cc-safe-setup 29.6.39 → 29.6.40

package/README.md

@@ -4,7 +4,7 @@
 [![npm downloads](https://img.shields.io/npm/dw/cc-safe-setup)](https://www.npmjs.com/package/cc-safe-setup)
 [![tests](https://github.com/yurukusa/cc-safe-setup/actions/workflows/test.yml/badge.svg)](https://github.com/yurukusa/cc-safe-setup/actions/workflows/test.yml)
 
-**One command to make Claude Code safe for autonomous operation.** 650 example hooks · 14,078 tests · 1,000+ installs/day · [日本語](docs/README.ja.md)
+**One command to make Claude Code safe for autonomous operation.** 653 example hooks · 9,200+ tests · 1,200+ installs/week · [日本語](docs/README.ja.md)
 
 ```bash
 npx cc-safe-setup
@@ -14,7 +14,7 @@ Installs 8 safety hooks in ~10 seconds. Blocks `rm -rf /`, prevents pushes to ma
 
 > **What's a hook?** A checkpoint that runs before Claude executes a command. Like airport security — it inspects what's about to happen and blocks anything dangerous before it reaches the gate.
 
-[**Getting Started**](https://yurukusa.github.io/cc-safe-setup/getting-started.html) · [**All Tools**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [**Recipes**](https://yurukusa.github.io/cc-safe-setup/recipes.html) · [Validate your settings.json](https://yurukusa.github.io/cc-safe-setup/validator.html) · [**Check your score**](https://yurukusa.github.io/cc-health-check/) (`npx cc-health-check`)
+[**Getting Started**](https://yurukusa.github.io/cc-safe-setup/getting-started.html) · [**Hook Selector**](https://yurukusa.github.io/cc-safe-setup/hook-selector.html) · [**All Tools**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [**Recipes**](https://yurukusa.github.io/cc-safe-setup/recipes.html) · [Validate your settings.json](https://yurukusa.github.io/cc-safe-setup/validator.html) · [**Check your score**](https://yurukusa.github.io/cc-health-check/) (`npx cc-health-check`)
 
 ```
   cc-safe-setup
@@ -29,6 +29,8 @@ Installs 8 safety hooks in ~10 seconds. Blocks `rm -rf /`, prevents pushes to ma
   ✗ API keys committed to public repos via git add .
   ✗ Syntax errors cascading through 30+ files
   ✗ Sessions losing all context with no warning
+  ✗ CLAUDE.md rules silently ignored after context compaction
+  ✗ Subagents ignoring all CLAUDE.md rules since v2.1.84 (#40459)
 
   Hooks to install:
 
@@ -47,12 +49,16 @@ Installs 8 safety hooks in ~10 seconds. Blocks `rm -rf /`, prevents pushes to ma
 
 ## Why This Exists
 
-A Claude Code user [lost their entire C:\Users directory](https://github.com/anthropics/claude-code/issues/36339) when `rm -rf` followed NTFS junctions. Another [lost all source code](https://github.com/anthropics/claude-code/issues/37331) when Claude ran `Remove-Item -Recurse -Force *` on a repo. Others had untested code pushed to main at 3am. API keys got committed via `git add .`. Syntax errors cascaded through 30+ files before anyone noticed.
+A Claude Code user [lost their entire C:\Users directory](https://github.com/anthropics/claude-code/issues/36339) when `rm -rf` followed NTFS junctions. Another [lost all source code](https://github.com/anthropics/claude-code/issues/37331) when Claude ran `Remove-Item -Recurse -Force *` on a repo. Others had untested code pushed to main at 3am. API keys got committed via `git add .`. Syntax errors cascaded through 30+ files before anyone noticed. And [CLAUDE.md rules get silently dropped](https://github.com/anthropics/claude-code/issues/6354) after context compaction — your instructions vanish mid-session.
+
+One user [analyzed 6,852 sessions](https://github.com/anthropics/claude-code/issues/42796) and found the Read:Edit ratio dropped from 6.6 to 2.0 — Claude editing files it never read jumped from 6% to 34%. That issue has over 1,000 reactions. The `read-before-edit` example hook catches this pattern before damage happens.
 
 Claude Code ships with no safety hooks by default. This tool fixes that.
 
 **Works with Auto Mode.** Claude Code's [Auto Mode sandboxing](https://www.anthropic.com/engineering/claude-code-sandboxing) provides container-level isolation. cc-safe-setup adds process-level hooks as defense-in-depth — catching destructive commands even outside sandboxed environments.
 
