cc-safe-setup 29.6.30 → 29.6.32

package/examples/max-concurrent-agents.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# max-concurrent-agents.sh — Limit number of simultaneous subagents
+#
+# Solves: Uncontrolled agent spawning burns through rate limits and tokens.
+#         A single prompt like "research 10 topics" can spawn 10 agents,
+#         each consuming context and API calls simultaneously.
+#
+# How it works: PreToolUse hook on "Agent" that tracks active agents
+#   via a counter file. Blocks new agents when the limit is reached.
+#   Counter is decremented by a companion PostToolUse hook or timeout.
+#
+# CONFIG:
+#   CC_MAX_AGENTS=3  (default: 3 concurrent agents)
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Agent"
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ "$TOOL" != "Agent" ] && exit 0
+
+MAX_AGENTS=${CC_MAX_AGENTS:-3}
+COUNTER_FILE="/tmp/cc-agent-count-${PPID}"
+
+# Initialize counter
+[ -f "$COUNTER_FILE" ] || echo "0" > "$COUNTER_FILE"
+
+# Read current count
+CURRENT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+
+# Clean up stale counts (reset if file is older than 10 minutes)
+if [ -f "$COUNTER_FILE" ]; then
+    AGE=$(( $(date +%s) - $(stat -c %Y "$COUNTER_FILE" 2>/dev/null || echo 0) ))
+    [ "$AGE" -gt 600 ] && echo "0" > "$COUNTER_FILE" && CURRENT=0
+fi
+
+if [ "$CURRENT" -ge "$MAX_AGENTS" ]; then
+    echo "BLOCKED: Maximum concurrent agents reached (${CURRENT}/${MAX_AGENTS})" >&2
+    echo "  Wait for existing agents to complete before spawning new ones." >&2
+    echo "  Set CC_MAX_AGENTS to increase the limit." >&2
+    exit 2
+fi
+
+# Increment counter
+echo $((CURRENT + 1)) > "$COUNTER_FILE"
+exit 0

package/examples/mcp-config-freeze.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# mcp-config-freeze.sh — Prevent MCP configuration changes during session
+#
+# Solves: Shadow MCP servers added mid-session (OWASP MCP09).
+#         An agent or prompt injection could modify .mcp.json or
+#         settings.json to add unauthorized MCP servers.
+#
+# How it works: On SessionStart, snapshots the current MCP config.
+#   On subsequent Edit/Write to config files, compares against snapshot.
+#   Blocks changes that add new MCP servers.
+#
+# Complements mcp-server-guard.sh (which blocks Bash-based server launches)
+# by also covering config file modification.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Edit|Write"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Only check MCP-related config files
+FILENAME=$(basename "$FILE")
+case "$FILENAME" in
+    .mcp.json|mcp.json|mcp-config.json)
+        ;;
+    settings.json|settings.local.json)
+        # Check if the edit adds mcpServers
+        CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+        if echo "$CONTENT" | grep -qiE 'mcpServers|mcp_servers'; then
+            echo "BLOCKED: MCP server configuration change detected" >&2
+            echo "  File: $FILE" >&2
+            echo "  MCP server additions require manual approval." >&2
+            echo "  Edit the file manually or remove this hook temporarily." >&2
+            exit 2
+        fi
+        exit 0
+        ;;
+    *)
+        exit 0
+        ;;
+esac
+
+# For .mcp.json files, block all modifications
+echo "BLOCKED: MCP configuration file is frozen during this session" >&2
+echo "  File: $FILE" >&2
+echo "  To modify MCP config, edit the file manually outside Claude Code." >&2
+exit 2

