-conflict-check.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Detect server-starting commands
+echo "$COMMAND" | grep -qiE '(npm\s+(start|run\s+dev)|npx\s+(next|vite|nuxt)|python.*http\.server|node\s+.*server|flask\s+run|uvicorn|gunicorn|rails\s+s)' || exit 0
+
+# Try to extract port from command
+PORT=""
+if echo "$COMMAND" | grep -qE '\-\-port[= ]+([0-9]+)'; then
+  PORT=$(echo "$COMMAND" | grep -oE '\-\-port[= ]+([0-9]+)' | grep -oE '[0-9]+')
+elif echo "$COMMAND" | grep -qE '\-p[= ]+([0-9]+)'; then
+  PORT=$(echo "$COMMAND" | grep -oE '\-p[= ]+([0-9]+)' | grep -oE '[0-9]+')
+fi
+
+# Common default ports
+if [ -z "$PORT" ]; then
+  if echo "$COMMAND" | grep -qiE 'next|vite|nuxt'; then PORT=3000
+  elif echo "$COMMAND" | grep -qiE 'flask|django'; then PORT=5000
+  elif echo "$COMMAND" | grep -qiE 'rails'; then PORT=3000
+  elif echo "$COMMAND" | grep -qiE 'http\.server'; then PORT=8000
+  else PORT=3000
+  fi
+fi
+
+# Check if port is in use
+if command -v ss >/dev/null 2>&1; then
+  if ss -tlnp 2>/dev/null | grep -q ":${PORT} "; then
+    PID=$(ss -tlnp 2>/dev/null | grep ":${PORT} " | grep -oP 'pid=\K[0-9]+' | head -1)
+    echo "WARNING: Port $PORT is already in use (PID: ${PID:-unknown})." >&2
+    echo "  Kill it: kill $PID  or use a different port." >&2
+  fi
+elif command -v lsof >/dev/null 2>&1; then
+  if lsof -i ":${PORT}" -sTCP:LISTEN >/dev/null 2>&1; then
+    echo "WARNING: Port $PORT is already in use." >&2
+    echo "  Check: lsof -i :$PORT" >&2
+  fi
+fi
+
+exit 0

package/examples/post-compact-safety.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# post-compact-safety.sh — Guard against autonomous actions after compaction
+#
+# Solves: After context compaction, Claude interprets the summary as
+# authorization to push commits and make irreversible changes without
+# user approval.
+# See: https://github.com/anthropics/claude-code/issues/39912
+#
+# TRIGGER: PreToolUse
+# MATCHER: Bash
+#
+# After compaction, blocks git push and other irreversible commands
+# for the first N tool calls, requiring explicit user interaction first.
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{
+#         "type": "command",
+#         "command": "~/.claude/hooks/post-compact-safety.sh"
+#       }]
+#     }]
+#   }
+# }
+#
+# Config: CC_POST_COMPACT_GUARD=10 (block for first 10 calls after compact)
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+GUARD_CALLS=${CC_POST_COMPACT_GUARD:-10}
+MARKER="/tmp/cc-post-compact-$(whoami)"
+COUNTER="/tmp/cc-post-compact-count-$(whoami)"
+
+# Detect compaction (context_window field or session state change)
+# After compaction, the session summary often contains these patterns
+TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Check if we're in post-compact guard mode
+if [ -f "$MARKER" ]; then
+    COUNT=1
+    [ -f "$COUNTER" ] && COUNT=$(( $(cat "$COUNTER") + 1 ))
+    echo "$COUNT" > "$COUNTER"
+
+    if [ "$COUNT" -le "$GUARD_CALLS" ]; then
+        # Block irreversible commands during guard period
+        if echo "$COMMAND" | grep -qE '^\s*(git\s+push|git\s+reset|git\s+clean|npm\s+publish|docker\s+push)'; then
+            echo "BLOCKED: Irreversible command blocked (post-compaction safety)" >&2
+            echo "  $COUNT/$GUARD_CALLS guard calls remaining. Confirm with user first." >&2
+            exit 2
+        fi
+    else
+        # Guard period over
+        rm -f "$MARKER" "$COUNTER"
+    fi
+fi
+
+exit 0