+**Works with subagents.** Since v2.1.84, subagents and teammates [don't receive CLAUDE.md](https://github.com/anthropics/claude-code/issues/40459) — your project rules are silently skipped. Hooks operate at the process level, but [subagent tool calls may bypass PreToolUse hooks](https://github.com/anthropics/claude-code/issues/21460) in some configurations. As defense-in-depth, cc-safe-setup installs hooks at the user level (`~/.claude/settings.json`). The `subagent-claudemd-inject` example hook re-injects critical rules into subagent prompts.
+
 ## What Gets Installed
 
 | Hook | Prevents | Related Issues |
@@ -120,6 +126,7 @@ Guards against issues that corrupt sessions or waste tokens silently.
 | `mcp-warmup-wait` | Waits for MCP servers to initialize on session start (fixes first-turn tool errors) | [#41778](https://github.com/anthropics/claude-code/issues/41778) |
 | `pre-compact-transcript-backup` | Full JSONL backup before compaction (protects against rate-limit data loss) | [#40352](https://github.com/anthropics/claude-code/issues/40352) |
 | `conversation-history-guard` | Blocks access to session JSONL files (prevents 20x cache poisoning) | [#40524](https://github.com/anthropics/claude-code/issues/40524) |
+| `read-before-edit` | Warns when Edit targets a file not recently Read (Read:Edit ratio dropped 70% — [#42796](https://github.com/anthropics/claude-code/issues/42796)) | [#42796](https://github.com/anthropics/claude-code/issues/42796) |
 | `replace-all-guard` | Warns/blocks Edit `replace_all:true` (prevents bulk data corruption) | [#41681](https://github.com/anthropics/claude-code/issues/41681) |
 | `ripgrep-permission-fix` | Auto-fixes vendored ripgrep +x permission on start (fixes broken commands/skills) | [#41933](https://github.com/anthropics/claude-code/issues/41933) |
 
@@ -146,7 +153,7 @@ Guards against issues that corrupt sessions or waste tokens silently.
 | `--scan [--apply]` | Tech stack detection |
 | `--export / --import` | Team config sharing |
 | `--verify` | Test each hook |
-| `--install-example <name>` | Install from 650 examples |
+| `--install-example <name>` | Install from 653 examples |
 | `--examples [filter]` | Browse examples by keyword |
 | `--full` | All-in-one setup |
 | `--status` | Check installed hooks |
@@ -245,7 +252,10 @@ Safe to run multiple times. Existing settings are preserved. A backup is created
 
 **Note:** Hooks are skipped when Claude Code runs with `--bare` or `--dangerously-skip-permissions`. These modes bypass all safety hooks by design.
 
-**Known limitation:** In headless mode (`-p` / `--print`), hook exit code 2 may not block tool execution ([#36071](https://github.com/anthropics/claude-code/issues/36071)). For CI pipelines, use interactive mode with hooks rather than `-p` mode.
+**Known limitations:**
+
+- In headless mode (`-p` / `--print`), hook exit code 2 may not block tool execution ([#36071](https://github.com/anthropics/claude-code/issues/36071)). For CI pipelines, use interactive mode with hooks rather than `-p` mode.
+- `FileChanged` notifications inject file contents into model context **before** hooks can intervene. If a sensitive file (`.env`, `credentials.json`) is modified externally during a session, its contents may appear in the conversation transcript regardless of hooks ([#44909](https://github.com/anthropics/claude-code/issues/44909)). Mitigation: use `dotenv-watch` to get alerted, and avoid editing sensitive files while Claude Code is running.
 
 ## Before / After
 

package/TROUBLESHOOTING.md

@@ -335,6 +335,32 @@ This prevents `ToolSearch` deferred loading and preserves the cache prefix acros
 
 **Related issues**: [#41249](https://github.com/anthropics/claude-code/issues/41249), [#41788](https://github.com/anthropics/claude-code/issues/41788), [#38335](https://github.com/anthropics/claude-code/issues/38335), [#40524](https://github.com/anthropics/claude-code/issues/40524), [#41617](https://github.com/anthropics/claude-code/issues/41617)
 
