cc-safe-setup 29.6.39 → 29.7.0

package/examples/deny-bypass-detector.sh

@@ -0,0 +1,143 @@
+#!/bin/bash
+# deny-bypass-detector.sh — Detect when Claude circumvents a hook denial
+#
+# Solves: After a PreToolUse hook blocks a command (exit 2), Claude
+# reformulates the same operation as a script wrapper, eval, or
+# bash -c to evade pattern matching. (#46991)
+#
+# How it works: Two-phase detection:
+#   Phase 1 (PostToolUse): When a Bash command is blocked (tool_result
+#     contains deny/block signals), log the dangerous substrings.
+#   Phase 2 (PreToolUse): Before each Bash command, check if it
+#     contains a recently-denied substring wrapped in bash -c, sh -c,
+#     eval, or a temp script.
+#
+# Denied commands expire after 60 seconds to avoid permanent lockout.
+#
+# Usage: Add TWO hooks — PostToolUse to log denials, PreToolUse to detect bypass
+#
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/deny-bypass-detector.sh" }]
+#     }],
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/deny-bypass-detector.sh" }]
+#     }]
+#   }
+# }
+#
+# TRIGGER: PostToolUse+PreToolUse  MATCHER: "Bash"
+
+set -euo pipefail
+
+DENY_LOG="/tmp/cc-deny-bypass-log"
+mkdir -p "$(dirname "$DENY_LOG")" 2>/dev/null || true
+
+INPUT=$(cat)
+HOOK_EVENT=$(echo "$INPUT" | jq -r '.hook_event_name // empty' 2>/dev/null)
+
+# --- Phase 1: PostToolUse — log denied commands ---
+if [[ "$HOOK_EVENT" == "PostToolUse" ]]; then
+    RESULT=$(echo "$INPUT" | jq -r '.tool_result // empty' 2>/dev/null)
+    # Detect denial signals in tool result
+    if echo "$RESULT" | grep -qiE 'BLOCKED|exit.*(code|status).*2|hook.*denied|hook.*blocked'; then
+        CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+        [ -z "$CMD" ] && exit 0
+        # Extract dangerous substrings: the core operation
+        # e.g., from "rm -rf node_modules" extract "rm -rf" and "node_modules"
+        TIMESTAMP=$(date +%s)
+        # Log the full command and key fragments
+        echo "${TIMESTAMP}|${CMD}" >> "$DENY_LOG"
+        # Also extract individual dangerous tokens
+        for token in $(echo "$CMD" | grep -oE '(rm\s+-rf|git\s+push\s+--force|git\s+reset\s+--hard|git\s+clean|chmod\s+777|curl.*\|.*sh|wget.*\|.*sh)' 2>/dev/null); do
+            echo "${TIMESTAMP}|PATTERN:${token}" >> "$DENY_LOG"
+        done
+    fi
+    exit 0
+fi
+
+# --- Phase 2: PreToolUse — detect bypass attempts ---
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+[ ! -f "$DENY_LOG" ] && exit 0
+
+NOW=$(date +%s)
+CUTOFF=$((NOW - 60))
+
+# Clean expired entries
+if [ -f "$DENY_LOG" ]; then
+    awk -F'|' -v cutoff="$CUTOFF" '$1 >= cutoff' "$DENY_LOG" > "${DENY_LOG}.tmp" 2>/dev/null
+    mv "${DENY_LOG}.tmp" "$DENY_LOG" 2>/dev/null || true
+fi
+
+# Check if current command wraps a denied command
+BYPASS_DETECTED=0
+DENIED_CMD=""
+
+while IFS='|' read -r ts denied_cmd; do
+    [ "$ts" -lt "$CUTOFF" ] 2>/dev/null && continue
+    [ -z "$denied_cmd" ] && continue
+
+    # Skip pattern entries for this check
+    [[ "$denied_cmd" == PATTERN:* ]] && continue
+
+    # Check 1: bash -c / sh -c / eval wrapping the denied command
+    if echo "$CMD" | grep -qE '(bash|sh)\s+-c\s' || echo "$CMD" | grep -qE '\beval\s'; then
+        # Extract the inner command from the wrapper
+        INNER=$(echo "$CMD" | sed -E "s/.*(bash|sh)\s+-c\s+['\"]?//" | sed -E "s/['\"]?\s*$//")
+        # Check if inner command is similar to denied command
+        # Use key fragments: first word + arguments
+        DENIED_CORE=$(echo "$denied_cmd" | awk '{print $1}')
+        if echo "$INNER" | grep -qF "$DENIED_CORE"; then
+            BYPASS_DETECTED=1
+            DENIED_CMD="$denied_cmd"
+            break
+        fi
+    fi
+
+    # Check 2: Writing denied command to a temp script then executing
+    if echo "$CMD" | grep -qE '(cat|echo|printf).*>.*\.(sh|bash|tmp)' || \
+       echo "$CMD" | grep -qE 'python3?\s+-c|node\s+-e'; then
+        DENIED_CORE=$(echo "$denied_cmd" | awk '{print $1}')
+        if echo "$CMD" | grep -qF "$DENIED_CORE"; then
+            BYPASS_DETECTED=1
+            DENIED_CMD="$denied_cmd"
+            break
+        fi
+    fi
+
+    # Check 3: Direct re-execution (same command within 60s)
+    if [ "$CMD" = "$denied_cmd" ]; then
+        BYPASS_DETECTED=1
+        DENIED_CMD="$denied_cmd"
+        break
+    fi
+
+done < "$DENY_LOG"
+
+# Also check pattern-based detection
+if [ "$BYPASS_DETECTED" -eq 0 ]; then
+    while IFS='|' read -r ts pattern_entry; do
+        [ "$ts" -lt "$CUTOFF" ] 2>/dev/null && continue
+        [[ "$pattern_entry" != PATTERN:* ]] && continue
+        PATTERN="${pattern_entry#PATTERN:}"
+        if echo "$CMD" | grep -qiE "$PATTERN"; then
+            BYPASS_DETECTED=1
+            DENIED_CMD="(pattern: $PATTERN)"
+            break
+        fi
+    done < "$DENY_LOG"
+fi
+
+if [ "$BYPASS_DETECTED" -eq 1 ]; then
+    echo "BLOCKED: Bypass attempt detected." >&2
+    echo "  A similar command was denied <60 seconds ago: $DENIED_CMD" >&2
+    echo "  Wrapping denied commands in scripts or eval does not change the policy." >&2
+    echo "  Ask the user for explicit permission before retrying." >&2
+    exit 2
+fi
+
+exit 0