package/examples/mcp-data-boundary.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# mcp-data-boundary.sh — Prevent MCP tools from accessing sensitive paths
+#
+# Solves: MCP tools can read/write files outside the intended scope.
+#         A rogue or misconfigured MCP server could exfiltrate credentials
+#         or modify system files. (OWASP MCP01 + MCP10)
+#
+# How it works: PostToolUse hook that checks MCP tool results for
+#   sensitive file path references. Warns if an MCP tool accessed
+#   paths outside the project directory.
+#
+# CONFIG:
+#   CC_MCP_ALLOWED_PATHS="/home/user/project"  (colon-separated)
+#
+# TRIGGER: PostToolUse
+# MATCHER: "" (monitors all tools, focuses on MCP tool outputs)
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+OUTPUT=$(echo "$INPUT" | jq -r '.tool_output // empty' 2>/dev/null | head -c 2000)
+[ -z "$OUTPUT" ] && exit 0
+
+# Only check MCP tool outputs (tool names starting with mcp__)
+echo "$TOOL" | grep -q '^mcp__' || exit 0
+
+# Check for sensitive path patterns in output
+SENSITIVE_PATHS='/etc/passwd|/etc/shadow|\.ssh/|\.aws/|\.env|credentials|\.npmrc|\.pypirc|\.netrc|\.gnupg|\.kube/config'
+
+if echo "$OUTPUT" | grep -qiE "$SENSITIVE_PATHS"; then
+    echo "⚠ MCP DATA BOUNDARY: MCP tool accessed sensitive path" >&2
+    echo "  Tool: $TOOL" >&2
+    echo "  Detected sensitive path reference in output." >&2
+    echo "  Review the MCP server's file access scope." >&2
+fi
+
+# Check for data that looks like secrets in output
+if echo "$OUTPUT" | grep -qE 'sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{30,}|-----BEGIN.*KEY|AKIA[A-Z0-9]{16}'; then
+    echo "⚠ MCP DATA BOUNDARY: MCP tool output contains potential secrets" >&2
+    echo "  Tool: $TOOL" >&2
+    echo "  Review output for leaked credentials." >&2
+fi
+
+exit 0

package/examples/no-git-amend.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# no-git-amend.sh — Block git commit --amend to prevent overwriting previous commits
+#
+# Solves: Claude Code amending previous commits instead of creating new ones.
+#         When a pre-commit hook fails, the commit doesn't happen. If Claude
+#         then runs --amend to "fix" it, it modifies the PREVIOUS commit
+#         instead of creating a new one — potentially destroying prior work.
+#
+# This is explicitly recommended in Claude Code's own system prompt:
+#   "Always create NEW commits rather than amending"
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Block git commit --amend
+if echo "$COMMAND" | grep -qE 'git\s+commit\s+.*--amend|git\s+commit\s+--amend'; then
+    echo "BLOCKED: git commit --amend is not allowed" >&2
+    echo "  Create a new commit instead: git commit -m 'fix: ...'" >&2
+    echo "  Amending can overwrite the previous commit's changes." >&2
+    exit 2
+fi
+
+exit 0

package/examples/path-deny-bash-guard.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+# path-deny-bash-guard.sh — Enforce path deny rules on Bash commands
+#
+# Solves: Bash tool bypasses settings.json path deny rules (#39987).
+#         Read/Glob/Grep respect deny rules, but Bash commands like
+#         `cat /denied/path/file.txt` or `grep pattern /denied/path/`
+#         bypass the restriction entirely.
+#
+# How it works: Reads denied paths from CC_DENIED_PATHS env var or
+#   a config file, then checks if any Bash command argument contains
+#   a denied path.
+#
+# CONFIG:
+#   CC_DENIED_PATHS="/path/one:/path/two:/path/three"
+#   Or create ~/.claude/denied-paths.txt (one path per line)
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Load denied paths
+DENIED_PATHS=""
+
+# Source 1: Environment variable (colon-separated)
+if [ -n "${CC_DENIED_PATHS:-}" ]; then
+    DENIED_PATHS="$CC_DENIED_PATHS"
+fi
+
+# Source 2: Config file (one path per line)
+DENY_FILE="${HOME}/.claude/denied-paths.txt"
+if [ -f "$DENY_FILE" ]; then
+    while IFS= read -r line; do
+        [ -z "$line" ] && continue
+        [[ "$line" =~ ^# ]] && continue
+        if [ -n "$DENIED_PATHS" ]; then
+            DENIED_PATHS="${DENIED_PATHS}:${line}"
+        else
+            DENIED_PATHS="$line"
+        fi
+    done < "$DENY_FILE"
+fi
+
+[ -z "$DENIED_PATHS" ] && exit 0
+
+# Check command against denied paths
+IFS=':'
+for denied_path in $DENIED_PATHS; do
+    [ -z "$denied_path" ] && continue
+    # Normalize: remove trailing slash
+    denied_path="${denied_path%/}"
+
+    if echo "$COMMAND" | grep -qF "$denied_path"; then
+        echo "BLOCKED: Bash command accesses denied path" >&2
+        echo "  Denied: $denied_path" >&2
+        echo "  Command: $(echo "$COMMAND" | head -c 100)" >&2
+        echo "  Note: This path is restricted in your deny rules." >&2
+        echo "        Use Read/Glob/Grep tools which respect deny rules," >&2
+        echo "        or remove the path from denied-paths.txt." >&2
+        exit 2
+    fi
+done
+
+exit 0