+## Multiple Hook Sources: stdin Race Condition
+
+**Symptom**: Safety hooks appear installed but don't block dangerous commands. No errors, no warnings — hooks just silently allow everything.
+
+**Root cause**: When multiple `PreToolUse` hooks match the same tool (e.g., two hooks both matching `Bash`), only the first hook receives stdin. The second hook gets empty input, all guard conditions fail, and it exits 0 (allow). This is an upstream Claude Code bug ([#42702](https://github.com/anthropics/claude-code/issues/42702)).
+
+**When this happens**:
+- cc-safe-setup hooks + another hook provider (e.g., project-level `.claude/settings.json` hooks)
+- cc-safe-setup hooks + manually added hooks in `~/.claude/settings.json` that match the same trigger
+
+**When this does NOT happen**:
+- cc-safe-setup is the only hook source (default install)
+
+**How to verify your hooks receive input**:
+
+Add a temporary debug line to the top of a hook:
+
+```bash
+INPUT=$(cat)
+echo "DEBUG: input length = ${#INPUT}" >&2
+```
+
+If you see `input length = 0`, that hook is not receiving stdin.
+
+**Workaround**: Ensure only one hook source matches each trigger+matcher combination. If you need multiple hooks on the same trigger, combine them into a single script.
+
 ## Still Stuck?
 