package/examples/direnv-auto-reload.sh

@@ -24,8 +24,15 @@ OLD_CWD=$(echo "$INPUT" | jq -r '.old_cwd // empty' 2>/dev/null)
 if [ -f "${NEW_CWD}/.envrc" ]; then
     echo "📂 Directory changed: found .envrc in ${NEW_CWD}" >&2
     if command -v direnv &>/dev/null; then
-        echo "  direnv: auto-allowing and loading" >&2
-        cd "$NEW_CWD" && direnv allow . 2>/dev/null && eval "$(direnv export bash 2>/dev/null)"
+        # Write exports to CLAUDE_ENV_FILE so Claude Code picks them up
+        # (eval in a subshell would be lost — CLAUDE_ENV_FILE persists to BashTool)
+        if [ -n "$CLAUDE_ENV_FILE" ]; then
+            echo "  direnv: auto-allowing and writing to CLAUDE_ENV_FILE" >&2
+            cd "$NEW_CWD" && direnv allow . 2>/dev/null && \
+                direnv export bash > "$CLAUDE_ENV_FILE" 2>/dev/null
+        else
+            echo "  ⚠ CLAUDE_ENV_FILE not set — direnv exports won't persist" >&2
+        fi
     else
         echo "  ⚠ direnv not installed — .envrc found but not loaded" >&2
     fi

package/examples/dotenv-commit-guard.sh

@@ -28,15 +28,21 @@ if echo "$COMMAND" | grep -qE 'git\s+add\s+.*\.env'; then
     exit 2
 fi
 
-# Check for git add -A/-f that might include .env
-if echo "$COMMAND" | grep -qE 'git\s+add\s+(-A|--all|-f|--force)\b'; then
-    # Check if .env exists in the working directory
+# Check for git add -f/--force (bypasses .gitignore — can stage secrets)
+# GitHub Issue anthropics/claude-code#44730: auto-mode used git add -f to
+# force-add .gitignore'd secret files, exposing credentials in a commit.
+if echo "$COMMAND" | grep -qE 'git\s+add\s+.*(-f|--force)\b'; then
+    echo "BLOCKED: 'git add --force' bypasses .gitignore and can stage secret files." >&2
+    echo "  Use 'git add <specific-file>' without --force instead." >&2
+    exit 2
+fi
+
+# Check for git add -A/--all that might include .env
+if echo "$COMMAND" | grep -qE 'git\s+add\s+(-A|--all)\b'; then
     if [ -f ".env" ] || [ -f ".env.local" ] || [ -f ".env.production" ]; then
-        # Check if .gitignore excludes it
         if ! git check-ignore -q .env 2>/dev/null; then
             echo "WARNING: 'git add -A' with .env file not in .gitignore." >&2
             echo "  Add .env to .gitignore before staging all files." >&2
-            # Warning only for git add -A
         fi
     fi
 fi

