cc-safe-setup 29.6.39 → 29.7.0

package/examples/auto-compact-context-monitor.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# auto-compact-context-monitor.sh — Detect unexpected auto-compaction via context size drops
+#
+# PreCompact hooks do NOT fire on auto-compaction (only on manual /compact).
+# This PostToolUse hook monitors for sudden context size drops that indicate
+# auto-compaction occurred without PreCompact firing.
+#
+# Born from: https://github.com/anthropics/claude-code/issues/50467
+# Related: https://github.com/anthropics/claude-code/issues/50492 (24% early fire)
+#
+# TRIGGER: PostToolUse  MATCHER: ""
+# Runs after every tool use to track context size changes.
+
+INPUT=$(cat)
+
+# Track context tokens (approximate via tool input size)
+MONITOR_FILE="/tmp/cc-context-monitor-$$"
+CURRENT_SIZE=$(echo "$INPUT" | wc -c)
+
+if [ -f "$MONITOR_FILE" ]; then
+    PREV_SIZE=$(cat "$MONITOR_FILE")
+    # If current input is significantly smaller than previous (>50% drop),
+    # auto-compaction likely occurred
+    if [ "$PREV_SIZE" -gt 1000 ] && [ "$CURRENT_SIZE" -gt 0 ]; then
+        RATIO=$((CURRENT_SIZE * 100 / PREV_SIZE))
+        if [ "$RATIO" -lt 30 ]; then
+            echo "⚠ AUTO-COMPACTION DETECTED: Context dropped ${RATIO}% (${PREV_SIZE}→${CURRENT_SIZE} bytes)" >&2
+            echo "  PreCompact hooks did NOT fire for this compaction (#50467)" >&2
+            echo "  Important context may have been lost. Verify key facts." >&2
+        fi
+    fi
+fi
+
+echo "$CURRENT_SIZE" > "$MONITOR_FILE"
+exit 0

package/examples/auto-mode-safety-enforcer.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# auto-mode-safety-enforcer.sh — Block dangerous operations in auto/acceptEdits mode
+#
+# Solves: Auto mode safety classifier hardcoded to opus-4-6, fails with Opus 4.7
+#   - #49618: Safety classifier doesn't work with non-opus-4-6 models
+#   - #49554: auto mode approved ~/.ssh deletion
+#   - #18740: Auto-allow mode data loss without warning
+#
+# How it works: PreToolUse hook on Bash that blocks destructive commands
+#   regardless of which model or permission mode is active. Acts as a
+#   user-space safety net when the built-in classifier fails.
+#
+# What it blocks:
+#   - rm -rf on non-safe paths (/, ~, .., /home, /etc, /usr, /var, .git)
+#   - Credential file deletion (.ssh, .git-credentials, .env, .npmrc)
+#   - dd/mkfs/fdisk (disk operations)
+#   - kill -9 on system processes
+#   - chmod 777 on sensitive paths
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# --- Critical rm operations ---
+if echo "$COMMAND" | grep -qE '(^|\s|;|&&|\|)(sudo\s+)?rm\s'; then
+    # Always block rm on root-level and home-level critical paths
+    if echo "$COMMAND" | grep -qE 'rm\s.*(/\s|/;|/$|~\/?\s|~\/?$|~\/\.|/home\b|/etc\b|/usr\b|/var\b|/opt\b|/root\b)'; then
+        echo "BLOCKED: rm targeting critical system/home path" >&2
+        echo "This operation would cause irreversible data loss." >&2
+        echo "Command: $COMMAND" >&2
+        exit 2
+    fi
+    # Block rm on dotfiles in home directory
+    if echo "$COMMAND" | grep -qE "rm\s.*(${HOME}|\~)/\."; then
+        echo "BLOCKED: rm targeting home dotfile" >&2
+        echo "Command: $COMMAND" >&2
+        exit 2
+    fi
+fi
+
+# --- Disk-level operations ---
+if echo "$COMMAND" | grep -qE '(^|\s)(sudo\s+)?(dd\s+.*of=/dev|mkfs\.|fdisk\s|parted\s)'; then
+    echo "BLOCKED: Disk-level operation (dd/mkfs/fdisk/parted)" >&2
+    exit 2
+fi
+
+# --- Kill system processes ---
+if echo "$COMMAND" | grep -qE 'kill\s+(-9\s+)?1$|killall\s+(init|systemd)'; then
+    echo "BLOCKED: Killing system process" >&2
+    exit 2
+fi
+
+exit 0

package/examples/background-task-guard.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# background-task-guard.sh — Audit background Bash execution
+#
+# Solves: run_in_background:true on Bash tool skips the approval
+# prompt, allowing dangerous commands to execute without user
+# confirmation. (#46950)
+#
+# How it works: Checks if a Bash command is running in background
+# mode. If the command matches dangerous patterns (destructive ops,
+# network access, file deletion), blocks it. Background execution
+# should only be used for safe, read-only operations.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+# Check if this is a background execution
+# Note: run_in_background is in tool_input for Bash
+IS_BG=$(echo "$INPUT" | jq -r '.tool_input.run_in_background // false' 2>/dev/null)
+[ "$IS_BG" != "true" ] && exit 0
+
+# Background execution detected — apply strict safety rules
+# Only allow read-only commands in background
+
+# Block destructive operations
+if echo "$CMD" | grep -qiE '\brm\s+-rf\b|\bgit\s+(push|reset|clean|checkout\s+--)\b|\bchmod\b|\bchown\b'; then
+    echo "BLOCKED: Destructive command not allowed in background mode." >&2
+    echo "  Background tasks skip approval prompts — run this in foreground." >&2
+    exit 2
+fi
+
+# Block network writes
+if echo "$CMD" | grep -qiE 'curl\s+.*-X\s*(POST|PUT|PATCH|DELETE)|curl\s+.*--data|curl\s+.*-d\s|wget\s+.*--post'; then
+    echo "BLOCKED: Network write operation not allowed in background mode." >&2
+    echo "  Background tasks skip approval prompts — run this in foreground." >&2
+    exit 2
+fi
+
+# Block file writes to sensitive locations
+if echo "$CMD" | grep -qiE '>\s*(/etc/|/usr/|/var/|~/.ssh/|~/.gnupg/|~/.claude/settings)'; then
+    echo "BLOCKED: Write to sensitive path not allowed in background mode." >&2
+    echo "  Background tasks skip approval prompts — run this in foreground." >&2
+    exit 2
+fi
+
+# Block process killing
+if echo "$CMD" | grep -qiE '\bkill\b|\bkillall\b|\bpkill\b'; then
+    echo "BLOCKED: Process termination not allowed in background mode." >&2
+    exit 2
+fi
+
+exit 0

package/examples/bash-heuristic-approver.sh

@@ -51,7 +51,7 @@ SAFE_COMMANDS="git|npm|npx|bun|yarn|pnpm|docker|make|cargo|go|pip|python3|node|t
 BASE_CMD=$(echo "$COMMAND" | tr '\n' ' ' | sed 's/^[[:space:]]*//' | sed 's/^[A-Z_]*=[^ ]* //' | sed 's/^cd [^&;]* *[&;]* *//' | awk '{print $1}' | sed 's|.*/||')
 
 if echo "$BASE_CMD" | grep -qE "^($SAFE_COMMANDS)$"; then
-  echo '{"permissionDecision":"allow"}'
+  jq -n '{"hookSpecificOutput":{"hookEventName":"PermissionRequest","decision":{"behavior":"allow"}}}'
   exit 0
 fi
 

package/examples/broad-find-guard.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# broad-find-guard.sh — Block overly broad find/locate commands that scan the entire home directory
+#
+# Solves: Claude Code running `find $HOME` or `find /` which scans all user files,
+#         triggering OneDrive/iCloud/Dropbox to download synced files (#51010)
+#
+# Detects patterns like:
+#   find / -name "CLAUDE.md"
+#   find ~ -name "*.py"
+#   find $HOME -type f
+#   find /c/Users/username -name "*.md"
+#   locate "CLAUDE.md"
+#
+# Why: On Windows/macOS, cloud sync folders (OneDrive, iCloud, Dropbox) are
+#      under the home directory. A broad `find` traverses them and triggers
+#      downloading of ALL synced files — potentially gigabytes of data.
+#      Claude Code should only search project-scoped directories.
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/broad-find-guard.sh" }]
+#     }]
+#   }
+# }
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Pattern 1: find starting from root
+if echo "$COMMAND" | grep -qE 'find\s+/\s'; then
+    echo "BLOCKED: find from root (/) scans entire filesystem. Use a project-scoped path instead." >&2
+    exit 2
+fi
+
+# Pattern 2: find starting from home directory (various forms)
+if echo "$COMMAND" | grep -qE 'find\s+(~|\$HOME|/home/[a-zA-Z0-9_]+|/Users/[a-zA-Z0-9_]+|/c/Users/[a-zA-Z0-9_]+)\s'; then
+    echo "BLOCKED: find from home directory scans all user files including cloud sync folders (OneDrive/iCloud/Dropbox). Use a specific project path instead." >&2
+    exit 2
+fi
+
+# Pattern 3: find with -maxdepth 0 or 1 from home is OK (shallow), but deep scans are not
+# This pattern catches find ~ without further path restriction
+if echo "$COMMAND" | grep -qE 'find\s+(~|\$HOME|/home/|/Users/|/c/Users/)\b' && ! echo "$COMMAND" | grep -qE '\-maxdepth\s+[01]'; then
+    echo "BLOCKED: broad find from home directory. Add -maxdepth or use a specific subdirectory to avoid scanning cloud sync folders." >&2
+    exit 2
+fi
+
+# Pattern 4: locate without project-scoping (scans entire DB)
+if echo "$COMMAND" | grep -qE '^\s*locate\s' && ! echo "$COMMAND" | grep -qE 'locate.*--database|locate.*-d\s'; then
+    echo "BLOCKED: locate searches the entire filesystem index. Use find with a specific directory instead." >&2
+    exit 2
+fi
+
+exit 0

package/examples/cache-creation-spike-detector.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# cache-creation-spike-detector.sh — cache_creationスパイクを検知して警告
+# Why: smooshSystemReminderSiblings関数がsystem-reminderを毎ターンtool_result.contentに
+#      折り込むことで、プロンプトキャッシュのプレフィックスが変わり、cache_creationが
+#      数十万トークン単位でスパイクする (#49585)。5xの消費率上昇報告あり (#49593)
+# Event: PostToolUse (全ツール実行後にチェック)
+# Action: cache_creation_input_tokensが閾値を超えた場合に警告
+
+INPUT=$(cat)
+# PostToolUseではusageデータにアクセスできないため、
+# /costコマンド出力のログファイルで累積cache_creationを追跡する
+CACHE_LOG="/tmp/cc-cache-creation-tracker.log"
+THRESHOLD=100000  # 100Kトークン以上でcache_creation警告
+
+# 10回に1回だけチェック（パフォーマンス配慮）
+COUNTER_FILE="/tmp/cache-spike-check-counter"
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo "0")
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+[ $((COUNT % 10)) -ne 0 ] && exit 0
+
+# セッション開始からの経過時間をチェック
+SESSION_START=$(stat -c %Y /tmp/cache-spike-check-counter 2>/dev/null || echo "0")
+NOW=$(date +%s)
+ELAPSED=$((NOW - SESSION_START))
+
+# セッション開始10分以内はスキップ（初期キャッシュ構築は正常）
+[ "$ELAPSED" -lt 600 ] && exit 0
+
+echo "INFO: cache_creationスパイク検知hookが動作中。異常なトークン消費を感じたら /cost で確認してください。" >&2
+echo "詳細: https://github.com/anthropics/claude-code/issues/49585" >&2
+exit 0

package/examples/case-insensitive-path-guard.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+# case-insensitive-path-guard.sh — Detect path case mismatches on case-insensitive filesystems
+#
+# Solves: Claude Code resolving paths with wrong case on macOS APFS (case-insensitive),
+#   causing rm -rf to destroy unintended directories
+#   - #48792: rm -rf WebstormProjects/ destroyed webstormprojects/ (10 years of work)
+#   - #49102: Same APFS bug, second catastrophic loss in 48 hours
+#
+# How it works:
+#   For rm/mv/cp commands targeting paths under $HOME, resolves the ACTUAL
+#   filesystem path and compares case. If the specified path exists only via
+#   case-insensitive matching (e.g., "Projects" matches "projects/"), blocks
+#   the command because the user likely intended a different directory.
+#
+# Platform: macOS only (APFS case-insensitive is default). On Linux (ext4, case-sensitive),
+#   the guard exits cleanly since case mismatches simply won't resolve.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check destructive commands
+echo "$COMMAND" | grep -qE '\b(rm|mv|cp)\s' || exit 0
+
+# Skip if not macOS (Linux filesystems are case-sensitive by default)
+if [ "$(uname)" != "Darwin" ]; then
+    exit 0
+fi
+
+# Extract target paths from destructive commands
+# Handles: rm -rf path, mv path dest, cp -r path dest
+TARGETS=""
+
+# rm: all non-flag arguments
+if echo "$COMMAND" | grep -qE '\brm\s'; then
+    TARGETS=$(echo "$COMMAND" | grep -oP '\brm\s+(-[a-zA-Z]+\s+)*\K[^\s;&|]+(\s+[^\s;&|]+)*' 2>/dev/null || true)
+fi
+
+# mv: first non-flag argument (source)
+if echo "$COMMAND" | grep -qE '\bmv\s'; then
+    MV_TARGET=$(echo "$COMMAND" | grep -oP '\bmv\s+(-[a-zA-Z]+\s+)*\K\S+' 2>/dev/null || true)
+    TARGETS="$TARGETS $MV_TARGET"
+fi
+
+[ -z "$TARGETS" ] && exit 0
+
+# Expand ~ to $HOME
+TARGETS=$(echo "$TARGETS" | sed "s|~|$HOME|g")
+
+for target in $TARGETS; do
+    # Skip flags
+    echo "$target" | grep -q '^-' && continue
+
+    # Skip safe disposable paths
+    echo "$target" | grep -qE '(node_modules|\.cache|__pycache__|/tmp/|dist/|build/)' && continue
+
+    # Only check paths under home directory (most risk)
+    echo "$target" | grep -qE "^($HOME|~)" || continue
+
+    # Resolve the canonical path using the filesystem
+    # On case-insensitive APFS, /Users/me/Projects resolves even if actual is /Users/me/projects
+    CANONICAL=$(python3 -c "
+import os, sys
+p = os.path.expanduser('$target')
+# Walk up to find the longest existing prefix
+check = p
+while check and not os.path.exists(check):
+    check = os.path.dirname(check)
+if not check:
+    sys.exit(0)
+# Get the real path (canonical case)
+real = os.path.realpath(check)
+# Get the suffix that was beyond the existing part
+suffix = p[len(check):]
+print(real + suffix)
+" 2>/dev/null || echo "")
+
+    [ -z "$CANONICAL" ] && continue
+
+    # Compare: if the specified path differs in case from the canonical path
+    if [ "$target" != "$CANONICAL" ] && [ "${target,,}" = "${CANONICAL,,}" ] 2>/dev/null; then
+        echo "BLOCKED: Case mismatch detected on case-insensitive filesystem" >&2
+        echo "  Specified: $target" >&2
+        echo "  Actual:    $CANONICAL" >&2
+        echo "  On macOS APFS, these resolve to the SAME directory." >&2
+        echo "  This mismatch has caused catastrophic data loss (#48792, #49102)." >&2
+        echo "  Verify the path case matches the actual filesystem before proceeding." >&2
+        exit 2
+    fi
+done
+
+exit 0

