cc-safe-setup 29.6.32 → 29.6.36

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.32",
-  "description": "One command to make Claude Code safe. 539 example hooks + 8 built-in. 56 CLI commands. 7789 tests. Works with Auto Mode.",
+  "version": "29.6.36",
+  "description": "One command to make Claude Code safe. 634 example hooks + 8 built-in. 56 CLI commands. 11933 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"

package/scripts/generate-categories.mjs

@@ -0,0 +1,206 @@
+#!/usr/bin/env node
+/**
+ * generate-categories.mjs
+ *
+ * Scans examples/*.sh to generate the CATEGORIES object for index.mjs --examples.
+ *
+ * Why: The manual CATEGORIES list falls behind (147 of 634 hooks registered).
+ * This script auto-generates from the actual files so --examples always shows all hooks.
+ *
+ * Usage:
+ *   node scripts/generate-categories.mjs          # preview JSON
+ *   node scripts/generate-categories.mjs --apply   # update index.mjs in-place
+ */
+
+import { readdirSync, readFileSync, writeFileSync } from 'fs';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const ROOT = join(__dirname, '..');
+const EXAMPLES_DIR = join(ROOT, 'examples');
+const INDEX_PATH = join(ROOT, 'index.mjs');
+
+// ─── Category rules ───
+// Order matters: first match wins. Patterns are tested against the filename (without .sh).
+const CATEGORY_RULES = [
+  // Auto-Approve / Permissions (must be first — specific prefixes)
+  { pattern: /^auto-approve-/, category: 'Auto-Approve' },
+  { pattern: /^allow-/, category: 'Auto-Approve' },
+  { pattern: /^permission-/, category: 'Auto-Approve' },
+  { pattern: /^edit-always-allow|^classifier-fallback-allow|^webfetch-domain-allow/, category: 'Auto-Approve' },
+
+  // Recovery / Session State
+  { pattern: /checkpoint|snapshot|backup|restore|recover|rollback|revert|stash-before|session-handoff|recycle-bin|session-state-saver|session-resume|session-summary|pre-compact-knowledge|pre-compact-transcript|file-change-undo|context-compact-advisor/, category: 'Recovery' },
+
+  // Monitoring / Observability
+  { pattern: /tracker|counter|monitor|logger|log$|budget-alert|health-monitor|watchdog|quota|usage-cache|token-counter|token-usage|cost-tracker|daily-usage|session-end-logger|session-error-rate|cross-session-error|tool-file-logger|file-change-monitor|file-change-tracker|read-audit|tool-call-rate-limiter|mcp-tool-audit/, category: 'Monitoring' },
+
+  // Quality / Linting / Code Standards
+  { pattern: /^enforce-|^require-|lint-on-edit|^branch-name|^commit-message|^commit-quality|^commit-scope|^pr-description|^no-console|^no-eval|^no-wildcard|^no-todo-ship|^test-coverage|^ci-skip|^debug-leftover|^typescript-strict|^sensitive-regex|^git-author|^git-blame|^import-cycle|^env-drift|^package-script|^lockfile|^git-lfs|^python-ruff|^typescript-lint|^fact-check|^conflict-marker|^test-deletion|^license-check|^changelog-reminder|^branch-naming|^verify-before-commit|^prefer-const|^prefer-optional|^prefer-builtin|^prefer-dedicated|^max-function-length|^max-import-count|^dockerfile-lint|^dotenv-example|^dotenv-validate|^dotenv-watch|^env-naming|^readme-update|^write-test-ratio|^edit-counter-test|^test-after-edit|^test-before-commit|^test-before-push|^push-requires-test|^git-message-length|^console-log-count|^go-vet|^java-compile|^swift-build|^dotnet-build|^rust-clippy|^edit-old-string-validator/, category: 'Quality' },
+
+  // UX / Developer Experience
+  { pattern: /^prompt-length|^prompt-injection-detect|^auto-answer|^notify-|^tmp-cleanup|^hook-debug|^loop-detector|^diff-size|^dependency-audit|^binary-file|^stale-branch|^read-before-edit|^compact-reminder|^context-snapshot|^post-compact-restore|^reinject-claudemd|^output-length|^error-memory|^parallel-edit|^large-read|^max-session|^dangling-process|^encoding-guard|^disk-space|^rate-limit-guard|^stale-env|^node-version|^max-file-count|^file-size-limit|^token-budget|^long-session|^cwd-reminder|^virtual-cwd|^hook-stdout|^fish-shell|^system-message|^plan-mode|^plan-repo|^skill-gate|^git-show-flag|^consecutive-error|^consecutive-failure|^session-time-limit|^temp-file-cleanup|^plugin-process|^context-threshold|^five-hundred|^session-budget/, category: 'UX' },
