cc-safe-setup 29.6.27 → 29.6.29

package/COOKBOOK.md

@@ -215,9 +215,32 @@ npx cc-safe-setup --install-example classifier-fallback-allow
 
 PermissionRequest hook that approves cat, ls, grep, git read-only when the classifier can't respond.
 
+## Block Reading Credential Files
+
+Prevent the agent from displaying tokens in conversations by reading package manager credential files:
+
+```bash
+npx cc-safe-setup --install-example credential-file-cat-guard
+```
+
+Blocks `cat`, `head`, `tail`, `grep` on `~/.netrc`, `~/.npmrc`, `~/.cargo/credentials`, `~/.docker/config.json`, `~/.kube/config`, and more. Complements `credential-exfil-guard` which blocks hunting patterns. See [#34819](https://github.com/anthropics/claude-code/issues/34819).
+
+## Require Tests Before Push
+
+Block `git push` to protected branches unless tests have passed in the current session:
+
+```bash
+npx cc-safe-setup --install-example push-requires-test-pass
+npx cc-safe-setup --install-example push-requires-test-pass-record
+```
+
+Two-hook system: the PostToolUse `record` hook detects successful test runs (`npm test`, `pytest`, `cargo test`, etc.) and saves a timestamp. The PreToolUse hook blocks push to main/master/production if no recent test pass exists (30-minute window). See [#36673](https://github.com/anthropics/claude-code/issues/36673).
+
 ## Further Reading
 
 - [Getting Started](https://yurukusa.github.io/cc-safe-setup/getting-started.html)
 - [Common Mistakes](https://yurukusa.github.io/cc-safe-setup/common-mistakes.html)
+- [Auto-Approve Guide](https://yurukusa.github.io/cc-safe-setup/auto-approve-guide.html)
+- [Credential Protection](https://yurukusa.github.io/cc-safe-setup/prevent-credential-leak.html)
 - [Troubleshooting](TROUBLESHOOTING.md)
 - [Settings Reference](SETTINGS_REFERENCE.md)

package/README.md

@@ -4,7 +4,7 @@
 [![npm downloads](https://img.shields.io/npm/dw/cc-safe-setup)](https://www.npmjs.com/package/cc-safe-setup)
 [![tests](https://github.com/yurukusa/cc-safe-setup/actions/workflows/test.yml/badge.svg)](https://github.com/yurukusa/cc-safe-setup/actions/workflows/test.yml)
 
-**One command to make Claude Code safe for autonomous operation.** 507 example hooks · 7,341 tests · 1,000+ installs/day · [日本語](docs/README.ja.md)
+**One command to make Claude Code safe for autonomous operation.** 514 example hooks · 7,564 tests · 1,000+ installs/day · [日本語](docs/README.ja.md)
 
 ```bash
 npx cc-safe-setup
@@ -117,7 +117,7 @@ Install any of these: `npx cc-safe-setup --install-example <name>`
 | `--scan [--apply]` | Tech stack detection |
 | `--export / --import` | Team config sharing |
 | `--verify` | Test each hook |
-| `--install-example <name>` | Install from 507 examples |
+| `--install-example <name>` | Install from 514 examples |
 | `--examples [filter]` | Browse examples by keyword |
 | `--full` | All-in-one setup |
 | `--status` | Check installed hooks |

package/examples/README.md

@@ -1,26 +1,44 @@
 # Example Hooks
 
-38 installable hooks. Each solves a real problem from GitHub Issues or autonomous operation.
+514 installable hooks. Each solves a real problem from GitHub Issues or autonomous operation. 7,564 tests.
 
 ```bash
-npx cc-safe-setup --install-example <name>
-npx cc-safe-setup --examples  # list all
+npx cc-safe-setup --install-example <name>   # install one
+npx cc-safe-setup --examples                  # list all
+npx cc-safe-setup --examples safety           # filter by category
+npx cc-safe-setup --shield                    # install recommended set
 ```
 
-## Safety Guards (13)
-allowlist, block-database-wipe, case-sensitive-guard, compound-command-approver, deploy-guard, env-var-check, git-config-guard, network-guard, path-traversal-guard, protect-dotfiles, scope-guard, test-before-push, timeout-guard
+## Categories
 
-## Auto-Approve (5)
-auto-approve-build, auto-approve-docker, auto-approve-git-read, auto-approve-python, auto-approve-ssh
+| Category | Count | Examples |
+|----------|-------|---------|
+| Destructive Command Prevention | 12 | `destructive-guard`, `branch-guard`, `no-sudo-guard`, `symlink-guard` |
+| Data Protection | 5 | `block-database-wipe`, `secret-guard`, `hardcoded-secret-detector` |
+| Git Safety | 11 | `git-config-guard`, `no-verify-blocker`, `push-requires-test-pass` |
+| Auto-Approve (PreToolUse) | 11 | `auto-approve-readonly`, `auto-approve-build`, `auto-approve-docker` |
+| Auto-Approve (PermissionRequest) | 7 | `allow-git-hooks-dir`, `allow-protected-dirs`, `edit-always-allow` |
+| Code Quality | 10 | `syntax-check`, `diff-size-guard`, `test-deletion-guard` |
+| Security | 10 | `credential-file-cat-guard`, `credential-exfil-guard`, `prompt-injection-guard` |
+| Deploy | 4 | `deploy-guard`, `no-deploy-friday`, `work-hours-guard` |
+| Monitoring & Cost | 13 | `context-monitor`, `cost-tracker`, `loop-detector`, `edit-error-counter` |
+| Utility | 17 | `comment-strip`, `session-handoff`, `auto-checkpoint`, `edit-retry-loop-guard` |
 
-## Quality (8)
-branch-name-check, commit-message-check, commit-quality-gate, edit-guard, enforce-tests, large-file-guard, todo-check, verify-before-commit
+## Popular Hooks
 
-## Recovery (3)
-auto-checkpoint, auto-snapshot, session-checkpoint
+- **`auto-approve-readonly`** — Skip prompts for `cat`, `ls`, `grep`, `git status`
+- **`destructive-guard`** — Block `rm -rf`, `git reset --hard`
+- **`credential-file-cat-guard`** — Block reading `.netrc`, `.npmrc`, `.cargo/credentials`
+- **`push-requires-test-pass`** — Block `git push main` without passing tests
+- **`context-monitor`** — Warn at 40/25/20/15% context remaining
 
-## UX (9)
-cost-tracker, dependency-audit, diff-size-guard, hook-debug-wrapper, loop-detector, notify-waiting, read-before-edit, session-handoff, tmp-cleanup
+## Guides
+
+- [Auto-Approve Guide](https://yurukusa.github.io/cc-safe-setup/auto-approve-guide.html)
+- [Credential Protection](https://yurukusa.github.io/cc-safe-setup/prevent-credential-leak.html)
+- [OWASP MCP Top 10 Defense](https://yurukusa.github.io/cc-safe-setup/owasp-mcp-hooks.html)
+- [COOKBOOK](../COOKBOOK.md)
 
 ## Write Your Own
+
 See [CONTRIBUTING.md](../CONTRIBUTING.md).

package/examples/credential-file-cat-guard.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# credential-file-cat-guard.sh — Block cat/read of package manager credential files
+#
+# Solves: Agent displays full credential files in conversation
+#         (#34819 — cat ~/.netrc, ~/.npmrc, ~/.cargo/credentials.toml displayed all tokens)
+#
+# Complements credential-exfil-guard.sh which blocks hunting patterns.
+# This hook blocks direct read of known credential files that the
+# exfil guard misses: .netrc, .npmrc, .cargo/credentials, .docker/config.json, etc.
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/credential-file-cat-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Known credential files that contain tokens/passwords
+CRED_FILES='\.netrc|\.npmrc|\.yarnrc\.yml|\.cargo/credentials|\.docker/config\.json|\.kube/config|\.config/gh/hosts\.yml|\.nuget/NuGet\.Config|\.m2/settings\.xml|\.gradle/gradle\.properties|\.pypirc|\.gem/credentials|\.config/pip/pip\.conf|\.bowerrc|\.composer/auth\.json'
+
+# Block cat/head/tail/less/more/grep reading credential files
+if echo "$COMMAND" | grep -qE "(cat|head|tail|less|more|bat)\s+[^\|;]*($CRED_FILES)"; then
+    FILE=$(echo "$COMMAND" | grep -oE "[~\/][^\s;|]*($CRED_FILES)[^\s;|]*" | head -1)
+    echo "BLOCKED: Reading credential file: $FILE" >&2
+    echo "  These files contain authentication tokens. Use environment variables instead." >&2
+    exit 2
+fi
+
+# Block grep searching inside credential files
+if echo "$COMMAND" | grep -qE "grep\s+.*\s+[^\|;]*($CRED_FILES)"; then
+    echo "BLOCKED: Searching inside credential file" >&2
+    exit 2
+fi
+
+exit 0

package/examples/edit-retry-loop-guard.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# edit-retry-loop-guard.sh — Detect Edit tool stuck retrying the same file
+#
+# Solves: Edit tool path contamination in long sessions
+#         (#35576 — Edit gets "stuck" targeting wrong file, retrying 15+ times)
+#
+# Tracks consecutive Edit failures on the same file. After 3 failures,
+# warns the model to verify the file path.
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+[ "$TOOL" = "Edit" ] || exit 0
+
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+EXIT_CODE=$(echo "$INPUT" | jq -r '.tool_output.exit_code // empty' 2>/dev/null)
+OUTPUT=$(echo "$INPUT" | jq -r '.tool_output // empty' 2>/dev/null)
+
+[ -z "$FILE" ] && exit 0
+
+STATE_FILE="/tmp/.cc-edit-retry-$(echo "$FILE" | md5sum | cut -c1-8)"
+
+# Check if edit failed (non-zero exit or "no changes" in output)
+if [ "$EXIT_CODE" != "0" ] || echo "$OUTPUT" | grep -qiE 'no changes|not found|old_string.*not.*found'; then
+    COUNT=1
+    [ -f "$STATE_FILE" ] && COUNT=$(( $(cat "$STATE_FILE") + 1 ))
+    echo "$COUNT" > "$STATE_FILE"
+
+    if [ "$COUNT" -ge 3 ]; then
+        echo "WARNING: Edit has failed $COUNT times on: $FILE" >&2
+        echo "  Verify the file path is correct. Use Read to check the current content." >&2
+        echo "  The file may have been moved, renamed, or the content changed." >&2
+        rm -f "$STATE_FILE"
+    fi
+else
+    # Success — reset counter
+    rm -f "$STATE_FILE"
+fi
+
+exit 0

package/examples/git-checkout-safety-guard.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# git-checkout-safety-guard.sh — Prevent file loss from careless branch switching
+#
+# Solves: git checkout to another branch removes files that only exist
+#         on the current branch, causing data loss (#37150)
+#
+# The pattern:
+#   1. User works on feature branch with new files
+#   2. Agent runs "git checkout master" — files disappear from working tree
+#   3. Agent runs "git branch -D feature" — files unrecoverable
+#
+# This hook blocks git checkout/switch when:
+#   - There are uncommitted changes (safety baseline)
+#   - The command includes branch deletion (-D, -d) of a non-merged branch
+#
+# Usage: PreToolUse hook on "Bash"
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/git-checkout-safety-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# === Check 1: git checkout/switch to different branch with uncommitted changes ===
+if echo "$COMMAND" | grep -qE 'git\s+(checkout|switch)\s+[a-zA-Z]'; then
+    # Check for uncommitted changes
+    if git status --porcelain 2>/dev/null | grep -q '^'; then
+        echo "BLOCKED: git checkout with uncommitted changes" >&2
+        echo "  Commit or stash your changes first to avoid data loss." >&2
+        exit 2
+    fi
+fi
+
+# === Check 2: git branch -D (force delete — uppercase only) ===
+if echo "$COMMAND" | grep -qE 'git\s+branch\s+-D\s'; then
+    BRANCH=$(echo "$COMMAND" | grep -oE 'git\s+branch\s+-[dD]\s+(\S+)' | awk '{print $NF}')
+    echo "BLOCKED: Destructive branch deletion: $BRANCH" >&2
+    echo "  Use 'git branch -d' (lowercase) for safe deletion (checks merge status)." >&2
+    echo "  Force deletion (-D) can cause unrecoverable data loss." >&2
+    exit 2
+fi
+
+# === Check 3: git checkout -- . (discard all changes) ===
+if echo "$COMMAND" | grep -qE 'git\s+checkout\s+--\s+\.'; then
+    echo "BLOCKED: git checkout -- . discards ALL uncommitted changes" >&2
+    echo "  Use 'git stash' to save changes, or specify individual files." >&2
+    exit 2
+fi
+
+# === Check 4: git checkout + branch -D in same command (the #37150 pattern) ===
+if echo "$COMMAND" | grep -qE 'git\s+checkout.*&&.*git\s+branch\s+-D'; then
+    echo "BLOCKED: checkout + branch deletion is a data loss pattern" >&2
+    echo "  Files that only exist on the deleted branch will be lost forever." >&2
+    exit 2
+fi
+
+exit 0

package/examples/hook-permission-fixer.sh

