cc-safe-setup 29.6.32 → 29.6.33

package/examples/no-side-effects-in-render.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "NOTE: Warn on side effects in render" >&2

package/examples/no-sleep-in-hooks.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 [ -z "$FILE" ] && exit 0

package/examples/no-star-import-python.sh

@@ -1,3 +1,5 @@
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 INPUT=$(cat)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 [[ -z "$FILE" ]] && exit 0

package/examples/no-string-concat-sql.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qiE "\"SELECT.*\+|'SELECT.*\+" && echo "WARNING: String concatenation in SQL — use parameterized queries" >&2

package/examples/no-sudo-guard.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 if echo "$COMMAND" | grep -qE '^\s*sudo\s'; then

package/examples/no-sync-external-call.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "NOTE: Warn on sync external API calls" >&2

package/examples/no-sync-fs.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "readFileSync|writeFileSync|mkdirSync|existsSync" && echo "NOTE: Sync fs in hot path — consider async" >&2

package/examples/no-table-layout.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "NOTE: Warn on table for layout" >&2

package/examples/no-throw-string.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "NOTE: Warn on throwing strings" >&2

package/examples/no-todo-in-merge.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 COMMAND=$(cat | jq -r ".tool_input.command // empty" 2>/dev/null); echo "$COMMAND" | grep -qE "git\s+merge" && git diff --cached 2>/dev/null | grep -q "TODO" && echo "WARNING: TODO markers in merge target" >&2

package/examples/no-todo-in-production.sh

@@ -1,3 +1,5 @@
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 [[ -z "$FILE" ]] && exit 0

package/examples/no-todo-without-issue.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "TODO[^(]|FIXME[^(]" && ! echo "$CONTENT" | grep -qE "TODO\(#|FIXME\(#" && echo "NOTE: TODO without issue reference" >&2

package/examples/no-triple-slash-ref.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "NOTE: Warn on TS triple-slash references" >&2

package/examples/no-unreachable-code.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "NOTE: Warn on code after return" >&2

package/examples/no-unused-import.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "^import.*from" && echo "$CONTENT" | grep -cE "^import" | xargs -I{} test {} -gt 10 && echo "NOTE: Many imports — check for unused ones" >&2

package/examples/no-unused-state.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "NOTE: Warn on unused state in components" >&2

package/examples/no-var-keyword.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "^\s*var\s" && echo "NOTE: var keyword — use const/let" >&2

package/examples/no-wildcard-cors.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "Access-Control.*\*" && echo "WARNING: Wildcard CORS origin" >&2

package/examples/no-wildcard-import.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)

package/examples/no-window-location.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "NOTE: Warn on window.location assignment" >&2

package/examples/no-with-statement.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "\bwith\s*\(" && echo "WARNING: with statement is deprecated" >&2

package/examples/no-write-outside-src.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 [ -z "$FILE" ] && exit 0
 case "$FILE" in

package/examples/no-xml-external-entity.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0
 echo "$CONTENT" | grep -qE "parseXML|xml2js|DOMParser|libxml" && echo "$CONTENT" | grep -q "ENTITY" && echo "WARNING: Possible XXE in XML parsing" >&2

package/examples/notify-waiting.sh

@@ -17,6 +17,8 @@
 # }
 
 # Linux (notify-send) — skip on WSL2 where D-Bus may not be running
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 if command -v notify-send &>/dev/null && [ -z "$WSL_DISTRO_NAME" ]; then
     notify-send "Claude Code" "Waiting for your input" --urgency=normal 2>/dev/null && exit 0
 fi

package/examples/npm-audit-warn.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 echo "$COMMAND" | grep -qE "^\s*npm\s+install" && echo "NOTE: Run npm audit after install" >&2

package/examples/npm-publish-guard.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 if echo "$COMMAND" | grep -qE '^\s*(npm\s+publish|npx\s+npm\s+publish)' && ! echo "$COMMAND" | grep -qE '\-\-dry-run'; then

package/examples/npm-script-injection.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 CONTENT=$(cat | jq -r '.tool_input.new_string // empty' 2>/dev/null)
 FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0

