cc-safe-setup 29.6.32 → 29.6.33

package/COOKBOOK.md

@@ -236,6 +236,76 @@ npx cc-safe-setup --install-example push-requires-test-pass-record
 
 Two-hook system: the PostToolUse `record` hook detects successful test runs (`npm test`, `pytest`, `cargo test`, etc.) and saves a timestamp. The PreToolUse hook blocks push to main/master/production if no recent test pass exists (30-minute window). See [#36673](https://github.com/anthropics/claude-code/issues/36673).
 
+## Recipe: Protect CI/CD Pipelines
+
+```bash
+npx cc-safe-setup --install-example github-actions-secret-guard
+npx cc-safe-setup --install-example ci-workflow-guard
+npx cc-safe-setup --install-example gitops-drift-guard
+```
+
+Three-hook system: `github-actions-secret-guard` (PostToolUse) detects hardcoded secrets in workflow files. `ci-workflow-guard` (PostToolUse) flags `--no-verify`, remote script execution, and broad write permissions. `gitops-drift-guard` (PreToolUse) warns when editing infrastructure files on protected branches.
+
+## Recipe: Kubernetes Production Safety
+
+```bash
+npx cc-safe-setup --install-example k8s-production-guard
+# Set production contexts/namespaces:
+export CC_K8S_PROD_CONTEXTS="prod:production"
+export CC_K8S_PROD_NAMESPACES="production:prod"
+```
+
+Blocks `kubectl delete`, `scale --replicas=0`, `drain`, and `helm uninstall` on production namespaces/contexts. Safe operations (get, logs, describe) are always allowed.
+
+## Recipe: MCP Server Allowlist
+
+```bash
+npx cc-safe-setup --install-example mcp-server-allowlist
+npx cc-safe-setup --install-example mcp-tool-audit-log
+export CC_MCP_ALLOWED="github:filesystem:memory"
+```
+
+Only allows MCP tool calls from whitelisted servers. Blocks calls from unknown/synced servers that may cause OOM crashes ([#20412](https://github.com/anthropics/claude-code/issues/20412)). The audit log records all MCP tool calls for security review (OWASP MCP09 compliance).
+
+## Recipe: Role-Based Agent Teams
+
+```bash
+npx cc-safe-setup --install-example role-tool-guard
+echo "pm" > .claude/current-role.txt
+```
+
+Restricts tools based on agent role. PM can only read and delegate (no Edit/Write/Bash). Architect can design but not execute. Reviewer is read-only. Developer has full access. Switch roles: `echo "developer" > .claude/current-role.txt`. See [#40425](https://github.com/anthropics/claude-code/issues/40425).
+
+## Recipe: Fix git show --no-stat Bug
+
+Claude Code frequently runs `git show <ref> --no-stat`, which fails because `--no-stat` is not a valid git-show flag. This wastes context on error output. The hook silently rewrites the command.
+
+```bash
+npx cc-safe-setup --install-example git-show-flag-sanitizer
+```
+
+Install in `.claude/settings.json` as a PreToolUse hook with matcher `Bash`. The hook detects `git show` + `--no-stat`, strips the invalid flag, and returns the corrected command via `updatedInput`. See [#13071](https://github.com/anthropics/claude-code/issues/13071).
+
+## Recipe: Disable Auto-Compaction
+
+Power users who manage context manually can block auto-compaction entirely:
+
+```bash
+npx cc-safe-setup --install-example compact-blocker
+```
+
+Install as a PreCompact hook (no matcher needed). Exit code 2 blocks compaction. For conditional control, add a guard: `[ -f /tmp/allow-compact ] && exit 0`. See [#6689](https://github.com/anthropics/claude-code/issues/6689).
+
+## Recipe: WebFetch Domain Allowlist
+
+`WebFetch(domain:*)` in settings.json fails in sandbox mode. This hook auto-approves WebFetch requests by domain:
+
+```bash
+npx cc-safe-setup --install-example webfetch-domain-allow
+```
+
+Install as a PreToolUse hook with matcher `WebFetch`. By default allows all domains. Set `CC_WEBFETCH_ALLOW_DOMAINS=github.com,docs.anthropic.com` for specific domains. See [#9329](https://github.com/anthropics/claude-code/issues/9329).