package/examples/prefer-builtin-tools.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# prefer-builtin-tools.sh — Deny bash commands that have dedicated built-in tool equivalents
+# PreToolUse hook (matcher: Bash)
+# Solves: https://github.com/anthropics/claude-code/issues/19649 (48+ reactions)
+#
+# Claude Code has built-in Read, Edit, Grep, Glob tools that are faster and safer
+# than bash equivalents. But Claude often reaches for sed, grep, cat instead.
+# This hook denies those commands with a pointer to the correct built-in tool.
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Check all segments of piped/chained commands
+while IFS= read -r segment; do
+  cmd=$(echo "$segment" | sed 's/^[[:space:]]*//' | sed 's/^[A-Za-z_][A-Za-z_0-9]*=[^ ]* //')
+  base=$(basename "$(echo "$cmd" | awk '{print $1}')" 2>/dev/null)
+  case "$base" in
+    cat)      msg="Use the Read tool to read files, or Write to create them" ;;
+    head|tail) msg="Use the Read tool with offset/limit parameters" ;;
+    sed)      msg="Use the Edit tool for modifications, or Read for viewing line ranges" ;;
+    awk)      msg="Use Read, Grep, or Edit tools instead" ;;
+    grep|rg)  msg="Use the built-in Grep tool (supports -A/-B/-C context, glob filters, output_mode)" ;;
+    find)     msg="Use the built-in Glob tool for file pattern matching" ;;
+    *)        continue ;;
+  esac
+  cat <<EOF
+{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"Do not use \`$base\`. $msg"}}
+EOF
+  exit 0
+done < <(echo "$COMMAND" | tr '|' '\n' | sed 's/[;&]\{1,2\}/\n/g')
+
+exit 0

package/examples/python-import-check.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+# python-import-check.sh — Detect unused imports in Python files
+#
+# Prevents: Unused imports that trigger linter warnings and add
+#           unnecessary dependencies. Claude often adds imports
+#           during development and forgets to clean up.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+case "$FILE" in
+  *.py) ;;
+  *) exit 0 ;;
+esac
+
+[ ! -f "$FILE" ] && exit 0
+
+# Quick check: find import lines and see if the imported name appears elsewhere
+python3 -c "
+import re, sys
+
+with open('$FILE') as f:
+    content = f.read()
+    lines = content.split('\n')
+
+imports = []
+for line in lines:
+    m = re.match(r'^import\s+(\w+)', line)
+    if m: imports.append(m.group(1))
+    m = re.match(r'^from\s+\S+\s+import\s+(.+)', line)
+    if m:
+        for name in m.group(1).split(','):
+            name = name.strip().split(' as ')[-1].strip()
+            if name and name != '*':
+                imports.append(name)
+
+unused = []
+for imp in imports:
+    # Count occurrences (excluding the import line itself)
+    count = len(re.findall(r'\b' + re.escape(imp) + r'\b', content))
+    if count <= 1:  # Only appears in the import line
+        unused.append(imp)
+
+if unused:
+    print(f'Possibly unused imports in $FILE: {', '.join(unused[:5])}', file=sys.stderr)
+" 2>&1
+
+exit 0

package/examples/python-ruff-on-edit.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# python-ruff-on-edit.sh — Run ruff lint after editing Python files
+#
+# TRIGGER: PostToolUse
+# MATCHER: Edit
+#
+# Best with the v2.1.85 "if" field to avoid running on non-Python edits:
+#
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Edit",
+#       "hooks": [{
+#         "type": "command",
+#         "if": "Edit(*.py)",
+#         "command": "~/.claude/hooks/python-ruff-on-edit.sh"
+#       }]
+#     }]
+#   }
+# }
+#
+# Without "if", the hook runs after every Edit and checks internally.
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+# Skip non-Python files (redundant with "if" field, kept for backward compat)
+[[ "$FILE" != *.py ]] && exit 0
+[ ! -f "$FILE" ] && exit 0
+
+# Prefer ruff, fall back to flake8, then pylint
+if command -v ruff &>/dev/null; then
+    ISSUES=$(ruff check "$FILE" --quiet 2>/dev/null)
+elif command -v flake8 &>/dev/null; then
+    ISSUES=$(flake8 "$FILE" --max-line-length=120 2>/dev/null)
+elif command -v pylint &>/dev/null; then
+    ISSUES=$(pylint "$FILE" --errors-only --score=no 2>/dev/null)
+else
+    exit 0  # No linter available
+fi
+
+if [ -n "$ISSUES" ]; then
+    COUNT=$(echo "$ISSUES" | wc -l)
+    echo "⚠ Lint: $COUNT issue(s) in $(basename "$FILE")" >&2
+    echo "$ISSUES" | head -5 >&2
+    if [ "$COUNT" -gt 5 ]; then
+        echo "  ... and $((COUNT - 5)) more" >&2
+    fi
+fi
+
+exit 0