package/examples/npm-supply-chain-guard.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+# npm-supply-chain-guard.sh — Detect npm supply chain attack patterns
+#
+# Solves: npm install can execute arbitrary code via postinstall scripts.
+#         Claude Code may install malicious packages via typosquatting,
+#         dependency confusion, or compromised packages (#39421).
+#
+# How it works: PreToolUse hook on Bash that detects npm/yarn/pnpm
+#   install commands and checks for:
+#   1. Typosquatting patterns (similar to popular packages)
+#   2. Scoped packages from unknown registries
+#   3. Packages with suspicious install scripts
+#   4. Version pinning warnings
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/npm-supply-chain-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+# Only check npm/yarn/pnpm install commands
+echo "$CMD" | grep -qE '\b(npm|yarn|pnpm)\s+(install|add|i)\b' || exit 0
+
+# Extract package names from command
+PACKAGES=$(echo "$CMD" | grep -oE '\b(npm|yarn|pnpm)\s+(install|add|i)\s+(.+)' | sed -E 's/^(npm|yarn|pnpm)\s+(install|add|i)\s+//' | tr ' ' '\n' | grep -v '^-')
+
+WARNINGS=""
+
+for pkg in $PACKAGES; do
+    # Skip flags
+    [[ "$pkg" == -* ]] && continue
+
+    # Check for known typosquatting patterns
+    # Common targets: lodash, express, react, axios, webpack, babel
+    POPULAR=("lodash" "express" "react" "axios" "webpack" "babel" "moment" "chalk" "commander" "inquirer")
+    for popular in "${POPULAR[@]}"; do
+        # Skip exact matches
+        [ "$pkg" = "$popular" ] && continue
+        # Check Levenshtein-like similarity (simple: 1 char difference)
+        if [ "${#pkg}" -ge 3 ] && [ "${#pkg}" -le $((${#popular} + 2)) ]; then
+            # Check if package name is very similar to a popular one
+            diff_count=$(python3 -c "
+import sys
+a, b = '$pkg', '$popular'
+if abs(len(a)-len(b)) <= 2:
+    # Simple edit distance check
+    d = sum(1 for x,y in zip(a,b) if x!=y) + abs(len(a)-len(b))
+    print(d)
+else:
+    print(99)
+" 2>/dev/null)
+            if [ -n "$diff_count" ] && [ "$diff_count" -le 2 ] && [ "$diff_count" -gt 0 ]; then
+                WARNINGS="${WARNINGS}\n  ⚠ '$pkg' looks similar to popular package '$popular' (possible typosquatting)"
+            fi
+        fi
+    done
+
+    # Check for internal/private scope packages being installed from public registry
+    if echo "$pkg" | grep -qE '^@[a-z]+-internal/|^@private-'; then
+        WARNINGS="${WARNINGS}\n  ⚠ '$pkg' looks like an internal scoped package — verify it exists on the intended registry"
+    fi
+done
+
+# Check for --ignore-scripts bypass
+if echo "$CMD" | grep -q '\-\-ignore-scripts'; then
+    # This is actually a safety measure, no warning needed
+    :
+fi
+
+# Warn about not using --ignore-scripts
+if [ -n "$PACKAGES" ] && ! echo "$CMD" | grep -qE '\-\-ignore-scripts|\-\-production'; then
+    WARNINGS="${WARNINGS}\n  ℹ Consider using --ignore-scripts to prevent postinstall script execution"
+fi
+
+if [ -n "$WARNINGS" ]; then
+    echo "⚠ npm supply chain check:" >&2
+    echo -e "$WARNINGS" >&2
+    # Warn but don't block — exit 0
+fi
+
+exit 0

package/examples/nuxt-config-guard.sh

@@ -1,3 +1,5 @@
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 INPUT=$(cat)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 [[ -z "$FILE" ]] && exit 0

package/examples/output-secret-mask.sh

@@ -22,6 +22,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PostToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 OUTPUT=$(echo "$INPUT" | jq -r '.tool_result.stdout // empty' 2>/dev/null)

package/examples/package-json-guard.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 if echo "$COMMAND" | grep -qE '\brm\b.*package\.json'; then

package/examples/parallel-session-guard.sh

@@ -21,6 +21,8 @@
 #   }
 # }
 # ================================================================
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)

package/examples/path-traversal-guard.sh

@@ -15,6 +15,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)