package/examples/permission-mode-drift-guard.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# permission-mode-drift-guard.sh — Detect permission mode changes mid-session
+#
+# Solves: Permission mode resets from 'Bypass permissions' to 'Edit automatically'
+#         mid-session without user interaction (#39057, 3 reactions).
+#
+# How it works: On SessionStart, records the initial permission mode.
+#   On each PermissionRequest, compares current behavior against expected.
+#   If permissions are being requested when bypass mode was set,
+#   warns the user that the mode may have drifted.
+#
+# Uses ConfigChange hook event (v2.1.83+) when available, falls back
+# to heuristic detection via unexpected permission prompts.
+#
+# TRIGGER: PermissionRequest (fallback detection)
+# MATCHER: "" (all permission requests)
+
+INPUT=$(cat)
+MESSAGE=$(echo "$INPUT" | jq -r '.message // empty' 2>/dev/null)
+
+STATE_FILE="/tmp/cc-permission-mode-${PPID}"
+
+# On first call, record that we're getting permission prompts
+if [ ! -f "$STATE_FILE" ]; then
+    echo "prompt_count=1" > "$STATE_FILE"
+    echo "first_prompt=$(date +%s)" >> "$STATE_FILE"
+    exit 0
+fi
+
+# Track prompt count
+. "$STATE_FILE"
+prompt_count=$((prompt_count + 1))
+echo "prompt_count=$prompt_count" > "$STATE_FILE"
+echo "first_prompt=$first_prompt" >> "$STATE_FILE"
+
+# If we're getting many permission prompts, something may be wrong
+if [ "$prompt_count" -eq 5 ]; then
+    echo "⚠ Permission mode drift detected: ${prompt_count} permission prompts this session" >&2
+    echo "  If you set 'Bypass permissions', it may have reset to 'Edit automatically'" >&2
+    echo "  Check: Ctrl+Shift+P → Claude Code: Set Permission Mode" >&2
+fi
+
+if [ "$prompt_count" -eq 20 ]; then
+    echo "⚠ ${prompt_count} permission prompts — consider re-enabling bypass mode" >&2
+fi
+
+exit 0