+
 ## Further Reading
 
 - [Getting Started](https://yurukusa.github.io/cc-safe-setup/getting-started.html)

package/README.md

@@ -4,7 +4,7 @@
 [![npm downloads](https://img.shields.io/npm/dw/cc-safe-setup)](https://www.npmjs.com/package/cc-safe-setup)
 [![tests](https://github.com/yurukusa/cc-safe-setup/actions/workflows/test.yml/badge.svg)](https://github.com/yurukusa/cc-safe-setup/actions/workflows/test.yml)
 
-**One command to make Claude Code safe for autonomous operation.** 517 example hooks · 7,591 tests · 1,000+ installs/day · [日本語](docs/README.ja.md)
+**One command to make Claude Code safe for autonomous operation.** 611 example hooks · 10,411 tests · 1,000+ installs/day · [日本語](docs/README.ja.md)
 
 ```bash
 npx cc-safe-setup
@@ -91,6 +91,9 @@ Override Claude Code's built-in confirmation prompts. These run **after** the bu
 | `edit-always-allow` | Edit prompts in `.claude/skills/` despite `bypassPermissions` | [#36192](https://github.com/anthropics/claude-code/issues/36192) |
 | `allow-git-hooks-dir` | Edit prompts in `.git/hooks/` for pre-commit/pre-push setup | |
 | `allow-protected-dirs` | All protected directory prompts (CI/Docker environments) | [#36168](https://github.com/anthropics/claude-code/issues/36168) |
+| `git-show-flag-sanitizer` | Strips invalid `--no-stat` from `git show` (wastes context on error) | [#13071](https://github.com/anthropics/claude-code/issues/13071) |
+| `compact-blocker` | Blocks auto-compaction via PreCompact (preserves full context) | [#6689](https://github.com/anthropics/claude-code/issues/6689) |
+| `webfetch-domain-allow` | Auto-approves WebFetch by domain (fixes broken `domain:*` wildcard) | [#9329](https://github.com/anthropics/claude-code/issues/9329) |
 
 Install any of these: `npx cc-safe-setup --install-example <name>`
 
@@ -117,7 +120,7 @@ Install any of these: `npx cc-safe-setup --install-example <name>`
 | `--scan [--apply]` | Tech stack detection |
 | `--export / --import` | Team config sharing |
 | `--verify` | Test each hook |
-| `--install-example <name>` | Install from 517 examples |
+| `--install-example <name>` | Install from 564 examples |
 | `--examples [filter]` | Browse examples by keyword |
 | `--full` | All-in-one setup |
 | `--status` | Check installed hooks |
@@ -404,6 +407,7 @@ See [Issue #1](https://github.com/yurukusa/cc-safe-setup/issues/1) for details.
 - [Cookbook](COOKBOOK.md) — 26 practical recipes (block, approve, protect, monitor, diagnose)
 - [Official Hooks Reference](https://code.claude.com/docs/en/hooks) — Claude Code hooks documentation
 - [Hooks Cookbook](https://github.com/yurukusa/claude-code-hooks/blob/main/COOKBOOK.md) — 25 recipes from real GitHub Issues ([interactive version](https://yurukusa.github.io/claude-code-hooks/))
+- [Skills Guide deep-dive (Qiita, 19K+ views)](https://qiita.com/yurukusa/items/f69920b4a02cf7e2988c) — Anthropic's official Skills PDF analyzed with 40% token reduction
 - [Japanese guide (Qiita)](https://qiita.com/yurukusa/items/a9714b33f5d974e8f1e8) — この記事の日本語解説
 - [v2.1.85 `if` field guide (Qiita)](https://qiita.com/yurukusa/items/7079866e9dc239fcdd57) — Reduce hook overhead with conditional execution
 - [Hook Test Runner](https://github.com/yurukusa/cc-hook-test) — `npx cc-hook-test <hook.sh>` to auto-test any hook

package/examples/absolute-rule-enforcer.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# absolute-rule-enforcer.sh — Enforce CLAUDE.md "ABSOLUTE RULE" markers
+#
+# Solves: ABSOLUTE RULEs in CLAUDE.md treated as advisory (#40284).
