cc-safe-setup 29.6.32 → 29.6.36

package/examples/ci-workflow-guard.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# ci-workflow-guard.sh — Prevent dangerous CI/CD workflow modifications
+#
+# Solves: Claude modifying CI workflows to add `--no-verify`, skip tests,
+#         disable security scanning, or add overly broad permissions.
+#         A compromised workflow can exfiltrate secrets or deploy malicious code.
+#
+# How it works: PostToolUse hook on Edit/Write that checks workflow files
+#   for dangerous patterns after modification.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Edit|Write"
+
+set -euo pipefail
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+case "$TOOL" in Edit|Write) ;; *) exit 0 ;; esac
+
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Only check CI workflow files
+case "$FILE" in
+    .github/workflows/*.yml|.github/workflows/*.yaml) ;;
+    .gitlab-ci.yml|.circleci/config.yml|Jenkinsfile) ;;
+    */.github/workflows/*.yml) ;;
+    *) exit 0 ;;
+esac
+
+[ -f "$FILE" ] || exit 0
+
+WARNINGS=""
+
+# Check for dangerous patterns
+if grep -qE 'permissions:\s*write-all|permissions:\s*\{[^}]*contents:\s*write' "$FILE" 2>/dev/null; then
+    WARNINGS="${WARNINGS}  - Broad write permissions detected\n"
+fi
+
+if grep -qE '--no-verify|--skip-tests|--no-check|SKIP_CI|skip ci|\[ci skip\]' "$FILE" 2>/dev/null; then
+    WARNINGS="${WARNINGS}  - Test/verification skip detected\n"
+fi
+
+if grep -qE 'curl.*\|.*sh|wget.*\|.*bash|bash\s*<\(curl' "$FILE" 2>/dev/null; then
+    WARNINGS="${WARNINGS}  - Remote script execution (curl|sh) detected\n"
+fi
+
+if grep -qE 'dangerously-skip-permissions|--force|--no-verify' "$FILE" 2>/dev/null; then
+    WARNINGS="${WARNINGS}  - Safety bypass flags detected\n"
+fi
+
+if [ -n "$WARNINGS" ]; then
+    echo "WARNING: Potentially dangerous CI workflow changes:" >&2
+    echo "  File: $FILE" >&2
+    echo -e "$WARNINGS" >&2
+    echo "  Review these changes carefully before committing." >&2
+fi
+
+exit 0

package/examples/classifier-fallback-allow.sh

@@ -19,6 +19,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PermissionRequest  MATCHER: ""
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/claude-cache-gc.sh

@@ -0,0 +1,15 @@
+CLAUDE_DIR="$HOME/.claude"
+MAX_AGE_DAYS="${CC_GC_MAX_AGE:-30}"
+MAX_SIZE_MB="${CC_GC_MAX_SIZE:-500}"
+DRY_RUN="${CC_GC_DRY_RUN:-0}"
+find "$CLAUDE_DIR/projects" -name "*.jsonl" -mtime +"$MAX_AGE_DAYS" -type f 2>/dev/null | while read f; do
+    [ "$DRY_RUN" = "1" ] && echo "  [dry-run] would delete: $f" >&2 && continue
+    rm "$f"
+done
+find "$CLAUDE_DIR/projects" -maxdepth 1 -type d -empty -delete 2>/dev/null
+find "$CLAUDE_DIR" -path "*/tool-results/*" -mtime +"$MAX_AGE_DAYS" -type f -delete 2>/dev/null
+TOTAL_MB=$(du -sm "$CLAUDE_DIR" 2>/dev/null | cut -f1)
+if [ "$TOTAL_MB" -gt "$MAX_SIZE_MB" ] 2>/dev/null; then
+    echo "~/.claude is ${TOTAL_MB}MB (cap: ${MAX_SIZE_MB}MB)" >&2
+fi
+exit 0