+
+  // Subagent / MCP Controls
+  { pattern: /^subagent-|^mcp-|^max-concurrent-agents|^max-subagent/, category: 'Agent Controls' },
+
+  // Safety Guards (broad catch — must be last among specifics)
+  { pattern: /guard|block|protect|^no-|^strip-|^scope-|^allowlist|^strict-allowlist|^secret|^staged-secret|^output-credential|^output-secret|^network|^path-traversal|^timeout|^session-drift|^post-compact-safety|^read-budget|^hook-permission|^response-budget|^deploy|^env-var-check|^env-source|^overwrite|^write-overwrite|^memory-write|^worktree|^docker-prune|^pip-venv|^variable-expansion|^bash-trace|^work-hours|^case-sensitive|^compound-command|^uncommitted|^rm-safety|^absolute-rule|^claudemd-enforcer|^read-all-files|^concurrent-edit|^git-operations-require|^core-file-protect|^api-overload|^api-rate-limit|^api-retry|^npm-script-injection|^dependency-version|^package-lock-frozen|^migration-safety|^git-merge-conflict|^git-index-lock|^bash-domain-allowlist|^claude-cache-gc|^deployment-verify|^max-file-delete/, category: 'Safety Guards' },
+];
+
+// ─── Description extraction ───
+function extractDescription(filepath, filename) {
+  const content = readFileSync(filepath, 'utf8');
+  const lines = content.split('\n');
+
+  // Strategy 1: "# filename — description" on line 2 or nearby
+  for (let i = 1; i < Math.min(lines.length, 8); i++) {
+    const m = lines[i].match(/^#\s*\S+\.sh\s*[—–-]+\s*(.+)/);
+    if (m) return m[1].trim();
+  }
+
+  // Strategy 2: "# ===...=== \n # filename — description"
+  for (let i = 1; i < Math.min(lines.length, 10); i++) {
+    const m = lines[i].match(/^#\s*\S+\.sh\s*[—–-]+\s*(.+)/);
+    if (m) return m[1].trim();
+  }
+
+  // Strategy 3: First non-empty, non-shebang, non-separator comment line
+  for (let i = 1; i < Math.min(lines.length, 15); i++) {
+    const line = lines[i];
+    if (!line.startsWith('#')) continue;
+    const text = line.replace(/^#\s*/, '').trim();
+    if (!text) continue;
+    if (/^=+$/.test(text)) continue;  // separator line
+    if (/^TRIGGER:/i.test(text)) continue;
+    if (/^MATCHER:/i.test(text)) continue;
+    if (/^Usage:/i.test(text)) continue;
+    if (/^\{/.test(text)) continue; // JSON
+    if (/^"hooks"/.test(text)) continue;
+    // If it looks like "PURPOSE:" grab what follows
+    const purposeMatch = text.match(/^PURPOSE:\s*(.+)/i);
+    if (purposeMatch) return purposeMatch[1].trim();
+    // Skip the filename echo
+    if (text.startsWith(filename)) continue;
+    // Use this line
+    return text;
+  }
+
+  // Fallback: derive from filename
+  const base = filename.replace('.sh', '');
+  return base.replace(/-/g, ' ').replace(/\b\w/g, c => c.toUpperCase());
+}
+
+// ─── Categorize ───
+function categorize(filename) {
+  const base = filename.replace('.sh', '');
+  for (const rule of CATEGORY_RULES) {
+    if (rule.pattern.test(base)) return rule.category;
+  }
+  // Fallback heuristics
+  if (base.includes('warn') || base.includes('check') || base.includes('detect') || base.includes('verify')) return 'Quality';
+  if (base.includes('auto-') || base.includes('approve')) return 'Auto-Approve';
+  // Default
+  return 'Other';
+}
+
+// ─── Main ───
+const files = readdirSync(EXAMPLES_DIR)
+  .filter(f => f.endsWith('.sh'))
+  .sort();
+
+const categories = {};
+
+for (const file of files) {
+  const cat = categorize(file);
+  const desc = extractDescription(join(EXAMPLES_DIR, file), file);
+  if (!categories[cat]) categories[cat] = {};
+  categories[cat][file] = desc;
+}
+
+// Desired category order
+const ORDER = ['Safety Guards', 'Auto-Approve', 'Quality', 'Monitoring', 'Recovery', 'UX', 'Agent Controls', 'Other'];
+const ordered = {};
+for (const cat of ORDER) {
+  if (categories[cat] && Object.keys(categories[cat]).length > 0) {
+    ordered[cat] = categories[cat];
+  }
+}
+// Add any categories not in ORDER
+for (const cat of Object.keys(categories)) {
+  if (!ordered[cat]) ordered[cat] = categories[cat];
+}
+
+// ─── Generate code ───
+function generateCode(cats) {
+  let code = '  const CATEGORIES = {\n';
+  const catEntries = Object.entries(cats);
+  for (let ci = 0; ci < catEntries.length; ci++) {
+    const [cat, hooks] = catEntries[ci];
+    code += `    '${cat}': {\n`;
+    const hookEntries = Object.entries(hooks);
+    for (let hi = 0; hi < hookEntries.length; hi++) {
+      const [file, desc] = hookEntries[hi];
+      // Escape single quotes in description
+      const safeDesc = desc.replace(/'/g, "\\'");
+      code += `      '${file}': '${safeDesc}',\n`;
+    }
+    code += '    },\n';
+  }
+  code += '  };';
+  return code;
+}
+
+const newCode = generateCode(ordered);
+
+// Stats
+const totalHooks = Object.values(ordered).reduce((s, c) => s + Object.keys(c).length, 0);
+console.log(`Categories: ${Object.keys(ordered).length}`);
+for (const [cat, hooks] of Object.entries(ordered)) {
+  console.log(`  ${cat}: ${Object.keys(hooks).length} hooks`);
+}
+console.log(`Total: ${totalHooks} hooks from ${files.length} .sh files`);
+
+if (process.argv.includes('--apply')) {
+  const src = readFileSync(INDEX_PATH, 'utf8');
+
+  // Match the CATEGORIES block: "  const CATEGORIES = {" ... "  };"
+  const startMarker = '  const CATEGORIES = {';
+  const startIdx = src.indexOf(startMarker);
+  if (startIdx === -1) {
+    console.error('ERROR: Could not find "const CATEGORIES = {" in index.mjs');
+    process.exit(1);
+  }
+
+  // Find the closing "};" that matches - it's "  };" at the same indentation
+  let endIdx = -1;
+  let depth = 0;
+  for (let i = startIdx + startMarker.length; i < src.length; i++) {
+    if (src[i] === '{') depth++;
+    if (src[i] === '}') {
+      if (depth === 0) {
+        // Check this is "  };"
+        endIdx = i;
+        // Include the semicolon
+        if (src[i + 1] === ';') endIdx = i + 1;
+        break;
+      }
+      depth--;
+    }
+  }
+
+  if (endIdx === -1) {
+    console.error('ERROR: Could not find closing of CATEGORIES block');
+    process.exit(1);
+  }
+
+  const before = src.substring(0, startIdx);
+  const after = src.substring(endIdx + 1);
+  const updated = before + newCode + after;
+
+  writeFileSync(INDEX_PATH, updated, 'utf8');
+  console.log(`\nUpdated index.mjs: ${totalHooks} hooks in CATEGORIES`);
+} else {
+  console.log('\nRun with --apply to update index.mjs');
+}

package/scripts.json

@@ -6,5 +6,8 @@
   "comment-strip": "#!/bin/bash\n# ================================================================\n# comment-strip.sh — Strip bash comments that break permissions\n# ================================================================\n# PURPOSE:\n#   Claude Code sometimes adds comments to bash commands like:\n#     # Check the diff\n#     git diff HEAD~1\n#   This breaks permission allowlists (e.g. Bash(git:*)) because\n#   the matcher sees \"# Check the diff\" instead of \"git diff\".\n#\n#   This hook strips leading comment lines and returns the clean\n#   command via updatedInput, so permissions match correctly.\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# INCIDENT: GitHub Issue #29582 (18 reactions)\n#   Users on linux/vscode report that bash comments added by Claude\n#   cause permission prompts even when the command is allowlisted.\n#\n# HOW IT WORKS:\n#   - Reads the command from tool_input\n#   - Strips leading lines that start with #\n#   - Strips trailing comments (everything after # on command lines)\n#   - Returns updatedInput with the cleaned command\n#   - Uses hookSpecificOutput.permissionDecision = \"allow\" only if\n#     the command was modified (so it doesn't override other hooks)\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# Strip leading comment lines and empty lines\nCLEAN=$(echo \"$COMMAND\" | sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d')\n\n# If nothing changed, pass through\nif [[ \"$CLEAN\" == \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# If command is empty after stripping, don't modify\nif [[ -z \"$CLEAN\" ]]; then\n    exit 0\nfi\n\n# Return cleaned command via hookSpecificOutput\n# permissionDecision is not set — let the normal permission flow handle it\n# We only modify the input so the permission matcher sees the real command\njq -n --arg cmd \"$CLEAN\" '{\n  hookSpecificOutput: {\n    hookEventName: \"PreToolUse\",\n    updatedInput: {\n      command: $cmd\n    }\n  }\n}'\n",
