cc-safe-setup 29.6.15 → 29.6.17

package/examples/disk-partition-guard.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# disk-partition-guard.sh — Block disk partitioning and mount operations
+#
+# Solves: Claude Code running disk operations that can cause data loss
+#         or system instability. Mounting/unmounting, partitioning, and
+#         formatting are irreversible on production systems.
+#
+# Detects:
+#   mount / umount           (filesystem mount operations)
+#   fdisk / parted / gdisk   (partition table editors)
+#   mkfs / mkswap            (filesystem/swap creation)
+#   dd if=                   (raw disk writes)
+#   swapon / swapoff         (swap management)
+#
+# Does NOT block:
+#   df / lsblk / blkid       (read-only disk info)
+#   mount (no args)          (list mounts)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block partition editors
+if echo "$COMMAND" | grep -qE '\b(fdisk|parted|gdisk|cfdisk|sfdisk)\b'; then
+    echo "BLOCKED: Disk partitioning tool detected." >&2
+    echo "  Partitioning can cause irreversible data loss." >&2
+    exit 2
+fi
+
+# Block filesystem creation
+if echo "$COMMAND" | grep -qE '\b(mkfs|mkswap|mke2fs)\b'; then
+    echo "BLOCKED: Filesystem creation/formatting detected." >&2
+    exit 2
+fi
+
+# Block mount/umount with arguments
+if echo "$COMMAND" | grep -qE '\bumount\b|\bumount\b'; then
+    echo "BLOCKED: Unmounting filesystem can cause data loss." >&2
+    exit 2
+fi
+if echo "$COMMAND" | grep -qE '\bmount\s+\S' && ! echo "$COMMAND" | grep -qE '\bmount\s*$'; then
+    echo "BLOCKED: Mounting filesystem requires administrator oversight." >&2
+    exit 2
+fi
+
+# Block dd (raw disk writes)
+if echo "$COMMAND" | grep -qE '\bdd\s+if='; then
+    echo "BLOCKED: Raw disk write (dd) detected." >&2
+    exit 2
+fi
+
+# Block swap management
+if echo "$COMMAND" | grep -qE '\b(swapon|swapoff)\b'; then
+    echo "BLOCKED: Swap management operation detected." >&2
+    exit 2
+fi
+
+exit 0

package/examples/dns-config-guard.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# dns-config-guard.sh — Block DNS/hosts file modifications
+#
+# Solves: Claude Code modifying /etc/hosts or /etc/resolv.conf which
+#         can redirect traffic, break name resolution, or create
+#         security vulnerabilities.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash|Edit|Write"
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+case "$TOOL" in
+    Bash)
+        CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+        [ -z "$CMD" ] && exit 0
+        if echo "$CMD" | grep -qE '(echo|tee|sed|awk).*(/etc/hosts|/etc/resolv\.conf|/etc/nsswitch)'; then
+            echo "BLOCKED: DNS configuration modification detected." >&2
+            exit 2
+        fi
+        ;;
+    Edit|Write)
+        FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+        if echo "$FILE" | grep -qE '/etc/hosts$|/etc/resolv\.conf$|/etc/nsswitch\.conf$'; then
+            echo "BLOCKED: Cannot modify DNS configuration file: $FILE" >&2
+            exit 2
+        fi
+        ;;
+esac
+
+exit 0

package/examples/git-history-rewrite-guard.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# git-history-rewrite-guard.sh — Block git history rewriting commands
+#
+# Solves: Claude Code rewriting git history which can cause permanent
+#         data loss and break shared branches. History rewriting on
+#         pushed commits requires force-push and affects all collaborators.
+#
+# Detects:
+#   git filter-branch           (legacy history rewriter)
+#   git filter-repo             (modern history rewriter)
+#   git rebase -i               (interactive rebase, can reorder/squash)
+#   git reset --hard HEAD~N     (discards recent commits)
+#   git reflog expire --all     (destroys reflog recovery data)
+#
+# Does NOT block:
+#   git rebase <branch>         (non-interactive, covered by no-git-rebase-public)
+#   git reset --soft            (safe, keeps changes staged)
+#   git reset --mixed           (safe, keeps changes in working tree)
+#   git reflog                  (read-only, viewing history)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block filter-branch (legacy, dangerous)
+if echo "$COMMAND" | grep -qE '\bgit\s+filter-branch\b'; then
+    echo "BLOCKED: git filter-branch rewrites entire repository history." >&2
+    echo "  This is irreversible on shared branches." >&2
+    exit 2
+fi
+
+# Block filter-repo
+if echo "$COMMAND" | grep -qE '\bgit\s+filter-repo\b'; then
+    echo "BLOCKED: git filter-repo rewrites repository history." >&2
+    exit 2
+fi
+
+# Block interactive rebase
+if echo "$COMMAND" | grep -qE '\bgit\s+rebase\s+-i\b'; then
+    echo "BLOCKED: Interactive rebase can reorder, squash, or drop commits." >&2
+    echo "  Use non-interactive rebase instead." >&2
+    exit 2
+fi
+
+# Block git reset --hard with commit count
+if echo "$COMMAND" | grep -qE '\bgit\s+reset\s+--hard\s+(HEAD|origin)'; then
+    echo "BLOCKED: git reset --hard discards commits permanently." >&2
+    echo "  Use 'git reset --soft' to keep changes staged." >&2
+    exit 2
+fi
+
+# Block reflog destruction
+if echo "$COMMAND" | grep -qE '\bgit\s+reflog\s+(expire|delete)\b'; then
+    echo "BLOCKED: Destroying reflog removes the safety net for recovering commits." >&2
+    exit 2
+fi
+
+exit 0

package/examples/log-truncation-guard.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# log-truncation-guard.sh — Block log file truncation/deletion
+#
+# Solves: Claude Code truncating or deleting log files which destroys
+#         audit trails and makes debugging incidents impossible.
+#
+# Detects:
+#   > /var/log/syslog        (truncation via redirect)
+#   truncate -s 0 <logfile>  (explicit truncation)
+#   rm /var/log/*            (log deletion)
+#   echo "" > <logfile>      (content erasure)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block log file truncation
+if echo "$COMMAND" | grep -qE '>\s*/var/log/|truncate.*(/var/log/|\.log)|rm\s+.*(/var/log/|\.log)'; then
+    echo "BLOCKED: Log file truncation/deletion detected." >&2
+    echo "  Destroying logs removes audit trails." >&2
+    echo "  Use log rotation instead: logrotate." >&2
+    exit 2
+fi
+
+exit 0

package/examples/network-interface-guard.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# network-interface-guard.sh — Block network interface modifications
+#
+# Solves: Claude Code modifying network interfaces which can cause
+#         immediate loss of connectivity on remote servers.
+#
+# Detects:
+#   ifconfig <iface> down    (disable interface)
+#   ip link set <iface> down (modern equivalent)
+#   ip addr del              (remove IP address)
+#   ip route del             (remove route)
+#   nmcli connection delete  (NetworkManager)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block interface disable
+if echo "$COMMAND" | grep -qE '\bifconfig\s+\S+\s+down\b'; then
+    echo "BLOCKED: Disabling network interface will cause connectivity loss." >&2
+    exit 2
+fi
+
+# Block ip link/addr/route destructive operations
+if echo "$COMMAND" | grep -qE '\bip\s+(link\s+set\s+\S+\s+down|addr\s+del|route\s+del)\b'; then
+    echo "BLOCKED: Network configuration change can cause connectivity loss." >&2
+    exit 2
+fi
+
+# Block NetworkManager connection deletion
+if echo "$COMMAND" | grep -qE '\bnmcli\s+connection\s+delete\b'; then
+    echo "BLOCKED: Deleting NetworkManager connection." >&2
+    exit 2
+fi
+
+exit 0

package/examples/user-account-guard.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# user-account-guard.sh — Block user/group account modifications
+#
+# Solves: Claude Code creating, deleting, or modifying system user
+#         accounts which can create security backdoors or lock out
+#         legitimate users.
+#
+# Detects:
+#   useradd / adduser        (create user)
+#   userdel / deluser        (delete user)
+#   usermod                  (modify user)
+#   passwd                   (change password)
+#   groupadd / groupdel      (group management)
+#   visudo / sudoers editing  (privilege escalation)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+if echo "$COMMAND" | grep -qE '\b(useradd|adduser|userdel|deluser|usermod|groupadd|groupdel|groupmod)\b'; then
+    echo "BLOCKED: User/group account modification detected." >&2
+    echo "  Creating or modifying system accounts requires administrator oversight." >&2
+    exit 2
+fi
+
+if echo "$COMMAND" | grep -qE '\bpasswd\b'; then
+    echo "BLOCKED: Password change detected." >&2
+    exit 2
+fi
+
+if echo "$COMMAND" | grep -qE '\bvisudo\b|/etc/sudoers'; then
+    echo "BLOCKED: Sudoers modification (privilege escalation risk)." >&2
+    exit 2
+fi
+
+exit 0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.15",
-  "description": "One command to make Claude Code safe. 434 example hooks + 8 built-in. 52 CLI commands. 5800 tests. Works with Auto Mode.",
+  "version": "29.6.17",
+  "description": "One command to make Claude Code safe. 440 example hooks + 8 built-in. 52 CLI commands. 5855 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"