npm - cc-safe-setup - Versions diffs - 29.6.17 → 29.6.19 - Mend

cc-safe-setup 29.6.17 → 29.6.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md +1 -1
package/examples/no-verify-blocker.sh +38 -0
package/examples/npm-global-install-guard.sh +31 -0
package/examples/pip-requirements-guard.sh +43 -0
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -117,7 +117,7 @@ Install any of these: `npx cc-safe-setup --install-example <name>`
 | `--scan [--apply]` | Tech stack detection |
 | `--export / --import` | Team config sharing |
 | `--verify` | Test each hook |
-| `--install-example <name>` | Install from 425 examples |
+| `--install-example <name>` | Install from 442 examples |
 | `--examples [filter]` | Browse examples by keyword |
 | `--full` | All-in-one setup |
 | `--status` | Check installed hooks |

package/examples/no-verify-blocker.sh ADDED Viewed

@@ -0,0 +1,38 @@
+#!/bin/bash
+# ================================================================
+# no-verify-blocker.sh — Block --no-verify on git commands
+# ================================================================
+# PURPOSE:
+#   Claude Code may use --no-verify to skip pre-commit hooks,
+#   bypassing safety checks like linting, tests, and secret scanning.
+#   This hook blocks all --no-verify usage unless explicitly allowed.
+#
+#   Solves: #40117 — Agent used --no-verify on 6 consecutive commits,
+#   silently bypassing pre-commit hooks that validate tests, secrets,
+#   and production readiness.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# ================================================================
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+# Block --no-verify on any git command
+if echo "$COMMAND" | grep -qE '\bgit\b.*--no-verify'; then
+    echo "BLOCKED: --no-verify bypasses git hooks (pre-commit, pre-push)" >&2
+    echo "Fix the underlying issue instead of skipping hooks" >&2
+    exit 2
+fi
+# Also block the short form -n for git commit (which means --no-verify)
+if echo "$COMMAND" | grep -qE '\bgit\s+commit\b.*\s-[a-zA-Z]*n'; then
+    # Avoid false positive: -n alone is not always --no-verify
+    # Only block if it looks like a commit with -n flag
+    if echo "$COMMAND" | grep -qE '\bgit\s+commit\s+-n\b'; then
+        echo "BLOCKED: git commit -n skips pre-commit hook" >&2
+        exit 2
+    fi
+fi
+exit 0

package/examples/npm-global-install-guard.sh ADDED Viewed

@@ -0,0 +1,31 @@
+#!/bin/bash
+# npm-global-install-guard.sh — Block npm global installs
+#
+# Solves: Claude Code running npm install -g which modifies the global
+#         node_modules directory. Global installs can conflict with
+#         system tools and affect all projects.
+#
+# Detects:
+#   npm install -g <package>
+#   npm i -g <package>
+#   npm install --global <package>
+#
+# Does NOT block:
+#   npm install (local)
+#   npx <package> (temporary execution)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '\bnpm\s+(install|i)\s+(-g|--global)\b'; then
+    echo "BLOCKED: npm global install modifies system-wide packages." >&2
+    echo "  Use 'npx <package>' for one-time execution instead." >&2
+    echo "  Or install locally: 'npm install --save-dev <package>'" >&2
+    exit 2
+fi
+exit 0

package/examples/pip-requirements-guard.sh ADDED Viewed

@@ -0,0 +1,43 @@
+#!/bin/bash
+# pip-requirements-guard.sh — Enforce pip install from requirements.txt only
+#
+# Solves: Claude Code installing arbitrary Python packages with pip install
+#         instead of using the project's requirements.txt or pyproject.toml.
+#         Random package installs can introduce vulnerabilities and break
+#         reproducible builds.
+#
+# Detects:
+#   pip install <package>        (direct package install)
+#   pip3 install <package>       (same)
+#   python -m pip install <pkg>  (module invocation)
+#
+# Does NOT block:
+#   pip install -r requirements.txt  (from requirements file)
+#   pip install -e .                 (editable install of current project)
+#   pip install --upgrade pip        (pip self-upgrade)
+#   pip list / pip show             (read-only)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+# Only check pip install commands
+echo "$COMMAND" | grep -qE '\bpip3?\s+install\b|python3?\s+-m\s+pip\s+install\b' || exit 0
+# Allow requirements file installs
+echo "$COMMAND" | grep -qE 'pip3?\s+install\s+-r\s' && exit 0
+# Allow editable installs
+echo "$COMMAND" | grep -qE 'pip3?\s+install\s+-e\s' && exit 0
+# Allow pip self-upgrade
+echo "$COMMAND" | grep -qE 'pip3?\s+install\s+--upgrade\s+pip\b' && exit 0
+# Block direct package installs
+echo "BLOCKED: Direct pip install detected." >&2
+echo "  Use 'pip install -r requirements.txt' for reproducible builds." >&2
+echo "  Command: $COMMAND" >&2
+exit 2

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.17",
-  "description": "One command to make Claude Code safe. 440 example hooks + 8 built-in. 52 CLI commands. 5855 tests. Works with Auto Mode.",
+  "version": "29.6.19",
+  "description": "One command to make Claude Code safe. 443 example hooks + 8 built-in. 52 CLI commands. 5890 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"