@@ -9,6 +9,8 @@
 #
 #   Without this, hooks fail with "Permission denied" errors.
 #   See: github.com/anthropics/claude-code/issues/38901
+#        github.com/anthropics/claude-code/issues/39777
+#        github.com/anthropics/claude-code/issues/39798
 #
 # TRIGGER: SessionStart  MATCHER: ""
 # ================================================================

package/examples/plan-mode-enforcer.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+# plan-mode-enforcer.sh — Hard-enforce Plan Mode read-only constraint
+#
+# Solves: Plan Mode restrictions bypassed — model performs write/execution
+#         operations instead of writing a plan first (#39713)
+#
+# Root cause: Plan Mode is only a system-reminder, easily overridden by
+# tool instructions. This hook enforces it at the tool permission layer.
+#
+# How it works:
+#   - Checks if a state file indicates plan mode is active
+#   - If active, blocks all write operations (Edit, Write, Bash with side effects)
+#   - Allows read-only operations (Read, Glob, Grep, git status, etc.)
+#
+# Enable:  touch /tmp/.cc-plan-mode-active
+# Disable: rm /tmp/.cc-plan-mode-active
+#
+# Or use the companion SessionStart hook to auto-detect plan mode.
+#
+# Usage: PreToolUse hook (matcher: "")
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/plan-mode-enforcer.sh" }]
+#     }]
+#   }
+# }
+
+STATE_FILE="/tmp/.cc-plan-mode-active"
+[ -f "$STATE_FILE" ] || exit 0
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Always allow read-only tools
+case "$TOOL" in
+    Read|Glob|Grep)
+        exit 0
+        ;;
+esac
+
+# Block write tools entirely
+case "$TOOL" in
+    Edit|Write|NotebookEdit)
+        echo "BLOCKED: Plan Mode active — write operations are not allowed" >&2
+        echo "  Write your implementation plan first, then exit plan mode." >&2
+        exit 2
+        ;;
+esac
+
+# For Bash, allow read-only commands only
+if [ "$TOOL" = "Bash" ]; then
+    COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+    [ -z "$COMMAND" ] && exit 0
+
+    # Extract base command
+    BASE=$(echo "$COMMAND" | awk '{print $1}' | sed 's|.*/||')
+
+    # Allowlist: read-only commands
+    case "$BASE" in
+        cat|head|tail|less|more|wc|grep|rg|ag|find|locate|\
+        ls|ll|dir|tree|stat|file|which|whereis|type|realpath|\
+        date|uptime|uname|hostname|whoami|id|env|printenv|pwd|\
+        df|du|free|top|ps|pgrep|jq|yq|curl|wget)
+            exit 0
+            ;;
+    esac
+
+    # Allow read-only git commands
+    if echo "$COMMAND" | grep -qE '^\s*git\s+(status|log|diff|show|branch|remote|tag\s+-l|blame|shortlog|describe|rev-parse|ls-files|ls-tree)\b'; then
+        exit 0
+    fi
+
+    # Allow npm/pip read-only
+    if echo "$COMMAND" | grep -qE '^\s*(npm\s+(ls|list|info|view|outdated)|pip\s+(list|show|freeze)|cargo\s+(tree|doc))'; then
+        exit 0
+    fi
+
+    # Block everything else in Bash during plan mode
+    echo "BLOCKED: Plan Mode active — command execution not allowed: $BASE" >&2
+    echo "  Only read-only commands are permitted. Write your plan first." >&2
+    exit 2
+fi
+
+# Block Agent tool (sub-agents can bypass plan mode)
+if [ "$TOOL" = "Agent" ]; then
+    echo "BLOCKED: Plan Mode active — sub-agent creation not allowed" >&2
+    exit 2
+fi
+
+# Allow other tools (TaskCreate, etc.)
+exit 0

package/examples/protect-dotfiles.sh

@@ -42,11 +42,16 @@ if [[ "$TOOL" == "Edit" || "$TOOL" == "Write" ]]; then
             exit 2
         fi
     done
-    # Block writing to any ~/.ssh/ or ~/.aws/ files
+    # Block writing to any ~/.ssh/ or ~/.aws/ or project .kiro/ files
     if [[ "$FILE" == "${HOME_DIR}/.ssh/"* || "$FILE" == "${HOME_DIR}/.aws/"* ]]; then
         echo "BLOCKED: Cannot modify files in ${FILE%/*}/" >&2
         exit 2
     fi
+    # Protect .kiro/ directory (#40139 — Claude runtime silently deletes .kiro/)
+    if [[ "$FILE" == *"/.kiro/"* ]]; then
+        echo "BLOCKED: Cannot modify .kiro/ directory" >&2
+        exit 2
+    fi
 fi
 
 # === Check 2: Bash commands that modify dotfiles ===

package/examples/push-requires-test-pass-record.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# push-requires-test-pass-record.sh — Record when tests pass (companion to push-requires-test-pass.sh)
+#
+# PostToolUse hook that detects successful test runs and records the timestamp.
+# The PreToolUse companion then checks this record before allowing git push.
+#
+# Detected test commands: npm test, pytest, cargo test, go test, make test, etc.
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+EXIT_CODE=$(echo "$INPUT" | jq -r '.tool_output.exit_code // .exit_code // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Only record on exit code 0 (success)
+[ "$EXIT_CODE" = "0" ] || exit 0
+
+# Detect test commands
+if echo "$COMMAND" | grep -qE '(npm\s+test|npx\s+jest|npx\s+vitest|npx\s+mocha|pytest|python\s+-m\s+pytest|cargo\s+test|go\s+test|make\s+test|gradle\s+test|mvn\s+test|bundle\s+exec\s+rspec|php\s+artisan\s+test|dotnet\s+test|bash\s+test\.sh)'; then
+    STATE_FILE="/tmp/.cc-test-pass-$(pwd | md5sum | cut -c1-8)"
+    date +%s > "$STATE_FILE"
+fi
+
+exit 0

package/examples/push-requires-test-pass.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# push-requires-test-pass.sh — Block git push to main/production without test verification
+#
+# Solves: Agent pushes broken code to production without running tests
+#         (#36673 — pushed broken code 4 times, crashed live SaaS application)
+#
+# How it works:
+#   1. PostToolUse companion records when tests pass (creates state file)
+#   2. This PreToolUse hook blocks git push to protected branches unless tests passed
+#
+# Requires companion hook: push-requires-test-pass-record.sh (PostToolUse)
+#
+# Usage: Add BOTH hooks to settings.json
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/push-requires-test-pass.sh" }]
+#     }],
+#     "PostToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/push-requires-test-pass-record.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Only check git push commands
+echo "$COMMAND" | grep -qE '^\s*git\s+push\b' || exit 0
+
+# Protected branches
+PROTECTED='main|master|production|prod|release|deploy'
+
+# Check if pushing to a protected branch
+if echo "$COMMAND" | grep -qE "git\s+push\s+\S+\s+($PROTECTED)\b|git\s+push\s+($PROTECTED)\b|git\s+push\s*$"; then
+    STATE_FILE="/tmp/.cc-test-pass-$(pwd | md5sum | cut -c1-8)"
+
+    if [ ! -f "$STATE_FILE" ]; then
+        echo "BLOCKED: git push to protected branch without test verification" >&2
+        echo "  Run your test suite first. Tests must pass before pushing." >&2
+        echo "  Protected branches: main, master, production, prod, release, deploy" >&2
+        exit 2
+    fi
+
+    # Check if test pass is recent (within last 30 minutes)
+    if [ -f "$STATE_FILE" ]; then
+        PASS_TIME=$(cat "$STATE_FILE" 2>/dev/null)
+        NOW=$(date +%s)
+        AGE=$(( NOW - PASS_TIME ))
+        if [ "$AGE" -gt 1800 ]; then
+            echo "BLOCKED: Test pass record is stale ($(( AGE / 60 )) minutes old)" >&2
+            echo "  Re-run tests before pushing to protected branch." >&2
+            rm -f "$STATE_FILE"
+            exit 2
+        fi
+    fi
+fi
+
+exit 0

package/examples/shell-wrapper-guard.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+# shell-wrapper-guard.sh — Detect destructive commands hidden in shell wrappers
+#
+# Solves: Bypass vectors that evade destructive-guard by wrapping commands:
+#   sh -c "rm -rf /"
+#   bash -c "git reset --hard"
+#   python3 -c "import os; os.system('rm -rf ~')"
+#   perl -e "system('rm -rf /')"
+#   ruby -e "system('rm -rf /')"
+#   node -e "require('child_process').execSync('rm -rf /')"
+#
+# Complements destructive-guard.sh which checks direct commands.
+# This hook unwraps interpreter one-liners and checks the inner command.
