cc-safe-setup 29.6.13 → 29.6.15

package/examples/cloud-cli-guard.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# cloud-cli-guard.sh — Block destructive GCP/Azure CLI operations
+#
+# Solves: Claude Code running destructive cloud operations via gcloud/az CLI.
+#         Deleting VMs, storage, or databases in cloud environments can
+#         cause irreversible data loss and significant costs.
+#
+# Note: AWS is covered by aws-production-guard.sh
+#
+# Detects:
+#   gcloud compute instances delete
+#   gcloud sql instances delete
+#   gcloud storage rm
+#   gcloud projects delete
+#   az vm delete
+#   az storage account delete
+#   az sql db delete
+#   az group delete
+#
+# Does NOT block:
+#   gcloud compute instances list/describe
+#   az vm list/show
+#   gcloud/az read-only operations
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block destructive gcloud operations
+if echo "$COMMAND" | grep -qE '\bgcloud\s+.*(delete|destroy|remove|reset)\b'; then
+    echo "BLOCKED: Destructive Google Cloud operation detected." >&2
+    echo "  Command: $COMMAND" >&2
+    echo "  Use 'gcloud ... describe' or 'gcloud ... list' to check first." >&2
+    exit 2
+fi
+
+# Block destructive az (Azure) operations
+if echo "$COMMAND" | grep -qE '\baz\s+.*(delete|destroy|remove)\b'; then
+    echo "BLOCKED: Destructive Azure operation detected." >&2
+    echo "  Command: $COMMAND" >&2
+    exit 2
+fi
+
+exit 0

package/examples/db-connect-guard.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+# db-connect-guard.sh — Warn on direct database connections
+#
+# Solves: Claude Code connecting to databases directly via CLI clients
+#         and running queries without understanding the environment.
+#         Production database connections should go through application
+#         code, not direct CLI access.
+#
+# Real incidents:
+#   #36183 — prisma db push --force-reset on production
+#   #33183 — prisma db push against production database
+#   #27063 — destructive db command wiped production
+#
+# Detects:
+#   mysql -h <host>          (MySQL direct connection)
+#   psql -h <host>           (PostgreSQL direct connection)
+#   mongo <connection-string> (MongoDB direct connection)
+#   redis-cli -h <host>      (Redis direct connection)
+#   prisma db push           (Prisma schema push)
+#   prisma migrate deploy    (Prisma migration)
+#
+# Does NOT block:
+#   mysql (local, no -h flag — likely development)
+#   psql (local connection)
+#   prisma generate (code generation, not DB change)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block remote database connections
+if echo "$COMMAND" | grep -qE '\b(mysql|psql|mongo(sh)?)\s+.*(-h\s+|--host[= ])'; then
+    echo "BLOCKED: Direct remote database connection detected." >&2
+    echo "  Remote DB connections should use application code, not CLI." >&2
+    echo "  Command: $COMMAND" >&2
+    exit 2
+fi
+
+# Block redis remote connections
+if echo "$COMMAND" | grep -qE '\bredis-cli\s+.*(-h\s+|--host)'; then
+    echo "BLOCKED: Direct remote Redis connection detected." >&2
+    exit 2
+fi
+
+# Block Prisma destructive operations
+if echo "$COMMAND" | grep -qE '\bprisma\s+(db\s+push|migrate\s+deploy|migrate\s+reset)'; then
+    echo "BLOCKED: Prisma database modification detected." >&2
+    echo "  prisma db push/migrate can destroy production data." >&2
+    echo "  Verify DATABASE_URL points to the correct environment." >&2
+    exit 2
+fi
+
+exit 0

package/examples/firewall-guard.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+# firewall-guard.sh — Block firewall rule modifications
+#
+# Solves: Claude Code modifying firewall rules (iptables, ufw, nftables)
+#         which can lock users out of servers or expose services.
+#         A single wrong iptables rule can make a remote server
+#         permanently inaccessible.
+#
+# Detects:
+#   iptables -A/-D/-I/-F    (add/delete/insert/flush rules)
+#   ufw allow/deny/delete   (uncomplicated firewall changes)
+#   nft add/delete/flush    (nftables changes)
+#   firewall-cmd --add/--remove  (firewalld changes)
+#
+# Does NOT block:
+#   iptables -L/-S          (listing rules — read-only)
+#   ufw status              (checking status)
+#   nft list                (listing rules)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block iptables modifications
+if echo "$COMMAND" | grep -qE '\biptables\s+(-A|-D|-I|-F|-X|-P|--append|--delete|--insert|--flush)'; then
+    echo "BLOCKED: iptables modification can lock you out of the server." >&2
+    echo "  Use 'iptables -L' to view rules safely." >&2
+    exit 2
+fi
+
+# Block ufw modifications
+if echo "$COMMAND" | grep -qE '\bufw\s+(allow|deny|delete|disable|reset|route)'; then
+    echo "BLOCKED: ufw firewall modification." >&2
+    echo "  Use 'ufw status' to view rules safely." >&2
+    exit 2
+fi
+
+# Block nftables modifications
+if echo "$COMMAND" | grep -qE '\bnft\s+(add|delete|flush|insert)'; then
+    echo "BLOCKED: nftables modification." >&2
+    exit 2
+fi
+
+# Block firewalld modifications
+if echo "$COMMAND" | grep -qE '\bfirewall-cmd\s+--(add|remove|set|reload)'; then
+    echo "BLOCKED: firewalld modification." >&2
+    exit 2
+fi
+
+exit 0