 1. Wrap the hook with debug wrapper: `npx cc-safe-setup --install-example hook-debug-wrapper`

package/examples/README.md

@@ -1,6 +1,6 @@
 # Example Hooks
 
-518 installable hooks. Each solves a real problem from GitHub Issues or autonomous operation. 7,603 tests.
+658 installable hooks. Each solves a real problem from GitHub Issues or autonomous operation. 9,200+ tests.
 
 ```bash
 npx cc-safe-setup --install-example <name>   # install one

package/examples/activity-logger.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+# activity-logger.sh — Log all tool uses to JSONL for audit and debugging
+#
+# Solves: "What did Claude do overnight?" — no activity trail after long sessions
+# Also useful for: error tracking, cost analysis, compliance auditing
+#
+# Records every tool call with timestamp, tool name, and key metadata.
+# Error patterns in Bash output are flagged for downstream guards.
+#
+# Usage: Add to settings.json as a PostToolUse hook
+#
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "bash ~/.claude/hooks/activity-logger.sh" }]
+#     }]
+#   }
+# }
+#
+# Output: ~/.claude/activity-log.jsonl
+# Each line is a JSON object with ts, tool, and tool-specific fields.
+
+set -u
+
+INPUT=$(cat)
+TOOL=$(printf '%s' "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ -z "$TOOL" ] && exit 0
+
+LOG_FILE="${HOME}/.claude/activity-log.jsonl"
+TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+case "$TOOL" in
+  Edit|Write)
+    FILE=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+    printf '{"ts":"%s","tool":"%s","file":"%s"}\n' "$TS" "$TOOL" "$FILE" >> "$LOG_FILE"
+    ;;
+  Bash)
+    CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null | head -c 200)
+    STDOUT=$(printf '%s' "$INPUT" | jq -r '.stdout // empty' 2>/dev/null | head -c 500)
+    EXIT_CODE=$(printf '%s' "$INPUT" | jq -r '.tool_result.exit_code // "0"' 2>/dev/null)
+    ERROR_PATTERN=""
+    if echo "$STDOUT" | grep -qiE '(error|ENOENT|EACCES|EPERM|fatal|panic|segfault)'; then
+      ERROR_PATTERN=$(echo "$STDOUT" | grep -oiE '(error|ENOENT|EACCES|EPERM|fatal|panic|segfault)' | head -1)
+    fi
+    printf '{"ts":"%s","tool":"%s","cmd":"%s","exit_code":%s,"error_pattern":"%s"}\n' \
+      "$TS" "$TOOL" "$(echo "$CMD" | tr '"' "'")" "$EXIT_CODE" "$ERROR_PATTERN" >> "$LOG_FILE"
+    ;;
+  Read)
+    FILE=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+    printf '{"ts":"%s","tool":"%s","file":"%s"}\n' "$TS" "$TOOL" "$FILE" >> "$LOG_FILE"
+    ;;
+  *)
+    printf '{"ts":"%s","tool":"%s"}\n' "$TS" "$TOOL" >> "$LOG_FILE"
+    ;;
+esac
+
+exit 0

package/examples/allow-claude-settings.sh

@@ -25,8 +25,9 @@ if echo "$FILE_PATH" | grep -qE '\.claude/'; then
   jq -n '{
     hookSpecificOutput: {
       hookEventName: "PermissionRequest",
-      permissionDecision: "allow",
-      permissionDecisionReason: "Allowed: .claude/ directory (isolated environment)"
+      decision: {
+        behavior: "allow"
+      }
     }
   }'
   exit 0

package/examples/allow-git-hooks-dir.sh

@@ -21,8 +21,9 @@ if echo "$FILE_PATH" | grep -qE '\.git/hooks/[^/]+$'; then
   jq -n '{
     hookSpecificOutput: {
       hookEventName: "PermissionRequest",
-      permissionDecision: "allow",
-      permissionDecisionReason: "Allowed: git hooks directory"
+      decision: {
+        behavior: "allow"
+      }
     }
   }'
   exit 0

package/examples/allow-protected-dirs.sh

@@ -24,8 +24,9 @@ if echo "$FILE_PATH" | grep -qE '\.(claude|git|vscode|idea)/'; then
   jq -n '{
     hookSpecificOutput: {
       hookEventName: "PermissionRequest",
-      permissionDecision: "allow",
-      permissionDecisionReason: "Allowed: protected directory (full bypass)"
+      decision: {
+        behavior: "allow"
+      }
     }
   }'
   exit 0

package/examples/bash-heuristic-approver.sh

@@ -51,7 +51,7 @@ SAFE_COMMANDS="git|npm|npx|bun|yarn|pnpm|docker|make|cargo|go|pip|python3|node|t
 BASE_CMD=$(echo "$COMMAND" | tr '\n' ' ' | sed 's/^[[:space:]]*//' | sed 's/^[A-Z_]*=[^ ]* //' | sed 's/^cd [^&;]* *[&;]* *//' | awk '{print $1}' | sed 's|.*/||')
 
 if echo "$BASE_CMD" | grep -qE "^($SAFE_COMMANDS)$"; then
-  echo '{"permissionDecision":"allow"}'
+  jq -n '{"hookSpecificOutput":{"hookEventName":"PermissionRequest","decision":{"behavior":"allow"}}}'
   exit 0
 fi
 

package/examples/decision-warn.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# decision-warn.sh — Warn and log irreversible operations
+#
+# Solves: "Why did Claude push to production?" — no decision trail for critical actions