+#
+# Usage: PreToolUse hook on "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Destructive patterns to detect inside wrappers
+DESTRUCT_PATTERN='rm\s+-[rf]*\s+[/~]|rm\s+-[rf]*\s+\.\.|git\s+reset\s+--hard|git\s+clean\s+-[fd]+|git\s+checkout\s+\.|mkfs\.|dd\s+if=|>\s*/dev/sd|chmod\s+777\s+/'
+
+# === Check 1: sh/bash -c wrappers ===
+if echo "$COMMAND" | grep -qE '(sh|bash|zsh|dash)\s+-c\s+'; then
+    INNER=$(echo "$COMMAND" | sed -E "s/.*(sh|bash|zsh|dash)\s+-c\s+['\"]?//" | sed "s/['\"]?\s*$//")
+    if echo "$INNER" | grep -qE "$DESTRUCT_PATTERN"; then
+        echo "BLOCKED: Destructive command hidden in shell wrapper" >&2
+        echo "  Detected: $INNER" >&2
+        exit 2
+    fi
+fi
+
+# === Check 2: Python one-liners ===
+if echo "$COMMAND" | grep -qE 'python[23]?\s+-c\s+'; then
+    INNER=$(echo "$COMMAND" | sed -E "s/.*python[23]?\s+-c\s+['\"]?//" | sed "s/['\"]?\s*$//")
+    if echo "$INNER" | grep -qiE "os\.system\(.*($DESTRUCT_PATTERN)|subprocess\.(run|call|Popen)\(.*($DESTRUCT_PATTERN)|shutil\.rmtree\s*\(\s*['\"/~]"; then
+        echo "BLOCKED: Destructive command in Python one-liner" >&2
+        exit 2
+    fi
+fi
+
+# === Check 3: Perl/Ruby one-liners ===
+if echo "$COMMAND" | grep -qE '(perl|ruby)\s+-e\s+'; then
+    INNER=$(echo "$COMMAND" | sed -E "s/.*(perl|ruby)\s+-e\s+['\"]?//" | sed "s/['\"]?\s*$//")
+    if echo "$INNER" | grep -qE "system\(.*($DESTRUCT_PATTERN)|exec\(.*($DESTRUCT_PATTERN)"; then
+        echo "BLOCKED: Destructive command in interpreter one-liner" >&2
+        exit 2
+    fi
+fi
+
+# === Check 4: Node.js one-liners ===
+if echo "$COMMAND" | grep -qE 'node\s+-e\s+'; then
+    INNER=$(echo "$COMMAND" | sed -E "s/.*node\s+-e\s+['\"]?//" | sed "s/['\"]?\s*$//")
+    if echo "$INNER" | grep -qE "execSync\(.*($DESTRUCT_PATTERN)|exec\(.*($DESTRUCT_PATTERN)"; then
+        echo "BLOCKED: Destructive command in Node.js one-liner" >&2
+        exit 2
+    fi
+fi
+
+# === Check 5: Nested wrappers (sh -c "bash -c 'rm -rf /'") ===
+if echo "$COMMAND" | grep -qE '(sh|bash)\s+-c\s+.*(sh|bash)\s+-c'; then
+    if echo "$COMMAND" | grep -qE "$DESTRUCT_PATTERN"; then
+        echo "BLOCKED: Nested shell wrapper with destructive command" >&2
+        exit 2
+    fi
+fi
+
+# === Check 6: Pipe to shell (echo "rm -rf /" | sh) ===
+if echo "$COMMAND" | grep -qE '\|\s*(sh|bash|zsh)\s*$'; then
+    # Extract the piped content
+    PIPED=$(echo "$COMMAND" | sed -E 's/\s*\|\s*(sh|bash|zsh)\s*$//')
+    if echo "$PIPED" | grep -qE "$DESTRUCT_PATTERN"; then
+        echo "BLOCKED: Destructive command piped to shell" >&2
+        exit 2
+    fi
+fi
+
+# === Check 7: Here-string to shell (bash <<< "rm -rf /") ===
+if echo "$COMMAND" | grep -qE '(sh|bash|zsh)\s+<<<\s+'; then
+    INNER=$(echo "$COMMAND" | sed -E "s/.*(sh|bash|zsh)\s+<<<\s+['\"]?//" | sed "s/['\"]?\s*$//")
+    if echo "$INNER" | grep -qE "$DESTRUCT_PATTERN"; then
+        echo "BLOCKED: Destructive command via here-string" >&2
+        exit 2
+    fi
+fi
+
+# === Check 8: env-based bypass (env VAR=val sh -c "$VAR") ===
+if echo "$COMMAND" | grep -qE '^\s*env\s+.*\s+(sh|bash)\s+-c'; then
+    if echo "$COMMAND" | grep -qE "$DESTRUCT_PATTERN"; then
+        echo "BLOCKED: Destructive command via env wrapper" >&2
+        exit 2
+    fi
+fi
+
+exit 0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.27",
-  "description": "One command to make Claude Code safe. 507 example hooks + 8 built-in. 56 CLI commands. 7341 tests. Works with Auto Mode.",
+  "version": "29.6.29",
+  "description": "One command to make Claude Code safe. 514 example hooks + 8 built-in. 56 CLI commands. 7564 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"

package/scripts.json

@@ -1 +1,10 @@
-{"destructive-guard": "#!/bin/bash\n# ================================================================\n# destructive-guard.sh \u2014 Destructive Command Blocker\n# ================================================================\n# PURPOSE:\n#   Blocks dangerous shell commands that can cause irreversible damage.\n#   Catches rm -rf on sensitive paths, git reset --hard, git clean -fd,\n#   and other destructive operations before they execute.\n#\n#   Built after a real incident where rm -rf on a pnpm project\n#   followed NTFS junctions and deleted an entire C:\\Users directory.\n#   (GitHub Issue #36339)\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# WHAT IT BLOCKS (exit 2):\n#   - rm -rf / rm -r on root, home, or parent paths (/, ~, .., /home, /etc)\n#   - git reset --hard\n#   - git clean -fd / git clean -fdx\n#   - chmod -R 777 on sensitive paths\n#   - find ... -delete on broad patterns\n#\n# WHAT IT ALLOWS (exit 0):\n#   - rm -rf on specific project subdirectories (node_modules, dist, build)\n#   - git reset --soft, git reset HEAD\n#   - All non-destructive commands\n#\n# CONFIGURATION:\n#   CC_ALLOW_DESTRUCTIVE=1 \u2014 disable this guard (not recommended)\n#   CC_SAFE_DELETE_DIRS \u2014 colon-separated list of safe-to-delete dirs\n#     default: \"node_modules:dist:build:.cache:__pycache__:coverage\"\n#\n# NOTE: On Windows/WSL2, rm -rf can follow NTFS junctions (symlinks)\n# and delete far more than intended. This guard is especially critical\n# on WSL2 environments.\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# Allow override (not recommended)\nif [[ \"${CC_ALLOW_DESTRUCTIVE:-0}\" == \"1\" ]]; then\n    exit 0\nfi\n\n# Log function \u2014 records blocked commands for audit\nlog_block() {\n    local reason=\"$1\"\n    local logfile=\"${CC_BLOCK_LOG:-$HOME/.claude/blocked-commands.log}\"\n    mkdir -p \"$(dirname \"$logfile\")\" 2>/dev/null\n    echo \"[$(date -Iseconds)] BLOCKED: $reason | cmd: $COMMAND\" >> \"$logfile\" 2>/dev/null\n}\n\n# Safe directories that can be deleted\nSAFE_DIRS=\"${CC_SAFE_DELETE_DIRS:-node_modules:dist:build:.cache:__pycache__:coverage:.next:.nuxt:tmp}\"\n\n# --- Check 0: --no-preserve-root ---\nif echo \"$COMMAND\" | grep -qE \"rm\\\\s.*\\\\-\\\\-no-preserve-root\"; then\n    echo \"BLOCKED: --no-preserve-root detected.\" >&2\n    exit 2\nfi\n\n# --- Check 1: rm -rf on dangerous paths ---\nif echo \"$COMMAND\" | grep -qE 'rm\\s+(-[rf]+\\s+)*(\\/$|\\/\\s|\\/[^a-z]|\\/home|\\/etc|\\/usr|\\/var|\\/mnt|~\\/|~\\s*$|\\.\\.\\/|\\.\\.\\s*$|\\.\\s*$|\\.\\/\\s*$)'; then\n    # Exception: safe directories\n    SAFE=0\n    IFS=':' read -ra DIRS <<< \"$SAFE_DIRS\"\n    for dir in \"${DIRS[@]}\"; do\n        if echo \"$COMMAND\" | grep -qE \"rm\\s+.*${dir}\\s*$|rm\\s+.*${dir}/\"; then\n            SAFE=1\n            break\n        fi\n    done\n\n    # Check for mounted filesystems inside the target (NFS, Docker, bind mounts)\n    # Why: GitHub #36640 \u2014 rm -rf on a dir with NFS mount deleted production data\n    if (( SAFE == 0 )); then\n        # Extract the target path from the rm command\n        TARGET_PATH=$(echo \"$COMMAND\" | grep -oP 'rm\\s+(-[rf]+\\s+)*\\K\\S+')\n        if [ -n \"$TARGET_PATH\" ] && command -v findmnt &>/dev/null; then\n            if findmnt -n -o TARGET --submounts \"$TARGET_PATH\" 2>/dev/null | grep -q .; then\n                log_block \"rm on path with mounted filesystem\"\n                echo \"BLOCKED: Target contains a mounted filesystem (NFS, Docker, bind).\" >&2\n                echo \"\" >&2\n                echo \"Command: $COMMAND\" >&2\n                echo \"\" >&2\n                echo \"Unmount the filesystem first, then retry.\" >&2\n                exit 2\n            fi\n        fi\n    fi\n\n    if (( SAFE == 0 )); then\n        log_block \"rm on sensitive path\"\n        echo \"BLOCKED: rm on sensitive path detected.\" >&2\n        echo \"\" >&2\n        echo \"Command: $COMMAND\" >&2\n        echo \"\" >&2\n        echo \"This command targets a sensitive directory that could cause\" >&2\n        echo \"irreversible data loss. On WSL2, rm -rf can follow NTFS\" >&2\n        echo \"junctions and delete far beyond the target directory.\" >&2\n        echo \"\" >&2\n        echo \"If you need to delete a specific subdirectory, target it directly:\" >&2\n        echo \"  rm -rf ./specific-folder\" >&2\n        exit 2\n    fi\nfi\n\n# --- Check 2: git reset --hard ---\n# Only match when git is the actual command, not inside strings/arguments\nif echo \"$COMMAND\" | grep -qE '^\\s*git\\s+reset\\s+--hard|;\\s*git\\s+reset\\s+--hard|&&\\s*git\\s+reset\\s+--hard|\\|\\|\\s*git\\s+reset\\s+--hard'; then\n    log_block \"git reset --hard\"\n    echo \"BLOCKED: git reset --hard discards all uncommitted changes.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Consider: git stash, or git reset --soft to keep changes staged.\" >&2\n    exit 2\nfi\n\n# --- Check 3: git clean -fd ---\nif echo \"$COMMAND\" | grep -qE '^\\s*git\\s+clean\\s+-[a-z]*[fd]|;\\s*git\\s+clean|&&\\s*git\\s+clean|\\|\\|\\s*git\\s+clean'; then\n    log_block \"git clean\"\n    echo \"BLOCKED: git clean removes untracked files permanently.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Consider: git clean -n (dry run) first to see what would be deleted.\" >&2\n    exit 2\nfi\n\n# --- Check 4: chmod 777 on broad paths ---\nif echo \"$COMMAND\" | grep -qE 'chmod\\s+(-R\\s+)?777\\s+(\\/|~|\\.)'; then\n    echo \"BLOCKED: chmod 777 on broad path is a security risk.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    exit 2\nfi\n\n# --- Check 5: find -delete on broad patterns ---\nif echo \"$COMMAND\" | grep -qE 'find\\s+(\\/|~|\\.\\.)\\s.*-delete'; then\n    echo \"BLOCKED: find -delete on broad path risks mass deletion.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Consider: find ... -print first to verify what matches.\" >&2\n    exit 2\nfi\n\n# --- Check 6: sudo with dangerous commands ---\nif echo \"$COMMAND\" | grep -qE '^\\s*sudo\\s+(rm\\s+-[rf]|chmod\\s+(-R\\s+)?777|dd\\s+if=|mkfs)'; then\n    log_block \"sudo with dangerous command\"\n    echo \"BLOCKED: sudo with dangerous command detected.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Running destructive commands with sudo amplifies the damage.\" >&2\n    echo \"Review the command carefully before proceeding.\" >&2\n    exit 2\nfi\n\n\n# --- Check 7: PowerShell Remove-Item (Windows/WSL2) ---\n# Real incident: GitHub #37331 \u2014 destroyed entire repo\n# Skip if command is git commit (message text triggers false positive)\nif echo \"$COMMAND\" | grep -qE '^\\s*(git\\s+commit|echo\\s|printf\\s|cat\\s)'; then\n    :  # string output commands mentioning PS commands are not destructive\nelif echo \"$COMMAND\" | grep -qiE 'Remove-Item.*-Recurse.*-Force|Remove-Item.*-Force.*-Recurse|del\\s+/s\\s+/q|rd\\s+/s\\s+/q|rmdir\\s+/s\\s+/q'; then\n    log_block \"PowerShell destructive command\"\n    echo \"BLOCKED: Destructive PowerShell command detected.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Remove-Item with recursive force-delete can destroy entire directories\" >&2\n    echo \"irreversibly. Target specific files instead.\" >&2\n    exit 2\nfi\nif echo \"$COMMAND\" | grep -qE '(^|;|&&|\\|\\|)\\s*git\\s+(checkout|switch)\\s+.*(--force\\b|-f\\b|--discard-changes\\b)'; then\n    log_block \"git checkout/switch --force\"\n    echo \"BLOCKED: git checkout/switch with --force discards uncommitted changes.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Consider: git stash before switching, or use git switch without --force.\" >&2\n    exit 2\nfi\nexit 0\n", "branch-guard": "#!/bin/bash\n# ================================================================\n# branch-guard.sh \u2014 Branch Push Protector\n# ================================================================\n# PURPOSE:\n#   Prevents accidental git push to main/master branches AND\n#   blocks force-push on ALL branches without explicit approval.\n#\n#   Force-pushes rewrite history and can destroy teammates' work.\n#   Protected branch pushes bypass code review.\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# WHAT IT BLOCKS (exit 2):\n#   - git push origin main/master (any protected branch)\n#   - git push --force (any branch \u2014 history rewriting)\n#   - git push -f (short flag variant)\n#   - git push --force-with-lease (still destructive)\n#\n# WHAT IT ALLOWS (exit 0):\n#   - git push origin feature-branch (non-force)\n#   - git push -u origin feature-branch\n#   - All other git commands\n#   - All non-git commands\n#\n# CONFIGURATION:\n#   CC_PROTECT_BRANCHES \u2014 colon-separated list of protected branches\n#     default: \"main:master\"\n#   CC_ALLOW_FORCE_PUSH=1 \u2014 disable force-push protection\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# Only check git push commands\nif ! echo \"$COMMAND\" | grep -qE '^\\s*git\\s+push'; then\n    exit 0\nfi\n\n# --- Check 1: Force push on ANY branch ---\nif [[ \"${CC_ALLOW_FORCE_PUSH:-0}\" != \"1\" ]]; then\n    if echo \"$COMMAND\" | grep -qE 'git\\s+push\\s+.*(-f\\b|--force\\b|--force-with-lease\\b)'; then\n        echo \"BLOCKED: Force push detected.\" >&2\n        echo \"\" >&2\n        echo \"Command: $COMMAND\" >&2\n        echo \"\" >&2\n        echo \"Force push rewrites remote history and can destroy\" >&2\n        echo \"other people's work. This is almost never what you want.\" >&2\n        echo \"\" >&2\n        echo \"If you truly need to force push, set CC_ALLOW_FORCE_PUSH=1\" >&2\n        exit 2\n    fi\nfi\n\n# --- Check 2: Push to protected branches ---\nPROTECTED=\"${CC_PROTECT_BRANCHES:-main:master}\"\n\nBLOCKED=0\nIFS=':' read -ra BRANCHES <<< \"$PROTECTED\"\nfor branch in \"${BRANCHES[@]}\"; do\n    if echo \"$COMMAND\" | grep -qwE \"origin\\s+${branch}|${branch}\\s|${branch}$\"; then\n        BLOCKED=1\n        break\n    fi\ndone\n\nif (( BLOCKED == 1 )); then\n    echo \"BLOCKED: Attempted push to protected branch.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Protected branches: $PROTECTED\" >&2\n    echo \"\" >&2\n    echo \"Push to a feature branch first, then create a pull request.\" >&2\n    exit 2\nfi\n\nexit 0\n", "syntax-check": "#!/bin/bash\n# ================================================================\n# syntax-check.sh \u2014 Automatic Syntax Validation After Edits\n# ================================================================\n# PURPOSE:\n#   Runs syntax checks immediately after Claude Code edits or\n#   writes a file. Catches syntax errors before they propagate\n#   into downstream failures.\n#\n# SUPPORTED LANGUAGES:\n#   .py    \u2014 python -m py_compile\n#   .sh    \u2014 bash -n\n#   .bash  \u2014 bash -n\n#   .json  \u2014 jq empty\n#   .yaml  \u2014 python3 yaml.safe_load (if PyYAML installed)\n#   .yml   \u2014 python3 yaml.safe_load (if PyYAML installed)\n#   .js    \u2014 node --check (if node installed)\n#   .ts    \u2014 npx tsc --noEmit (if tsc available) [EXPERIMENTAL]\n#\n# TRIGGER: PostToolUse\n# MATCHER: \"Edit|Write\"\n#\n# DESIGN PHILOSOPHY:\n#   - Never blocks (always exit 0) \u2014 reports errors but doesn't\n#     prevent the edit from completing\n#   - Silent on success \u2014 only speaks up when something is wrong\n#   - Fails open \u2014 if a checker isn't installed, silently skips\n#\n# BORN FROM:\n#   Countless sessions where Claude Code introduced a syntax error,\n#   continued working for 10+ tool calls, then hit a wall when\n#   trying to run the broken file. Catching it immediately saves\n#   context window and frustration.\n# ================================================================\n\nINPUT=$(cat)\nFILE_PATH=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null)\n\n# No file path = nothing to check\nif [[ -z \"$FILE_PATH\" || ! -f \"$FILE_PATH\" ]]; then\n    exit 0\nfi\n\nEXT=\"${FILE_PATH##*.}\"\n\ncase \"$EXT\" in\n    py)\n        if python3 -m py_compile \"$FILE_PATH\" 2>&1; then\n            :  # silent on success\n        else\n            echo \"SYNTAX ERROR (Python): $FILE_PATH\" >&2\n        fi\n        ;;\n    sh|bash)\n        if bash -n \"$FILE_PATH\" 2>&1; then\n            :\n        else\n            echo \"SYNTAX ERROR (Shell): $FILE_PATH\" >&2\n        fi\n        ;;\n    json)\n        if command -v jq &>/dev/null; then\n            if jq empty \"$FILE_PATH\" 2>&1; then\n                :\n            else\n                echo \"SYNTAX ERROR (JSON): $FILE_PATH\" >&2\n            fi\n        fi\n        ;;\n    yaml|yml)\n        if python3 -c \"import yaml\" 2>/dev/null; then\n            if python3 -c \"\nimport yaml, sys\nwith open(sys.argv[1]) as f:\n    yaml.safe_load(f)\n\" \"$FILE_PATH\" 2>&1; then\n                :\n            else\n                echo \"SYNTAX ERROR (YAML): $FILE_PATH\" >&2\n            fi\n        fi\n        ;;\n    js)\n        if command -v node &>/dev/null; then\n            if node --check \"$FILE_PATH\" 2>&1; then\n                :\n            else\n                echo \"SYNTAX ERROR (JavaScript): $FILE_PATH\" >&2\n            fi\n        fi\n        ;;\n    ts)\n        # EXPERIMENTAL: TypeScript check requires tsc in PATH\n        if command -v npx &>/dev/null; then\n            if npx tsc --noEmit \"$FILE_PATH\" 2>&1; then\n                :\n            else\n                echo \"SYNTAX ERROR (TypeScript) [experimental]: $FILE_PATH\" >&2\n            fi\n        fi\n        ;;\n    *)\n        # Unknown extension \u2014 skip silently\n        ;;\nesac\n\nexit 0\n", "context-monitor": "#!/bin/bash\n# ================================================================\n# context-monitor.sh \u2014 Context Window Remaining Capacity Monitor\n# ================================================================\n# PURPOSE:\n#   Monitors how much context window remains during a Claude Code\n#   session. Issues graduated warnings (CAUTION \u2192 WARNING \u2192 CRITICAL\n#   \u2192 EMERGENCY) so you never get killed by context exhaustion.\n#\n# HOW IT WORKS:\n#   1. Reads Claude Code's debug log to extract actual token usage\n#   2. Falls back to tool-call-count estimation when debug logs\n#      are unavailable\n#   3. Saves current % to /tmp/cc-context-pct (other scripts can\n#      read this)\n#   4. At CRITICAL/EMERGENCY, writes an evacuation template to\n#      your mission file so you can hand off state before /compact\n#\n# TRIGGER: PostToolUse (all tools)\n# MATCHER: \"\" (empty = every tool invocation)\n#\n# CONFIGURATION:\n#   CC_CONTEXT_MISSION_FILE \u2014 path to your mission/state file\n#     default: $HOME/mission.md\n#\n# THRESHOLDS (edit below to taste):\n#   CAUTION   = 40%  \u2014 be mindful of consumption\n#   WARNING   = 25%  \u2014 finish current task, save state\n#   CRITICAL  = 20%  \u2014 run /compact immediately\n#   EMERGENCY = 15%  \u2014 stop everything, evacuate\n#\n# BORN FROM:\n#   A session that hit 3% context remaining with no warning.\n#   The agent died mid-task and all in-flight work was lost.\n#   Never again.\n# ================================================================\n\nSTATE_FILE=\"/tmp/cc-context-state\"\nPCT_FILE=\"/tmp/cc-context-pct\"\nCOUNTER_FILE=\"/tmp/cc-context-monitor-count\"\nMISSION_FILE=\"${CC_CONTEXT_MISSION_FILE:-$HOME/mission.md}\"\n\n# Tool invocation counter (fallback estimator)\nCOUNT=$(cat \"$COUNTER_FILE\" 2>/dev/null || echo 0)\nCOUNT=$((COUNT + 1))\necho \"$COUNT\" > \"$COUNTER_FILE\"\n\n# Check every 3rd invocation to reduce overhead\n# (but always check in CRITICAL/EMERGENCY state)\nLAST_STATE=$(cat \"$STATE_FILE\" 2>/dev/null || echo \"normal\")\nif [ $((COUNT % 3)) -ne 0 ] && [ \"$LAST_STATE\" != \"critical\" ] && [ \"$LAST_STATE\" != \"emergency\" ]; then\n    exit 0\nfi\n\n# --- Extract context % from Claude Code debug logs ---\nget_context_pct() {\n    local debug_dir=\"$HOME/.claude/debug\"\n    if [ ! -d \"$debug_dir\" ]; then\n        echo \"\"\n        return\n    fi\n\n    local latest\n    latest=$(find \"$debug_dir\" -maxdepth 1 -name '*.txt' -printf '%T@ %p\\n' 2>/dev/null | sort -rn | head -1 | cut -d' ' -f2)\n    if [ -z \"$latest\" ]; then\n        echo \"\"\n        return\n    fi\n\n    # Parse the last autocompact entry for token counts\n    local line\n    line=$(grep 'autocompact:' \"$latest\" 2>/dev/null | tail -1)\n    if [ -z \"$line\" ]; then\n        echo \"\"\n        return\n    fi\n\n    local tokens window\n    tokens=$(echo \"$line\" | sed 's/.*tokens=\\([0-9]*\\).*/\\1/')\n    window=$(echo \"$line\" | sed 's/.*effectiveWindow=\\([0-9]*\\).