package/examples/quoted-flag-approver.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# quoted-flag-approver.sh — Auto-approve commands with quoted flag values
+#
+# Solves: "Command contains quoted characters in flag names" false positives
+#         (#27957 — 70 reactions, breaks agentic workflows)
+#
+# After a Claude Code update, normal commands like:
+#   git commit -m "fix bug"
+#   bun run build --flag "value"
+# trigger a confirmation prompt even when they match allowlist patterns.
+#
+# This PermissionRequest hook auto-approves these prompts when:
+# 1. The base command is in a safe list
+# 2. The only "issue" is quoted characters in flag values
+#
+# TRIGGER: PermissionRequest
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PermissionRequest": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/quoted-flag-approver.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+
+# Only handle "quoted characters in flag names" prompts
+MESSAGE=$(echo "$INPUT" | jq -r '.message // empty' 2>/dev/null)
+echo "$MESSAGE" | grep -qi "quoted characters in flag" || exit 0
+
+# Extract the command being checked
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Safe base commands — customize for your project
+SAFE_COMMANDS="git|npm|npx|bun|yarn|pnpm|docker|make|cargo|go|pip|python3|node|tsc|eslint|prettier|jest|vitest|pytest|curl|wget|rsync|tar|zip|unzip|cp|mv|mkdir|cat|echo|grep|find|ls|chmod|sed|awk"
+
+# Extract base command (first word, ignoring env vars and path)
+BASE_CMD=$(echo "$COMMAND" | sed 's/^[A-Z_]*=[^ ]* //' | awk '{print $1}' | sed 's|.*/||')
+
+if echo "$BASE_CMD" | grep -qE "^($SAFE_COMMANDS)$"; then
+  echo '{"permissionDecision":"allow"}'
+  exit 0
+fi
+
+# Unknown command — let the prompt through
+exit 0

package/examples/react-key-warn.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# react-key-warn.sh — Warn about missing key props in JSX lists
+#
+# Prevents: "Each child in a list should have a unique key prop" errors.
+#           Claude often generates .map() without key props.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+case "$FILE" in
+  *.jsx|*.tsx) ;;
+  *) exit 0 ;;
+esac
+
+[ ! -f "$FILE" ] && exit 0
+
+# Check for .map( without key= in the return
+if grep -qE '\.map\s*\(' "$FILE"; then
+  # Count map calls and key props
+  MAPS=$(grep -c '\.map\s*(' "$FILE" 2>/dev/null || echo 0)
+  KEYS=$(grep -c 'key=' "$FILE" 2>/dev/null || echo 0)
+  if [ "$MAPS" -gt "$KEYS" ]; then
+    echo "WARNING: $FILE has $MAPS .map() calls but only $KEYS key= props." >&2
+    echo "  Add key props to list items to avoid React warnings." >&2
+  fi
+fi
+
+exit 0

package/examples/read-budget-guard.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# read-budget-guard.sh — Limit excessive file reading to prevent token waste
+#
+# Solves: Claude reading far more files than necessary, consuming 25% of
+# quota before any real work begins. Prevents duplicate reads.
+# See: https://github.com/anthropics/claude-code/issues/38733
+#
+# TRIGGER: PreToolUse
+# MATCHER: Read
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Read",
+#       "hooks": [{
+#         "type": "command",
+#         "command": "~/.claude/hooks/read-budget-guard.sh"
+#       }]
+#     }]
+#   }
+# }
+#
+# Config via env vars:
+#   CC_READ_BUDGET=100    — max unique files per session (default: 100)
+#   CC_READ_WARN=50       — warn threshold (default: 50)
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+BUDGET=${CC_READ_BUDGET:-100}
+WARN=${CC_READ_WARN:-50}
+TRACKER="/tmp/cc-read-budget-$$"
+
+# Create tracker if needed
+[ -f "$TRACKER" ] || touch "$TRACKER"
+
+# Check for duplicate read
+if grep -qxF "$FILE" "$TRACKER" 2>/dev/null; then
+    echo "⚠ Duplicate read: $(basename "$FILE") was already read this session" >&2
+    echo "  Consider using the cached content instead of re-reading." >&2
+    # Allow but warn (don't block duplicate reads, just flag them)
+fi
+
+# Track this read
+echo "$FILE" >> "$TRACKER"
+COUNT=$(wc -l < "$TRACKER")
+
+# Check budget
+if [ "$COUNT" -gt "$BUDGET" ]; then
+    echo "BLOCKED: Read budget exceeded ($COUNT/$BUDGET files)" >&2
+    echo "You've read $COUNT unique files this session." >&2
+    echo "Start working with what you have, or increase CC_READ_BUDGET." >&2
+    exit 2
+fi
+
+if [ "$COUNT" -eq "$WARN" ]; then
+    echo "⚠ Read budget warning: $COUNT/$BUDGET files read" >&2
+    echo "  Focus on implementation rather than reading more files." >&2
+fi
+
+exit 0

package/examples/rm-safety-net.sh

@@ -27,6 +27,9 @@
 #     }]
 #   }
 # }
+#
+# Note: This hook checks rm, find -delete, and shred. Do NOT add an "if" field
+# (v2.1.85) because "if" only supports one pattern and would miss the others.
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
@@ -41,6 +44,12 @@ if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?rm\s'; then
     # Extract the target (last argument after flags)
     TARGET=$(echo "$COMMAND" | grep -oP 'rm\s+[^;|&]*' | awk '{print $NF}')
 