package/examples/dotenv-read-guard.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# dotenv-read-guard.sh — Block Read/Glob/Grep of .env files
+#
+# Solves: Sub-agents (especially Explore) reading .env files and exposing
+#         API keys, tokens, and secrets in the conversation transcript.
+#         (#51030 — Explore agent read .env, exposed 5 API keys, $50 damage)
+#         (#30731 — credentials exposed in output)
+#
+# This hook catches the Read tool accessing .env files, which
+# credential-file-cat-guard.sh misses (it only covers Bash cat commands).
+# Sub-agents inherit hooks but NOT memory/security instructions, making
+# this hook essential for preventing secret leaks in multi-agent workflows.
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Read",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/dotenv-read-guard.sh" }]
+#     }]
+#   }
+# }
+#
+# TRIGGER: PreToolUse  MATCHER: "Read"
+
+INPUT=$(cat)
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+[ -z "$FILE_PATH" ] && exit 0
+
+BASENAME=$(basename "$FILE_PATH")
+
+# Block .env and all variants (.env.local, .env.production, .env.staging, etc.)
+# Allow .env.example, .env.sample, .env.template (safe reference files)
+if echo "$BASENAME" | grep -qE '^\.env(\.example|\.sample|\.template)$'; then
+    exit 0
+fi
+
+if echo "$BASENAME" | grep -qE '^\.env(\..+)?$'; then
+    echo "BLOCKED: Reading $BASENAME — contains secrets (API keys, tokens)" >&2
+    echo "  .env files should never be read by Claude Code." >&2
+    echo "  If you need to check which variables are set, read .env.example instead." >&2
+    echo "  Related: GitHub Issue #51030 (sub-agent exposed 5 API keys)" >&2
+    exit 2
+fi
+
+exit 0

package/examples/dotfile-protection-guard.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# dotfile-protection-guard.sh — Block writes to critical dotfiles
+#
+# Solves: Claude Code modifying or truncating critical user dotfiles
+#   - #49615: Installer auto-update zeroed ~/.bash_profile and ~/.zshrc
+#   - #49539: ~/.git-credentials PATs deleted without confirmation
+#   - #49554: auto mode approved ~/.ssh deletion
+#
+# What it blocks (Write/Edit tool):
+#   ~/.bash_profile, ~/.bashrc, ~/.zshrc, ~/.profile
+#   ~/.ssh/*, ~/.git-credentials, ~/.gitconfig
+#   ~/.gnupg/*, ~/.npmrc (may contain auth tokens)
+#   ~/.aws/credentials, ~/.config/gh/hosts.yml
+#
+# What it allows:
+#   Files in project directories (not under ~/ root)
+#   ~/.claude/* (Claude Code's own config)
+#
+# TRIGGER: PreToolUse  MATCHER: "Write|Edit"
+
+set -euo pipefail
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Expand ~ to actual home directory
+HOME_DIR="$HOME"
+RESOLVED=$(echo "$FILE" | sed "s|^~|$HOME_DIR|")
+
+# Allow Claude Code's own config
+if echo "$RESOLVED" | grep -qE "^${HOME_DIR}/\.claude(/|$)"; then
+    exit 0
+fi
+
+# Critical dotfiles — block any modification
+CRITICAL_PATTERNS=(
+    "^${HOME_DIR}/\.(bash_profile|bashrc|zshrc|zshenv|profile|login|logout)$"
+    "^${HOME_DIR}/\.ssh(/|$)"
+    "^${HOME_DIR}/\.git-credentials$"
+    "^${HOME_DIR}/\.gitconfig$"
+    "^${HOME_DIR}/\.gnupg(/|$)"
+    "^${HOME_DIR}/\.npmrc$"
+    "^${HOME_DIR}/\.aws/(credentials|config)$"
+    "^${HOME_DIR}/\.config/gh/hosts\.yml$"
+    "^${HOME_DIR}/\.netrc$"
+    "^${HOME_DIR}/\.docker/config\.json$"
+    "^${HOME_DIR}/\.kube/config$"
+)
+
+for PATTERN in "${CRITICAL_PATTERNS[@]}"; do
+    if echo "$RESOLVED" | grep -qE "$PATTERN"; then
+        echo "BLOCKED: Modifying critical dotfile: $FILE" >&2
+        echo "This file contains shell config or credentials that should not be altered by AI." >&2
+        echo "If you need to modify this file, do it manually." >&2
+        exit 2
+    fi
+done
+
+exit 0