package/examples/permission-audit-log.sh

@@ -25,6 +25,8 @@
 #   cat ~/.claude/tool-usage.jsonl | jq -s 'group_by(.tool) | map({tool: .[0].tool, count: length}) | sort_by(-.count)'
 #   # Top commands:
 #   cat ~/.claude/tool-usage.jsonl | jq -s '[.[] | select(.tool=="Bash")] | group_by(.command | split(" ")[0]) | map({cmd: .[0].command | split(" ")[0], count: length}) | sort_by(-.count) | .[:20]'
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)

package/examples/permission-entry-validator.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# permission-entry-validator.sh — Clean broken permission entries from settings
+#
+# Solves: Shell redirect targets saved as standalone permissions (#40382).
+#         Commands like `az ... > "filepath"` cause Claude Code to save
+#         `Bash("D:/path/file.json")` which is a bare filepath, not a command.
+#
+# How it works: Stop hook that reads settings.local.json and removes
+#   permission entries that are bare file paths (not valid command patterns).
+#   Identifies entries matching path patterns without a command prefix.
+#
+# TRIGGER: Stop
+# MATCHER: ""
+
+set -euo pipefail
+
+SETTINGS_FILE=".claude/settings.local.json"
+[ -f "$SETTINGS_FILE" ] || exit 0
+
+# Check for broken entries (bare file paths as Bash permissions)
+BROKEN=$(jq -r '
+  .permissions.allow // [] | .[] |
+  select(
+    startswith("Bash(\"") and
+    (
+      # Windows paths
+      test("^Bash\\(\"[A-Z]:/") or
+      # Unix absolute paths without command
+      test("^Bash\\(\"/[^\"]*\"\\)$")
+    ) and
+    # Must NOT contain a space (command + args have spaces)
+    (test("^Bash\\(\"[^\" ]*\"\\)$"))
+  )
+' "$SETTINGS_FILE" 2>/dev/null || true)
+
+if [ -n "$BROKEN" ]; then
+    COUNT=$(echo "$BROKEN" | wc -l)
+    echo "WARNING: Found $COUNT broken permission entries (bare file paths):" >&2
+    echo "$BROKEN" | head -5 | while IFS= read -r entry; do
+        echo "  $entry" >&2
+    done
+    echo "" >&2
+    echo "These entries were likely created by 'Always allow' on commands with" >&2
+    echo "shell redirects (> filepath). They don't match any command pattern." >&2
+    echo "Consider removing them from $SETTINGS_FILE" >&2
+fi
+
+exit 0

package/examples/php-lint-on-edit.sh

@@ -16,6 +16,8 @@
 #   }
 # }
 # ================================================================
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)

package/examples/pip-publish-guard.sh

@@ -1,3 +1,5 @@
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 [[ -z "$COMMAND" ]] && exit 0

package/examples/plain-language-danger-warn.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# plain-language-danger-warn.sh — Add plain-language warnings to dangerous commands
+#
+# Solves: Users not understanding technical risk of commands (#30505).
+#         "git reset --hard" doesn't convey "this deletes all your unsaved work."
+#
+# How it works: PreToolUse hook on Bash that detects dangerous commands
+#   and injects plain-language explanations into stderr context.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Map dangerous commands to plain-language warnings
+if echo "$COMMAND" | grep -qE 'git\s+reset\s+--hard'; then
+  echo "WARNING: This will DELETE all unsaved changes in your working directory." >&2
+  echo "Any uncommitted work will be permanently lost." >&2
+elif echo "$COMMAND" | grep -qE 'git\s+clean\s+-[fd]'; then
+  echo "WARNING: This will DELETE all untracked files (files not in git)." >&2
+elif echo "$COMMAND" | grep -qE 'git\s+push\s+.*--force'; then
+  echo "WARNING: This will OVERWRITE the remote branch history." >&2
+  echo "Other people's commits may be permanently lost." >&2
+elif echo "$COMMAND" | grep -qE 'rm\s+-rf\s+/'; then
+  echo "WARNING: This will DELETE everything on the system. Unrecoverable." >&2
+elif echo "$COMMAND" | grep -qE 'drop\s+(database|table|schema)'; then
+  echo "WARNING: This will DELETE the entire database/table. Data is unrecoverable." >&2
+elif echo "$COMMAND" | grep -qE 'truncate\s+table'; then
+  echo "WARNING: This will DELETE all rows in the table." >&2
+fi
+
+# Always allow — this hook only warns, doesn't block
+exit 0