*/\\1/')\n\n    if [ -n \"$tokens\" ] && [ -n \"$window\" ] && [ \"$window\" -gt 0 ] 2>/dev/null; then\n        local pct\n        pct=$(( (window - tokens) * 100 / window ))\n        echo \"$pct\"\n    else\n        echo \"\"\n    fi\n}\n\nCONTEXT_PCT=$(get_context_pct)\n\n# Fallback: estimate from tool call count when debug logs unavailable\n# Assumes ~180 tool calls fills ~100% of context (conservative)\nif [ -z \"$CONTEXT_PCT\" ]; then\n    CONTEXT_PCT=$(( 100 - (COUNT * 100 / 180) ))\n    if [ \"$CONTEXT_PCT\" -lt 0 ]; then CONTEXT_PCT=0; fi\n    SOURCE=\"estimate\"\nelse\n    SOURCE=\"debug\"\nfi\n\necho \"$CONTEXT_PCT\" > \"$PCT_FILE\"\n\nTIMESTAMP=$(date '+%Y-%m-%d %H:%M')\n\n# --- Evacuation template (with cooldown to prevent spam) ---\nEVAC_COOLDOWN_FILE=\"/tmp/cc-context-evac-last\"\nEVAC_COOLDOWN_SEC=1800  # 30 min cooldown between template generations\n\ngenerate_evacuation_template() {\n    local level=\"$1\"\n\n    # Cooldown check\n    if [ -f \"$EVAC_COOLDOWN_FILE\" ]; then\n        local last_ts now_ts diff\n        last_ts=$(cat \"$EVAC_COOLDOWN_FILE\" 2>/dev/null || echo 0)\n        now_ts=$(date +%s)\n        diff=$((now_ts - last_ts))\n        if [ \"$diff\" -lt \"$EVAC_COOLDOWN_SEC\" ]; then\n            return\n        fi\n    fi\n\n    # Don't add a new template if there's already an unfilled one\n    if [ -f \"$MISSION_FILE\" ] && grep -q '\\[TODO\\]' \"$MISSION_FILE\" 2>/dev/null; then\n        return\n    fi\n\n    date +%s > \"$EVAC_COOLDOWN_FILE\"\n\n    # Create mission file directory if needed\n    mkdir -p \"$(dirname \"$MISSION_FILE\")\"\n\n    cat >> \"$MISSION_FILE\" << EVAC_EOF\n\n## Context Evacuation Template (${level} - ${TIMESTAMP})\n<!-- Auto-generated by context-monitor.sh. Fill in before /compact -->\n### Current Task\n- Task: [TODO]\n- Progress: [TODO]\n- Files being edited: [TODO]\n\n### Git State\n- Branch: [TODO]\n- Uncommitted changes: [TODO]\n\n### Next Action\n- Next command/action: [TODO]\nEVAC_EOF\n}\n\n# --- Graduated warnings ---\nif [ \"$CONTEXT_PCT\" -le 15 ]; then\n    # EMERGENCY\n    if [ \"$LAST_STATE\" != \"emergency\" ]; then\n        echo \"emergency\" > \"$STATE_FILE\"\n        generate_evacuation_template \"EMERGENCY\"\n    fi\n    echo \"\"\n    echo \"EMERGENCY: Context remaining ${CONTEXT_PCT}% (${SOURCE})\"\n    echo \"Run /compact IMMEDIATELY. Evacuation template written to ${MISSION_FILE}.\"\n    echo \"1. Fill in the [TODO] fields in the template\"\n    echo \"2. Run /compact\"\n    echo \"3. If needed, restart and resume from mission file\"\n    echo \"No further work allowed. Evacuate only.\"\n\nelif [ \"$CONTEXT_PCT\" -le 20 ]; then\n    # CRITICAL\n    if [ \"$LAST_STATE\" != \"critical\" ]; then\n        echo \"critical\" > \"$STATE_FILE\"\n        generate_evacuation_template \"CRITICAL\"\n    fi\n    echo \"\"\n    echo \"CRITICAL: Context remaining ${CONTEXT_PCT}% (${SOURCE})\"\n    echo \"Run /compact IMMEDIATELY. Evacuation template written to ${MISSION_FILE}.\"\n    echo \"1. Save current task state to the template\"\n    echo \"2. Run /compact\"\n\nelif [ \"$CONTEXT_PCT\" -le 25 ]; then\n    # WARNING\n    if [ \"$LAST_STATE\" != \"warning\" ]; then\n        echo \"warning\" > \"$STATE_FILE\"\n        echo \"\"\n        echo \"WARNING: Context remaining ${CONTEXT_PCT}% (${SOURCE})\"\n        echo \"Do not start new large tasks. Finish current work and save state.\"\n    fi\n\nelif [ \"$CONTEXT_PCT\" -le 40 ]; then\n    # CAUTION\n    if [ \"$LAST_STATE\" != \"caution\" ]; then\n        echo \"caution\" > \"$STATE_FILE\"\n        echo \"\"\n        echo \"CAUTION: Context remaining ${CONTEXT_PCT}% (${SOURCE})\"\n        echo \"Be mindful of context consumption. Keep interactions concise.\"\n    fi\nfi\n\nexit 0\n", "comment-strip": "#!/bin/bash\n# ================================================================\n# comment-strip.sh \u2014 Strip bash comments that break permissions\n# ================================================================\n# PURPOSE:\n#   Claude Code sometimes adds comments to bash commands like:\n#     # Check the diff\n#     git diff HEAD~1\n#   This breaks permission allowlists (e.g. Bash(git:*)) because\n#   the matcher sees \"# Check the diff\" instead of \"git diff\".\n#\n#   This hook strips leading comment lines and returns the clean\n#   command via updatedInput, so permissions match correctly.\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# INCIDENT: GitHub Issue #29582 (18 reactions)\n#   Users on linux/vscode report that bash comments added by Claude\n#   cause permission prompts even when the command is allowlisted.\n#\n# HOW IT WORKS:\n#   - Reads the command from tool_input\n#   - Strips leading lines that start with #\n#   - Strips trailing comments (everything after # on command lines)\n#   - Returns updatedInput with the cleaned command\n#   - Uses hookSpecificOutput.permissionDecision = \"allow\" only if\n#     the command was modified (so it doesn't override other hooks)\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# Strip leading comment lines and empty lines\nCLEAN=$(echo \"$COMMAND\" | sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d')\n\n# If nothing changed, pass through\nif [[ \"$CLEAN\" == \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# If command is empty after stripping, don't modify\nif [[ -z \"$CLEAN\" ]]; then\n    exit 0\nfi\n\n# Return cleaned command via hookSpecificOutput\n# permissionDecision is not set \u2014 let the normal permission flow handle it\n# We only modify the input so the permission matcher sees the real command\njq -n --arg cmd \"$CLEAN\" '{\n  hookSpecificOutput: {\n    hookEventName: \"PreToolUse\",\n    updatedInput: {\n      command: $cmd\n    }\n  }\n}'\n", "cd-git-allow": "#!/bin/bash\n# ================================================================\n# cd-git-allow.sh \u2014 Auto-approve cd+git compound commands\n# ================================================================\n# PURPOSE:\n#   Claude Code shows \"Compound commands with cd and git require\n#   approval\" for commands like: cd /path && git log\n#   This is safe in trusted project directories but causes\n#   constant permission prompts.\n#\n#   This hook auto-approves cd+git compounds when the git operation\n#   is read-only (log, diff, status, branch, show, etc.)\n#   Destructive git operations (push, reset, clean) are NOT\n#   auto-approved \u2014 they still require manual approval.\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# INCIDENT: GitHub Issue #32985 (9 reactions)\n#\n# WHAT IT AUTO-APPROVES:\n#   - cd /path && git log\n#   - cd /path && git diff\n#   - cd /path && git status\n#   - cd /path && git branch\n#   - cd /path && git show\n#   - cd /path && git rev-parse\n#\n# WHAT IT DOES NOT APPROVE (still prompts):\n#   - cd /path && git push\n#   - cd /path && git reset --hard\n#   - cd /path && git clean\n#   - cd /path && git checkout (could discard changes)\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# Only handle cd + git compounds\nif ! echo \"$COMMAND\" | grep -qE '^\\s*cd\\s+.*&&\\s*git\\s'; then\n    exit 0\nfi\n\n# Extract the git subcommand\nGIT_CMD=$(echo \"$COMMAND\" | grep -oP '&&\\s*git\\s+\\K\\S+')\n\n# Read-only git operations \u2014 safe to auto-approve\nSAFE_GIT=\"log diff status branch show rev-parse tag remote stash-list describe name-rev\"\n\nfor safe in $SAFE_GIT; do\n    if [[ \"$GIT_CMD\" == \"$safe\" ]]; then\n        jq -n '{\n          hookSpecificOutput: {\n            hookEventName: \"PreToolUse\",\n            permissionDecision: \"allow\",\n            permissionDecisionReason: \"cd+git compound auto-approved (read-only git operation)\"\n          }\n        }'\n        exit 0\n    fi\ndone\n\n# Not a read-only git op \u2014 let normal permission flow handle it\nexit 0\n", "secret-guard": "#!/bin/bash\n# ================================================================\n# secret-guard.sh \u2014 Secret/Credential Leak Prevention\n# ================================================================\n# PURPOSE:\n#   Prevents accidental exposure of secrets, API keys, and\n#   credentials through git commits or shell output.\n#\n#   Catches the most common ways secrets leak:\n#   - git add .env (committing env files)\n#   - git add credentials.json / *.pem / *.key\n#   - echo $API_KEY or printenv (exposing secrets in output)\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# WHAT IT BLOCKS (exit 2):\n#   - git add .env / .env.local / .env.production\n#   - git add *credentials* / *secret* / *.pem / *.key\n#   - git add -A or git add . when .env exists (warns)\n#\n# WHAT IT ALLOWS (exit 0):\n#   - git add specific safe files\n#   - Reading .env for application use (not committing)\n#   - All non-git-add commands\n#\n# CONFIGURATION:\n#   CC_SECRET_PATTERNS \u2014 colon-separated additional patterns to block\n#     default: \".env:.env.local:.env.production:credentials:secret:*.pem:*.key:*.p12\"\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# --- Check 1: git add of secret files ---\nif echo \"$COMMAND\" | grep -qE '^\\s*git\\s+add'; then\n    # Direct .env file staging\n    if echo \"$COMMAND\" | grep -qiE 'git\\s+add\\s+.*\\.env(\\s|$|\\.|/)'; then\n        echo \"BLOCKED: Attempted to stage .env file.\" >&2\n        echo \"\" >&2\n        echo \"Command: $COMMAND\" >&2\n        echo \"\" >&2\n        echo \".env files contain secrets and should never be committed.\" >&2\n        echo \"Add .env to .gitignore instead.\" >&2\n        exit 2\n    fi\n\n    # Credential/key files\n    if echo \"$COMMAND\" | grep -qiE 'git\\s+add\\s+.*(credentials|\\.pem|\\.key|\\.p12|\\.pfx|id_rsa|id_ed25519)'; then\n        echo \"BLOCKED: Attempted to stage credential/key file.\" >&2\n        echo \"\" >&2\n        echo \"Command: $COMMAND\" >&2\n        echo \"\" >&2\n        echo \"Key and credential files should never be committed to git.\" >&2\n        echo \"Add them to .gitignore instead.\" >&2\n        exit 2\n    fi\n\n    # git add -A or git add . when .env exists \u2014 warn but check\n    if echo \"$COMMAND\" | grep -qE 'git\\s+add\\s+(-A|--all|\\.)