package/examples/cjk-punctuation-guard.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# cjk-punctuation-guard.sh — Detect CJK punctuation corruption after Write/Edit
+#
+# Solves: Claude Code's Write and Edit tools silently convert full-width CJK
+#         punctuation to half-width ASCII (，→, 。→. 「→" etc.) without warning.
+#         This corrupts Chinese, Japanese, and Korean text.
+#         (GitHub Issue #50975)
+#
+# How it works:
+#   After Write or Edit, checks if the file contains CJK characters.
+#   If yes, runs git diff to see if any full-width punctuation was replaced
+#   with half-width equivalents in the same commit.
+#
+# TRIGGER: PostToolUse  MATCHER: "Write|Edit"
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.file // empty' 2>/dev/null)
+
+[ -z "$FILE" ] || [ ! -f "$FILE" ] && exit 0
+
+# Only check files that contain CJK characters
+if ! grep -Pq '[\p{Han}\p{Hiragana}\p{Katakana}\p{Hangul}]' "$FILE" 2>/dev/null; then
+    exit 0
+fi
+
+# Check git diff for punctuation changes (full-width → half-width)
+DIFF=$(git diff -- "$FILE" 2>/dev/null)
+[ -z "$DIFF" ] && exit 0
+
+# Detect suspicious patterns: removed full-width, added half-width in same hunk
+# Common corruptions: ，→, 。→. 、→, ：→: ；→; ！→! ？→? 「→" 」→" （→( ）→)
+REMOVED_FW=$(echo "$DIFF" | grep '^-' | grep -Pc '[，。、：；！？「」（）【】『』]' 2>/dev/null || echo 0)
+ADDED_HW=$(echo "$DIFF" | grep '^+' | grep -Pc '[,\.;:!\?\(\)\[\]]' 2>/dev/null || echo 0)
+
+if [ "$REMOVED_FW" -gt 0 ] && [ "$ADDED_HW" -gt 0 ]; then
+    echo "⚠ WARNING: CJK punctuation may have been corrupted in $FILE" >&2
+    echo "  $REMOVED_FW lines with full-width punctuation removed" >&2
+    echo "  $ADDED_HW lines with half-width punctuation added" >&2
+    echo "  Review: git diff -- \"$FILE\"" >&2
+    echo "  Undo:   git checkout -- \"$FILE\"" >&2
+    # Warning only (exit 0), not blocking — the write already happened
+fi
+
+exit 0

package/examples/clipboard-secret-guard.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# clipboard-secret-guard.sh — Block secrets from being copied to clipboard
+#
+# Solves: Claude Code may pipe sensitive data (API keys, tokens, passwords)
+#   to clipboard utilities (pbcopy, xclip, xsel, wl-copy). This leaks
+#   secrets outside the terminal where they persist and may sync to cloud.
+#
+# How it works: PreToolUse hook that detects clipboard commands containing
+#   secret-like patterns. Blocks the operation.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+# CATEGORY: security
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+# Check if command pipes to clipboard
+if echo "$CMD" | grep -qiE '(pbcopy|xclip|xsel|wl-copy|clip\.exe)'; then
+    # Check if the piped content looks like it contains secrets
+    if echo "$CMD" | grep -qiE '(api.?key|secret|token|password|passwd|credential|private.?key|Bearer|AWS_|ANTHROPIC_|OPENAI_)'; then
+        echo "BLOCKED: Attempting to copy secret-like content to clipboard." >&2
+        echo "  Clipboard data may sync to cloud or persist after session." >&2
+        exit 2
+    fi
+fi
+
+exit 0