package/examples/effort-tracking-logger.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# effort-tracking-logger.sh — ツール使用ごとのエフォートログを記録
+# Why: OTEL互換のエフォート追跡への要望が急増 (#49893, 18👍)。
+#      公式対応を待たずに、hookでツール呼び出しごとのログを残す。
+#      コスト分析・セッション振り返り・ボトルネック特定に使える。
+# Event: PostToolUse  MATCHER: ""
+# Output: ~/.claude/effort-log/YYYY-MM-DD.jsonl
+
+LOG_DIR="${HOME}/.claude/effort-log"
+mkdir -p "$LOG_DIR"
+LOG_FILE="$LOG_DIR/$(date +%Y-%m-%d).jsonl"
+
+# stdinからツール情報を取得
+TOOL_INPUT=$(cat)
+TOOL_NAME=$(echo "$TOOL_INPUT" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('tool_name','unknown'))" 2>/dev/null)
+TOOL_STATUS=$(echo "$TOOL_INPUT" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('was_error','false'))" 2>/dev/null)
+
+# JSONLログに追記
+python3 -c "
+import json, datetime
+entry = {
+    'timestamp': datetime.datetime.now().isoformat(),
+    'tool': '$TOOL_NAME',
+    'error': '$TOOL_STATUS' == 'true',
+    'session_pid': $(echo $$)
+}
+print(json.dumps(entry))
+" >> "$LOG_FILE"
+
+exit 0

package/examples/financial-operation-guard.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# financial-operation-guard.sh — Block unauthorized financial operations
+#
+# Solves: Claude Code transferred $1,446 from spot to futures without
+# authorization when told to "close a position". Financial APIs
+# should never be called without explicit per-transaction approval. (#46828)
+#
+# How it works: Detects commands that interact with exchange APIs,
+# wallet transfers, payment processors, or any operation involving
+# fund movement. Blocks with exit 2 and requires explicit user
+# confirmation.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+# Detect financial API calls
+# Exchange APIs
+if echo "$CMD" | grep -qiE '(binance|bitget|bybit|kraken|coinbase|ftx|okx|kucoin|gate\.io|huobi).*(transfer|withdraw|swap|order|trade|margin|futures|spot|deposit)'; then
+    echo "BLOCKED: Financial exchange operation detected." >&2
+    echo "  Command: $(echo "$CMD" | head -c 200)" >&2
+    echo "  Fund transfers require explicit user approval for EACH transaction." >&2
+    exit 2
+fi
+
+# Generic payment/transfer patterns
+if echo "$CMD" | grep -qiE '(transfer|withdraw|send|swap|bridge)[^a-z].*\b(usdt|usdc|eth|btc|sol|bnb|funds|balance|wallet)\b'; then
+    echo "BLOCKED: Cryptocurrency transfer operation detected." >&2
+    echo "  Command: $(echo "$CMD" | head -c 200)" >&2
+    echo "  Wallet/fund operations require explicit user approval." >&2
+    exit 2
+fi
+
+# Payment processor APIs
+if echo "$CMD" | grep -qiE 'stripe.*(charges?|transfers?|payouts?)|paypal.*(payments?|send|transfers?)|square.*(payments?|charges?)'; then
+    echo "BLOCKED: Payment processor operation detected." >&2
+    echo "  Command: $(echo "$CMD" | head -c 200)" >&2
+    echo "  Payment operations require explicit user approval." >&2
+    exit 2
+fi
+
+exit 0

