cc-safe-setup 29.6.1 → 29.6.2

package/examples/bash-trace-guard.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# bash-trace-guard.sh — Block debug tracing that exposes secrets
+#
+# Solves: Claude running bash -x which traces all commands including
+# expanded secrets from .env files, and SQL queries for credential columns.
+# See: https://github.com/anthropics/claude-code/issues/37599
+#
+# TRIGGER: PreToolUse
+# MATCHER: Bash
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{
+#         "type": "command",
+#         "command": "~/.claude/hooks/bash-trace-guard.sh"
+#       }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Block bash debug tracing (expands all variables including secrets)
+if echo "$COMMAND" | grep -qE 'bash\s+(-[a-z]*x|-x)|set\s+-x|set\s+-o\s+xtrace|bash\s+--debug'; then
+    echo "BLOCKED: Debug tracing exposes expanded variables including secrets" >&2
+    echo "Use 'echo' statements for debugging instead of bash -x." >&2
+    exit 2
+fi
+
+# Block source .env followed by echo/printenv (secret exfiltration)
+if echo "$COMMAND" | grep -qE '(source|\.)\s+\.env.*&&.*(echo|printenv|env|set\b)'; then
+    echo "BLOCKED: Sourcing .env and printing environment exposes secrets" >&2
+    exit 2
+fi
+
+# Block SQL queries targeting credential columns
+if echo "$COMMAND" | grep -qiE 'SELECT.*\b(password|secret|token|api_key|private_key|access_key)\b.*FROM'; then
+    echo "BLOCKED: SQL query targets credential columns" >&2
+    echo "Query non-sensitive columns, or use application-level access." >&2
+    exit 2
+fi
+
+exit 0

package/examples/post-compact-safety.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# post-compact-safety.sh — Guard against autonomous actions after compaction
+#
+# Solves: After context compaction, Claude interprets the summary as
+# authorization to push commits and make irreversible changes without
+# user approval.
+# See: https://github.com/anthropics/claude-code/issues/39912
+#
+# TRIGGER: PreToolUse
+# MATCHER: Bash
+#
+# After compaction, blocks git push and other irreversible commands
+# for the first N tool calls, requiring explicit user interaction first.
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{
+#         "type": "command",
+#         "command": "~/.claude/hooks/post-compact-safety.sh"
+#       }]
+#     }]
+#   }
+# }
+#
+# Config: CC_POST_COMPACT_GUARD=10 (block for first 10 calls after compact)
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+GUARD_CALLS=${CC_POST_COMPACT_GUARD:-10}
+MARKER="/tmp/cc-post-compact-$(whoami)"
+COUNTER="/tmp/cc-post-compact-count-$(whoami)"
+
+# Detect compaction (context_window field or session state change)
+# After compaction, the session summary often contains these patterns
+TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Check if we're in post-compact guard mode
+if [ -f "$MARKER" ]; then
+    COUNT=1
+    [ -f "$COUNTER" ] && COUNT=$(( $(cat "$COUNTER") + 1 ))
+    echo "$COUNT" > "$COUNTER"
+
+    if [ "$COUNT" -le "$GUARD_CALLS" ]; then
+        # Block irreversible commands during guard period
+        if echo "$COMMAND" | grep -qE '^\s*(git\s+push|git\s+reset|git\s+clean|npm\s+publish|docker\s+push)'; then
+            echo "BLOCKED: Irreversible command blocked (post-compaction safety)" >&2
+            echo "  $COUNT/$GUARD_CALLS guard calls remaining. Confirm with user first." >&2
+            exit 2
+        fi
+    else
+        # Guard period over
+        rm -f "$MARKER" "$COUNTER"
+    fi
+fi
+
+exit 0

