cc-safe-setup 29.6.39 → 29.7.0

package/examples/move-delete-sequence-guard.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+# move-delete-sequence-guard.sh — Detect move+delete sequences that cause data loss
+#
+# Solves: Agent moves files to a temp location, then deletes the parent directory,
+#   effectively destroying the moved files' original context and siblings.
+#   - #49129: mv files to /tmp && rm -rf parent/ — lost 50GB of data
+#   - #49792: Opus 4.7 moves files, then deletes the source directory
+#
+# Pattern detected:
+#   mv <source> <dest> && rm -rf <source_parent>
+#   mv <source> <dest> ; rm -rf <source_parent>
+#   mv <source> <dest> || rm -rf <source_parent>
+#   Any compound command containing both mv and rm -r on related paths
+#
+# This is distinct from rm-safety-net.sh (blocks rm on critical paths)
+# and bulk-file-delete-guard.sh (blocks large recursive deletes).
+# This hook specifically targets the mv+rm compound pattern.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check compound commands that contain both mv and rm
+if ! echo "$COMMAND" | grep -qE '\bmv\s' || ! echo "$COMMAND" | grep -qE '\brm\s'; then
+    exit 0
+fi
+
+# Extract mv source directory and rm target, check for overlap
+# Pattern: mv <src> <dst> [&&;||] rm [-rf] <target>
+# We check if the rm target is a parent of, or the same as, the mv source
+
+# Get all mv source paths (first arg after mv and optional flags)
+MV_SOURCES=$(echo "$COMMAND" | grep -oP '\bmv\s+(-[a-zA-Z]+\s+)*\K\S+' 2>/dev/null || true)
+# Get all rm targets
+RM_TARGETS=$(echo "$COMMAND" | grep -oP '\brm\s+(-[a-zA-Z]+\s+)*\K\S+' 2>/dev/null || true)
+
+[ -z "$MV_SOURCES" ] && exit 0
+[ -z "$RM_TARGETS" ] && exit 0
+
+# Normalize: get parent directory of mv source
+for mv_src in $MV_SOURCES; do
+    mv_parent=$(dirname "$mv_src" 2>/dev/null || echo "")
+    [ -z "$mv_parent" ] && continue
+
+    for rm_target in $RM_TARGETS; do
+        # Check if rm target matches the mv source's parent or the mv source itself
+        # Normalize trailing slashes
+        rm_clean="${rm_target%/}"
+        mv_parent_clean="${mv_parent%/}"
+        mv_src_clean="${mv_src%/}"
+
+        # Case 1: rm deletes the parent of the moved file
+        if [ "$rm_clean" = "$mv_parent_clean" ]; then
+            echo "BLOCKED: Move+delete sequence detected — rm target ($rm_target) is parent of mv source ($mv_src)" >&2
+            echo "This pattern destroys sibling files. Move files individually instead." >&2
+            echo "Command: $COMMAND" >&2
+            echo "" >&2
+            echo "See: https://github.com/anthropics/claude-code/issues/49129" >&2
+            exit 2
+        fi
+
+        # Case 2: rm deletes the exact path that was moved from
+        if [ "$rm_clean" = "$mv_src_clean" ]; then
+            # mv a dir then rm -rf the same dir — likely the user moved the dir,
+            # but rm -rf on the source after mv is suspicious if recursive
+            if echo "$COMMAND" | grep -qE "rm\s+.*-[rRf]*[rR].*$rm_target|rm\s+.*-[rRf]*[rR]\s+$rm_target"; then
+                echo "BLOCKED: Move+delete sequence detected — rm -r on the same path as mv source ($mv_src)" >&2
+                echo "If the directory was already moved, rm -r should not be needed." >&2
+                echo "Command: $COMMAND" >&2
+                echo "" >&2
+                echo "See: https://github.com/anthropics/claude-code/issues/49129" >&2
+                exit 2
+            fi
+        fi
+
+        # Case 3: rm deletes an ancestor directory of the mv source
+        if echo "$mv_src_clean" | grep -qE "^${rm_clean}/"; then
+            echo "BLOCKED: Move+delete sequence detected — rm target ($rm_target) is ancestor of mv source ($mv_src)" >&2
+            echo "This pattern destroys the source tree. Use targeted operations instead." >&2
+            echo "Command: $COMMAND" >&2
+            echo "" >&2
+            echo "See: https://github.com/anthropics/claude-code/issues/49129" >&2
+            exit 2
+        fi
+    done
+done
+
+exit 0