package/examples/kill-process-guard.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# kill-process-guard.sh — Block dangerous process termination commands
+#
+# Solves: Claude Code killing important system processes or user processes
+#         without understanding their purpose. kill -9 is especially dangerous
+#         as it prevents graceful shutdown and can cause data corruption.
+#
+# Detects:
+#   kill -9 <pid>        (forced termination, no cleanup)
+#   killall <name>       (kills ALL matching processes)
+#   pkill <pattern>      (pattern-based kill, can be too broad)
+#   kill -KILL           (same as -9)
+#
+# Does NOT block:
+#   kill <pid>           (graceful SIGTERM, allows cleanup)
+#   kill -15 <pid>       (explicit SIGTERM)
+#   kill -INT            (Ctrl+C equivalent)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block kill -9 (SIGKILL — no cleanup, potential data corruption)
+if echo "$COMMAND" | grep -qE '\bkill\s+-(9|KILL)\b'; then
+    echo "BLOCKED: kill -9 forces immediate termination without cleanup." >&2
+    echo "  Data corruption is possible. Use 'kill <pid>' (SIGTERM) instead." >&2
+    echo "  Command: $COMMAND" >&2
+    exit 2
+fi
+
+# Block killall (kills ALL matching processes)
+if echo "$COMMAND" | grep -qE '\bkillall\s'; then
+    echo "BLOCKED: killall terminates ALL processes matching the name." >&2
+    echo "  This may kill unrelated processes. Use 'kill <specific-pid>' instead." >&2
+    echo "  Command: $COMMAND" >&2
+    exit 2
+fi
+
+# Block pkill (pattern-based, can be overly broad)
+if echo "$COMMAND" | grep -qE '\bpkill\s'; then
+    echo "BLOCKED: pkill uses pattern matching which may kill unintended processes." >&2
+    echo "  Find the specific PID with 'pgrep' first, then use 'kill <pid>'." >&2
+    echo "  Command: $COMMAND" >&2
+    exit 2
+fi
+
+exit 0

package/examples/registry-publish-guard.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# registry-publish-guard.sh — Block publishing to package registries
+#
+# Solves: Claude Code accidentally publishing packages to npm, PyPI,
+#         RubyGems, crates.io, or other registries. Publishing is
+#         irreversible for many registries (npm unpublish has a 72h limit).
+#
+# Note: npm-publish-guard.sh covers npm specifically.
+#       This hook covers ALL package registries.
+#
+# Detects:
+#   gem push              (RubyGems)
+#   twine upload          (PyPI)
+#   pip upload            (PyPI alternative)
+#   cargo publish         (crates.io)
+#   dotnet nuget push     (.NET NuGet)
+#   docker push           (Docker Hub)
+#   helm push             (Helm charts)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block gem push (RubyGems)
+if echo "$COMMAND" | grep -qE '\bgem\s+push\b'; then
+    echo "BLOCKED: RubyGems publish detected." >&2
+    echo "  Publishing to RubyGems is irreversible. Verify version and credentials." >&2
+    exit 2
+fi
+
+# Block PyPI upload (twine/pip)
+if echo "$COMMAND" | grep -qE '\b(twine|pip)\s+upload\b'; then
+    echo "BLOCKED: PyPI upload detected." >&2
+    exit 2
+fi
+
+# Block cargo publish (crates.io)
+if echo "$COMMAND" | grep -qE '\bcargo\s+publish\b'; then
+    echo "BLOCKED: crates.io publish detected." >&2
+    exit 2
+fi
+
+# Block dotnet nuget push
+if echo "$COMMAND" | grep -qE '\bdotnet\s+nuget\s+push\b'; then
+    echo "BLOCKED: NuGet publish detected." >&2
+    exit 2
+fi
+
+# Block docker push
+if echo "$COMMAND" | grep -qE '\bdocker\s+push\b'; then
+    echo "BLOCKED: Docker image push detected." >&2
+    echo "  Verify the image tag and registry before pushing." >&2
+    exit 2
+fi
+
+# Block helm push
+if echo "$COMMAND" | grep -qE '\bhelm\s+(push|package.*push)\b'; then
+    echo "BLOCKED: Helm chart push detected." >&2
+    exit 2
+fi
+
+exit 0