package/examples/read-budget-guard.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# read-budget-guard.sh — Limit excessive file reading to prevent token waste
+#
+# Solves: Claude reading far more files than necessary, consuming 25% of
+# quota before any real work begins. Prevents duplicate reads.
+# See: https://github.com/anthropics/claude-code/issues/38733
+#
+# TRIGGER: PreToolUse
+# MATCHER: Read
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Read",
+#       "hooks": [{
+#         "type": "command",
+#         "command": "~/.claude/hooks/read-budget-guard.sh"
+#       }]
+#     }]
+#   }
+# }
+#
+# Config via env vars:
+#   CC_READ_BUDGET=100    — max unique files per session (default: 100)
+#   CC_READ_WARN=50       — warn threshold (default: 50)
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+BUDGET=${CC_READ_BUDGET:-100}
+WARN=${CC_READ_WARN:-50}
+TRACKER="/tmp/cc-read-budget-$$"
+
+# Create tracker if needed
+[ -f "$TRACKER" ] || touch "$TRACKER"
+
+# Check for duplicate read
+if grep -qxF "$FILE" "$TRACKER" 2>/dev/null; then
+    echo "⚠ Duplicate read: $(basename "$FILE") was already read this session" >&2
+    echo "  Consider using the cached content instead of re-reading." >&2
+    # Allow but warn (don't block duplicate reads, just flag them)
+fi
+
+# Track this read
+echo "$FILE" >> "$TRACKER"
+COUNT=$(wc -l < "$TRACKER")
+
+# Check budget
+if [ "$COUNT" -gt "$BUDGET" ]; then
+    echo "BLOCKED: Read budget exceeded ($COUNT/$BUDGET files)" >&2
+    echo "You've read $COUNT unique files this session." >&2
+    echo "Start working with what you have, or increase CC_READ_BUDGET." >&2
+    exit 2
+fi
+
+if [ "$COUNT" -eq "$WARN" ]; then
+    echo "⚠ Read budget warning: $COUNT/$BUDGET files read" >&2
+    echo "  Focus on implementation rather than reading more files." >&2
+fi
+
+exit 0

package/examples/session-drift-guard.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+# session-drift-guard.sh — Progressive safety as session ages
+#
+# Solves: After ~6 hours, Claude starts ignoring CLAUDE.md rules,
+# acting autonomously, creating duplicates, corrupting files.
+# See: https://github.com/anthropics/claude-code/issues/32963
+#
+# TRIGGER: PreToolUse
+# MATCHER: Bash,Edit,Write
+#
+# As tool call count grows, the hook progressively tightens:
+#   0-200:   Normal (no action)
+#   200-500: Warn every 50 calls about drift risk
+#   500+:    Block destructive commands (rm, git push, git reset)
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash,Edit,Write",
+#       "hooks": [{
+#         "type": "command",
+#         "command": "~/.claude/hooks/session-drift-guard.sh"
+#       }]
+#     }]
+#   }
+# }
+#
+# Config: CC_DRIFT_WARN=200  CC_DRIFT_BLOCK=500
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+WARN_THRESHOLD=${CC_DRIFT_WARN:-200}
+BLOCK_THRESHOLD=${CC_DRIFT_BLOCK:-500}
+COUNTER="/tmp/cc-drift-counter-$(whoami)"
+
+# Increment counter
+COUNT=1
+if [ -f "$COUNTER" ]; then
+    COUNT=$(( $(cat "$COUNTER") + 1 ))
+fi
+echo "$COUNT" > "$COUNTER"
+
+# Phase 1: Normal (no action)
+if [ "$COUNT" -lt "$WARN_THRESHOLD" ]; then
+    exit 0
+fi
+
+# Phase 2: Warn periodically
+if [ "$COUNT" -lt "$BLOCK_THRESHOLD" ]; then
+    if [ $(( COUNT % 50 )) -eq 0 ]; then
+        echo "⚠ Session drift warning: $COUNT tool calls" >&2
+        echo "  Long sessions degrade AI judgment. Consider /compact or restarting." >&2
+    fi
+    exit 0
+fi
+
+# Phase 3: Block destructive commands
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?(rm|git\s+push|git\s+reset|git\s+clean|git\s+checkout\s+--)\b'; then
+    echo "BLOCKED: Destructive command after $COUNT tool calls (drift risk)" >&2
+    echo "Session has exceeded $BLOCK_THRESHOLD tool calls." >&2
+    echo "Restart the session or use /compact before destructive operations." >&2
+    exit 2
+fi
+
+# Non-destructive commands still pass with warning
+if [ $(( COUNT % 100 )) -eq 0 ]; then
+    echo "⚠ High drift risk: $COUNT tool calls. Consider restarting." >&2
+fi
+
+exit 0