package/examples/plan-mode-strict-guard.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+# plan-mode-strict-guard.sh — Hard-block all write operations during plan mode
+#
+# Solves: Plan mode doesn't hard-block write tools (#40324, 0 reactions).
+#         When Claude is in plan mode, it should only read and analyze.
+#         But the model can propose Edit/Write operations, and if the user
+#         clicks "approve", they execute — defeating the purpose of plan mode.
+#
+# How it works: Checks for plan mode indicators:
+#   1. CC_PLAN_MODE env var (set by some configurations)
+#   2. .claude/plan-mode.lock file (created by plan-mode-enforcer.sh)
+#   3. Plan-related keywords in the session context
+#
+# When plan mode is active, blocks Edit, Write, and dangerous Bash commands.
+# Read, Glob, Grep, and safe Bash commands are allowed.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Edit|Write|Bash"
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ -z "$TOOL" ] && exit 0
+
+# Check if plan mode is active
+PLAN_MODE=false
+
+# Method 1: Environment variable
+[ "${CC_PLAN_MODE:-}" = "true" ] && PLAN_MODE=true
+
+# Method 2: Lock file
+[ -f "${HOME}/.claude/plan-mode.lock" ] && PLAN_MODE=true
+
+# Method 3: Project-level plan lock
+[ -f ".claude/plan-mode.lock" ] && PLAN_MODE=true
+
+[ "$PLAN_MODE" = "false" ] && exit 0
+
+# Plan mode is active — enforce read-only
+case "$TOOL" in
+    Edit|Write)
+        echo "BLOCKED: Plan mode is active — write operations are not allowed" >&2
+        echo "  Exit plan mode first, then make changes" >&2
+        echo "  Remove ~/.claude/plan-mode.lock or unset CC_PLAN_MODE" >&2
+        exit 2
+        ;;
+    Bash)
+        CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+        [ -z "$CMD" ] && exit 0
+
+        # Allow read-only commands in plan mode
+        # Strip compound operators to get the first command
+        FIRST_PART=$(echo "$CMD" | sed 's/[;&|].*//' | sed 's/^\s*//')
+
+        # Single-word safe commands
+        FIRST_WORD=$(echo "$FIRST_PART" | awk '{print $1}')
+        SAFE_SINGLE="ls|cat|head|tail|grep|find|wc|diff|pwd|echo|date|which|type|file|tree|du|df|env|printenv"
+        if echo "$FIRST_WORD" | grep -qxE "$SAFE_SINGLE"; then
+            exit 0
+        fi
+
+        # Two-word safe commands (git, npm, etc.)
+        FIRST_TWO=$(echo "$FIRST_PART" | awk '{print $1, $2}')
+        SAFE_TWO="git status|git log|git diff|git branch|git show|git rev-parse|git tag|node -v|python3 -V|npm list|npm outdated|pip list|pip show"
+        if echo "$FIRST_TWO" | grep -qxE "$SAFE_TWO"; then
+            exit 0
+        fi
+
+        # Block write commands in plan mode
+        echo "BLOCKED: Plan mode is active — only read-only Bash commands allowed" >&2
+        echo "  Allowed: ls, cat, grep, git status/log/diff, etc." >&2
+        exit 2
+        ;;
+esac
+
+exit 0

package/examples/pre-compact-checkpoint.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# pre-compact-checkpoint.sh — Auto-save before context compaction
+#
+# Uses the PreCompact hook event to create a git checkpoint before
+# Claude Code compresses the conversation context. This ensures
+# uncommitted edits are preserved even if compaction loses track
+# of recent changes.
+#
+# Solves: Context compaction can cause Claude to lose awareness of
+#         recent file edits (#34674). A pre-compaction checkpoint
+#         makes recovery trivial: just run `git log --oneline -5`.
+#
+# TRIGGER: PreCompact (fires right before context compression)
+# MATCHER: No matcher support — always fires
+#
+# DECISION CONTROL: None (notification only)
+#
+# Compared to auto-compact-prep.sh (which uses tool call counting
+# on PreToolUse), this hook fires at the exact right moment —
+# when compaction actually happens, not on an estimated threshold.
+
+# Check if we're in a git repo
+git rev-parse --is-inside-work-tree &>/dev/null || exit 0
+
+# Check for uncommitted changes
+CHANGES=$(git status --porcelain 2>/dev/null | wc -l)
+[ "$CHANGES" -eq 0 ] && exit 0
+
+# Create checkpoint commit
+BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
+TIMESTAMP=$(date -u '+%Y%m%d-%H%M%S')
+
+git add -A 2>/dev/null
+git commit -m "checkpoint: pre-compact auto-save (${CHANGES} files, ${TIMESTAMP})" --no-verify 2>/dev/null
+
+echo "📸 Pre-compact checkpoint: ${CHANGES} file(s) saved on ${BRANCH}" >&2
+echo "  Recover with: git log --oneline -5" >&2
+
+exit 0