package/examples/claudeignore-enforce-guard.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# claudeignore-enforce-guard.sh — Enforce .claudeignore at the tool level
+#
+# Solves: .claudeignore patterns not blocking Read/Edit/Grep tool calls (#16704).
+#         Claude can directly access files listed in .claudeignore via tool calls.
+#         This hook enforces ignore rules that the built-in system misses.
+#
+# How it works: PreToolUse hook on Read/Edit/Write/Grep that checks if the
+#   target file matches any pattern in .claudeignore. Uses glob-style matching.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Read|Edit|Write|Grep|Glob"
+
+set -euo pipefail
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Extract file path based on tool type
+case "$TOOL" in
+  Read|Edit|Write)
+    FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+    ;;
+  Grep|Glob)
+    FILE=$(echo "$INPUT" | jq -r '.tool_input.path // empty' 2>/dev/null)
+    ;;
+  *) exit 0 ;;
+esac
+
+[ -z "$FILE" ] && exit 0
+
+# Find .claudeignore in project root or current directory
+IGNORE_FILE=""
+for candidate in ".claudeignore" "../.claudeignore" "../../.claudeignore"; do
+  if [ -f "$candidate" ]; then
+    IGNORE_FILE="$candidate"
+    break
+  fi
+done
+
+[ -z "$IGNORE_FILE" ] && exit 0
+
+# Check each pattern in .claudeignore
+while IFS= read -r pattern || [ -n "$pattern" ]; do
+  # Skip empty lines and comments
+  [[ -z "$pattern" || "$pattern" == \#* ]] && continue
+  # Strip trailing whitespace
+  pattern=$(echo "$pattern" | sed 's/[[:space:]]*$//')
+  [ -z "$pattern" ] && continue
+
+  # Match: exact path, basename, or glob
+  BASENAME=$(basename "$FILE")
+  if [[ "$FILE" == $pattern ]] || [[ "$BASENAME" == $pattern ]] || [[ "$FILE" == */$pattern ]]; then
+    echo "BLOCKED: File '$FILE' matches .claudeignore pattern '$pattern'." >&2
+    echo "This file is excluded from Claude Code access." >&2
+    exit 2
+  fi
+done < "$IGNORE_FILE"
+
+exit 0

package/examples/claudemd-enforcer.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PostToolUse  MATCHER: "Bash"
 INPUT=$(cat)
 TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/claudemd-violation-detector.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# claudemd-violation-detector.sh — Remind critical CLAUDE.md rules after tool use
+#
+# Solves: Claude ignores CLAUDE.md instructions, especially after
+#         context compaction or in long sessions (#40930).
+#
+# How it works: After each tool use, extracts and prints
+#   critical rules (ABSOLUTE/MUST NEVER/NEVER/禁止) from CLAUDE.md
+#   as a reminder. Runs every N tool calls to avoid noise.
+#
+# TRIGGER: PostToolUse
+# MATCHER: ""
+
+set -euo pipefail
+
+# Rate limit: only remind every 20 tool calls
+COUNTER_FILE="/tmp/claudemd-reminder-counter"
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo "0")
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+[ $((COUNT % 20)) -ne 0 ] && exit 0
+
+# Find CLAUDE.md
+CLAUDEMD=""
+for candidate in "CLAUDE.md" ".claude/CLAUDE.md" "../CLAUDE.md"; do
+  [ -f "$candidate" ] && CLAUDEMD="$candidate" && break
+done
+[ -z "$CLAUDEMD" ] && exit 0
+
+# Extract critical rules
+RULES=$(grep -iE '(ABSOLUTE|MUST NEVER|NEVER DO|禁止|絶対)' "$CLAUDEMD" 2>/dev/null | head -5 || true)
+[ -z "$RULES" ] && exit 0
+
+echo "📋 CLAUDE.md critical rules reminder:" >&2
+echo "$RULES" >&2
+exit 0

