cc-safe-setup 29.6.32 → 29.6.33

package/examples/self-modify-bypass-guard.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# self-modify-bypass-guard.sh — Auto-allow .claude/ writes in bypass mode
+#
+# Solves: Self-modification guard prompts for .claude/ writes even when
+#         bypassPermissions is active (#40463). The guard fires before
+#         hooks/permissions are evaluated.
+#
+# How it works: PermissionRequest hook that detects .claude/ write prompts
+#   and auto-allows them when the project uses bypassPermissions mode.
+#   Exempts security-sensitive paths (settings.json, CLAUDE.md).
+#
+# TRIGGER: PermissionRequest
+# MATCHER: ""
+
+set -euo pipefail
+
+INPUT=$(cat)
+
+# Extract the permission request details
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+# Only handle Edit/Write to .claude/ paths
+case "$TOOL" in
+  Edit|Write) ;;
+  *) exit 0 ;;
+esac
+
+case "$FILE" in
+  .claude/*|*/.claude/*) ;;
+  *) exit 0 ;;
+esac
+
+# Security-sensitive files: always prompt (don't auto-allow)
+BASENAME=$(basename "$FILE")
+case "$BASENAME" in
+  settings.json|settings.local.json|CLAUDE.md)
+    # Let the default prompt handle these
+    exit 0 ;;
+esac
+
+# Check if bypassPermissions is configured
+SETTINGS=".claude/settings.json"
+if [ -f "$SETTINGS" ]; then
+    MODE=$(jq -r '.defaultMode // empty' "$SETTINGS" 2>/dev/null)
+    if [ "$MODE" = "bypassPermissions" ]; then
+        # Auto-allow: output hookSpecificOutput to approve
+        echo '{"hookSpecificOutput":{"hookEventName":"PermissionRequest","allow":true}}'
+        exit 0
+    fi
+fi
+
+# Not in bypass mode — let default prompt handle it
+exit 0

package/examples/sensitive-log-guard.sh

@@ -1,3 +1,5 @@
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 INPUT=$(cat)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 [[ -z "$FILE" ]] && exit 0

package/examples/session-checkpoint.sh

@@ -19,6 +19,8 @@
 #
 # Recovery: Add to CLAUDE.md:
 #   "If ~/.claude/checkpoints/ has a file for this project, read it first."
+#
+# TRIGGER: Stop  MATCHER: ""
 
 INPUT=$(cat)
 REASON=$(echo "$INPUT" | jq -r '.stop_reason // empty' 2>/dev/null)

package/examples/session-end-logger.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# session-end-logger.sh — Log session activity at exit
+#
+# Solves: No built-in session audit trail. When a session ends,
+#         there's no record of what was done unless you manually check
+#         git log or conversation history (#40010).
+#
+# How it works: SessionEnd hook that captures recent git commits,
+#   modified files, and session metadata into a structured log file.
+#
+# TRIGGER: SessionEnd
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "SessionEnd": [{
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/session-end-logger.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // "unknown"' 2>/dev/null)
+
+LOG_DIR=".claude/session-logs"
+mkdir -p "$LOG_DIR"
+LOG_FILE="$LOG_DIR/$(date '+%Y-%m-%d').md"
+
+{
+    echo ""
+    echo "## Session $SESSION_ID — $(date '+%H:%M')"
+    echo ""
+
+    # Recent git activity
+    if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+        COMMITS=$(git log --oneline --since="1 hour ago" 2>/dev/null)
+        if [ -n "$COMMITS" ]; then
+            echo "### Commits"
+            echo '```'
+            echo "$COMMITS"
+            echo '```'
+        fi
+
+        CHANGED=$(git diff --name-only HEAD~5..HEAD 2>/dev/null | head -20)
+        if [ -n "$CHANGED" ]; then
+            echo "### Changed files"
+            echo '```'
+            echo "$CHANGED"
+            echo '```'
+        fi
+    fi
+
+    echo ""
+} >> "$LOG_FILE"
+
+exit 0