(\\s|$)'; then\n        # Check if .env exists in the current or project directory\n        if [ -f \".env\" ] || [ -f \".env.local\" ] || [ -f \".env.production\" ]; then\n            echo \"BLOCKED: 'git add .' with .env file present.\" >&2\n            echo \"\" >&2\n            echo \"Command: $COMMAND\" >&2\n            echo \"\" >&2\n            echo \"An .env file exists in this directory. 'git add .' would stage it.\" >&2\n            echo \"Add specific files instead: git add src/ lib/ package.json\" >&2\n            echo \"Or add .env to .gitignore first.\" >&2\n            exit 2\n        fi\n    fi\nfi\n\nexit 0\n", "api-error-alert": "#!/bin/bash\nINPUT=$(cat)\nREASON=$(echo \"$INPUT\" | jq -r '.stop_reason // \"unknown\"' 2>/dev/null)\nHOOK_EVENT=$(echo \"$INPUT\" | jq -r '.hook_event_name // \"\"' 2>/dev/null)\nif [[ \"$REASON\" == \"user\" || \"$REASON\" == \"normal\" || -z \"$REASON\" ]]; then\n    exit 0\nfi\nLOG=\"${CC_ERROR_ALERT_LOG:-$HOME/.claude/session-errors.log}\"\nMISSION=\"${CC_CONTEXT_MISSION_FILE:-$HOME/mission.md}\"\nTS=$(date -Iseconds)\nmkdir -p \"$(dirname \"$LOG\")\" 2>/dev/null\necho \"[$TS] Session stopped: reason=$REASON event=$HOOK_EVENT\" >> \"$LOG\"\nif [ -z \"$WSL_DISTRO_NAME\" ]; then\n    notify-send \"Claude Code\" \"Session stopped: $REASON\" 2>/dev/null || true\n    osascript -e \"display notification \\\"Session stopped: $REASON\\\" with title \\\"Claude Code\\\"\" 2>/dev/null || true\nelse\n    powershell.exe -Command \"Write-Host 'Claude Code: Session stopped - $REASON'\" 2>/dev/null || true\nfi\nexit 0\n"}
+{
+  "destructive-guard": "#!/bin/bash\n# ================================================================\n# destructive-guard.sh — Destructive Command Blocker\n# ================================================================\n# PURPOSE:\n#   Blocks dangerous shell commands that can cause irreversible damage.\n#   Catches rm -rf on sensitive paths, git reset --hard, git clean -fd,\n#   and other destructive operations before they execute.\n#\n#   Built after a real incident where rm -rf on a pnpm project\n#   followed NTFS junctions and deleted an entire C:\\Users directory.\n#   (GitHub Issue #36339)\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# WHAT IT BLOCKS (exit 2):\n#   - rm -rf / rm -r on root, home, or parent paths (/, ~, .., /home, /etc)\n#   - git reset --hard\n#   - git clean -fd / git clean -fdx\n#   - chmod -R 777 on sensitive paths\n#   - find ... -delete on broad patterns\n#\n# WHAT IT ALLOWS (exit 0):\n#   - rm -rf on specific project subdirectories (node_modules, dist, build)\n#   - git reset --soft, git reset HEAD\n#   - All non-destructive commands\n#\n# CONFIGURATION:\n#   CC_ALLOW_DESTRUCTIVE=1 — disable this guard (not recommended)\n#   CC_SAFE_DELETE_DIRS — colon-separated list of safe-to-delete dirs\n#     default: \"node_modules:dist:build:.cache:__pycache__:coverage\"\n#\n# NOTE: On Windows/WSL2, rm -rf can follow NTFS junctions (symlinks)\n# and delete far more than intended. This guard is especially critical\n# on WSL2 environments.\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# Allow override (not recommended)\nif [[ \"${CC_ALLOW_DESTRUCTIVE:-0}\" == \"1\" ]]; then\n    exit 0\nfi\n\n# Log function — records blocked commands for audit\nlog_block() {\n    local reason=\"$1\"\n    local logfile=\"${CC_BLOCK_LOG:-$HOME/.claude/blocked-commands.log}\"\n    mkdir -p \"$(dirname \"$logfile\")\" 2>/dev/null\n    echo \"[$(date -Iseconds)] BLOCKED: $reason | cmd: $COMMAND\" >> \"$logfile\" 2>/dev/null\n}\n\n# Safe directories that can be deleted\nSAFE_DIRS=\"${CC_SAFE_DELETE_DIRS:-node_modules:dist:build:.cache:__pycache__:coverage:.next:.nuxt:tmp}\"\n\n# --- Check 0: --no-preserve-root ---\nif echo \"$COMMAND\" | grep -qE \"rm\\\\s.*\\\\-\\\\-no-preserve-root\"; then\n    echo \"BLOCKED: --no-preserve-root detected.\" >&2\n    exit 2\nfi\n\n# --- Check 1: rm -rf on dangerous paths ---\nif echo \"$COMMAND\" | grep -qE 'rm\\s+(-[rf]+\\s+)*(\\/$|\\/\\s|\\/[^a-z]|\\/home|\\/etc|\\/usr|\\/var|\\/mnt|~\\/|~\\s*$|\\.\\.\\/|\\.\\.\\s*$|\\.\\s*$|\\.\\/\\s*$)'; then\n    # Exception: safe directories\n    SAFE=0\n    IFS=':' read -ra DIRS <<< \"$SAFE_DIRS\"\n    for dir in \"${DIRS[@]}\"; do\n        if echo \"$COMMAND\" | grep -qE \"rm\\s+.*${dir}\\s*$|rm\\s+.*${dir}/\"; then\n            SAFE=1\n            break\n        fi\n    done\n\n    # Check for mounted filesystems inside the target (NFS, Docker, bind mounts)\n    # Why: GitHub #36640 — rm -rf on a dir with NFS mount deleted production data\n    if (( SAFE == 0 )); then\n        # Extract the target path from the rm command\n        TARGET_PATH=$(echo \"$COMMAND\" | grep -oP 'rm\\s+(-[rf]+\\s+)*\\K\\S+')\n        if [ -n \"$TARGET_PATH\" ] && command -v findmnt &>/dev/null; then\n            if findmnt -n -o TARGET --submounts \"$TARGET_PATH\" 2>/dev/null | grep -q .; then\n                log_block \"rm on path with mounted filesystem\"\n                echo \"BLOCKED: Target contains a mounted filesystem (NFS, Docker, bind).\" >&2\n                echo \"\" >&2\n                echo \"Command: $COMMAND\" >&2\n                echo \"\" >&2\n                echo \"Unmount the filesystem first, then retry.\" >&2\n                exit 2\n            fi\n        fi\n    fi\n\n    if (( SAFE == 0 )); then\n        log_block \"rm on sensitive path\"\n        echo \"BLOCKED: rm on sensitive path detected.\" >&2\n        echo \"\" >&2\n        echo \"Command: $COMMAND\" >&2\n        echo \"\" >&2\n        echo \"This command targets a sensitive directory that could cause\" >&2\n        echo \"irreversible data loss. On WSL2, rm -rf can follow NTFS\" >&2\n        echo \"junctions and delete far beyond the target directory.\" >&2\n        echo \"\" >&2\n        echo \"If you need to delete a specific subdirectory, target it directly:\" >&2\n        echo \"  rm -rf ./specific-folder\" >&2\n        exit 2\n    fi\nfi\n\n# --- Check 2: git reset --hard ---\n# Only match when git is the actual command, not inside strings/arguments\nif echo \"$COMMAND\" | grep -qE '^\\s*git\\s+reset\\s+--hard|;\\s*git\\s+reset\\s+--hard|&&\\s*git\\s+reset\\s+--hard|\\|\\|\\s*git\\s+reset\\s+--hard'; then\n    log_block \"git reset --hard\"\n    echo \"BLOCKED: git reset --hard discards all uncommitted changes.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Consider: git stash, or git reset --soft to keep changes staged.\" >&2\n    exit 2\nfi\n\n# --- Check 3: git clean -fd ---\nif echo \"$COMMAND\" | grep -qE '^\\s*git\\s+clean\\s+-[a-z]*[fd]|;\\s*git\\s+clean|&&\\s*git\\s+clean|\\|\\|\\s*git\\s+clean'; then\n    log_block \"git clean\"\n    echo \"BLOCKED: git clean removes untracked files permanently.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Consider: git clean -n (dry run) first to see what would be deleted.\" >&2\n    exit 2\nfi\n\n# --- Check 4: chmod 777 on broad paths ---\nif echo \"$COMMAND\" | grep -qE 'chmod\\s+(-R\\s+)?777\\s+(\\/|~|\\.)'; then\n    echo \"BLOCKED: chmod 777 on broad path is a security risk.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    exit 2\nfi\n\n# --- Check 5: find -delete on broad patterns ---\nif echo \"$COMMAND\" | grep -qE 'find\\s+(\\/|~|\\.\\.)\\s.*-delete'; then\n    echo \"BLOCKED: find -delete on broad path risks mass deletion.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Consider: find ... -print first to verify what matches.\" >&2\n    exit 2\nfi\n\n# --- Check 6: sudo with dangerous commands ---\nif echo \"$COMMAND\" | grep -qE '^\\s*sudo\\s+(rm\\s+-[rf]|chmod\\s+(-R\\s+)?777|dd\\s+if=|mkfs)'; then\n    log_block \"sudo with dangerous command\"\n    echo \"BLOCKED: sudo with dangerous command detected.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Running destructive commands with sudo amplifies the damage.\" >&2\n    echo \"Review the command carefully before proceeding.\" >&2\n    exit 2\nfi\n\n\n# --- Check 7: PowerShell Remove-Item (Windows/WSL2) ---\n# Real incident: GitHub #37331 — destroyed entire repo\n# Skip if command is git commit (message text triggers false positive)\nif echo \"$COMMAND\" | grep -qE '^\\s*(git\\s+commit|echo\\s|printf\\s|cat\\s)'; then\n    :  # string output commands mentioning PS commands are not destructive\nelif echo \"$COMMAND\" | grep -qiE 'Remove-Item.*-Recurse.*-Force|Remove-Item.*-Force.*-Recurse|del\\s+/s\\s+/q|rd\\s+/s\\s+/q|rmdir\\s+/s\\s+/q'; then\n    log_block \"PowerShell destructive command\"\n    echo \"BLOCKED: Destructive PowerShell command detected.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Remove-Item with recursive force-delete can destroy entire directories\" >&2\n    echo \"irreversibly. Target specific files instead.\" >&2\n    exit 2\nfi\nif echo \"$COMMAND\" | grep -qE '(^|;|&&|\\|\\|)\\s*git\\s+(checkout|switch)\\s+.*(--force\\b|-f\\b|--discard-changes\\b)'; then\n    log_block \"git checkout/switch --force\"\n    echo \"BLOCKED: git checkout/switch with --force discards uncommitted changes.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Consider: git stash before switching, or use git switch without --force.\" >&2\n    exit 2\nfi\n\nif echo \"$COMMAND\" | grep -qE '(sh|bash|zsh)\\s+-c\\s+'; then\n    INNER=$(echo \"$COMMAND\" | sed -E \"s/.*(sh|bash|zsh)\\s+-c\\s+['\\\"]//\" | sed \"s/['\\\"]*$//\" )\n    if echo \"$INNER\" | grep -qE 'rm\\s+-[rf]*\\s+[/~]|git\\s+reset\\s+--hard|git\\s+clean\\s+-[fd]+|mkfs\\.|dd\\s+if='; then\n        echo \"BLOCKED: Destructive command hidden in shell wrapper\" >&2\n        echo \"\" >&2\n        echo \"Detected: $INNER\" >&2\n        exit 2\n    fi\nfi\nif echo \"$COMMAND\" | grep -qE '\\|\\s*(sh|bash)\\s*$'; then\n    if echo \"$COMMAND\" | grep -qE 'rm\\s+-[rf]*\\s+[/~]|git\\s+reset\\s+--hard|git\\s+clean\\s+-[fd]+'; then\n        echo \"BLOCKED: Destructive command piped to shell\" >&2\n        exit 2\n    fi\nfi\nexit 0",
+  "branch-guard": "#!/bin/bash\n# ================================================================\n# branch-guard.sh — Branch Push Protector\n# ================================================================\n# PURPOSE:\n#   Prevents accidental git push to main/master branches AND\n#   blocks force-push on ALL branches without explicit approval.\n#\n#   Force-pushes rewrite history and can destroy teammates' work.\n#   Protected branch pushes bypass code review.\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# WHAT IT BLOCKS (exit 2):\n#   - git push origin main/master (any protected branch)\n#   - git push --force (any branch — history rewriting)\n#   - git push -f (short flag variant)\n#   - git push --force-with-lease (still destructive)\n#\n# WHAT IT ALLOWS (exit 0):\n#   - git push origin feature-branch (non-force)\n#   - git push -u origin feature-branch\n#   - All other git commands\n#   - All non-git commands\n#\n# CONFIGURATION:\n#   CC_PROTECT_BRANCHES — colon-separated list of protected branches\n#     default: \"main:master\"\n#   CC_ALLOW_FORCE_PUSH=1 — disable force-push protection\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# Only check git push commands\nif ! echo \"$COMMAND\" | grep -qE '^\\s*git\\s+push'; then\n    exit 0\nfi\n\n# --- Check 1: Force push on ANY branch ---\nif [[ \"${CC_ALLOW_FORCE_PUSH:-0}\" != \"1\" ]]; then\n    if echo \"$COMMAND\" | grep -qE 'git\\s+push\\s+.*(-f\\b|--force\\b|--force-with-lease\\b)'; then\n        echo \"BLOCKED: Force push detected.\" >&2\n        echo \"\" >&2\n        echo \"Command: $COMMAND\" >&2\n        echo \"\" >&2\n        echo \"Force push rewrites remote history and can destroy\" >&2\n        echo \"other people's work. This is almost never what you want.\" >&2\n        echo \"\" >&2\n        echo \"If you truly need to force push, set CC_ALLOW_FORCE_PUSH=1\" >&2\n        exit 2\n    fi\nfi\n\n# --- Check 2: Push to protected branches ---\nPROTECTED=\"${CC_PROTECT_BRANCHES:-main:master}\"\n\nBLOCKED=0\nIFS=':' read -ra BRANCHES <<< \"$PROTECTED\"\nfor branch in \"${BRANCHES[@]}\"; do\n    if echo \"$COMMAND\" | grep -qwE \"origin\\s+${branch}|${branch}\\s|${branch}$\"; then\n        BLOCKED=1\n        break\n    fi\ndone\n\nif (( BLOCKED == 1 )); then\n    echo \"BLOCKED: Attempted push to protected branch.\" >&2\n    echo \"\" >&2\n    echo \"Command: $COMMAND\" >&2\n    echo \"\" >&2\n    echo \"Protected branches: $PROTECTED\" >&2\n    echo \"\" >&2\n    echo \"Push to a feature branch first, then create a pull request.\" >&2\n    exit 2\nfi\n\nexit 0\n",
+  "syntax-check": "#!/bin/bash\n# ================================================================\n# syntax-check.sh — Automatic Syntax Validation After Edits\n# ================================================================\n# PURPOSE:\n#   Runs syntax checks immediately after Claude Code edits or\n#   writes a file. Catches syntax errors before they propagate\n#   into downstream failures.\n#\n# SUPPORTED LANGUAGES:\n#   .py    — python -m py_compile\n#   .sh    — bash -n\n#   .bash  — bash -n\n#   .json  — jq empty\n#   .yaml  — python3 yaml.safe_load (if PyYAML installed)\n#   .yml   — python3 yaml.safe_load (if PyYAML installed)\n#   .js    — node --check (if node installed)\n#   .ts    — npx tsc --noEmit (if tsc available) [EXPERIMENTAL]\n#\n# TRIGGER: PostToolUse\n# MATCHER: \"Edit|Write\"\n#\n# DESIGN PHILOSOPHY:\n#   - Never blocks (always exit 0) — reports errors but doesn't\n#     prevent the edit from completing\n#   - Silent on success — only speaks up when something is wrong\n#   - Fails open — if a checker isn't installed, silently skips\n#\n# BORN FROM:\n#   Countless sessions where Claude Code introduced a syntax error,\n#   continued working for 10+ tool calls, then hit a wall when\n#   trying to run the broken file. Catching it immediately saves\n#   context window and frustration.\n# ================================================================\n\nINPUT=$(cat)\nFILE_PATH=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null)\n\n# No file path = nothing to check\nif [[ -z \"$FILE_PATH\" || ! -f \"$FILE_PATH\" ]]; then\n    exit 0\nfi\n\nEXT=\"${FILE_PATH##*.}\"\n\ncase \"$EXT\" in\n    py)\n        if python3 -m py_compile \"$FILE_PATH\" 2>&1; then\n            :  # silent on success\n        else\n            echo \"SYNTAX ERROR (Python): $FILE_PATH\" >&2\n        fi\n        ;;\n    sh|bash)\n        if bash -n \"$FILE_PATH\" 2>&1; then\n            :\n        else\n            echo \"SYNTAX ERROR (Shell): $FILE_PATH\" >&2\n        fi\n        ;;\n    json)\n        if command -v jq &>/dev/null; then\n            if jq empty \"$FILE_PATH\" 2>&1; then\n                :\n            else\n                echo \"SYNTAX ERROR (JSON): $FILE_PATH\" >&2\n            fi\n        fi\n        ;;\n    yaml|yml)\n        if python3 -c \"import yaml\" 2>/dev/null; then\n            if python3 -c \"\nimport yaml, sys\nwith open(sys.argv[1]) as f:\n    yaml.safe_load(f)\n\" \"$FILE_PATH\" 2>&1; then\n                :\n            else\n                echo \"SYNTAX ERROR (YAML): $FILE_PATH\" >&2\n            fi\n        fi\n        ;;\n    js)\n        if command -v node &>/dev/null; then\n            if node --check \"$FILE_PATH\" 2>&1; then\n                :\n            else\n                echo \"SYNTAX ERROR (JavaScript): $FILE_PATH\" >&2\n            fi\n        fi\n        ;;\n    ts)\n        # EXPERIMENTAL: TypeScript check requires tsc in PATH\n        if command -v npx &>/dev/null; then\n            if npx tsc --noEmit \"$FILE_PATH\" 2>&1; then\n                :\n            else\n                echo \"SYNTAX ERROR (TypeScript) [experimental]: $FILE_PATH\" >&2\n            fi\n        fi\n        ;;\n    *)\n        # Unknown extension — skip silently\n        ;;\nesac\n\nexit 0\n",
+  "context-monitor": "#!/bin/bash\n# ================================================================\n# context-monitor.sh — Context Window Remaining Capacity Monitor\n# ================================================================\n# PURPOSE:\n#   Monitors how much context window remains during a Claude Code\n#   session. Issues graduated warnings (CAUTION → WARNING → CRITICAL\n#   → EMERGENCY) so you never get killed by context exhaustion.\n#\n# HOW IT WORKS:\n#   1. Reads Claude Code's debug log to extract actual token usage\n#   2. Falls back to tool-call-count estimation when debug logs\n#      are unavailable\n#   3. Saves current % to /tmp/cc-context-pct (other scripts can\n#      read this)\n#   4. At CRITICAL/EMERGENCY, writes an evacuation template to\n#      your mission file so you can hand off state before /compact\n#\n# TRIGGER: PostToolUse (all tools)\n# MATCHER: \"\" (empty = every tool invocation)\n#\n# CONFIGURATION:\n#   CC_CONTEXT_MISSION_FILE — path to your mission/state file\n#     default: $HOME/mission.md\n#\n# THRESHOLDS (edit below to taste):\n#   CAUTION   = 40%  — be mindful of consumption\n#   WARNING   = 25%  — finish current task, save state\n#   CRITICAL  = 20%  — run /compact immediately\n#   EMERGENCY = 15%  — stop everything, evacuate\n#\n# BORN FROM:\n#   A session that hit 3% context remaining with no warning.\n#   The agent died mid-task and all in-flight work was lost.\n#   Never again.\n# ================================================================\n\nSTATE_FILE=\"/tmp/cc-context-state\"\nPCT_FILE=\"/tmp/cc-context-pct\"\nCOUNTER_FILE=\"/tmp/cc-context-monitor-count\"\nMISSION_FILE=\"${CC_CONTEXT_MISSION_FILE:-$HOME/mission.md}\"\n\n# Tool invocation counter (fallback estimator)\nCOUNT=$(cat \"$COUNTER_FILE\" 2>/dev/null || echo 0)\nCOUNT=$((COUNT + 1))\necho \"$COUNT\" > \"$COUNTER_FILE\"\n\n# Check every 3rd invocation to reduce overhead\n# (but always check in CRITICAL/EMERGENCY state)\nLAST_STATE=$(cat \"$STATE_FILE\" 2>/dev/null || echo \"normal\")\nif [ $((COUNT % 3)) -ne 0 ] && [ \"$LAST_STATE\" != \"critical\" ] && [ \"$LAST_STATE\" != \"emergency\" ]; then\n    exit 0\nfi\n\n# --- Extract context % from Claude Code debug logs ---\nget_context_pct() {\n    local debug_dir=\"$HOME/.claude/debug\"\n    if [ ! -d \"$debug_dir\" ]; then\n        echo \"\"\n        return\n    fi\n\n    local latest\n    latest=$(find \"$debug_dir\" -maxdepth 1 -name '*.txt' -printf '%T@ %p\\n' 2>/dev/null | sort -rn | head -1 | cut -d' ' -f2)\n    if [ -z \"$latest\" ]; then\n        echo \"\"\n        return\n    fi\n\n    # Parse the last autocompact entry for token counts\n    local line\n    line=$(grep 'autocompact:' \"$latest\" 2>/dev/null | tail -1)\n    if [ -z \"$line\" ]; then\n        echo \"\"\n        return\n    fi\n\n    local tokens window\n    tokens=$(echo \"$line\" | sed 's/.*tokens=\\([0-9]*\\).*/\\1/')\n    window=$(echo \"$line\" | sed 's/.*effectiveWindow=\\([0-9]*\\).*/\\1/')\n\n    if [ -n \"$tokens\" ] && [ -n \"$window\" ] && [ \"$window\" -gt 0 ] 2>/dev/null; then\n        local pct\n        pct=$(( (window - tokens) * 100 / window ))\n        echo \"$pct\"\n    else\n        echo \"\"\n    fi\n}\n\nCONTEXT_PCT=$(get_context_pct)\n\n# Fallback: estimate from tool call count when debug logs unavailable\n# Assumes ~180 tool calls fills ~100% of context (conservative)\nif [ -z \"$CONTEXT_PCT\" ]; then\n    CONTEXT_PCT=$(( 100 - (COUNT * 100 / 180) ))\n    if [ \"$CONTEXT_PCT\" -lt 0 ]; then CONTEXT_PCT=0; fi\n    SOURCE=\"estimate\"\nelse\n    SOURCE=\"debug\"\nfi\n\necho \"$CONTEXT_PCT\" > \"$PCT_FILE\"\n\nTIMESTAMP=$(date '+%Y-%m-%d %H:%M')\n\n# --- Evacuation template (with cooldown to prevent spam) ---\nEVAC_COOLDOWN_FILE=\"/tmp/cc-context-evac-last\"\nEVAC_COOLDOWN_SEC=1800  # 30 min cooldown between template generations\n\ngenerate_evacuation_template() {\n    local level=\"$1\"\n\n    # Cooldown check\n    if [ -f \"$EVAC_COOLDOWN_FILE\" ]; then\n        local last_ts now_ts diff\n        last_ts=$(cat \"$EVAC_COOLDOWN_FILE\" 2>/dev/null || echo 0)\n        now_ts=$(date +%s)\n        diff=$((now_ts - last_ts))\n        if [ \"$diff\" -lt \"$EVAC_COOLDOWN_SEC\" ]; then\n            return\n        fi\n    fi\n\n    # Don't add a new template if there's already an unfilled one\n    if [ -f \"$MISSION_FILE\" ] && grep -q '\\[TODO\\]' \"$MISSION_FILE\" 2>/dev/null; then\n        return\n    fi\n\n    date +%s > \"$EVAC_COOLDOWN_FILE\"\n\n    # Create mission file directory if needed\n    mkdir -p \"$(dirname \"$MISSION_FILE\")\"\n\n    cat >> \"$MISSION_FILE\" << EVAC_EOF\n\n## Context Evacuation Template (${level} - ${TIMESTAMP})\n<!-- Auto-generated by context-monitor.sh. Fill in before /compact -->\n### Current Task\n- Task: [TODO]\n- Progress: [TODO]\n- Files being edited: [TODO]\n\n### Git State\n- Branch: [TODO]\n- Uncommitted changes: [TODO]\n\n### Next Action\n- Next command/action: [TODO]\nEVAC_EOF\n}\n\n# --- Graduated warnings ---\nif [ \"$CONTEXT_PCT\" -le 15 ]; then\n    # EMERGENCY\n    if [ \"$LAST_STATE\" != \"emergency\" ]; then\n        echo \"emergency\" > \"$STATE_FILE\"\n        generate_evacuation_template \"EMERGENCY\"\n    fi\n    echo \"\"\n    echo \"EMERGENCY: Context remaining ${CONTEXT_PCT}% (${SOURCE})\"\n    echo \"Run /compact IMMEDIATELY. Evacuation template written to ${MISSION_FILE}.\"\n    echo \"1. Fill in the [TODO] fields in the template\"\n    echo \"2. Run /compact\"\n    echo \"3. If needed, restart and resume from mission file\"\n    echo \"No further work allowed. Evacuate only.\"\n\nelif [ \"$CONTEXT_PCT\" -le 20 ]; then\n    # CRITICAL\n    if [ \"$LAST_STATE\" != \"critical\" ]; then\n        echo \"critical\" > \"$STATE_FILE\"\n        generate_evacuation_template \"CRITICAL\"\n    fi\n    echo \"\"\n    echo \"CRITICAL: Context remaining ${CONTEXT_PCT}% (${SOURCE})\"\n    echo \"Run /compact IMMEDIATELY. Evacuation template written to ${MISSION_FILE}.\"\n    echo \"1. Save current task state to the template\"\n    echo \"2. Run /compact\"\n\nelif [ \"$CONTEXT_PCT\" -le 25 ]; then\n    # WARNING\n    if [ \"$LAST_STATE\" != \"warning\" ]; then\n        echo \"warning\" > \"$STATE_FILE\"\n        echo \"\"\n        echo \"WARNING: Context remaining ${CONTEXT_PCT}% (${SOURCE})\"\n        echo \"Do not start new large tasks. Finish current work and save state.\"\n    fi\n\nelif [ \"$CONTEXT_PCT\" -le 40 ]; then\n    # CAUTION\n    if [ \"$LAST_STATE\" != \"caution\" ]; then\n        echo \"caution\" > \"$STATE_FILE\"\n        echo \"\"\n        echo \"CAUTION: Context remaining ${CONTEXT_PCT}% (${SOURCE})\"\n        echo \"Be mindful of context consumption. Keep interactions concise.\"\n    fi\nfi\n\nexit 0\n",
+  "comment-strip": "#!/bin/bash\n# ================================================================\n# comment-strip.sh — Strip bash comments that break permissions\n# ================================================================\n# PURPOSE:\n#   Claude Code sometimes adds comments to bash commands like:\n#     # Check the diff\n#     git diff HEAD~1\n#   This breaks permission allowlists (e.g. Bash(git:*)) because\n#   the matcher sees \"# Check the diff\" instead of \"git diff\".\n#\n#   This hook strips leading comment lines and returns the clean\n#   command via updatedInput, so permissions match correctly.\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# INCIDENT: GitHub Issue #29582 (18 reactions)\n#   Users on linux/vscode report that bash comments added by Claude\n#   cause permission prompts even when the command is allowlisted.\n#\n# HOW IT WORKS:\n#   - Reads the command from tool_input\n#   - Strips leading lines that start with #\n#   - Strips trailing comments (everything after # on command lines)\n#   - Returns updatedInput with the cleaned command\n#   - Uses hookSpecificOutput.permissionDecision = \"allow\" only if\n#     the command was modified (so it doesn't override other hooks)\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# Strip leading comment lines and empty lines\nCLEAN=$(echo \"$COMMAND\" | sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d')\n\n# If nothing changed, pass through\nif [[ \"$CLEAN\" == \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# If command is empty after stripping, don't modify\nif [[ -z \"$CLEAN\" ]]; then\n    exit 0\nfi\n\n# Return cleaned command via hookSpecificOutput\n# permissionDecision is not set — let the normal permission flow handle it\n# We only modify the input so the permission matcher sees the real command\njq -n --arg cmd \"$CLEAN\" '{\n  hookSpecificOutput: {\n    hookEventName: \"PreToolUse\",\n    updatedInput: {\n      command: $cmd\n    }\n  }\n}'\n",
+  "cd-git-allow": "#!/bin/bash\n# ================================================================\n# cd-git-allow.sh — Auto-approve cd+git compound commands\n# ================================================================\n# PURPOSE:\n#   Claude Code shows \"Compound commands with cd and git require\n#   approval\" for commands like: cd /path && git log\n#   This is safe in trusted project directories but causes\n#   constant permission prompts.\n#\n#   This hook auto-approves cd+git compounds when the git operation\n#   is read-only (log, diff, status, branch, show, etc.)\n#   Destructive git operations (push, reset, clean) are NOT\n#   auto-approved — they still require manual approval.\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# INCIDENT: GitHub Issue #32985 (9 reactions)\n#\n# WHAT IT AUTO-APPROVES:\n#   - cd /path && git log\n#   - cd /path && git diff\n#   - cd /path && git status\n#   - cd /path && git branch\n#   - cd /path && git show\n#   - cd /path && git rev-parse\n#\n# WHAT IT DOES NOT APPROVE (still prompts):\n#   - cd /path && git push\n#   - cd /path && git reset --hard\n#   - cd /path && git clean\n#   - cd /path && git checkout (could discard changes)\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# Only handle cd + git compounds\nif ! echo \"$COMMAND\" | grep -qE '^\\s*cd\\s+.*&&\\s*git\\s'; then\n    exit 0\nfi\n\n# Extract the git subcommand\nGIT_CMD=$(echo \"$COMMAND\" | grep -oP '&&\\s*git\\s+\\K\\S+')\n\n# Read-only git operations — safe to auto-approve\nSAFE_GIT=\"log diff status branch show rev-parse tag remote stash-list describe name-rev\"\n\nfor safe in $SAFE_GIT; do\n    if [[ \"$GIT_CMD\" == \"$safe\" ]]; then\n        jq -n '{\n          hookSpecificOutput: {\n            hookEventName: \"PreToolUse\",\n            permissionDecision: \"allow\",\n            permissionDecisionReason: \"cd+git compound auto-approved (read-only git operation)\"\n          }\n        }'\n        exit 0\n    fi\ndone\n\n# Not a read-only git op — let normal permission flow handle it\nexit 0\n",
+  "secret-guard": "#!/bin/bash\n# ================================================================\n# secret-guard.sh — Secret/Credential Leak Prevention\n# ================================================================\n# PURPOSE:\n#   Prevents accidental exposure of secrets, API keys, and\n#   credentials through git commits or shell output.\n#\n#   Catches the most common ways secrets leak:\n#   - git add .env (committing env files)\n#   - git add credentials.json / *.pem / *.key\n#   - echo $API_KEY or printenv (exposing secrets in output)\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# WHAT IT BLOCKS (exit 2):\n#   - git add .env / .env.local / .env.production\n#   - git add *credentials* / *secret* / *.pem / *.key\n#   - git add -A or git add . when .env exists (warns)\n#\n# WHAT IT ALLOWS (exit 0):\n#   - git add specific safe files\n#   - Reading .env for application use (not committing)\n#   - All non-git-add commands\n#\n# CONFIGURATION:\n#   CC_SECRET_PATTERNS — colon-separated additional patterns to block\n#     default: \".env:.env.local:.env.production:credentials:secret:*.pem:*.key:*.p12\"\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# --- Check 1: git add of secret files ---\nif echo \"$COMMAND\" | grep -qE '^\\s*git\\s+add'; then\n    # Direct .env file staging\n    if echo \"$COMMAND\" | grep -qiE 'git\\s+add\\s+.*\\.env(\\s|$|\\.|/)'; then\n        echo \"BLOCKED: Attempted to stage .env file.\" >&2\n        echo \"\" >&2\n        echo \"Command: $COMMAND\" >&2\n        echo \"\" >&2\n        echo \".env files contain secrets and should never be committed.\" >&2\n        echo \"Add .env to .gitignore instead.\" >&2\n        exit 2\n    fi\n\n    # Credential/key files\n    if echo \"$COMMAND\" | grep -qiE 'git\\s+add\\s+.*(credentials|\\.pem|\\.key|\\.p12|\\.pfx|id_rsa|id_ed25519)'; then\n        echo \"BLOCKED: Attempted to stage credential/key file.\" >&2\n        echo \"\" >&2\n        echo \"Command: $COMMAND\" >&2\n        echo \"\" >&2\n        echo \"Key and credential files should never be committed to git.\" >&2\n        echo \"Add them to .gitignore instead.\" >&2\n        exit 2\n    fi\n\n    # git add -A or git add . when .env exists — warn but check\n    if echo \"$COMMAND\" | grep -qE 'git\\s+add\\s+(-A|--all|\\.)(\\s|$)'; then\n        # Check if .env exists in the current or project directory\n        if [ -f \".env\" ] || [ -f \".env.local\" ] || [ -f \".env.production\" ]; then\n            echo \"BLOCKED: 'git add .' with .env file present.\" >&2\n            echo \"\" >&2\n            echo \"Command: $COMMAND\" >&2\n            echo \"\" >&2\n            echo \"An .env file exists in this directory. 'git add .' would stage it.\" >&2\n            echo \"Add specific files instead: git add src/ lib/ package.json\" >&2\n            echo \"Or add .env to .gitignore first.\" >&2\n            exit 2\n        fi\n    fi\nfi\n\nexit 0\n",
+  "api-error-alert": "#!/bin/bash\nINPUT=$(cat)\nREASON=$(echo \"$INPUT\" | jq -r '.stop_reason // \"unknown\"' 2>/dev/null)\nHOOK_EVENT=$(echo \"$INPUT\" | jq -r '.hook_event_name // \"\"' 2>/dev/null)\nif [[ \"$REASON\" == \"user\" || \"$REASON\" == \"normal\" || -z \"$REASON\" ]]; then\n    exit 0\nfi\nLOG=\"${CC_ERROR_ALERT_LOG:-$HOME/.claude/session-errors.log}\"\nMISSION=\"${CC_CONTEXT_MISSION_FILE:-$HOME/mission.md}\"\nTS=$(date -Iseconds)\nmkdir -p \"$(dirname \"$LOG\")\" 2>/dev/null\necho \"[$TS] Session stopped: reason=$REASON event=$HOOK_EVENT\" >> \"$LOG\"\nif [ -z \"$WSL_DISTRO_NAME\" ]; then\n    notify-send \"Claude Code\" \"Session stopped: $REASON\" 2>/dev/null || true\n    osascript -e \"display notification \\\"Session stopped: $REASON\\\" with title \\\"Claude Code\\\"\" 2>/dev/null || true\nelse\n    powershell.exe -Command \"Write-Host 'Claude Code: Session stopped - $REASON'\" 2>/dev/null || true\nfi\nexit 0\n"
+}