+# Detects dangerous operations (git push, rm -rf, database commands) and logs them
+# to a decision log for post-incident analysis.
+#
+# Usage: Add to settings.json as a PostToolUse hook
+#
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "bash ~/.claude/hooks/decision-warn.sh" }]
+#     }]
+#   }
+# }
+#
+# Output: ~/.claude/decision-log.jsonl
+# Each entry logs the command, timestamp, and detected risk category.
+
+set -u
+
+INPUT=$(cat)
+TOOL=$(printf '%s' "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ "$TOOL" = "Bash" ] || exit 0
+
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+LOG_FILE="${HOME}/.claude/decision-log.jsonl"
+TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+RISK=""
+
+# Detect irreversible operations
+if echo "$CMD" | grep -qE 'git\s+push'; then
+  RISK="git-push"
+elif echo "$CMD" | grep -qE 'git\s+reset\s+--hard'; then
+  RISK="git-reset-hard"
+elif echo "$CMD" | grep -qE 'rm\s+(-rf|--recursive)'; then
+  RISK="destructive-delete"
+elif echo "$CMD" | grep -qiE '(DROP\s+(TABLE|DATABASE)|TRUNCATE|DELETE\s+FROM)'; then
+  RISK="database-destructive"
+elif echo "$CMD" | grep -qE 'npm\s+publish'; then
+  RISK="npm-publish"
+elif echo "$CMD" | grep -qE 'curl\s+.*-X\s*(DELETE|PUT|POST)'; then
+  RISK="api-mutation"
+fi
+
+[ -z "$RISK" ] && exit 0
+
+printf '{"ts":"%s","risk":"%s","cmd":"%s"}\n' \
+  "$TS" "$RISK" "$(echo "$CMD" | head -c 200 | tr '"' "'")" >> "$LOG_FILE"
+
+echo "[DECISION] $RISK: $(echo "$CMD" | head -c 100)" >&2
+echo "  → Logged to: $LOG_FILE" >&2
+
+exit 0

package/examples/direnv-auto-reload.sh

@@ -24,8 +24,15 @@ OLD_CWD=$(echo "$INPUT" | jq -r '.old_cwd // empty' 2>/dev/null)
 if [ -f "${NEW_CWD}/.envrc" ]; then
     echo "📂 Directory changed: found .envrc in ${NEW_CWD}" >&2
     if command -v direnv &>/dev/null; then
-        echo "  direnv: auto-allowing and loading" >&2
-        cd "$NEW_CWD" && direnv allow . 2>/dev/null && eval "$(direnv export bash 2>/dev/null)"
+        # Write exports to CLAUDE_ENV_FILE so Claude Code picks them up
+        # (eval in a subshell would be lost — CLAUDE_ENV_FILE persists to BashTool)
+        if [ -n "$CLAUDE_ENV_FILE" ]; then
+            echo "  direnv: auto-allowing and writing to CLAUDE_ENV_FILE" >&2
+            cd "$NEW_CWD" && direnv allow . 2>/dev/null && \
+                direnv export bash > "$CLAUDE_ENV_FILE" 2>/dev/null
+        else
+            echo "  ⚠ CLAUDE_ENV_FILE not set — direnv exports won't persist" >&2
+        fi
     else
         echo "  ⚠ direnv not installed — .envrc found but not loaded" >&2
     fi

package/examples/dotenv-commit-guard.sh

@@ -28,15 +28,21 @@ if echo "$COMMAND" | grep -qE 'git\s+add\s+.*\.env'; then
     exit 2
 fi
 
-# Check for git add -A/-f that might include .env
-if echo "$COMMAND" | grep -qE 'git\s+add\s+(-A|--all|-f|--force)\b'; then
-    # Check if .env exists in the working directory
+# Check for git add -f/--force (bypasses .gitignore — can stage secrets)
+# GitHub Issue anthropics/claude-code#44730: auto-mode used git add -f to
+# force-add .gitignore'd secret files, exposing credentials in a commit.
+if echo "$COMMAND" | grep -qE 'git\s+add\s+.*(-f|--force)\b'; then
+    echo "BLOCKED: 'git add --force' bypasses .gitignore and can stage secret files." >&2
+    echo "  Use 'git add <specific-file>' without --force instead." >&2
+    exit 2
+fi
+
+# Check for git add -A/--all that might include .env
+if echo "$COMMAND" | grep -qE 'git\s+add\s+(-A|--all)\b'; then
     if [ -f ".env" ] || [ -f ".env.local" ] || [ -f ".env.production" ]; then
-        # Check if .gitignore excludes it
         if ! git check-ignore -q .env 2>/dev/null; then
             echo "WARNING: 'git add -A' with .env file not in .gitignore." >&2
             echo "  Add .env to .gitignore before staging all files." >&2
-            # Warning only for git add -A
         fi
     fi
 fi

package/examples/proof-log-session.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# proof-log-session.sh — Generate session summary on Stop event
+#
+# Solves: "What did the AI do last week?" — activity logs exist but are unreadable
+# Creates a human-readable 5W1H summary from the activity log at session end.
+#
+# Usage: Add to settings.json as a Stop hook
+#
+# {
+#   "hooks": {
+#     "Stop": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "bash ~/.claude/hooks/proof-log-session.sh" }]
+#     }]
+#   }
+# }
+#
+# Output: ~/ops/proof-log/YYYY-MM-DD.md (appended)
