cc-safe-setup 29.6.16 → 29.6.17

package/examples/disk-partition-guard.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# disk-partition-guard.sh — Block disk partitioning and mount operations
+#
+# Solves: Claude Code running disk operations that can cause data loss
+#         or system instability. Mounting/unmounting, partitioning, and
+#         formatting are irreversible on production systems.
+#
+# Detects:
+#   mount / umount           (filesystem mount operations)
+#   fdisk / parted / gdisk   (partition table editors)
+#   mkfs / mkswap            (filesystem/swap creation)
+#   dd if=                   (raw disk writes)
+#   swapon / swapoff         (swap management)
+#
+# Does NOT block:
+#   df / lsblk / blkid       (read-only disk info)
+#   mount (no args)          (list mounts)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block partition editors
+if echo "$COMMAND" | grep -qE '\b(fdisk|parted|gdisk|cfdisk|sfdisk)\b'; then
+    echo "BLOCKED: Disk partitioning tool detected." >&2
+    echo "  Partitioning can cause irreversible data loss." >&2
+    exit 2
+fi
+
+# Block filesystem creation
+if echo "$COMMAND" | grep -qE '\b(mkfs|mkswap|mke2fs)\b'; then
+    echo "BLOCKED: Filesystem creation/formatting detected." >&2
+    exit 2
+fi
+
+# Block mount/umount with arguments
+if echo "$COMMAND" | grep -qE '\bumount\b|\bumount\b'; then
+    echo "BLOCKED: Unmounting filesystem can cause data loss." >&2
+    exit 2
+fi
+if echo "$COMMAND" | grep -qE '\bmount\s+\S' && ! echo "$COMMAND" | grep -qE '\bmount\s*$'; then
+    echo "BLOCKED: Mounting filesystem requires administrator oversight." >&2
+    exit 2
+fi
+
+# Block dd (raw disk writes)
+if echo "$COMMAND" | grep -qE '\bdd\s+if='; then
+    echo "BLOCKED: Raw disk write (dd) detected." >&2
+    exit 2
+fi
+
+# Block swap management
+if echo "$COMMAND" | grep -qE '\b(swapon|swapoff)\b'; then
+    echo "BLOCKED: Swap management operation detected." >&2
+    exit 2
+fi
+
+exit 0

package/examples/user-account-guard.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# user-account-guard.sh — Block user/group account modifications
+#
+# Solves: Claude Code creating, deleting, or modifying system user
+#         accounts which can create security backdoors or lock out
+#         legitimate users.
+#
+# Detects:
+#   useradd / adduser        (create user)
+#   userdel / deluser        (delete user)
+#   usermod                  (modify user)
+#   passwd                   (change password)
+#   groupadd / groupdel      (group management)
+#   visudo / sudoers editing  (privilege escalation)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+if echo "$COMMAND" | grep -qE '\b(useradd|adduser|userdel|deluser|usermod|groupadd|groupdel|groupmod)\b'; then
+    echo "BLOCKED: User/group account modification detected." >&2
+    echo "  Creating or modifying system accounts requires administrator oversight." >&2
+    exit 2
+fi
+
+if echo "$COMMAND" | grep -qE '\bpasswd\b'; then
+    echo "BLOCKED: Password change detected." >&2
+    exit 2
+fi
+
+if echo "$COMMAND" | grep -qE '\bvisudo\b|/etc/sudoers'; then
+    echo "BLOCKED: Sudoers modification (privilege escalation risk)." >&2
+    exit 2
+fi
+
+exit 0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.16",
-  "description": "One command to make Claude Code safe. 438 example hooks + 8 built-in. 52 CLI commands. 5835 tests. Works with Auto Mode.",
+  "version": "29.6.17",
+  "description": "One command to make Claude Code safe. 440 example hooks + 8 built-in. 52 CLI commands. 5855 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"