package/examples/sensitive-file-read-guard.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# sensitive-file-read-guard.sh — Block reading sensitive system/user files
+#
+# Solves: Claude Code reading private keys, credentials, password files
+#         via the Read tool. Even reading these files exposes secrets in
+#         the conversation context, which persists in transcripts.
+#
+# Detects (via Read tool):
+#   ~/.ssh/id_rsa, id_ed25519 (private keys)
+#   ~/.gnupg/                 (GPG keys)
+#   ~/.aws/credentials        (AWS credentials)
+#   /etc/shadow               (password hashes)
+#   *.pem, *.key              (certificate private keys)
+#   .env.production           (production secrets)
+#
+# Does NOT block:
+#   ~/.ssh/config             (SSH config, no secrets)
+#   ~/.ssh/id_rsa.pub         (public keys are fine)
+#   /etc/passwd               (no secrets, world-readable)
+#   Regular project files
+#
+# TRIGGER: PreToolUse  MATCHER: "Read"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+[ -z "$FILE" ] && exit 0
+
+# Block private key files
+if echo "$FILE" | grep -qiE '(id_rsa|id_ed25519|id_ecdsa|id_dsa)$'; then
+    # Allow .pub files
+    echo "$FILE" | grep -qiE '\.pub$' && exit 0
+    echo "BLOCKED: Reading private key file: $FILE" >&2
+    echo "  Private keys should never be read into conversation context." >&2
+    exit 2
+fi
+
+# Block certificate private keys
+if echo "$FILE" | grep -qiE '\.(pem|key)$' && echo "$FILE" | grep -qiE '(private|server|ssl|tls)'; then
+    echo "BLOCKED: Reading certificate private key: $FILE" >&2
+    exit 2
+fi
+
+# Block credential files
+if echo "$FILE" | grep -qiE '\.aws/credentials|\.gcloud/credentials|\.azure/|/etc/shadow|\.gnupg/'; then
+    echo "BLOCKED: Reading credential/secret file: $FILE" >&2
+    exit 2
+fi
+
+# Block production env files
+if echo "$FILE" | grep -qiE '\.env\.(production|prod|staging)$'; then
+    echo "BLOCKED: Reading production environment file: $FILE" >&2
+    echo "  Production secrets should not be in conversation context." >&2
+    exit 2
+fi
+
+exit 0

package/examples/systemd-service-guard.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# systemd-service-guard.sh — Block dangerous systemd service operations
+#
+# Solves: Claude Code stopping/restarting system services without
+#         understanding the impact. Stopping nginx kills all connections,
+#         stopping postgresql causes data loss if not cleanly shut down.
+#
+# Detects:
+#   systemctl stop <service>
+#   systemctl restart <service>
+#   systemctl disable <service>
+#   systemctl mask <service>
+#   service <name> stop
+#
+# Does NOT block:
+#   systemctl status <service>
+#   systemctl start <service>    (starting is generally safe)
+#   systemctl list-units
+#   journalctl
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block systemctl stop/restart/disable/mask
+if echo "$COMMAND" | grep -qE '\bsystemctl\s+(stop|restart|disable|mask)\b'; then
+    ACTION=$(echo "$COMMAND" | grep -oE 'systemctl\s+(stop|restart|disable|mask)\s+\S+')
+    echo "BLOCKED: Dangerous systemd operation: $ACTION" >&2
+    echo "  Stopping/restarting services can cause downtime and data loss." >&2
+    echo "  Use 'systemctl status <service>' to check before acting." >&2
+    exit 2
+fi
+
+# Block legacy service command
+if echo "$COMMAND" | grep -qE '\bservice\s+\S+\s+(stop|restart)\b'; then
+    echo "BLOCKED: Dangerous service operation." >&2
+    echo "  Command: $COMMAND" >&2
+    exit 2
+fi
+
+exit 0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.13",
-  "description": "One command to make Claude Code safe. 427 example hooks + 8 built-in. 52 CLI commands. 5718 tests. Works with Auto Mode.",
+  "version": "29.6.15",
+  "description": "One command to make Claude Code safe. 434 example hooks + 8 built-in. 52 CLI commands. 5800 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"