package/examples/full-rewrite-detector.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# ================================================================
+# full-rewrite-detector.sh — Warn on full-file rewrites
+# ================================================================
+# PURPOSE:
+#   Claude Code sometimes rewrites entire files when a small edit
+#   would suffice. AMD's analysis of 6,852 sessions found this
+#   pattern increasing over time — a sign of quality degradation.
+#   This hook detects when >80% of a file's lines were changed
+#   and warns the user.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write"
+#
+# HOW IT WORKS:
+#   After a Write operation, checks git diff for the target file.
+#   If the ratio of changed lines to total lines exceeds the
+#   threshold (default 80%), emits a warning.
+#
+# CONFIGURATION:
+#   CC_REWRITE_THRESHOLD=80  — percentage threshold (default 80)
+#
+# NOTE: Only works in git repositories. No-op outside git repos.
+# ================================================================
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+# Skip if no file path
+[ -z "$FILE" ] && exit 0
+
+# Skip if not in a git repo
+git rev-parse --is-inside-work-tree &>/dev/null || exit 0
+
+# Skip if file doesn't exist (new file creation is fine)
+[ -f "$FILE" ] || exit 0
+
+# Get change stats from git
+STATS=$(git diff --numstat -- "$FILE" 2>/dev/null)
+[ -z "$STATS" ] && exit 0
+
+ADDED=$(echo "$STATS" | awk '{print $1}')
+DELETED=$(echo "$STATS" | awk '{print $2}')
+
+# Handle binary files (git outputs "-" for binary)
+[ "$ADDED" = "-" ] && exit 0
+
+CHANGED=$((ADDED + DELETED))
+TOTAL=$(wc -l < "$FILE" 2>/dev/null || echo 0)
+
+# Avoid division by zero; skip very small files
+[ "$TOTAL" -lt 5 ] && exit 0
+
+RATIO=$((CHANGED * 100 / TOTAL))
+THRESHOLD=${CC_REWRITE_THRESHOLD:-80}
+
+if [ "$RATIO" -gt "$THRESHOLD" ]; then
+    echo "WARNING: Full rewrite detected on $(basename "$FILE")" >&2
+    echo "  ${RATIO}% of lines changed (${CHANGED} lines changed / ${TOTAL} total)" >&2
+    echo "  Consider: was a partial edit sufficient?" >&2
+fi
+
+exit 0

package/examples/home-critical-bash-guard.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+# home-critical-bash-guard.sh — Block Bash commands that delete/modify critical home files
+#
+# Solves: Bash commands that rm/mv/truncate critical dotfiles and directories
+#   - #49554: auto mode approved ~/.ssh directory deletion
+#   - #49539: ~/.git-credentials PATs deleted without confirmation
+#   - #49464: ./~ misinterpreted as ~/ leading to home directory deletion attempt
+#
+# Complements dotfile-protection-guard.sh (which covers Write/Edit tools).
+# This hook covers the Bash tool path — rm, mv, truncate, > redirect on dotfiles.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+HOME_DIR="$HOME"
+
+# Critical paths (regex patterns)
+CRITICAL="(${HOME_DIR}|\~)/\.(bashrc|bash_profile|zshrc|zshenv|profile|login|logout|ssh|git-credentials|gitconfig|gnupg|npmrc|netrc|docker|kube|aws)"
+
+# Check for rm/unlink targeting critical paths
+if echo "$COMMAND" | grep -qE "(rm|unlink)\s" && echo "$COMMAND" | grep -qE "$CRITICAL"; then
+    echo "BLOCKED: Deleting critical home directory file" >&2
+    echo "Command: $COMMAND" >&2
+    exit 2
+fi
+
+# Check for mv (rename/move) of critical paths
+if echo "$COMMAND" | grep -qE "mv\s" && echo "$COMMAND" | grep -qE "$CRITICAL"; then
+    echo "BLOCKED: Moving/renaming critical home directory file" >&2
+    echo "Command: $COMMAND" >&2
+    exit 2
+fi
+
+# Check for truncation via redirect (> ~/.bashrc or : > ~/.bashrc)
+if echo "$COMMAND" | grep -qE ">\s*(${HOME_DIR}|\~)/\."; then
+    TARGET=$(echo "$COMMAND" | grep -oP ">\s*\K(${HOME_DIR}|~)/\.[^\s;|&]+")
+    if echo "$TARGET" | grep -qE "$CRITICAL"; then
+        echo "BLOCKED: Truncating critical home directory file" >&2
+        echo "Command: $COMMAND" >&2
+        exit 2
+    fi
+fi
+
+# Check for chmod on critical credential files
+if echo "$COMMAND" | grep -qE "chmod\s.*777" && echo "$COMMAND" | grep -qE "$CRITICAL"; then
+    echo "BLOCKED: Removing permissions on critical file" >&2
+    echo "Command: $COMMAND" >&2
+    exit 2
+fi
+
+exit 0

package/examples/idle-session-cost-alert.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# idle-session-cost-alert.sh — Warn when session has been idle too long
+# An idle session can still consume tokens via background processes.
+# Incident: #50389 — Idle session consumed 18% usage limit over 2 hours with zero user input.
+#
+# This hook runs on Notification events and warns if the session has been
+# idle for more than 5 minutes, reminding the user to exit if not actively working.
+#
+# Hook config (settings.json):
+# {
+#   "hooks": {
+#     "Notification": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "bash ~/.claude/hooks/idle-session-cost-alert.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+
+# Track last activity timestamp
+IDLE_FILE="/tmp/claude-idle-tracker-$$"
+CURRENT_TIME=$(date +%s)
+
+if [ -f "$IDLE_FILE" ]; then
+    LAST_ACTIVE=$(cat "$IDLE_FILE")
+    IDLE_SECONDS=$((CURRENT_TIME - LAST_ACTIVE))
+
+    if [ "$IDLE_SECONDS" -gt 300 ]; then
+        IDLE_MINUTES=$((IDLE_SECONDS / 60))
+        echo "WARNING: Session idle for ${IDLE_MINUTES} minutes. Idle sessions can consume tokens via background processes (#50389). Consider exiting if not actively working." >&2
+    fi
+fi
+
+echo "$CURRENT_TIME" > "$IDLE_FILE"
+exit 0

package/examples/model-version-alert.sh

@@ -0,0 +1,18 @@
+INPUT=$(cat)
+COUNTER_FILE="/tmp/.cc-model-check-counter"
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+if [ $((COUNT % 50)) -ne 0 ]; then
+    exit 0
+fi
+SESSION_FILE=$(ls -t ~/.claude/projects/*/session.jsonl 2>/dev/null | head -1)
+if [ -n "$SESSION_FILE" ]; then
+    MODEL=$(grep -o '"model":"[^"]*"' "$SESSION_FILE" 2>/dev/null | tail -1 | cut -d'"' -f4)
+    if echo "$MODEL" | grep -qi "opus-4-7\|opus-4.7"; then
+        echo "⚠ Model alert: You're using $MODEL which may consume 3x more tokens than Opus 4.6."
+        echo "Consider: claude --model claude-opus-4-6 or add \"model\": \"claude-opus-4-6\" to settings.json"
+        echo "See: https://github.com/anthropics/claude-code/issues/49601"
+    fi
+fi
+exit 0

package/examples/model-version-change-alert.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# model-version-change-alert.sh — モデルバージョン変更を検知して警告
+# Why: Opus 4.6がモデルピッカーから突然削除された (#49689, 14👍)。
+#      ユーザーが意図せず別モデルに切り替えられるケースが多発。
+#      モデルが変わるとhookの挙動・トークン消費・品質が全て変わる。
+# Event: Notification  MATCHER: ""
+# Action: 前回のモデルと現在のモデルを比較し、変更時に警告
+
+MODEL_HISTORY="/tmp/cc-model-version-history"
+CURRENT_MODEL="${CLAUDE_MODEL:-unknown}"
+
+# Notificationイベントのbodyからモデル情報を取得試行
+if [ -n "$1" ]; then
+  BODY_MODEL=$(echo "$1" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('model',''))" 2>/dev/null)
+  [ -n "$BODY_MODEL" ] && CURRENT_MODEL="$BODY_MODEL"
+fi
+
+# 前回のモデルを読み取り
+PREV_MODEL=$(cat "$MODEL_HISTORY" 2>/dev/null || echo "")
+
+if [ -n "$PREV_MODEL" ] && [ "$PREV_MODEL" != "$CURRENT_MODEL" ] && [ "$CURRENT_MODEL" != "unknown" ]; then
+  echo "⚠ MODEL CHANGED: $PREV_MODEL → $CURRENT_MODEL" >&2
+  echo "Your model was switched. This affects token consumption, quality, and hook behavior." >&2
+  echo "If unintended, check your settings: claude --model $PREV_MODEL" >&2
+  echo "Known issue: Opus 4.6 was removed from the Desktop picker (#49689)" >&2
+fi
+
+# 現在のモデルを記録
+[ "$CURRENT_MODEL" != "unknown" ] && echo "$CURRENT_MODEL" > "$MODEL_HISTORY"
+
+exit 0