+#         Even rules marked with strong language get ignored under
+#         context pressure. This hook extracts and enforces them.
+#
+# How it works: Stop hook that parses CLAUDE.md for "ABSOLUTE RULE"
+#   or "MUST NEVER" markers, extracts the constraint keywords,
+#   and checks if the session violated them.
+#
+# TRIGGER: Stop
+# MATCHER: ""
+
+set -euo pipefail
+
+# Find CLAUDE.md
+CLAUDEMD=""
+for candidate in "CLAUDE.md" "../CLAUDE.md" "../../CLAUDE.md"; do
+  if [ -f "$candidate" ]; then
+    CLAUDEMD="$candidate"
+    break
+  fi
+done
+
+[ -z "$CLAUDEMD" ] && exit 0
+
+# Extract absolute rules (lines containing ABSOLUTE, MUST NEVER, NEVER, 絶対)
+RULES=$(grep -iE '(ABSOLUTE|MUST NEVER|NEVER|絶対|禁止)' "$CLAUDEMD" 2>/dev/null | head -10 || true)
+
+if [ -z "$RULES" ]; then
+  exit 0
+fi
+
+# Log that absolute rules exist (reminder to model via stderr)
+echo "REMINDER: This project has absolute rules in CLAUDE.md:" >&2
+echo "$RULES" | head -5 | while IFS= read -r rule; do
+  echo "  $rule" >&2
+done
+echo "Verify your changes comply before finalizing." >&2
+
+exit 0

package/examples/allow-claude-settings.sh

@@ -13,6 +13,8 @@
 # WARNING: Only use in environments where you trust Claude's edits
 # to your configuration. In shared or production environments,
 # keep the default prompts.
+#
+# TRIGGER: PermissionRequest  MATCHER: ""
 
 INPUT=$(cat)
 FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)

package/examples/allow-git-hooks-dir.sh

@@ -9,6 +9,8 @@
 #
 # WARNING: Only allow specific subdirectories you trust.
 # Never blanket-allow all of .git/ — that exposes HEAD, config, etc.
+#
+# TRIGGER: PermissionRequest  MATCHER: ""
 
 INPUT=$(cat)
 FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)

package/examples/allow-protected-dirs.sh

@@ -13,6 +13,8 @@
 # It bypasses ALL built-in file protection. Do NOT use in shared or
 # production environments. Prefer allow-git-hooks-dir.sh or
 # allow-claude-settings.sh for targeted bypass.
+#
+# TRIGGER: PermissionRequest  MATCHER: ""
 
 INPUT=$(cat)
 FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)

package/examples/allowlist.sh

@@ -21,6 +21,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PermissionRequest  MATCHER: ""
 
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)

package/examples/ansible-vault-guard.sh

@@ -1,3 +1,5 @@
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 [[ -z "$COMMAND" ]] && exit 0

package/examples/auto-approve-build.sh

@@ -14,6 +14,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)

package/examples/auto-approve-compound-git.sh

@@ -14,6 +14,8 @@
 #
 # See: https://github.com/anthropics/claude-code/issues/30519
 # See: https://github.com/anthropics/claude-code/issues/16561
+#
+# TRIGGER: PermissionRequest  MATCHER: ""
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/auto-approve-docker.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 [ "$TOOL" != "Bash" ] && exit 0

package/examples/auto-approve-git-read.sh

@@ -8,6 +8,8 @@
 # GitHub Issues: #36900, #32985
 #
 # Usage: Add to settings.json as a PreToolUse hook on "Bash"
+#
+# TRIGGER: PermissionRequest  MATCHER: ""
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/auto-approve-python.sh

@@ -14,6 +14,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PermissionRequest  MATCHER: ""
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/auto-approve-readonly-tools.sh

@@ -1,3 +1,5 @@
+#
+# TRIGGER: PermissionRequest  MATCHER: ""
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 case "$TOOL" in

package/examples/auto-approve-ssh.sh

@@ -8,6 +8,8 @@
 #
 # Usage: Add to settings.json as a PreToolUse hook on "Bash"
 # Customize SAFE_COMMANDS for your use case.
+#
+# TRIGGER: PermissionRequest  MATCHER: ""
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/auto-approve-test.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 if echo "$COMMAND" | grep -qE '^\s*(npm\s+test|npm\s+run\s+test|npx\s+(jest|vitest|mocha|ava|tap|playwright\s+test|cypress\s+run)|yarn\s+test|pnpm\s+test|bun\s+test)\b'; then

package/examples/auto-checkpoint.sh

@@ -17,6 +17,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)

package/examples/auto-git-checkpoint.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)

package/examples/auto-mode-safe-commands.sh

@@ -20,6 +20,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PermissionRequest  MATCHER: ""
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/auto-snapshot.sh

@@ -21,6 +21,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)

package/examples/backup-before-refactor.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)

package/examples/banned-command-guard.sh

@@ -13,13 +13,13 @@
 # Default banned commands (configurable via CC_BANNED_COMMANDS):
 #   sed -i (in-place file editing — use Edit tool instead)
 #   awk -i inplace (same reason)
-#   perl -pi -e (same reason)
+#   perl -i / perl -pi (same reason — covers -i -pe, -pi -e, etc.)
 #
 # TRIGGER: PreToolUse  MATCHER: "Bash"
 #
 # Configuration:
 #   CC_BANNED_COMMANDS — colon-separated list of regex patterns to block
-#   Default: "sed -i:awk -i inplace:perl -pi"
+#   Default: "sed -i:awk -i inplace:perl -pi:perl .*-i"
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
@@ -27,7 +27,7 @@ COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 
 # Configurable banned patterns (colon-separated)
-BANNED="${CC_BANNED_COMMANDS:-sed\s+-i:awk\s+-i\s+inplace:perl\s+-pi}"
+BANNED="${CC_BANNED_COMMANDS:-sed\s+-i:awk\s+-i\s+inplace:perl\s+-pi:perl\s+.*-i}"
 
 # Check each banned pattern
 IFS=':' read -ra PATTERNS <<< "$BANNED"

package/examples/bash-domain-allowlist.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+# bash-domain-allowlist.sh — Block curl/wget to unauthorized domains
+#
+# Solves: Sandbox allowedDomains not enforced for plain HTTP requests,
+#         allowing data exfiltration via curl/wget (#40213).
+#         Also provides defense-in-depth when sandbox is not available.
+#
+# How it works: PreToolUse hook on Bash that extracts target domains from
+#   curl/wget commands and blocks requests to domains not in the allowlist.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/bash-domain-allowlist.sh" }]
+#     }]
+#   }
+# }
+#
+# Configuration: Set CC_ALLOWED_DOMAINS env var (comma-separated)
+#   or edit the ALLOWED_DOMAINS array below.
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+# Only check commands that make HTTP requests
+echo "$CMD" | grep -qE '\b(curl|wget|http|fetch)\b' || exit 0
+
+# ========================================
+# DOMAIN ALLOWLIST — edit to your needs
+# ========================================
+if [ -n "$CC_ALLOWED_DOMAINS" ]; then
+    IFS=',' read -ra ALLOWED_DOMAINS <<< "$CC_ALLOWED_DOMAINS"
+else
+    ALLOWED_DOMAINS=(
+        "github.com"
+        "api.github.com"
+        "raw.githubusercontent.com"
+        "registry.npmjs.org"
+        "pypi.org"
+        "*.amazonaws.com"
+        "localhost"
+        "127.0.0.1"
+    )
+fi
+
+# Extract target domains from URLs in the command
+DOMAINS=$(echo "$CMD" | grep -oE 'https?://[^/"'"'"'"'"'"' ]+' | sed -E 's|^https?://||;s|/.*||;s|:.*||' | sort -u)
+[ -z "$DOMAINS" ] && exit 0
+
+for domain in $DOMAINS; do
+    allowed=false
+    for pattern in "${ALLOWED_DOMAINS[@]}"; do
+        # Convert glob to regex (*.example.com -> .*\.example\.com)
+        regex=$(echo "$pattern" | sed 's/\./\\./g; s/\*/.*/g')
+        if echo "$domain" | grep -qE "^${regex}$"; then
+            allowed=true
+            break
+        fi
+    done
+    if [ "$allowed" = false ]; then
+        echo "BLOCKED: HTTP request to unauthorized domain: $domain" >&2
+        echo "Allowed: ${ALLOWED_DOMAINS[*]}" >&2
+        exit 2
+    fi
+done
+exit 0

package/examples/bash-safety-auto-deny.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+# bash-safety-auto-deny.sh — Auto-deny commands that trigger safety prompts
+#
+# Solves: Users want "auto-deny" instead of "prompt" for risky commands (#28993).
+#         Currently Claude's safety heuristic prompts the user. This hook
+#         blocks the command outright, forcing Claude to reformulate.
+#
+# How it works: PreToolUse hook on Bash that detects patterns the built-in
+#   safety system would flag, and blocks them with exit 2 instead of
+#   prompting. Claude learns to use safer alternatives.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Patterns that trigger built-in safety prompts
+# 1. Pipe to bash/sh (command injection risk)
+if echo "$COMMAND" | grep -qE '\|\s*(bash|sh|zsh)\b'; then
+  echo "BLOCKED: Piping to shell interpreter detected." >&2
+  echo "Reformulate without piping to bash/sh." >&2
+  exit 2
+fi
+
+# 2. curl/wget piped to execution
+if echo "$COMMAND" | grep -qE '(curl|wget)\s.*\|\s*(bash|sh|python|node|perl)'; then
+  echo "BLOCKED: Remote code execution pattern detected." >&2
+  echo "Download the file first, review it, then execute separately." >&2
+  exit 2
+fi
+
+# 3. eval with variable expansion
+if echo "$COMMAND" | grep -qE '\beval\s'; then
+  echo "BLOCKED: eval detected. Use direct commands instead." >&2
+  exit 2
+fi
+
+# 4. Nested command substitution in dangerous positions
+if echo "$COMMAND" | grep -qE '(rm|mv|cp|chmod|chown)\s.*\$\('; then
+  echo "BLOCKED: Command substitution in destructive command." >&2
+  echo "Expand the subcommand first, verify the result, then run." >&2
+  exit 2
+fi
+
+# 5. Globbed rm (rm *.* or rm -rf *)
+if echo "$COMMAND" | grep -qE 'rm\s+.*\*'; then
+  echo "BLOCKED: Wildcard deletion detected." >&2
+  echo "List the files first (ls), verify, then delete specific files." >&2
+  exit 2
+fi
+
+exit 0

package/examples/bash-secret-output-detector.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+# bash-secret-output-detector.sh — Warn when Bash output contains secrets
+#
+# Solves: Bash command output containing API keys, tokens, or credentials
+#         enters the LLM context window and gets sent to the API provider
+#         (#39882). PostToolUse hook that scans stdout for secret patterns.
+#
+# How it works: PostToolUse hook on Bash that checks command stdout for
+#   patterns matching API keys, tokens, passwords, and connection strings.
+#   Emits a systemMessage warning the model to ignore/not repeat secrets.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/bash-secret-output-detector.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+STDOUT=$(echo "$INPUT" | jq -r '.tool_result.stdout // empty' 2>/dev/null)
+
+[ -z "$STDOUT" ] && exit 0
+
+# Secret patterns (high-confidence, low false-positive)
+FOUND=""
+
+# AWS keys
+if echo "$STDOUT" | grep -qE 'AKIA[0-9A-Z]{16}'; then
+    FOUND="${FOUND}AWS access key, "
+fi
+
+# Generic API keys/tokens (long hex/base64 strings after key= or token=)
+if echo "$STDOUT" | grep -qiE '(api[_-]?key|api[_-]?secret|auth[_-]?token|access[_-]?token|secret[_-]?key)\s*[:=]\s*\S{20,}'; then
+    FOUND="${FOUND}API key/token, "
+fi
+
+# Connection strings with passwords
+if echo "$STDOUT" | grep -qiE '(mysql|postgres|mongodb|redis)://[^:]+:[^@]+@'; then
+    FOUND="${FOUND}database connection string, "
+fi
+
+# Private keys
+if echo "$STDOUT" | grep -qE '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'; then
+    FOUND="${FOUND}private key, "
+fi
+
+# JWT tokens
+if echo "$STDOUT" | grep -qE 'eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]+'; then
+    FOUND="${FOUND}JWT token, "
+fi
+
+# GitHub/GitLab tokens
+if echo "$STDOUT" | grep -qE '(ghp|gho|ghs|ghr|glpat)_[A-Za-z0-9]{30,}'; then
+    FOUND="${FOUND}GitHub/GitLab token, "
+fi
+
+if [ -n "$FOUND" ]; then
+    FOUND="${FOUND%, }"
+    echo "{\"systemMessage\":\"⚠ SECRET DETECTED in command output: ${FOUND}. Do NOT repeat, log, or include these values in any output. They are now in context but should be treated as redacted.\"}"
+fi
+
+exit 0

package/examples/bash-timeout-guard.sh

@@ -22,6 +22,8 @@
 #   }
 # }
 # ================================================================
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/bashrc-safety-check.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# bashrc-safety-check.sh — Warn about .bashrc lines that hang in non-interactive shells
+#
+# Solves: Agent-spawned bash shells source user .bashrc/.bash_profile,
+#         causing hangs or process cascades when completion scripts or
+#         slow init commands run in non-interactive shells (#40354).
+#
+# How it works: SessionStart hook scans .bashrc for known-dangerous patterns
+#   (completion scripts, nvm, conda, pyenv) and warns the user to add an
+#   interactive-shell guard.
+#
+# TRIGGER: SessionStart
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "SessionStart": [{
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/bashrc-safety-check.sh" }]
+#     }]
+#   }
+# }
+
+BASHRC="$HOME/.bashrc"
+[ ! -f "$BASHRC" ] && exit 0
+
+# Check if .bashrc already has a non-interactive guard at the top
+if head -10 "$BASHRC" | grep -qE 'case \$- in|\[\[ \$- ==.*i'; then
+    # Already guarded — skip check
+    exit 0
+fi
+
+# Patterns known to hang/crash in non-interactive agent shells
+DANGEROUS_PATTERNS=(
+    'source.*<.*completion'     # Angular CLI, kubectl, etc.
+    'eval.*\$.*completion'      # Completion eval patterns
+    'nvm\.sh'                   # nvm can be slow on init
+    'conda.*activate'           # conda activation in non-interactive
+    'pyenv.*init'               # pyenv init sometimes hangs
+    'rbenv.*init'               # rbenv init
+    'rvm.*scripts'              # rvm scripts
+)
+
+WARNINGS=""
+for pattern in "${DANGEROUS_PATTERNS[@]}"; do
+    MATCH=$(grep -n "$pattern" "$BASHRC" 2>/dev/null | head -3)
+    if [ -n "$MATCH" ]; then
+        WARNINGS="${WARNINGS}\n  Line: $MATCH"
+    fi
+done
+
+if [ -n "$WARNINGS" ]; then
+    echo "⚠ WARNING: .bashrc contains commands that may hang in agent subshells:" >&2
+    echo -e "$WARNINGS" >&2
+    echo "" >&2
+    echo "Add this as the FIRST line of .bashrc to fix:" >&2
+    echo '  case $- in *i*) ;; *) return;; esac' >&2
+fi
+exit 0