package/examples/sandbox-write-verify.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# sandbox-write-verify.sh — Verify file existence before overwrite in sandbox mode
+#
+# Solves: Sandbox half-broken — writes hit real filesystem (#40321).
+#         When sandbox reads are isolated but writes pass through,
+#         Claude overwrites real files it can't see, destroying projects.
+#
+# How it works: Before Edit/Write operations, checks if the target file
+#   exists on the REAL filesystem (not sandboxed). If Claude is about to
+#   overwrite an existing file and can't read it (sandbox read isolation),
+#   blocks the write.
+#
+# Also detects bulk writes (>10 files in quick succession) which is
+# a sign of runaway overwrite behavior.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Edit|Write"
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Track writes per session to detect bulk overwrite
+WRITE_LOG="/tmp/cc-sandbox-writes-${PPID}"
+echo "$(date +%s) $FILE" >> "$WRITE_LOG" 2>/dev/null
+
+# Check for bulk writes (>10 in last 60 seconds)
+if [ -f "$WRITE_LOG" ]; then
+    NOW=$(date +%s)
+    RECENT=$(awk -v now="$NOW" '$1 > now - 60 {count++} END {print count+0}' "$WRITE_LOG")
+    if [ "$RECENT" -gt 10 ]; then
+        echo "BLOCKED: Bulk write detected (${RECENT} files in 60s)" >&2
+        echo "  This may indicate a sandbox read/write mismatch." >&2
+        echo "  Verify sandbox state before continuing." >&2
+        exit 2
+    fi
+fi
+
+# Check if target file exists and is non-empty (potential overwrite)
+if [ -f "$FILE" ] && [ -s "$FILE" ]; then
+    # File exists. Check if it's in a project directory
+    DIR=$(dirname "$FILE")
+    # Count files in the same directory that were recently written
+    DIR_WRITES=$(grep -c "$DIR" "$WRITE_LOG" 2>/dev/null || echo 0)
+    if [ "$DIR_WRITES" -gt 5 ]; then
+        echo "WARNING: ${DIR_WRITES} writes to $(basename "$DIR")/ — verify sandbox state" >&2
+    fi
+fi
+
+exit 0