   "cd-git-allow": "#!/bin/bash\n# ================================================================\n# cd-git-allow.sh — Auto-approve cd+git compound commands\n# ================================================================\n# PURPOSE:\n#   Claude Code shows \"Compound commands with cd and git require\n#   approval\" for commands like: cd /path && git log\n#   This is safe in trusted project directories but causes\n#   constant permission prompts.\n#\n#   This hook auto-approves cd+git compounds when the git operation\n#   is read-only (log, diff, status, branch, show, etc.)\n#   Destructive git operations (push, reset, clean) are NOT\n#   auto-approved — they still require manual approval.\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# INCIDENT: GitHub Issue #32985 (9 reactions)\n#\n# WHAT IT AUTO-APPROVES:\n#   - cd /path && git log\n#   - cd /path && git diff\n#   - cd /path && git status\n#   - cd /path && git branch\n#   - cd /path && git show\n#   - cd /path && git rev-parse\n#\n# WHAT IT DOES NOT APPROVE (still prompts):\n#   - cd /path && git push\n#   - cd /path && git reset --hard\n#   - cd /path && git clean\n#   - cd /path && git checkout (could discard changes)\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# Only handle cd + git compounds\nif ! echo \"$COMMAND\" | grep -qE '^\\s*cd\\s+.*&&\\s*git\\s'; then\n    exit 0\nfi\n\n# Extract the git subcommand\nGIT_CMD=$(echo \"$COMMAND\" | grep -oP '&&\\s*git\\s+\\K\\S+')\n\n# Read-only git operations — safe to auto-approve\nSAFE_GIT=\"log diff status branch show rev-parse tag remote stash-list describe name-rev\"\n\nfor safe in $SAFE_GIT; do\n    if [[ \"$GIT_CMD\" == \"$safe\" ]]; then\n        jq -n '{\n          hookSpecificOutput: {\n            hookEventName: \"PreToolUse\",\n            permissionDecision: \"allow\",\n            permissionDecisionReason: \"cd+git compound auto-approved (read-only git operation)\"\n          }\n        }'\n        exit 0\n    fi\ndone\n\n# Not a read-only git op — let normal permission flow handle it\nexit 0\n",
   "secret-guard": "#!/bin/bash\n# ================================================================\n# secret-guard.sh — Secret/Credential Leak Prevention\n# ================================================================\n# PURPOSE:\n#   Prevents accidental exposure of secrets, API keys, and\n#   credentials through git commits or shell output.\n#\n#   Catches the most common ways secrets leak:\n#   - git add .env (committing env files)\n#   - git add credentials.json / *.pem / *.key\n#   - echo $API_KEY or printenv (exposing secrets in output)\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Bash\"\n#\n# WHAT IT BLOCKS (exit 2):\n#   - git add .env / .env.local / .env.production\n#   - git add *credentials* / *secret* / *.pem / *.key\n#   - git add -A or git add . when .env exists (warns)\n#\n# WHAT IT ALLOWS (exit 0):\n#   - git add specific safe files\n#   - Reading .env for application use (not committing)\n#   - All non-git-add commands\n#\n# CONFIGURATION:\n#   CC_SECRET_PATTERNS — colon-separated additional patterns to block\n#     default: \".env:.env.local:.env.production:credentials:secret:*.pem:*.key:*.p12\"\n# ================================================================\n\nINPUT=$(cat)\nCOMMAND=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null)\n\nif [[ -z \"$COMMAND\" ]]; then\n    exit 0\nfi\n\n# --- Check 1: git add of secret files ---\nif echo \"$COMMAND\" | grep -qE '^\\s*git\\s+add'; then\n    # Direct .env file staging\n    if echo \"$COMMAND\" | grep -qiE 'git\\s+add\\s+.*\\.env(\\s|$|\\.|/)'; then\n        echo \"BLOCKED: Attempted to stage .env file.\" >&2\n        echo \"\" >&2\n        echo \"Command: $COMMAND\" >&2\n        echo \"\" >&2\n        echo \".env files contain secrets and should never be committed.\" >&2\n        echo \"Add .env to .gitignore instead.\" >&2\n        exit 2\n    fi\n\n    # Credential/key files\n    if echo \"$COMMAND\" | grep -qiE 'git\\s+add\\s+.*(credentials|\\.pem|\\.key|\\.p12|\\.pfx|id_rsa|id_ed25519)'; then\n        echo \"BLOCKED: Attempted to stage credential/key file.\" >&2\n        echo \"\" >&2\n        echo \"Command: $COMMAND\" >&2\n        echo \"\" >&2\n        echo \"Key and credential files should never be committed to git.\" >&2\n        echo \"Add them to .gitignore instead.\" >&2\n        exit 2\n    fi\n\n    # git add -A or git add . when .env exists — warn but check\n    if echo \"$COMMAND\" | grep -qE 'git\\s+add\\s+(-A|--all|\\.)(\\s|$)'; then\n        # Check if .env exists in the current or project directory\n        if [ -f \".env\" ] || [ -f \".env.local\" ] || [ -f \".env.production\" ]; then\n            echo \"BLOCKED: 'git add .' with .env file present.\" >&2\n            echo \"\" >&2\n            echo \"Command: $COMMAND\" >&2\n            echo \"\" >&2\n            echo \"An .env file exists in this directory. 'git add .' would stage it.\" >&2\n            echo \"Add specific files instead: git add src/ lib/ package.json\" >&2\n            echo \"Or add .env to .gitignore first.\" >&2\n            exit 2\n        fi\n    fi\nfi\n\nexit 0\n",
-  "api-error-alert": "#!/bin/bash\nINPUT=$(cat)\nREASON=$(echo \"$INPUT\" | jq -r '.stop_reason // \"unknown\"' 2>/dev/null)\nHOOK_EVENT=$(echo \"$INPUT\" | jq -r '.hook_event_name // \"\"' 2>/dev/null)\nif [[ \"$REASON\" == \"user\" || \"$REASON\" == \"normal\" || -z \"$REASON\" ]]; then\n    exit 0\nfi\nLOG=\"${CC_ERROR_ALERT_LOG:-$HOME/.claude/session-errors.log}\"\nMISSION=\"${CC_CONTEXT_MISSION_FILE:-$HOME/mission.md}\"\nTS=$(date -Iseconds)\nmkdir -p \"$(dirname \"$LOG\")\" 2>/dev/null\necho \"[$TS] Session stopped: reason=$REASON event=$HOOK_EVENT\" >> \"$LOG\"\nif [ -z \"$WSL_DISTRO_NAME\" ]; then\n    notify-send \"Claude Code\" \"Session stopped: $REASON\" 2>/dev/null || true\n    osascript -e \"display notification \\\"Session stopped: $REASON\\\" with title \\\"Claude Code\\\"\" 2>/dev/null || true\nelse\n    powershell.exe -Command \"Write-Host 'Claude Code: Session stopped - $REASON'\" 2>/dev/null || true\nfi\nexit 0\n"
+  "api-error-alert": "#!/bin/bash\nINPUT=$(cat)\nREASON=$(echo \"$INPUT\" | jq -r '.stop_reason // \"unknown\"' 2>/dev/null)\nHOOK_EVENT=$(echo \"$INPUT\" | jq -r '.hook_event_name // \"\"' 2>/dev/null)\nif [[ \"$REASON\" == \"user\" || \"$REASON\" == \"normal\" || -z \"$REASON\" ]]; then\n    exit 0\nfi\nLOG=\"${CC_ERROR_ALERT_LOG:-$HOME/.claude/session-errors.log}\"\nMISSION=\"${CC_CONTEXT_MISSION_FILE:-$HOME/mission.md}\"\nTS=$(date -Iseconds)\nmkdir -p \"$(dirname \"$LOG\")\" 2>/dev/null\necho \"[$TS] Session stopped: reason=$REASON event=$HOOK_EVENT\" >> \"$LOG\"\nif [ -z \"$WSL_DISTRO_NAME\" ]; then\n    notify-send \"Claude Code\" \"Session stopped: $REASON\" 2>/dev/null || true\n    osascript -e \"display notification \\\"Session stopped: $REASON\\\" with title \\\"Claude Code\\\"\" 2>/dev/null || true\nelse\n    powershell.exe -Command \"Write-Host 'Claude Code: Session stopped - $REASON'\" 2>/dev/null || true\nfi\nexit 0\n",
+  "clear-command-confirm-guard": "#!/bin/bash\n# clear-command-confirm-guard.sh — Block accidental /clear command\n#\n# Solves: /clear destroys all conversation context with zero\n#         confirmation. Prefix matching means /c + Enter can\n#         accidentally trigger /clear instead of /commit or /compact (#40931).\n#\n# How it works: Blocks /clear entirely. Use /compact to reduce\n#   context without losing it.\n#\n# TRIGGER: UserPromptSubmit\n# MATCHER: \"^/clear$\"\n\nINPUT=$(cat)\nPROMPT=$(echo \"$INPUT\" | jq -r '.prompt // empty' 2>/dev/null)\n\nif echo \"$PROMPT\" | grep -qE '^/clear$'; then\n  echo \"BLOCKED: /clear permanently destroys all context. Use /compact instead to reduce context safely.\" >&2\n  exit 2\nfi\nexit 0\n",
+  "claudemd-violation-detector": "#!/bin/bash\n# claudemd-violation-detector.sh — Remind critical CLAUDE.md rules after tool use\n#\n# Solves: Claude ignores CLAUDE.md instructions, especially after\n#         context compaction or in long sessions (#40930).\n#\n# How it works: After each tool use, extracts and prints\n#   critical rules (ABSOLUTE/MUST NEVER/NEVER/禁止) from CLAUDE.md\n#   as a reminder. Runs every N tool calls to avoid noise.\n#\n# TRIGGER: PostToolUse\n# MATCHER: \"\"\n\nset -euo pipefail\n\n# Rate limit: only remind every 20 tool calls\nCOUNTER_FILE=\"/tmp/claudemd-reminder-counter\"\nCOUNT=$(cat \"$COUNTER_FILE\" 2>/dev/null || echo \"0\")\nCOUNT=$((COUNT + 1))\necho \"$COUNT\" > \"$COUNTER_FILE\"\n[ $((COUNT % 20)) -ne 0 ] && exit 0\n\n# Find CLAUDE.md\nCLAUDEMD=\"\"\nfor candidate in \"CLAUDE.md\" \".claude/CLAUDE.md\" \"../CLAUDE.md\"; do\n  [ -f \"$candidate\" ] && CLAUDEMD=\"$candidate\" && break\ndone\n[ -z \"$CLAUDEMD\" ] && exit 0\n\n# Extract critical rules\nRULES=$(grep -iE '(ABSOLUTE|MUST NEVER|NEVER DO|禁止|絶対)' \"$CLAUDEMD\" 2>/dev/null | head -5 || true)\n[ -z \"$RULES\" ] && exit 0\n\necho \"📋 CLAUDE.md critical rules reminder:\" >&2\necho \"$RULES\" >&2\nexit 0\n",
+  "subagent-context-size-guard": "#!/bin/bash\n# subagent-context-size-guard.sh — Warn on thin subagent prompts\n#\n# Solves: Subagents get spawned with minimal context, leading to\n#         poor results because they lack necessary background (#40929).\n#         The parent agent assumes shared context, but each subagent\n#         starts fresh.\n#\n# How it works: Checks Agent tool's prompt parameter length.\n#   If under 100 characters, warns that the prompt may be too thin\n#   for a standalone agent to work effectively.\n#\n# TRIGGER: PreToolUse\n# MATCHER: \"Agent\"\n\nset -euo pipefail\nINPUT=$(cat)\nPROMPT=$(echo \"$INPUT\" | jq -r '.tool_input.prompt // empty' 2>/dev/null)\n\n[ -z \"$PROMPT\" ] && exit 0\n\nLEN=${#PROMPT}\nif [ \"$LEN\" -lt 100 ]; then\n  echo \"WARNING: Agent prompt is only ${LEN} chars. Subagents start with zero context — include enough background for them to work independently.\" >&2\nfi\nexit 0\n"
 }

package/tests/test-core-file-protect-guard.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+# Tests for core-file-protect-guard.sh
+# Run: bash tests/test-core-file-protect-guard.sh
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/core-file-protect-guard.sh"
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+test_hook_env() {
+    local env_var="$1" input="$2" expected_exit="$3" desc="$4"
+    local actual_exit=0
+    echo "$input" | env "$env_var" bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "core-file-protect-guard.sh tests"
+echo ""
+
+# --- Edit/Write on protected files (exit 2) ---
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"src/game_rules.py"}}' 2 "Edit rules file blocked"
+test_hook '{"tool_name":"Write","tool_input":{"file_path":"app/config.yaml"}}' 2 "Write config file blocked"
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"lib/core_engine.py"}}' 2 "Edit core file blocked"
+test_hook '{"tool_name":"Write","tool_input":{"file_path":"settings/core_settings.json"}}' 2 "Write core settings blocked"
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"data/combat_rules.json"}}' 2 "Edit combat_rules blocked"
+
+# --- Edit/Write on non-protected files (exit 0) ---
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"src/main.py"}}' 0 "Edit non-protected file allowed"
+test_hook '{"tool_name":"Write","tool_input":{"file_path":"src/utils.ts"}}' 0 "Write non-protected file allowed"
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"README.md"}}' 0 "Edit README allowed"
+
+# --- Bash sed/awk on protected files (exit 2) ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"sed -i s/old/new/ game_rules.txt"}}' 2 "sed -i on rules file blocked"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"awk -i inplace {print} core_logic.py"}}' 2 "awk -i on core file blocked"
+
+# --- Bash on non-protected files (exit 0) ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"sed -i s/x/y/ main.py"}}' 0 "sed -i on non-protected allowed"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"cat config.yaml"}}' 0 "cat (read) on protected name allowed"
+
+# --- Custom CC_PROTECTED_FILES ---
+test_hook_env "CC_PROTECTED_FILES=*schema*:*migration*" '{"tool_name":"Edit","tool_input":{"file_path":"db/schema.rb"}}' 2 "custom env: schema file blocked"
+test_hook_env "CC_PROTECTED_FILES=*schema*:*migration*" '{"tool_name":"Edit","tool_input":{"file_path":"src/game_rules.py"}}' 0 "custom env: rules file allowed (not in custom patterns)"
+
+# --- Edge cases ---
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":""}}' 0 "empty file path passes"
+test_hook '{"tool_name":"Bash","tool_input":{"command":""}}' 0 "empty command passes"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"echo hello"}}' 0 "echo command allowed"
+test_hook '{"tool_input":{"command":"ls"}}' 0 "no tool_name passes"
+test_hook '{}' 0 "empty input passes"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -gt 0 ] && exit 1
+echo "All tests passed!"

package/tests/test-deployment-verify-guard.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+# Tests for deployment-verify-guard.sh
+# Run: bash tests/test-deployment-verify-guard.sh
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/deployment-verify-guard.sh"
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+# Test that deploy command produces "Deploy detected" on stderr
+test_hook_stderr() {
+    local input="$1" pattern="$2" desc="$3"
+    local stderr
+    stderr=$(echo "$input" | bash "$HOOK" 2>&1 >/dev/null) || true
+    if echo "$stderr" | grep -qi "$pattern"; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected '$pattern' on stderr, got: $stderr)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "deployment-verify-guard.sh tests"
+echo ""
+
+# --- All commands exit 0 (non-blocking) ---
+test_hook '{"tool_input":{"command":"systemctl restart nginx"}}' 0 "deploy: systemctl restart exits 0"
+test_hook '{"tool_input":{"command":"docker restart myapp"}}' 0 "deploy: docker restart exits 0"
+test_hook '{"tool_input":{"command":"docker compose up -d"}}' 0 "deploy: docker compose up exits 0"
+test_hook '{"tool_input":{"command":"kubectl apply -f deploy.yaml"}}' 0 "deploy: kubectl apply exits 0"
+test_hook '{"tool_input":{"command":"terraform apply"}}' 0 "deploy: terraform apply exits 0"
+test_hook '{"tool_input":{"command":"fly deploy"}}' 0 "deploy: fly deploy exits 0"
+test_hook '{"tool_input":{"command":"heroku container:push web"}}' 0 "deploy: heroku push exits 0"
+
+# --- Verification commands exit 0 ---
+test_hook '{"tool_input":{"command":"curl http://localhost:3000/health"}}' 0 "verify: curl exits 0"
+test_hook '{"tool_input":{"command":"npm test"}}' 0 "verify: npm test exits 0"
+test_hook '{"tool_input":{"command":"pytest tests/"}}' 0 "verify: pytest exits 0"
+test_hook '{"tool_input":{"command":"docker logs myapp | tail"}}' 0 "verify: docker logs exits 0"
+test_hook '{"tool_input":{"command":"journalctl -u nginx --since 5min"}}' 0 "verify: journalctl exits 0"
+
+# --- Non-deploy non-verify commands ---
+test_hook '{"tool_input":{"command":"ls -la"}}' 0 "unrelated command exits 0"
+test_hook '{"tool_input":{"command":"git commit -m fix"}}' 0 "commit without deploy exits 0"
+
+# --- Edge cases ---
+test_hook '{"tool_input":{"command":"echo deploy"}}' 0 "echo deploy not tracked (echo skipped)"
+test_hook '{"tool_input":{"command":""}}' 0 "empty command passes"
+test_hook '{}' 0 "empty input passes"
+
+# --- Deploy detection stderr message ---
+test_hook_stderr \
+    '{"tool_input":{"command":"systemctl restart nginx"}}' \
+    "deploy detected" \
+    "deploy command emits detection message on stderr"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -gt 0 ] && exit 1
+echo "All tests passed!"

package/tests/test-git-operations-require-approval.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# Tests for git-operations-require-approval.sh
+# Run: bash tests/test-git-operations-require-approval.sh
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/git-operations-require-approval.sh"
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "git-operations-require-approval.sh tests"
+echo ""
+
+# --- Safe commands (exit 0) ---
+test_hook '{"tool_input":{"command":"git status"}}' 0 "git status allowed"
+test_hook '{"tool_input":{"command":"git log --oneline"}}' 0 "git log allowed"
+test_hook '{"tool_input":{"command":"git diff HEAD"}}' 0 "git diff allowed"
+test_hook '{"tool_input":{"command":"git show HEAD"}}' 0 "git show allowed"
+test_hook '{"tool_input":{"command":"git add src/main.ts"}}' 0 "git add allowed"
+test_hook '{"tool_input":{"command":"git stash"}}' 0 "git stash allowed"
+test_hook '{"tool_input":{"command":"git fetch origin"}}' 0 "git fetch allowed"
+test_hook '{"tool_input":{"command":"git branch -a"}}' 0 "git branch -a (list) allowed"
+test_hook '{"tool_input":{"command":"git branch --list"}}' 0 "git branch --list allowed"
+test_hook '{"tool_input":{"command":"git branch -d old-branch"}}' 0 "git branch -d (delete) allowed"
+test_hook '{"tool_input":{"command":"npm install"}}' 0 "non-git command allowed"
+
+# --- Blocked commands (exit 2) ---
+test_hook '{"tool_input":{"command":"git commit -m \"fix bug\""}}' 2 "git commit blocked"
+test_hook '{"tool_input":{"command":"git commit --amend"}}' 2 "git commit --amend blocked"
+test_hook '{"tool_input":{"command":"git push origin main"}}' 2 "git push blocked"
+test_hook '{"tool_input":{"command":"git push --force origin main"}}' 2 "git push --force blocked"
+test_hook '{"tool_input":{"command":"git push -f origin feature"}}' 2 "git push -f blocked"
+test_hook '{"tool_input":{"command":"git checkout -b new-branch"}}' 2 "git checkout -b blocked"
+test_hook '{"tool_input":{"command":"git switch -c feature"}}' 2 "git switch -c blocked"
+test_hook '{"tool_input":{"command":"git switch --create feature"}}' 2 "git switch --create blocked"
+test_hook '{"tool_input":{"command":"git branch feature-x"}}' 2 "git branch <name> blocked"
+
+# --- Compound commands ---
+test_hook '{"tool_input":{"command":"ls && git commit -m test"}}' 2 "compound && with commit blocked"
+test_hook '{"tool_input":{"command":"git add . ; git push origin main"}}' 2 "compound ; with push blocked"
+test_hook '{"tool_input":{"command":"test -f x || git commit -m y"}}' 2 "compound || with commit blocked"
+test_hook '{"tool_input":{"command":"git status && git log"}}' 0 "compound safe commands allowed"
+
+# --- Edge cases ---
+test_hook '{"tool_input":{"command":"echo git commit -m test"}}' 0 "echo git commit not blocked"
+test_hook '{"tool_input":{"command":"printf git push"}}' 0 "printf git push not blocked"
+test_hook '{"tool_input":{"command":""}}' 0 "empty command passes"
+test_hook '{}' 0 "empty input passes"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -gt 0 ] && exit 1
+echo "All tests passed!"