package/examples/strip-coauthored-by.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# strip-coauthored-by.sh — Remove or warn about Co-Authored-By trailers
+#
+# Solves: Claude auto-appending Co-Authored-By to every commit without
+# user consent. 489 commits branded without the user wanting it.
+# See: https://github.com/anthropics/claude-code/issues/29999
+#
+# TRIGGER: PreToolUse
+# MATCHER: Bash
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{
+#         "type": "command",
+#         "if": "Bash(git commit *)",
+#         "command": "~/.claude/hooks/strip-coauthored-by.sh"
+#       }]
+#     }]
+#   }
+# }
+#
+# Config: CC_ALLOW_COAUTHOR=1 to allow (default: 0 = block/warn)
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check git commit commands
+echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
+
+# Check if Co-Authored-By is in the commit message
+if echo "$COMMAND" | grep -qiE 'Co-Authored-By.*Claude\|Co-Authored-By.*Anthropic\|Co-Authored-By.*noreply@anthropic'; then
+    if [ "${CC_ALLOW_COAUTHOR:-0}" = "1" ]; then
+        exit 0  # User explicitly allows
+    fi
+    echo "⚠ Co-Authored-By trailer detected in commit message" >&2
+    echo "  Set CC_ALLOW_COAUTHOR=1 to allow, or remove the trailer." >&2
+    echo "  See: https://github.com/anthropics/claude-code/issues/29999" >&2
+    # Warn but don't block — user can decide
+    exit 0
+fi
+
+exit 0

package/examples/variable-expansion-guard.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# variable-expansion-guard.sh — Block destructive commands with shell variable expansion
+#
+# Solves: Claude running rm -rf "${LOCALAPPDATA}/" where Bash expands the
+# variable to a real system path, deleting 50+ app folders.
+# See: https://github.com/anthropics/claude-code/issues/39460
+#
+# TRIGGER: PreToolUse
+# MATCHER: Bash
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{
+#         "type": "command",
+#         "if": "Bash(rm *)",
+#         "command": "~/.claude/hooks/variable-expansion-guard.sh"
+#       }]
+#     }]
+#   }
+# }
+#
+# The "if" field (v2.1.85+) limits this to rm commands only.
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check destructive commands
+echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?(rm|mv|cp|chmod|chown)\b' || exit 0
+
+# Detect shell variable patterns in arguments
+# $VAR, ${VAR}, $(command), `command`
+if echo "$COMMAND" | grep -qE '\$\{[A-Z_]+\}|\$[A-Z_]{2,}'; then
+    VAR=$(echo "$COMMAND" | grep -oE '\$\{[A-Z_]+\}|\$[A-Z_]{2,}' | head -1)
+    echo "BLOCKED: Destructive command uses shell variable $VAR" >&2
+    echo "Variables may expand to system paths (e.g., \$LOCALAPPDATA → C:/Users/.../AppData/Local)" >&2
+    echo "Use explicit paths instead of variables in destructive commands." >&2
+    exit 2
+fi
+
+# Detect command substitution in rm arguments
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?rm\b.*(\$\(|`)'; then
+    echo "BLOCKED: rm with command substitution detected" >&2
+    echo "The substituted path could expand to a system directory." >&2
+    exit 2
+fi
+
+exit 0

package/index.mjs

@@ -405,6 +405,12 @@ function examples() {
       'pip-venv-guard.sh': 'Warn on pip install outside venv',
       'no-git-amend-push.sh': 'Warn on amending pushed commits',
       'typosquat-guard.sh': 'Detect npm/pip typosquatting attacks',
+      'variable-expansion-guard.sh': 'Block rm/mv with unexpanded shell variables (prevents system path deletion)',
+      'bash-trace-guard.sh': 'Block bash -x debug tracing that exposes secrets',
+      'strip-coauthored-by.sh': 'Warn on Co-Authored-By trailers in commit messages',
+      'session-drift-guard.sh': 'Progressive safety as session ages (warn at 200, block at 500 calls)',
+      'post-compact-safety.sh': 'Block irreversible commands after context compaction',
+      'read-budget-guard.sh': 'Limit excessive file reading to prevent token waste',
       'hook-permission-fixer.sh': 'Auto-fix missing execute permissions on hooks (SessionStart)',
       'response-budget-guard.sh': 'Track and limit tool calls per response (anti-loop)',
     },

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.1",
-  "description": "One command to make Claude Code safe. 406 example hooks + 8 built-in. 52 CLI commands. 5564 tests. Works with Auto Mode.",
+  "version": "29.6.2",
+  "description": "One command to make Claude Code safe. 412 example hooks + 8 built-in. 52 CLI commands. 5601 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"