+# Requires: activity-logger.sh to be running as a PostToolUse hook
+
+set -u
+
+LOG_FILE="${HOME}/.claude/activity-log.jsonl"
+DATE=$(date +"%Y-%m-%d")
+PROOF_DIR="${HOME}/ops/proof-log"
+PROOF_FILE="${PROOF_DIR}/${DATE}.md"
+
+mkdir -p "$PROOF_DIR"
+
+[ ! -f "$LOG_FILE" ] && exit 0
+
+# Count today's activity
+TODAY_START=$(date -u -d "today 00:00:00" +"%Y-%m-%dT" 2>/dev/null || date -u +"%Y-%m-%dT")
+EDIT_COUNT=$(grep -c '"tool":"Edit"' "$LOG_FILE" 2>/dev/null) || EDIT_COUNT=0
+WRITE_COUNT=$(grep -c '"tool":"Write"' "$LOG_FILE" 2>/dev/null) || WRITE_COUNT=0
+BASH_COUNT=$(grep -c '"tool":"Bash"' "$LOG_FILE" 2>/dev/null) || BASH_COUNT=0
+READ_COUNT=$(grep -c '"tool":"Read"' "$LOG_FILE" 2>/dev/null) || READ_COUNT=0
+ERROR_COUNT=$(grep -c '"error_pattern":"[^"]*[a-zA-Z]' "$LOG_FILE" 2>/dev/null) || ERROR_COUNT=0
+
+# Get edited files
+FILES=$(grep '"tool":"Edit\|Write"' "$LOG_FILE" 2>/dev/null | jq -r '.file // empty' 2>/dev/null | sort -u | head -10)
+
+{
+  echo ""
+  echo "## Session $(date +"%H:%M")"
+  echo "- Edit: ${EDIT_COUNT}, Write: ${WRITE_COUNT}, Bash: ${BASH_COUNT}, Read: ${READ_COUNT}"
+  [ "$ERROR_COUNT" -gt 0 ] && echo "- Errors detected: ${ERROR_COUNT}"
+  if [ -n "$FILES" ]; then
+    echo "- Files touched:"
+    echo "$FILES" | while read -r f; do
+      [ -n "$f" ] && echo "  - $f"
+    done
+  fi
+} >> "$PROOF_FILE"
+
+# Rotate activity log (keep last 1000 lines)
+LINE_COUNT=$(wc -l < "$LOG_FILE" 2>/dev/null) || LINE_COUNT=0
+if [ "$LINE_COUNT" -gt 1000 ]; then
+  tail -1000 "$LOG_FILE" > "${LOG_FILE}.tmp" && mv "${LOG_FILE}.tmp" "$LOG_FILE"
+fi
+
+exit 0

package/index.mjs

@@ -690,6 +690,14 @@ function examples() {
       'write-overwrite-confirm.sh': 'Warn when Write tool overwrites large files',
       'write-secret-guard.sh': 'Block secrets from being written to files',
       'write-shrink-guard.sh': 'Block writes that drastically shrink files',
+      'cch-cache-guard.sh': 'Block reads of session files to prevent cache poisoning',
+      'conversation-history-guard.sh': 'Block modifications to conversation history',
+      'image-file-validator.sh': 'Block reads of fake image files that corrupt sessions',
+      'permission-denial-enforcer.sh': 'Block alternative write methods after permission denial',
+      'read-only-mode.sh': 'Block all file modifications and destructive commands',
+      'replace-all-guard.sh': 'Warn when Edit uses replace_all: true',
+      'task-integrity-guard.sh': 'Prevent Claude from deleting tasks to hide unfinished work',
+      'working-directory-fence.sh': 'Block file operations outside current working directory',
     },
     'Auto-Approve': {
       'allow-claude-settings.sh': 'PermissionRequest hook',
@@ -927,6 +935,9 @@ function examples() {
       'tool-call-rate-limiter.sh': 'Prevent runaway tool calls',
       'tool-file-logger.sh': 'Log file paths from Read/Write/Edit to stderr',
       'usage-cache-local.sh': 'Cache usage info locally to avoid API calls',
+      'compact-alert-notification.sh': 'Warn when context compaction is imminent',
+      'prompt-usage-logger.sh': 'Log every prompt with timestamps',
+      'subagent-error-detector.sh': 'Detect failed subagent results',
     },
     'Recovery': {
       'auto-checkpoint.sh': 'Auto-commit after every edit for rollback protection',
@@ -956,6 +967,10 @@ function examples() {
       'session-summary.sh': 'Session Summary',
       'settings-auto-backup.sh': 'Auto-backup settings on session start',
       'terminal-state-restore.sh': 'terminal-state-restore — restore terminal to clean state on session exit',
+      'pre-compact-transcript-backup.sh': 'Backup transcript before compaction',
+      'ripgrep-permission-fix.sh': 'Auto-fix ripgrep execute permission on session start',
+      'session-backup-on-start.sh': 'Backup session JSONL files on start',
+      'session-index-repair.sh': 'Rebuild sessions-index.json on exit',
     },
     'UX': {
       'auto-answer-question.sh': 'Auto-answer AskUserQuestion for headless/autonomous mode',
@@ -1028,6 +1043,7 @@ function examples() {
     },
     'Other': {
       'token-spike-alert.sh': 'Alert on abnormal token consumption per turn',
+      'mcp-warmup-wait.sh': 'Wait for MCP servers to be ready on session start',
     },
   };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.39",
+  "version": "29.6.40",
   "description": "One command to make Claude Code safe. 650 example hooks + 8 built-in. 56 CLI commands. Token consumption diagnosis. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {