cc-safe-setup 29.6.12 → 29.6.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
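--- a/package/README.md
+++ b/package/README.md
@@ -117,7 +117,7 @@ Install any of these: `npx cc-safe-setup --install-example <name>`
 | `--scan [--apply]` | Tech stack detection |
 | `--export / --import` | Team config sharing |
 | `--verify` | Test each hook |
-| `--install-example <name>` | Install from
+| `--install-example <name>` | Install from 425 examples |
 | `--examples [filter]` | Browse examples by keyword |
 | `--full` | All-in-one setup |
 | `--status` | Check installed hooks |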
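--- /dev/null
+++ b/api-key-in-url-guard.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+# api-key-in-url-guard.sh — Block API keys embedded in URLs
+#
+# Solves: Claude Code embedding API keys directly in curl/wget URLs
+# instead of using headers or environment variables.
+# Keys in URLs appear in shell history, server logs, proxy logs,
+# and error messages — all places where secrets shouldn't be.
+#
+# Detects:
+# curl https://api.example.com?key=abc123
+# curl https://api.example.com?api_key=abc123
+# curl https://api.example.com?token=abc123
+# wget "https://...?secret=..."
+#
+# Does NOT block:
+# curl -H "Authorization: Bearer $TOKEN" https://...
+# curl with env vars: $API_KEY in header
+#
+# TRIGGER: PreToolUse MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Only check commands that make HTTP requests
+echo "$COMMAND" | grep -qE '\b(curl|wget|http|fetch)\b' || exit 0
+
+# Check for API key patterns in URLs
+if echo "$COMMAND" | grep -qiP '[?&](api[_-]?key|token|secret|password|auth|access[_-]?key|client[_-]?secret)=[^$\s&"'\'']{8,}'; then
+echo "BLOCKED: API key detected in URL query parameter." >&2
+echo "" >&2
+echo "Command: $(echo "$COMMAND" | head -1)" >&2
+echo "" >&2
+echo "API keys in URLs appear in:" >&2
+echo " - Shell history (~/.bash_history)" >&2
+echo " - Server access logs" >&2
+echo " - Proxy/CDN logs" >&2
+echo "" >&2
+echo "Use headers instead:" >&2
+echo " curl -H 'Authorization: Bearer \$TOKEN' https://..." >&2
+echo " curl -H 'X-API-Key: \$API_KEY' https://..." >&2
+exit 2
+fi
+
+exit 0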
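Review bot: The detection examples in the header (lines 10-12) are not matched by the pattern on line 30: a bare `key=` parameter is not in the alternation (only `api[_-]?key` is), and the `{8,}` minimum rejects the six-character `abc123` values those examples use, so either the pattern should gain `key` in its group (`[?&](api[_-]?key|key|token|…)`) or the header should show inputs the hook really blocks. `grep -P` on line 30 is also GNU-only; on a BSD/macOS grep the call errors out, the `if` falls through and the hook allows the command, so `grep -qiE` with `[^$[:space:]&"'\'']{8,}` in place of the `\s` class would keep the check working everywhere. The same fail-open exists when `jq` is missing or fails, since line 22 leaves COMMAND empty and line 24 exits 0 — in this script and equally in gh-cli-destructive-guard.sh (lines 16 and 18 there); a `command -v jq` check that exits non-zero with a message would make the dependency visible. Finally, line 33 writes the offending command, key included, to stderr, which is exactly the exposure the hook exists to prevent; the echoed command should be redacted first, e.g. piped through `sed -E 's/=[^&[:space:]]{8,}/=[REDACTED]/g'`.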
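--- /dev/null
+++ b/gh-cli-destructive-guard.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+# gh-cli-destructive-guard.sh — Block destructive GitHub CLI operations
+#
+# Solves: Claude Code running dangerous gh commands without confirmation:
+# - Closing/deleting issues or PRs
+# - Deleting repos, releases, or branches
+# - Merging PRs without review
+# - Modifying repo settings
+#
+# The gh CLI is powerful but destructive operations should require
+# explicit human approval, not AI autonomy.
+#
+# TRIGGER: PreToolUse MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Only check gh commands
+echo "$COMMAND" | grep -qE '\bgh\s' || exit 0
+
+# Block destructive issue operations
+if echo "$COMMAND" | grep -qE 'gh\s+issue\s+(close|delete|lock|transfer)'; then
+echo "BLOCKED: Destructive GitHub Issue operation." >&2
+echo "Command: $COMMAND" >&2
+exit 2
+fi
+
+# Block destructive PR operations
+if echo "$COMMAND" | grep -qE 'gh\s+pr\s+(close|merge|ready)'; then
+echo "BLOCKED: Destructive GitHub PR operation." >&2
+echo " gh pr merge/close requires human review." >&2
+echo "Command: $COMMAND" >&2
+exit 2
+fi
+
+# Block repo deletion
+if echo "$COMMAND" | grep -qE 'gh\s+repo\s+delete'; then
+echo "BLOCKED: Repository deletion." >&2
+exit 2
+fi
+
+# Block release deletion
+if echo "$COMMAND" | grep -qE 'gh\s+release\s+delete'; then
+echo "BLOCKED: Release deletion." >&2
+exit 2
+fi
+
+# Block branch deletion via gh
+if echo "$COMMAND" | grep -qE 'gh\s+api\s+.*DELETE'; then
+echo "BLOCKED: Destructive GitHub API call (DELETE method)." >&2
+echo "Command: $COMMAND" >&2
+exit 2
+fi
+
+exit 0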
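Review bot: The header lists "Modifying repo settings" (line 8) among the operations this hook blocks, but none of the checks on lines 24-51 matches a repo-settings command such as `gh repo edit`, so either a rule should be added or that line should be dropped from the header to keep the documented scope honest. The comment on line 50, `# Block branch deletion via gh`, does not describe the check on line 51 or the message on line 52, which cover any `gh api` invocation containing DELETE; `# Block DELETE requests issued through gh api` would match what the code does. The `gh repo delete` and `gh release delete` branches (lines 39-48) also omit the `Command: $COMMAND` line the other three branches print, so the record of what was blocked is inconsistent across rules. Note too that `gh\s+api\s+.*DELETE` is case-sensitive; whether gh accepts a lower-case method value is not visible here and is worth confirming against `gh api --method` before relying on this rule.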
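--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "cc-safe-setup",
-"version": "29.6.
-"description": "One command to make Claude Code safe.
+"version": "29.6.13",
+"description": "One command to make Claude Code safe. 427 example hooks + 8 built-in. 52 CLI commands. 5718 tests. Works with Auto Mode.",
 "main": "index.mjs",
 "bin": {
 "cc-safe-setup": "index.mjs"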