+    # Block path traversal early
+    if echo "$TARGET" | grep -qF '..'; then
+        echo "BLOCKED: path traversal detected in rm target" >&2
+        exit 2
+    fi
+
     # Allow safe targets
     if echo "$TARGET" | grep -qE "^(\./)?(${SAFE_TARGETS})(/|$)"; then
         exit 0

package/examples/rust-clippy-after-edit.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# rust-clippy-after-edit.sh — Run cargo clippy after editing Rust files
+#
+# Prevents: Common Rust anti-patterns and potential bugs.
+#           Clippy catches: needless borrows, inefficient patterns,
+#           suspicious operations.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write|Edit"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+case "$FILE" in
+  *.rs) ;;
+  *) exit 0 ;;
+esac
+
+[ ! -f "$FILE" ] && exit 0
+
+# Find Cargo.toml
+DIR=$(dirname "$FILE")
+while [ "$DIR" != "/" ]; do
+  [ -f "$DIR/Cargo.toml" ] && break
+  DIR=$(dirname "$DIR")
+done
+
+if [ -f "$DIR/Cargo.toml" ] && command -v cargo >/dev/null 2>&1; then
+  WARNINGS=$(cd "$DIR" && cargo clippy --quiet 2>&1 | grep "^warning" | head -3)
+  if [ -n "$WARNINGS" ]; then
+    echo "Clippy warnings:" >&2
+    echo "$WARNINGS" | sed 's/^/  /' >&2
+  fi
+fi
+
+exit 0

package/examples/session-drift-guard.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+# session-drift-guard.sh — Progressive safety as session ages
+#
+# Solves: After ~6 hours, Claude starts ignoring CLAUDE.md rules,
+# acting autonomously, creating duplicates, corrupting files.
+# See: https://github.com/anthropics/claude-code/issues/32963
+#
+# TRIGGER: PreToolUse
+# MATCHER: Bash,Edit,Write
+#
+# As tool call count grows, the hook progressively tightens:
+#   0-200:   Normal (no action)
+#   200-500: Warn every 50 calls about drift risk
+#   500+:    Block destructive commands (rm, git push, git reset)
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash,Edit,Write",
+#       "hooks": [{
+#         "type": "command",
+#         "command": "~/.claude/hooks/session-drift-guard.sh"
+#       }]
+#     }]
+#   }
+# }
+#
+# Config: CC_DRIFT_WARN=200  CC_DRIFT_BLOCK=500
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+WARN_THRESHOLD=${CC_DRIFT_WARN:-200}
+BLOCK_THRESHOLD=${CC_DRIFT_BLOCK:-500}
+COUNTER="/tmp/cc-drift-counter-$(whoami)"
+
+# Increment counter
+COUNT=1
+if [ -f "$COUNTER" ]; then
+    COUNT=$(( $(cat "$COUNTER") + 1 ))
+fi
+echo "$COUNT" > "$COUNTER"
+
+# Phase 1: Normal (no action)
+if [ "$COUNT" -lt "$WARN_THRESHOLD" ]; then
+    exit 0
+fi
+
+# Phase 2: Warn periodically
+if [ "$COUNT" -lt "$BLOCK_THRESHOLD" ]; then
+    if [ $(( COUNT % 50 )) -eq 0 ]; then
+        echo "⚠ Session drift warning: $COUNT tool calls" >&2
+        echo "  Long sessions degrade AI judgment. Consider /compact or restarting." >&2
+    fi
+    exit 0
+fi
+
+# Phase 3: Block destructive commands
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?(rm|git\s+push|git\s+reset|git\s+clean|git\s+checkout\s+--)\b'; then
+    echo "BLOCKED: Destructive command after $COUNT tool calls (drift risk)" >&2
+    echo "Session has exceeded $BLOCK_THRESHOLD tool calls." >&2
+    echo "Restart the session or use /compact before destructive operations." >&2
+    exit 2
+fi
+
+# Non-destructive commands still pass with warning
+if [ $(( COUNT % 100 )) -eq 0 ]; then
+    echo "⚠ High drift risk: $COUNT tool calls. Consider restarting." >&2
+fi
+
+exit 0