package/examples/context-size-alert.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+# context-size-alert.sh — Warn when context window usage exceeds threshold
+# Trigger: PostToolUse
+# Matcher: (empty — runs after every tool use)
+#
+# Since v2.1.100, the system prompt grew ~40-50% (~4,000 tokens).
+# This hook monitors context usage and warns before you hit limits.
+# See: https://github.com/anthropics/claude-code/issues/46339
+#
+# Optimization tips: https://zenn.dev/yurukusa/books/token-savings-guide
+#
+# TRIGGER: PostToolUse  MATCHER: ""
+
+INPUT=$(cat)
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // empty' 2>/dev/null)
+
+# Only check every 10th invocation to minimize overhead
+COUNTER_FILE="/tmp/context-size-alert-${SESSION_ID:-default}.count"
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+[ $((COUNT % 10)) -ne 0 ] && exit 0
+
+# Check if /cost or /context data is available via transcript
+TRANSCRIPT=$(echo "$INPUT" | jq -r '.transcript_path // empty' 2>/dev/null)
+[ -z "$TRANSCRIPT" ] && exit 0
+
+# Count approximate context by transcript file size (rough proxy)
+if [ -f "$TRANSCRIPT" ]; then
+    SIZE_KB=$(du -k "$TRANSCRIPT" | cut -f1)
+    # Rough threshold: 500KB transcript ≈ approaching context limits
+    if [ "$SIZE_KB" -gt 500 ]; then
+        echo "⚠ Context is large (~${SIZE_KB}KB transcript). Consider /compact or /clear to reduce token cost." >&2
+        echo "  Tip: Run /context to see exact usage breakdown." >&2
+    fi
+fi
+
+exit 0

package/examples/context-usage-drift-alert.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# context-usage-drift-alert.sh — コンテキスト使用率の急増を検知
+# Why: 1Mコンテキストモデルで実際124%使用中にUI上60%と表示される問題 (#50204)。
+#      予告なくauto-compactが発火してコンテキストが消失する。
+#      ツール呼び出し回数でコンテキスト消費を推定し、警告する。
+# Event: PostToolUse  MATCHER: ""
+# Action: セッション内のツール呼び出し回数が閾値を超えたら警告
+
+COUNTER_FILE="/tmp/cc-context-usage-counter-$$"
+# セッションPIDが変わると新しいカウンターになる
+# フォールバック: 親PIDでグループ化
+if [ ! -f "$COUNTER_FILE" ]; then
+  COUNTER_FILE="/tmp/cc-context-usage-counter-$(date +%Y%m%d)"
+fi
+
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo "0")
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+
+# 50回: 注意喚起、100回: 強い警告、150回: compact推奨
+if [ "$COUNT" -eq 50 ]; then
+  echo "📊 Session checkpoint: $COUNT tool calls. Context may be growing large." >&2
+  echo "Run /cost to check actual usage. UI display may undercount by 2x (#50204)." >&2
+elif [ "$COUNT" -eq 100 ]; then
+  echo "⚠ HIGH CONTEXT USAGE: $COUNT tool calls this session." >&2
+  echo "UI may show ~50% when actual usage is near 100%. Consider /compact." >&2
+  echo "Unexpected auto-compact can erase your working context. See: #50204" >&2
+elif [ "$COUNT" -eq 150 ]; then
+  echo "🚨 VERY HIGH CONTEXT: $COUNT tool calls. Auto-compact likely imminent." >&2
+  echo "Save important state to files NOW. Run /compact manually to control what's kept." >&2
+fi
+
+exit 0