package/examples/clear-command-confirm-guard.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# clear-command-confirm-guard.sh — Block accidental /clear command
+#
+# Solves: /clear destroys all conversation context with zero
+#         confirmation. Prefix matching means /c + Enter can
+#         accidentally trigger /clear instead of /commit or /compact (#40931).
+#
+# How it works: Blocks /clear entirely. Use /compact to reduce
+#   context without losing it.
+#
+# TRIGGER: UserPromptSubmit
+# MATCHER: "^/clear$"
+
+INPUT=$(cat)
+PROMPT=$(echo "$INPUT" | jq -r '.prompt // empty' 2>/dev/null)
+
+if echo "$PROMPT" | grep -qE '^/clear$'; then
+  echo "BLOCKED: /clear permanently destroys all context. Use /compact instead to reduce context safely." >&2
+  exit 2
+fi
+exit 0

package/examples/commit-message-check.sh

@@ -24,6 +24,8 @@
 #
 # The "if" field (v2.1.85+) skips this hook for non-commit commands.
 # Without "if", the hook still works — it checks internally and exits early.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/compact-blocker.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# ================================================================
+# compact-blocker.sh — Block auto-compaction entirely
+# ================================================================
+# PURPOSE:
+#   Power users who manage context manually (file-backed plans,
+#   checkpoint scripts) lose nuanced context when auto-compaction
+#   fires. This hook blocks compaction via exit code 2.
+#
+#   For conditional blocking (e.g., only during plan mode), modify
+#   the guard condition below.
+#
+# TRIGGER: PreCompact
+# MATCHER: (none — PreCompact has no matcher)
+#
+# DECISION: exit 2 = block compaction
+#
+# See: https://github.com/anthropics/claude-code/issues/6689
+# ================================================================
+
+# Unconditional block — compaction never fires
+# To make it conditional, add logic here:
+#   e.g., [ -f /tmp/allow-compact ] && exit 0
+echo '{"decision":"block","reason":"auto-compaction disabled by compact-blocker hook"}' >&2
+exit 2

package/examples/composer-guard.sh

@@ -17,6 +17,8 @@
 #   }
 # }
 # ================================================================
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/compound-command-allow.sh

@@ -23,6 +23,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PermissionRequest  MATCHER: ""
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/consecutive-failure-circuit-breaker.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# consecutive-failure-circuit-breaker.sh — Stop after repeated failures
+#
+# Solves: Claude escalating to destructive actions after repeated failures (#31946).
+#         Without this, Claude retries failing commands dozens of times,
+#         eventually trying increasingly dangerous alternatives.
+#
+# How it works: PostToolUse hook on Bash that tracks consecutive non-zero
+#   exit codes. After CC_MAX_CONSECUTIVE_FAILURES (default 3), blocks
+#   further Bash calls until a success resets the counter.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ "$TOOL" != "Bash" ] && exit 0
+
+EXIT_CODE=$(echo "$INPUT" | jq -r '.tool_result.exitCode // "0"' 2>/dev/null)
+MAX_FAILURES="${CC_MAX_CONSECUTIVE_FAILURES:-3}"
+COUNTER_FILE="/tmp/claude-consecutive-failures-${PPID:-0}"
+
+if [ "$EXIT_CODE" = "0" ]; then
+  # Success — reset counter
+  echo "0" > "$COUNTER_FILE"
+  exit 0
+fi
+
+# Failure — increment counter
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+
+if [ "$COUNT" -ge "$MAX_FAILURES" ]; then
+  echo "CIRCUIT BREAKER: $COUNT consecutive Bash failures detected." >&2
+  echo "" >&2
+  echo "Stop and reassess your approach. Repeated failures often lead to" >&2
+  echo "increasingly risky workarounds. Consider:" >&2
+  echo "  1. Read the error messages carefully" >&2
+  echo "  2. Check your assumptions" >&2
+  echo "  3. Try a completely different approach" >&2
+  echo "  4. Ask the user for help" >&2
+  # Don't block (exit 0) — just warn strongly via stderr
+  # PostToolUse can't block, but the warning enters context
+fi
+
+exit 0