package/examples/plan-mode-enforcer.sh

@@ -27,6 +27,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 STATE_FILE="/tmp/.cc-plan-mode-active"
 [ -f "$STATE_FILE" ] || exit 0

package/examples/plugin-process-cleanup.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# plugin-process-cleanup.sh — Kill leaked plugin subprocesses on session end
+#
+# Solves: Channel plugin subprocesses (bun server.ts) leak across sessions,
+#         accumulating to 1000%+ CPU usage (#39137). Each session spawns
+#         new processes but never kills old ones.
+#
+# How it works: SessionEnd hook that finds and kills plugin server processes
+#   that are still running from the Claude plugins cache directory.
+#
+# TRIGGER: SessionEnd
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "SessionEnd": [{
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/plugin-process-cleanup.sh" }]
+#     }]
+#   }
+# }
+
+# Find plugin server processes from Claude's cache
+PLUGIN_CACHE="$HOME/.claude/plugins/cache"
+
+# Kill bun/node server processes from plugin directories
+PIDS=$(pgrep -f "$PLUGIN_CACHE" 2>/dev/null)
+
+if [ -n "$PIDS" ]; then
+    COUNT=$(echo "$PIDS" | wc -l | tr -d ' ')
+    echo "Cleaning up $COUNT leaked plugin process(es)..." >&2
+
+    for pid in $PIDS; do
+        # Try graceful shutdown first
+        kill "$pid" 2>/dev/null
+    done
+
+    # Wait briefly for graceful shutdown
+    sleep 1
+
+    # Force kill any remaining
+    for pid in $PIDS; do
+        if kill -0 "$pid" 2>/dev/null; then
+            kill -9 "$pid" 2>/dev/null
+            echo "  Force-killed PID $pid" >&2
+        fi
+    done
+fi
+
+exit 0

package/examples/polyglot-rm-guard.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# polyglot-rm-guard.sh — Block file deletion via any language, not just rm
+#
+# Solves: Claude circumvents Bash(rm) deny rules by using Python os.remove(),
+#         Node fs.unlinkSync(), or other languages to delete files (#39459).
+#         The permission system blocks the tool, not the goal.
+#
+# How it works: PreToolUse hook on Bash that detects file deletion attempts
+#   via Python, Node, Ruby, Perl, or any other interpreter — not just rm.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/polyglot-rm-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+# Python file deletion
+if echo "$CMD" | grep -qE 'python[23]?\s+-c\s.*\b(os\.remove|os\.unlink|shutil\.rmtree|pathlib.*unlink)\b'; then
+    echo "BLOCKED: File deletion via Python detected." >&2
+    echo "Blocked: os.remove/unlink/rmtree circumvents rm restrictions." >&2
+    exit 2
+fi
+
+# Node.js file deletion
+if echo "$CMD" | grep -qE 'node\s+-e\s.*\b(unlinkSync|rmdirSync|rmSync|fs\.rm)\b'; then
+    echo "BLOCKED: File deletion via Node.js detected." >&2
+    exit 2
+fi
+
+# Ruby file deletion
+if echo "$CMD" | grep -qE 'ruby\s+-e\s.*\b(File\.delete|FileUtils\.rm)\b'; then
+    echo "BLOCKED: File deletion via Ruby detected." >&2
+    exit 2
+fi
+
+# Perl file deletion
+if echo "$CMD" | grep -qE 'perl\s+-[eE]\s.*\bunlink\b'; then
+    echo "BLOCKED: File deletion via Perl detected." >&2
+    exit 2
+fi
+
+# Generic: any interpreter with remove/delete/unlink in the command
+if echo "$CMD" | grep -qE '(python|node|ruby|perl|php)\s+.*-[ceE]\s.*\b(remove|unlink|delete|rmtree|rmdir)\b'; then
+    echo "BLOCKED: File deletion via interpreter detected." >&2
+    exit 2
+fi
+
+exit 0

package/examples/pr-description-check.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)