package/examples/dangerous-pip-flag-guard.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# dangerous-pip-flag-guard.sh — Block dangerous pip flags that bypass safety
+#
+# Solves: Claude Code using pip install with dangerous flags in auto mode
+#   - #48992: pip install --break-system-packages passed through auto mode
+#   - Breaks system Python installations, can render OS tools unusable
+#
+# What it blocks:
+#   --break-system-packages (bypasses PEP 668 externally-managed check)
+#   --force-reinstall combined with system paths
+#   pip install targeting /usr/lib or /usr/local/lib directly
+#
+# What it allows:
+#   pip install in virtual environments (venv/conda)
+#   pip install --user (installs to user directory)
+#   pip install in project directories
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check pip commands
+echo "$COMMAND" | grep -qE '\bpip[3]?\s+install\b' || exit 0
+
+# Block --break-system-packages
+if echo "$COMMAND" | grep -qE '\-\-break-system-packages'; then
+    echo "BLOCKED: --break-system-packages flag detected" >&2
+    echo "This flag bypasses PEP 668 protection and can break your system Python." >&2
+    echo "Use a virtual environment instead: python3 -m venv .venv && source .venv/bin/activate" >&2
+    exit 2
+fi
+
+# Block sudo pip install (system-wide install without venv)
+if echo "$COMMAND" | grep -qE '\bsudo\s+pip[3]?\s+install\b'; then
+    echo "BLOCKED: sudo pip install detected" >&2
+    echo "System-wide pip install can break OS tools. Use a virtual environment." >&2
+    exit 2
+fi
+
+# Block pip targeting system directories
+if echo "$COMMAND" | grep -qE '\bpip[3]?\s+install\b.*\-\-target\s*=?\s*/(usr|opt|lib)'; then
+    echo "BLOCKED: pip install targeting system directory" >&2
+    echo "Installing packages to system directories can break OS tools." >&2
+    exit 2
+fi
+
+exit 0

package/examples/decision-warn.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# decision-warn.sh — Warn and log irreversible operations
+#
+# Solves: "Why did Claude push to production?" — no decision trail for critical actions
+# Detects dangerous operations (git push, rm -rf, database commands) and logs them
+# to a decision log for post-incident analysis.
+#
+# Usage: Add to settings.json as a PostToolUse hook
+#
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "bash ~/.claude/hooks/decision-warn.sh" }]
+#     }]
+#   }
+# }
+#
+# Output: ~/.claude/decision-log.jsonl
+# Each entry logs the command, timestamp, and detected risk category.
+
+set -u
+
+INPUT=$(cat)
+TOOL=$(printf '%s' "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ "$TOOL" = "Bash" ] || exit 0
+
+CMD=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+LOG_FILE="${HOME}/.claude/decision-log.jsonl"
+TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+RISK=""
+
+# Detect irreversible operations
+if echo "$CMD" | grep -qE 'git\s+push'; then
+  RISK="git-push"
+elif echo "$CMD" | grep -qE 'git\s+reset\s+--hard'; then
+  RISK="git-reset-hard"
+elif echo "$CMD" | grep -qE 'rm\s+(-rf|--recursive)'; then
+  RISK="destructive-delete"
+elif echo "$CMD" | grep -qiE '(DROP\s+(TABLE|DATABASE)|TRUNCATE|DELETE\s+FROM)'; then
+  RISK="database-destructive"
+elif echo "$CMD" | grep -qE 'npm\s+publish'; then
+  RISK="npm-publish"
+elif echo "$CMD" | grep -qE 'curl\s+.*-X\s*(DELETE|PUT|POST)'; then
+  RISK="api-mutation"
+fi
+
+[ -z "$RISK" ] && exit 0
+
+printf '{"ts":"%s","risk":"%s","cmd":"%s"}\n' \
+  "$TS" "$RISK" "$(echo "$CMD" | head -c 200 | tr '"' "'")" >> "$LOG_FILE"
+
+echo "[DECISION] $RISK: $(echo "$CMD" | head -c 100)" >&2
+echo "  → Logged to: $LOG_FILE" >&2
+
+exit 0