package/examples/session-resume-guard.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+# session-resume-guard.sh — Verify context is loaded after session resume
+#
+# Solves: Session resume loads zero conversation history (#40319).
+#         When --continue resumes a long session, cache_read_input_tokens
+#         can drop from 434k to 0, silently losing all context.
+#
+# How it works: On SessionStart, checks if this is a resumed session
+#   (via CC_RESUME or --continue flag indicators). If so, verifies that
+#   key context files exist and warns if they might be stale.
+#
+# Also saves a "session handoff" file on Stop, so the next session
+# can detect if context was properly transferred.
+#
+# TRIGGER: Notification (SessionStart)
+# MATCHER: "" (fires on all notifications, filters for SessionStart internally)
+
+INPUT=$(cat)
+EVENT=$(echo "$INPUT" | jq -r '.event // empty' 2>/dev/null)
+
+HANDOFF_DIR="${HOME}/.claude/handoff"
+mkdir -p "$HANDOFF_DIR"
+HANDOFF_FILE="${HANDOFF_DIR}/last-session.md"
+
+case "$EVENT" in
+    session_start|SessionStart)
+        # Check if this is a resume (handoff file exists and is recent)
+        if [ -f "$HANDOFF_FILE" ]; then
+            AGE_SECONDS=$(( $(date +%s) - $(stat -c %Y "$HANDOFF_FILE" 2>/dev/null || echo 0) ))
+
+            if [ "$AGE_SECONDS" -lt 3600 ]; then
+                echo "📋 Resuming from previous session (handoff ${AGE_SECONDS}s ago)" >&2
+                echo "  Last session state:" >&2
+                head -5 "$HANDOFF_FILE" >&2
+            else
+                AGE_HOURS=$((AGE_SECONDS / 3600))
+                echo "⚠ Previous session handoff is ${AGE_HOURS}h old" >&2
+                echo "  Context may be stale. Consider starting fresh." >&2
+            fi
+        fi
+
+        # Check for recovery snapshots (from compaction-transcript-guard)
+        RECOVERY_DIR="${HOME}/.claude/recovery"
+        if [ -d "$RECOVERY_DIR" ]; then
+            LATEST=$(ls -t "$RECOVERY_DIR"/pre-compact-*.md 2>/dev/null | head -1)
+            if [ -n "$LATEST" ]; then
+                AGE=$(( $(date +%s) - $(stat -c %Y "$LATEST" 2>/dev/null || echo 0) ))
+                if [ "$AGE" -lt 7200 ]; then
+                    echo "📸 Recent compaction recovery snapshot found ($(( AGE / 60 ))m ago)" >&2
+                    echo "  Path: $LATEST" >&2
+                fi
+            fi
+        fi
+        ;;
+
+    session_end|Stop)
+        # Save handoff for next session
+        cat > "$HANDOFF_FILE" << EOF
+# Session Handoff
+Timestamp: $(date -u '+%Y-%m-%dT%H:%M:%SZ')
+Working directory: $(pwd)
+Branch: $(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo 'N/A')
+Uncommitted: $(git status --porcelain 2>/dev/null | wc -l) files
+Last commit: $(git log --oneline -1 2>/dev/null || echo 'N/A')
+EOF
+        echo "📋 Session handoff saved for next resume" >&2
+        ;;
+esac
+
+exit 0

package/examples/subagent-scope-validator.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# subagent-scope-validator.sh — Validate subagent task scope before launch
+#
+# Solves: Main agent's subagent delegation produces poor scoping (#40339).
+#         Subagents are launched with vague prompts, missing context,
+#         and no result verification criteria.
+#
+# How it works: PreToolUse hook on "Agent" that checks the prompt
+#   for minimum scope requirements:
+#   1. Prompt must be longer than 50 characters (not just "do X")
+#   2. Must contain file paths or specific identifiers
+#   3. Warns if no success criteria are mentioned
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Agent"
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ "$TOOL" != "Agent" ] && exit 0
+
+PROMPT=$(echo "$INPUT" | jq -r '.tool_input.prompt // empty' 2>/dev/null)
+[ -z "$PROMPT" ] && exit 0
+
+PROMPT_LEN=${#PROMPT}
+WARNINGS=""
+
+# Check 1: Minimum prompt length
+if [ "$PROMPT_LEN" -lt 50 ]; then
+    WARNINGS="${WARNINGS}\n  - Prompt is only ${PROMPT_LEN} chars. Subagents need detailed context (50+ chars recommended)"
+fi
+
+# Check 2: Contains specific identifiers (files, functions, paths)
+if ! echo "$PROMPT" | grep -qE '/[a-zA-Z]|\.ts|\.py|\.js|\.md|\.json|\.sh|function |class |def |const |let |var '; then
+    WARNINGS="${WARNINGS}\n  - No file paths or code identifiers found. Subagent may lack context"
+fi
+
+# Check 3: Success criteria
+if ! echo "$PROMPT" | grep -qiE 'verify|confirm|test|check|ensure|must|should|expect|return|report'; then
+    WARNINGS="${WARNINGS}\n  - No success criteria detected. Consider adding verification steps"
+fi
+
+# Output warnings (don't block — just inform)
+if [ -n "$WARNINGS" ]; then
+    echo "⚠ Subagent scope review:" >&2
+    echo -e "$WARNINGS" >&2
+    echo "  Prompt preview: $(echo "$PROMPT" | head -c 100)..." >&2
+fi
+
+exit 0

package/examples/windows-path-guard.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+# windows-path-guard.sh — Prevent NTFS junction/symlink traversal destruction
+#
+# Solves: rm -rf following NTFS junctions to delete user directories (#36339).
+#         On Windows (WSL/Git Bash), `rm -rf` can traverse NTFS junctions
+#         and delete system directories like C:\Users.
+#
+# How it works: Before rm operations, checks if the target path is
+#   a symlink or junction that points outside the project directory.
+#   Blocks rm if it would traverse to a system-critical location.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check rm commands
+echo "$COMMAND" | grep -qE '^\s*rm\s|;\s*rm\s|&&\s*rm\s' || exit 0
+
+# Check the entire command for Windows system paths
+# This catches both direct paths and quoted paths with spaces
+WINDOWS_SYSTEM='/mnt/[a-z]/(Users|Windows|Program Files|Program)'
+if echo "$COMMAND" | grep -qiE "$WINDOWS_SYSTEM"; then
+    echo "BLOCKED: rm targets Windows system directory" >&2
+    echo "  Command contains a Windows system path reference." >&2
+    echo "  This could destroy system files via NTFS junction traversal." >&2
+    echo "  Reference: GitHub Issue #36339" >&2
+    exit 2
+fi
+
+# Check if any rm target is a symlink pointing to system directories
+for target in $(echo "$COMMAND" | grep -oE '/[^ ";\|&]+' | head -10); do
+    [ -L "$target" ] || [ -L "$(dirname "$target" 2>/dev/null)" ] || continue
+    LINK_TARGET=$(readlink -f "$target" 2>/dev/null)
+    [ -z "$LINK_TARGET" ] && continue
+    if echo "$LINK_TARGET" | grep -qiE "^/(mnt/[a-z]/(Users|Windows|Program)|home$|etc$|usr$|var$)"; then
+        echo "BLOCKED: rm would traverse symlink/junction to system directory" >&2
+        echo "  Target: $target → $LINK_TARGET" >&2
+        exit 2
+    fi
+done
+
+exit 0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.30",
-  "description": "One command to make Claude Code safe. 516 example hooks + 8 built-in. 56 CLI commands. 7582 tests. Works with Auto Mode.",
+  "version": "29.6.32",
+  "description": "One command to make Claude Code safe. 539 example hooks + 8 built-in. 56 CLI commands. 7789 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"

package/test.sh.tmp

@@ -0,0 +1,12 @@
+echo "path-deny-bash-guard.sh:"
+test_ex path-deny-bash-guard.sh '{"tool_input":{"command":"cat /etc/passwd"}}' 0 "path-deny: no deny config"
+test_ex path-deny-bash-guard.sh '{}' 0 "path-deny: empty input"
+export CC_DENIED_PATHS="/secret/data:/private/keys"
+test_ex path-deny-bash-guard.sh '{"tool_input":{"command":"cat /secret/data/file.txt"}}' 2 "path-deny: cat denied path BLOCKED"
+test_ex path-deny-bash-guard.sh '{"tool_input":{"command":"grep pattern /secret/data/"}}' 2 "path-deny: grep denied path BLOCKED"
+test_ex path-deny-bash-guard.sh '{"tool_input":{"command":"head /private/keys/id_rsa"}}' 2 "path-deny: head denied path BLOCKED"
+test_ex path-deny-bash-guard.sh '{"tool_input":{"command":"ls /home/user/projects"}}' 0 "path-deny: safe path allowed"
+test_ex path-deny-bash-guard.sh '{"tool_input":{"command":"echo hello"}}' 0 "path-deny: no path in command"
+test_ex path-deny-bash-guard.sh '{"tool_input":{"command":"cat /secret/data/../../../etc/passwd"}}' 2 "path-deny: traversal still matches denied prefix"
+unset CC_DENIED_PATHS
+echo ""