package/examples/console-log-count.sh

@@ -1,3 +1,5 @@
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
 INPUT=$(cat)
 FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
 [[ -z "$FILE" ]] && exit 0

package/examples/context-compact-advisor.sh

@@ -0,0 +1,16 @@
+INPUT=$(cat)
+COUNTER="/tmp/cc-tool-count-$$"
+COUNT=$(cat "$COUNTER" 2>/dev/null || echo 0)
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER"
+THRESHOLD="${CC_COMPACT_THRESHOLD:-50}"
+if [ "$((COUNT % THRESHOLD))" -eq 0 ]; then
+    TRANSCRIPT=$(ls -t ~/.claude/projects/*/sessions/*/transcript.jsonl 2>/dev/null | head -1)
+    if [ -f "$TRANSCRIPT" ]; then
+        SIZE_KB=$(($(wc -c < "$TRANSCRIPT") / 1024))
+        if [ "$SIZE_KB" -gt 200 ]; then
+            echo "Context ~${SIZE_KB}KB ($COUNT calls). Consider /compact." >&2
+        fi
+    fi
+fi
+exit 0

package/examples/core-file-protect-guard.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+# ================================================================
+# core-file-protect-guard.sh — Block edits to core/config/rules files
+# ================================================================
+# PURPOSE:
+#   Claude Code sometimes makes unprompted architectural changes to
+#   game rules, configuration files, and core logic files. This hook
+#   blocks modifications to files matching configurable glob patterns.
+#
+# Protects files matching CC_PROTECTED_FILES patterns (colon-separated).
+# Default: "*rules*:*config*:*core*"
+#
+# Catches:
+#   - Edit/Write tool targeting protected files
+#   - Bash commands using sed -i or awk -i on protected files
+#
+# See: https://github.com/anthropics/claude-code/issues/40788
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write|Bash"
+#
+# Configuration:
+#   CC_PROTECTED_FILES — colon-separated glob patterns
+#   Default: "*rules*:*config*:*core*"
+# ================================================================
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Configurable protected file patterns (colon-separated globs)
+PROTECTED="${CC_PROTECTED_FILES:-*rules*:*config*:*core*}"
+
+# Convert colon-separated globs to a function that checks a filename
+matches_protected() {
+    local filepath="$1"
+    local basename
+    basename=$(basename "$filepath")
+
+    IFS=':' read -ra PATTERNS <<< "$PROTECTED"
+    for pattern in "${PATTERNS[@]}"; do
+        # Use bash glob matching (case-insensitive via shopt)
+        if [[ "$basename" == $pattern ]] || [[ "$filepath" == *$pattern* ]]; then
+            return 0
+        fi
+    done
+    return 1
+}
+
+# Handle Edit/Write tools
+if [[ "$TOOL" == "Edit" || "$TOOL" == "Write" ]]; then
+    FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+    [ -z "$FILE" ] && exit 0
+
+    if matches_protected "$FILE"; then
+        echo "BLOCKED: Cannot modify protected file: $FILE" >&2
+        echo "" >&2
+        echo "Protected patterns: $PROTECTED" >&2
+        echo "Configure with CC_PROTECTED_FILES env var." >&2
+        echo "" >&2
+        echo "See: https://github.com/anthropics/claude-code/issues/40788" >&2
+        exit 2
+    fi
+    exit 0
+fi
+
+# Handle Bash tool — check for sed -i / awk -i targeting protected files
+if [[ "$TOOL" == "Bash" ]]; then
+    COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+    [ -z "$COMMAND" ] && exit 0
+
+    # Skip echo/printf
+    echo "$COMMAND" | grep -qE '^\s*(echo|printf)\s' && exit 0
+
+    # Check for sed -i or awk -i inplace targeting protected files
+    if echo "$COMMAND" | grep -qE '(sed\s+-i|awk\s+-i\s+inplace)'; then
+        # Extract potential file arguments from the command
+        IFS=':' read -ra PATTERNS <<< "$PROTECTED"
+        for pattern in "${PATTERNS[@]}"; do
+            if echo "$COMMAND" | grep -qE "$pattern"; then
+                echo "BLOCKED: In-place edit targets protected file pattern: $pattern" >&2
+                echo "" >&2
+                echo "Command: $COMMAND" >&2
+                echo "Protected patterns: $PROTECTED" >&2
+                echo "" >&2
+                echo "See: https://github.com/anthropics/claude-code/issues/40788" >&2
+                exit 2
+            fi
+        done
+    fi
+fi
+
+exit 0

package/examples/cors-star-warn.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
 [ -z "$COMMAND" ] && exit 0
 # PostToolUse matcher: Edit|Write

package/examples/credential-exfil-guard.sh

@@ -21,6 +21,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/credential-file-cat-guard.sh

@@ -18,6 +18,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/cron-modification-guard.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# cron-modification-guard.sh — Block unreviewed cron job modifications
+#
+# Solves: Claude creating cron jobs that sabotage live services (#40421).
+#         A cron job that polls 200 content IDs against a single-connection
+#         proxy caused stream resets every 10 minutes for days.
+#
+# Why this matters:
+#   Cron jobs are persistent, invisible, and run unattended. A bad cron
+#   can cause sustained damage long after the session ends. This hook
+#   blocks crontab edits, /etc/cron.d writes, and systemd timer creation.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Detect cron/timer modifications
+if echo "$COMMAND" | grep -qEi '(crontab\s+-[elr]|crontab\s+[^-]|systemctl\s+(enable|start|restart)\s+.*\.timer|(^|\s|;|&&|\|)at\s+)'; then
+  echo "BLOCKED: Cron/timer modification requires manual review." >&2
+  echo "" >&2
+  echo "Command: $COMMAND" >&2
+  echo "" >&2
+  echo "Cron jobs are persistent and run unattended. Before creating one:" >&2
+  echo "  1. Will this interfere with live services?" >&2
+  echo "  2. Does it access shared resources (DB, API, proxy)?" >&2
+  echo "  3. What happens if it fails silently?" >&2
+  exit 2
+fi
+
+# Also catch writing to cron directories
+if echo "$COMMAND" | grep -qE '>\s*/etc/cron\.|tee\s+/etc/cron\.'; then
+  echo "BLOCKED: Direct write to cron directory." >&2
+  echo "Command: $COMMAND" >&2
+  exit 2
+fi
+
+exit 0

package/examples/cwd-drift-detector.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# cwd-drift-detector.sh — Warn when destructive commands run outside project root
+#
+# Solves: Claude frequently loses track of which directory
+#         it is in, risking destructive commands in the wrong
+#         location (#1669). git reset --hard in the wrong
+#         directory can destroy unrelated work.
+#
+# How it works: For destructive commands (git reset, rm -rf,
+#   git clean, git checkout -- .), checks if the current
+#   directory looks like a project root (has .git, package.json,
+#   etc). Warns if it doesn't.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+set -euo pipefail
+INPUT=$(cat)
+
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check destructive commands
+if ! echo "$COMMAND" | grep -qE '(git\s+(reset|clean|checkout\s+--|push\s+--force)|rm\s+-rf|DROP\s+TABLE|DROP\s+DATABASE)'; then
+  exit 0
+fi
+
+# Check if we're in a project root
+CWD=$(pwd)
+IS_PROJECT=false
+
+for marker in .git package.json Cargo.toml go.mod pyproject.toml Makefile; do
+  if [ -e "$CWD/$marker" ]; then
+    IS_PROJECT=true
+    break
+  fi
+done
+
+if [ "$IS_PROJECT" = false ]; then
+  echo "WARNING: Destructive command detected outside project root." >&2
+  echo "  CWD: $CWD" >&2
+  echo "  Command: $(echo "$COMMAND" | head -c 100)" >&2
+  echo "  No project markers (.git, package.json, etc) found." >&2
+  echo "  Verify you are in the correct directory." >&2
+fi
+
+exit 0