package/examples/session-error-rate-monitor.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# ================================================================
+# session-error-rate-monitor.sh — Detect session quality degradation
+# ================================================================
+# PURPOSE:
+#   Long sessions (6+ hours) show quality decay: more errors,
+#   ignored instructions, and destructive actions. This hook
+#   tracks the error rate over a rolling window and warns when
+#   it exceeds a threshold, suggesting a session restart.
+#
+# How it works:
+#   - Counts tool calls and errors (exit code != 0) in a state file
+#   - Calculates error rate over last N tool calls
+#   - Warns (stderr) when error rate exceeds threshold
+#   - Does NOT block — purely advisory (exit 0 always)
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Bash"
+#
+# CONFIG:
+#   CC_ERROR_RATE_WINDOW=20  (rolling window size)
+#   CC_ERROR_RATE_THRESHOLD=40  (% error rate to trigger warning)
+#
+# See: https://github.com/anthropics/claude-code/issues/32963
+# ================================================================
+
+INPUT=$(cat)
+EXIT_CODE=$(echo "$INPUT" | jq -r '.tool_result.exit_code // "0"' 2>/dev/null)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Only track Bash tool calls
+[[ "$TOOL" != "Bash" ]] && exit 0
+
+WINDOW=${CC_ERROR_RATE_WINDOW:-20}
+THRESHOLD=${CC_ERROR_RATE_THRESHOLD:-40}
+STATE_DIR="${HOME}/.claude/state"
+mkdir -p "$STATE_DIR"
+STATE_FILE="$STATE_DIR/error-rate-history.log"
+
+# Record result: 0=success, 1=error
+if [ "$EXIT_CODE" = "0" ]; then
+    echo "0" >> "$STATE_FILE"
+else
+    echo "1" >> "$STATE_FILE"
+fi
+
+# Keep only last N entries
+TOTAL=$(wc -l < "$STATE_FILE" 2>/dev/null || echo "0")
+if [ "$TOTAL" -gt "$WINDOW" ]; then
+    tail -n "$WINDOW" "$STATE_FILE" > "$STATE_FILE.tmp"
+    mv "$STATE_FILE.tmp" "$STATE_FILE"
+fi
+
+# Calculate error rate
+if [ "$TOTAL" -ge "$WINDOW" ]; then
+    ERRORS=$(tail -n "$WINDOW" "$STATE_FILE" | grep -c "^1$" || echo "0")
+    RATE=$(( ERRORS * 100 / WINDOW ))
+
+    if [ "$RATE" -ge "$THRESHOLD" ]; then
+        echo "⚠ Session quality alert: ${RATE}% error rate over last ${WINDOW} commands (threshold: ${THRESHOLD}%)" >&2
+        echo "  Consider: /compact or starting a fresh session" >&2
+    fi
+fi
+
+exit 0

package/examples/session-health-monitor.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# session-health-monitor.sh — Monitor session health metrics
+#
+# Solves: Long-running sessions degrade silently — context fills up,
+#         tool calls slow down, errors accumulate. No visibility into
+#         session health until it's too late.
+#
+# How it works: PreToolUse hook that tracks session metrics:
+#   - Tool call count (proxy for context usage)
+#   - Error rate (consecutive failures)
+#   - Session duration
+#   Warns at configurable thresholds.
+#
+# TRIGGER: PreToolUse
+# MATCHER: ""
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/session-health-monitor.sh" }]
+#     }]
+#   }
+# }
+
+STATE="/tmp/cc-health-$$"
+
+# Initialize on first call
+if [ ! -f "$STATE" ]; then
+    echo "start=$(date +%s) calls=0 errors=0" > "$STATE"
+fi
+
+# Read current state
+eval $(cat "$STATE")
+calls=$((calls + 1))
+
+# Update state
+echo "start=$start calls=$calls errors=$errors" > "$STATE"
+
+# Check thresholds
+DURATION=$(( ($(date +%s) - start) / 60 ))
+
+if [ "$calls" -eq 50 ]; then
+    echo "ℹ Session health: 50 tool calls, ${DURATION}m elapsed." >&2
+fi
+
+if [ "$calls" -eq 150 ]; then
+    echo "⚠ Session health: 150 tool calls, ${DURATION}m elapsed. Context may be getting full." >&2
+    echo "Consider saving state and starting a fresh session." >&2
+fi
+
+if [ "$calls" -ge 250 ] && [ $((calls % 50)) -eq 0 ]; then
+    echo "🔴 Session health: $calls tool calls, ${DURATION}m elapsed. Performance may be degraded." >&2
+fi
+
+# Duration warning
+if [ "$DURATION" -ge 120 ] && [ $((calls % 100)) -eq 0 ]; then
+    echo "⏰ Session running for ${DURATION}m. Long sessions accumulate context drift." >&2
+fi
+
+exit 0