package/examples/cwd-project-boundary-guard.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# cwd-project-boundary-guard.sh — Warn when cd leaves the project directory
+#
+# Solves: Claude navigating to system directories or other projects
+#         and making changes outside the intended scope. Especially
+#         dangerous with auto-approve, where writes to /etc or
+#         other projects go unchallenged.
+#
+# How it works: CwdChanged hook that tracks the project root and warns
+#   when the working directory moves outside it.
+#
+# CONFIG:
+#   CC_PROJECT_ROOT (auto-detected if not set)
+#
+# TRIGGER: CwdChanged
+# MATCHER: "" (CwdChanged has no matcher support)
+
+set -euo pipefail
+
+INPUT=$(cat)
+NEW_CWD=$(echo "$INPUT" | jq -r '.cwd // empty' 2>/dev/null)
+[ -z "$NEW_CWD" ] && exit 0
+
+# Determine project root
+PROJECT_ROOT="${CC_PROJECT_ROOT:-}"
+if [ -z "$PROJECT_ROOT" ]; then
+    # Auto-detect: find nearest .git directory
+    PROJECT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || echo "")
+fi
+[ -z "$PROJECT_ROOT" ] && exit 0
+
+# Normalize paths
+PROJECT_ROOT=$(realpath "$PROJECT_ROOT" 2>/dev/null || echo "$PROJECT_ROOT")
+NEW_CWD=$(realpath "$NEW_CWD" 2>/dev/null || echo "$NEW_CWD")
+
+# Check if new cwd is inside project
+case "$NEW_CWD" in
+    "$PROJECT_ROOT"|"$PROJECT_ROOT"/*)
+        # Inside project — OK
+        exit 0
+        ;;
+    *)
+        echo "WARNING: Working directory left project boundary." >&2
+        echo "  Project: $PROJECT_ROOT" >&2
+        echo "  New cwd: $NEW_CWD" >&2
+        echo "  Changes outside the project may affect other systems." >&2
+        ;;
+esac
+
+exit 0

package/examples/denied-action-retry-guard.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# denied-action-retry-guard.sh — Block re-attempts of denied tool calls
+#
+# Solves: Model retries the same operation after user explicitly denied it (#40156).
+#         Claude asks "shall I git push?", user says no, Claude tries git push anyway.
+#
+# How it works: PreToolUse hook that tracks denied operations via a state file.
+#   When a tool call is blocked (exit 2 from any hook), the command signature
+#   is recorded. If the same signature appears again, it's auto-blocked.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash|Edit|Write"
+
+set -euo pipefail
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+COMMAND=""
+
+case "$TOOL" in
+  Bash) COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null) ;;
+  Edit|Write) COMMAND=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null) ;;
+  *) exit 0 ;;
+esac
+
+[ -z "$COMMAND" ] && exit 0
+
+DENY_FILE="/tmp/claude-denied-actions-${PPID:-0}"
+
+# Check if this action was previously denied
+if [ -f "$DENY_FILE" ]; then
+  # Normalize: take first 80 chars as signature
+  SIG=$(echo "$COMMAND" | head -c 80 | md5sum | cut -d' ' -f1)
+  if grep -q "$SIG" "$DENY_FILE" 2>/dev/null; then
+    echo "BLOCKED: This action was previously denied in this session." >&2
+    echo "Do not retry denied actions. Try a different approach." >&2
+    exit 2
+  fi
+fi
+
+exit 0

package/examples/dependency-install-guard.sh

@@ -16,6 +16,8 @@
 # - Packages in ALLOWLIST (customize below)
 #
 # Usage: Add to settings.json as a PreToolUse hook on "Bash"
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)

package/examples/deploy-guard.sh

@@ -17,6 +17,8 @@
 #     }]
 #   }
 # }
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
 
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)