package/examples/session-memory-watchdog.sh

@@ -0,0 +1,17 @@
+MAX_RSS_MB="${CC_MAX_RSS_MB:-4096}"
+CHECK_INTERVAL=300
+(
+    while true; do
+        sleep "$CHECK_INTERVAL"
+        pgrep -f "claude" | while read pid; do
+            RSS_KB=$(ps -o rss= -p "$pid" 2>/dev/null | tr -d ' ')
+            [ -z "$RSS_KB" ] && continue
+            RSS_MB=$((RSS_KB / 1024))
+            if [ "$RSS_MB" -gt "$MAX_RSS_MB" ]; then
+                echo "[$(date -Iseconds)] PID $pid: ${RSS_MB}MB > ${MAX_RSS_MB}MB limit" >> ~/.claude/memory-watchdog.log
+                kill -15 "$pid" 2>/dev/null
+            fi
+        done
+    done
+) &
+exit 0

package/examples/session-permission-reset-guard.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# session-permission-reset-guard.sh — Override session-cached permissions
+#
+# Solves: Sandbox mode caching session-level permissions (#40384).
+#         After approving a command once, sandbox caches the approval
+#         for the entire session, bypassing the allow list.
+#
+# How it works: PreToolUse hook that enforces per-invocation checks
+#   for specified commands, regardless of session cache state.
+#   Acts as a secondary permission layer outside the caching system.
+#
+# CONFIG:
+#   CC_ALWAYS_CHECK_COMMANDS="git commit:git push:npm publish:cargo install"
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Commands that should always require hook-level check
+ALWAYS_CHECK="${CC_ALWAYS_CHECK_COMMANDS:-git commit:git push:npm publish:cargo install:pip install}"
+
+IFS=':' read -ra PATTERNS <<< "$ALWAYS_CHECK"
+for pattern in "${PATTERNS[@]}"; do
+  # Match the pattern anywhere in the command (including chained commands)
+  if echo "$COMMAND" | grep -qiF "$pattern"; then
+    echo "HOOK CHECK: '$pattern' detected — hook-level review." >&2
+    echo "Command: $COMMAND" >&2
+    echo "" >&2
+    echo "This hook enforces per-invocation checks regardless of" >&2
+    echo "session permission caching. To allow, remove this pattern" >&2
+    echo "from CC_ALWAYS_CHECK_COMMANDS." >&2
+    exit 2
+  fi
+done
+
+exit 0

package/examples/session-resume-env-fix.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# session-resume-env-fix.sh — Fix CLAUDE_ENV_FILE path on session resume
+#
+# Solves: CLAUDE_ENV_FILE points to startup session directory, but Bash
+#         tool loads from resumed session directory (#40391, #24775).
+#         Environment variables written by SessionStart hooks are lost.
+#
+# How it works: SessionStart hook that detects resume (source="resume")
+#   and copies/symlinks env files from the startup session directory
+#   to the resumed session directory.
+#
+# TRIGGER: SessionStart
+# MATCHER: ""
+
+set -euo pipefail
+
+INPUT=$(cat)
+SOURCE=$(echo "$INPUT" | jq -r '.source // empty' 2>/dev/null)
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // empty' 2>/dev/null)
+
+# Only act on resume events
+[ "$SOURCE" = "resume" ] || exit 0
+[ -n "$SESSION_ID" ] || exit 0
+[ -n "${CLAUDE_ENV_FILE:-}" ] || exit 0
+
+# Extract the startup session directory from CLAUDE_ENV_FILE
+STARTUP_DIR=$(dirname "$CLAUDE_ENV_FILE")
+ENV_BASE=$(dirname "$STARTUP_DIR")
+
+# Construct the resumed session directory
+RESUME_DIR="${ENV_BASE}/${SESSION_ID}"
+
+# If they're the same, no fix needed
+[ "$STARTUP_DIR" != "$RESUME_DIR" ] || exit 0
+
+# Create resumed session directory if missing
+mkdir -p "$RESUME_DIR"
+
+# Copy all env files from startup dir to resumed dir
+for envfile in "$STARTUP_DIR"/*.sh; do
+    [ -f "$envfile" ] || continue
+    BASENAME=$(basename "$envfile")
+    if [ ! -f "$RESUME_DIR/$BASENAME" ]; then
+        cp "$envfile" "$RESUME_DIR/$BASENAME"
+        echo "Copied env file to resumed session: $BASENAME" >&2
+    fi
+done
+
+exit 0

package/examples/session-state-saver.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 STATE_DIR="${HOME}/.claude"

package/examples/session-summary-stop.sh

@@ -17,6 +17,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 

package/examples/session-summary.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 echo "" >&2
 echo "=== Session Summary ===" >&2
 BRANCH=$(git branch --show-current 2>/dev/null)

package/examples/session-token-counter.sh

@@ -24,6 +24,8 @@
 #   CC_TOOL_WARN_100  — threshold 1 (default: 100)
 #   CC_TOOL_WARN_200  — threshold 2 (default: 200)
 #   CC_TOOL_WARN_500  — threshold 3 (default: 500)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)

package/examples/shell-wrapper-guard.sh

@@ -13,6 +13,8 @@
 # This hook unwraps interpreter one-liners and checks the inner command.
 #
 # Usage: PreToolUse hook on "Bash"
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/skill-gate.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 [[ "$TOOL" != "Skill" ]] && exit 0

package/examples/skill-injection-detector.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# skill-injection-detector.sh — Detect silently injected skills/plugins
+#
+# Solves: Skills and plugins from claude.ai silently injected into Claude Code
+#         sessions (#39686). External tool definitions bloat context and
+#         can override local behavior without user awareness.
+#
+# How it works: Notification hook that monitors for unexpected skill/plugin
+#   loading messages. Warns when tools are loaded from external sources.
+#   Also checks MCP config for unexpected servers.
+#
+# TRIGGER: PreToolUse
+# MATCHER: ""
+
+set -euo pipefail
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Check MCP tool calls for unexpected servers
+if [ "$TOOL" = "Bash" ]; then
+  COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+  # Detect MCP server addition
+  if echo "$COMMAND" | grep -qE 'claude\s+mcp\s+add'; then
+    echo "WARNING: MCP server addition detected." >&2
+    echo "Command: $COMMAND" >&2
+    echo "Verify this server is expected before proceeding." >&2
+  fi
+fi
+
+# Check for skill/plugin invocation from unexpected sources
+if echo "$INPUT" | jq -e '.tool_input.skill // empty' 2>/dev/null | grep -qv '^$'; then
+  SKILL=$(echo "$INPUT" | jq -r '.tool_input.skill' 2>/dev/null)
+  # Check if skill is local
+  if [ ! -f ".claude/skills/${SKILL}/SKILL.md" ] && [ ! -f ".claude/skills/${SKILL}.md" ]; then
+    echo "WARNING: Skill '$SKILL' invoked but not found locally." >&2
+    echo "This may be an externally injected skill." >&2
+  fi
+fi
+
+exit 0

package/examples/spec-file-scope-guard.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+# spec-file-scope-guard.sh — Restrict edits to files mentioned in a spec document
+#
+# Solves: Agent ignoring specification across multiple sessions (#40383).
+#         Claude modifies files not mentioned in the spec, introduces
+#         fabricated data, and drifts from the stated objective.
+#
+# How it works: Reads a spec/requirements file, extracts file paths and
+#   directory names mentioned in it, then blocks Edit/Write to files
+#   outside that scope.
+#
+# Setup:
+#   echo "spec.md" > .claude/spec-file.txt
+#   # Or set CC_SPEC_FILE=spec.md
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Edit|Write"
+
+set -euo pipefail
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+case "$TOOL" in
+  Edit|Write) ;;
+  *) exit 0 ;;
+esac
+
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Find spec file
+SPEC_FILE="${CC_SPEC_FILE:-}"
+if [ -z "$SPEC_FILE" ] && [ -f ".claude/spec-file.txt" ]; then
+    SPEC_FILE=$(head -1 ".claude/spec-file.txt" | tr -d '\n')
+fi
+[ -z "$SPEC_FILE" ] && exit 0
+[ -f "$SPEC_FILE" ] || exit 0
+
+# Extract paths/directories mentioned in spec
+# Matches: path/to/file.ext, src/components/, ./config.ts, etc.
+MENTIONED=$(grep -oE '(\.?/?[a-zA-Z0-9_-]+/)+[a-zA-Z0-9_.-]*' "$SPEC_FILE" | sort -u || true)
+
+if [ -z "$MENTIONED" ]; then
+    # No paths found in spec — don't restrict
+    exit 0
+fi
+
+# Check if the target file matches any mentioned path
+BASENAME=$(basename "$FILE")
+DIRNAME=$(dirname "$FILE")
+
+for path in $MENTIONED; do
+    # Match if file path contains the spec path
+    if echo "$FILE" | grep -qF "$path"; then
+        exit 0
+    fi
+    # Match if basename matches
+    if echo "$BASENAME" | grep -qF "$path"; then
+        exit 0
+    fi
+done
+
+echo "WARNING: Editing file not mentioned in spec ($SPEC_FILE):" >&2
+echo "  File: $FILE" >&2
+echo "  Spec mentions: $(echo "$MENTIONED" | head -5 | tr '\n' ', ')" >&2
+echo "  Stay focused on the specification." >&2
+# Warning only — change to exit 2 to block
+exit 0

package/examples/spring-profile-guard.sh

@@ -1,3 +1,5 @@
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
 [[ -z "$COMMAND" ]] && exit 0

package/examples/sql-injection-detect.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 INPUT=$(cat)
 CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
 [ -z "$CONTENT" ] && exit 0

package/examples/subagent-budget-guard.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 [[ "$TOOL" != "Agent" ]] && exit 0

package/examples/subagent-claudemd-inject.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+# subagent-claudemd-inject.sh — Inject CLAUDE.md rules into subagent prompts
+#
+# Solves: Subagents lose CLAUDE.md context since v2.1.84 (#40459).
+#         omitClaudeMd:true strips project instructions from Explore/Plan agents,
+#         causing them to ignore language preferences, environment config, etc.
+#
+# How it works: PreToolUse hook on Agent that appends key CLAUDE.md rules
+#   to the subagent's prompt. Extracts critical rules (marked with SUBAGENT:
+#   prefix in CLAUDE.md) and injects them into the agent description/prompt.
+#
+# Setup: Mark critical rules in CLAUDE.md with "SUBAGENT:" prefix:
+#   ## SUBAGENT: Always respond in Japanese
+#   ## SUBAGENT: Use DEV environment for testing
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Agent"
+
+set -euo pipefail
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ "$TOOL" = "Agent" ] || exit 0
+
+# Find CLAUDE.md
+CLAUDEMD=""
+for candidate in "CLAUDE.md" "../CLAUDE.md" "../../CLAUDE.md"; do
+    if [ -f "$candidate" ]; then
+        CLAUDEMD="$candidate"
+        break
+    fi
+done
+[ -n "$CLAUDEMD" ] || exit 0
+
+# Extract SUBAGENT-tagged rules
+RULES=$(grep -iE '^##?\s*SUBAGENT:' "$CLAUDEMD" 2>/dev/null | sed 's/^##\?\s*SUBAGENT:\s*//' | head -10 || true)
+[ -z "$RULES" ] && exit 0
+
+# Inject rules as a system message warning
+echo "REMINDER: Project rules from CLAUDE.md (apply to all subagents):" >&2
+echo "$RULES" | while IFS= read -r rule; do
+    echo "  - $rule" >&2
+done
+
+exit 0

package/examples/subagent-tool-call-limiter.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# subagent-tool-call-limiter.sh — Limit total tool calls per session
+#
+# Solves: Subagents making unbounded tool calls (#36727).
+#         One user reported 234 tool calls in 1.5 hours from a single subagent.
+#         Existing rate limiters check frequency, not total count.
+#
+# How it works: PreToolUse hook (all tools) that increments a counter file.
+#   When CC_MAX_TOOL_CALLS (default 200) is reached, blocks further calls.
+#
+# TRIGGER: PreToolUse
+# MATCHER: ""
+
+set -euo pipefail
+
+MAX_CALLS="${CC_MAX_TOOL_CALLS:-200}"
+COUNTER_FILE="/tmp/claude-tool-call-counter-$$"
+
+# Use session-based counter (PID of parent process)
+PPID_FILE="/tmp/claude-tool-call-counter-${PPID:-0}"
+[ -f "$PPID_FILE" ] && COUNTER_FILE="$PPID_FILE"
+
+# Initialize or read counter
+if [ -f "$COUNTER_FILE" ]; then
+  COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+else
+  COUNT=0
+  COUNTER_FILE="$PPID_FILE"
+fi
+
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+
+# Check limit
+if [ "$COUNT" -gt "$MAX_CALLS" ]; then
+  echo "BLOCKED: Tool call limit reached ($COUNT/$MAX_CALLS)." >&2
+  echo "This session has made $COUNT tool calls (limit: $MAX_CALLS)." >&2
+  echo "Consider starting a new session or increasing CC_MAX_TOOL_CALLS." >&2
+  exit 2
+fi
+
+# Warn at 80%
+WARN_AT=$((MAX_CALLS * 80 / 100))
+if [ "$COUNT" -eq "$WARN_AT" ]; then
+  echo "WARNING: $COUNT/$MAX_CALLS tool calls used (80%). Consider wrapping up." >&2
+fi
+
+exit 0

package/examples/svelte-lint-on-edit.sh

@@ -1,3 +1,5 @@
+#
+# TRIGGER: PostToolUse  MATCHER: "Edit|Write"
 INPUT=$(cat)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 [[ -z "$FILE" ]] && exit 0

package/examples/swift-build-on-edit.sh

@@ -17,6 +17,8 @@
 #   }
 # }
 # ================================================================
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)