package/examples/pii-upload-guard.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+# pii-upload-guard.sh — Detect PII in outbound data before upload
+#
+# Solves: Claude uploaded physical coordinates to a public website
+# despite CLAUDE.md stating "no PII" for 17 sessions. CLAUDE.md
+# instructions are suggestions; hooks are enforcement. (#46910)
+#
+# How it works: Scans Bash commands for outbound data operations
+# (curl POST/PUT, scp, rsync to remote, git push with config files)
+# and checks if the data being sent contains PII patterns:
+# coordinates, emails, phone numbers, API keys, addresses.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+# Only check outbound data commands
+IS_OUTBOUND=0
+if echo "$CMD" | grep -qiE 'curl\s+.*-X\s*(POST|PUT|PATCH)|curl\s+.*--data|curl\s+.*-d\s'; then
+    IS_OUTBOUND=1
+elif echo "$CMD" | grep -qiE '\bscp\b.*:|\brsync\b.*:|\bsftp\b'; then
+    IS_OUTBOUND=1
+elif echo "$CMD" | grep -qiE 'curl\s+.*upload|wget\s+.*--post'; then
+    IS_OUTBOUND=1
+fi
+
+[ "$IS_OUTBOUND" -eq 0 ] && exit 0
+
+# Check for PII patterns in the command
+PII_FOUND=""
+
+# GPS coordinates (latitude/longitude pairs)
+if echo "$CMD" | grep -qE '[-]?[0-9]{1,3}\.[0-9]{4,}.*[-]?[0-9]{1,3}\.[0-9]{4,}'; then
+    PII_FOUND="GPS coordinates"
+fi
+
+# Email addresses
+if echo "$CMD" | grep -qiE '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'; then
+    PII_FOUND="${PII_FOUND:+$PII_FOUND, }email address"
+fi
+
+# Phone numbers (various formats)
+if echo "$CMD" | grep -qE '\+?[0-9]{1,4}[-. ]?\(?[0-9]{1,4}\)?[-. ]?[0-9]{3,4}[-. ]?[0-9]{3,4}'; then
+    PII_FOUND="${PII_FOUND:+$PII_FOUND, }phone number"
+fi
+
+# API keys / tokens (long hex or base64 strings in data)
+if echo "$CMD" | grep -qE '(key|token|secret|password|api_key|apikey)=[A-Za-z0-9+/=_-]{20,}'; then
+    PII_FOUND="${PII_FOUND:+$PII_FOUND, }API key/token"
+fi
+
+# Physical addresses (street patterns)
+if echo "$CMD" | grep -qiE '[0-9]+\s+(street|st|avenue|ave|road|rd|boulevard|blvd|drive|dr|lane|ln)\b'; then
+    PII_FOUND="${PII_FOUND:+$PII_FOUND, }physical address"
+fi
+
+if [ -n "$PII_FOUND" ]; then
+    echo "WARNING: Possible PII detected in outbound data: $PII_FOUND" >&2
+    echo "  Command: $(echo "$CMD" | head -c 200)" >&2
+    echo "  Review the data being sent before proceeding." >&2
+    echo "  If this is intentional, acknowledge the PII and re-run." >&2
+    # exit 1 = warning (allow with notice), not exit 2 (block)
+    # Some legitimate uses send coordinates/emails
+    exit 1
+fi
+
+exit 0

package/examples/pr-duplicate-guard.sh

@@ -0,0 +1,14 @@
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '\bgh\s+pr\s+create\b' || exit 0
+BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
+[ -z "$BRANCH" ] && exit 0
+EXISTING=$(gh pr list --head "$BRANCH" --state open --json number,title --jq '.[0].number' 2>/dev/null)
+if [ -n "$EXISTING" ]; then
+    TITLE=$(gh pr list --head "$BRANCH" --state open --json title --jq '.[0].title' 2>/dev/null)
+    echo "BLOCKED: An open PR already exists for branch '$BRANCH'." >&2
+    echo "  PR #$EXISTING: $TITLE" >&2
+    echo "  Update the existing PR instead of creating a new one." >&2
+    exit 2
+fi
+exit 0

package/examples/production-port-kill-guard.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# production-port-kill-guard.sh — Block commands that kill processes by port number
+#
+# Solves: Claude Code killing production services running on ports without
+#         understanding their purpose. Real incident: user's CLAUDE.md said
+#         port 7000, but Claude killed the process on port 8000 — $1,000 loss.
+#         (GitHub Issue #50971)
+#
+# Detects:
+#   lsof -ti :PORT | xargs kill      (find process by port, then kill)
+#   lsof -t -i :PORT | kill          (same, different flag style)
+#   fuser -k PORT/tcp                (directly kill process on port)
+#   fuser --kill PORT/tcp            (same, long flag)
+#   kill $(lsof -ti :PORT)           (subshell variant)
+#
+# Does NOT block:
+#   lsof -i :PORT                    (just listing, no kill)
+#   fuser PORT/tcp                   (just checking, no kill)
+#   netstat / ss                     (read-only port inspection)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block lsof-to-kill pipeline (lsof -ti :PORT piped to kill/xargs kill)
+# Covers: -ti :PORT, -t -i :PORT, -i :PORT -t, and combined flags like -sti
+if echo "$COMMAND" | grep -qE 'lsof\s.*-[a-zA-Z]*t.*:'; then
+    if echo "$COMMAND" | grep -qE '\|\s*(xargs\s+)?kill|kill\s+\$\('; then
+        PORT=$(echo "$COMMAND" | grep -oP ':\K\d+' | head -1)
+        echo "BLOCKED: Killing process by port number is dangerous." >&2
+        echo "  Port ${PORT} may be running a production service." >&2
+        echo "  First check what's running: lsof -i :${PORT}" >&2
+        echo "  Then decide manually whether to stop it." >&2
+        echo "  Command: $COMMAND" >&2
+        exit 2
+    fi
+fi
+
+# Block kill $(lsof ...) subshell pattern
+if echo "$COMMAND" | grep -qE 'kill\s+\$\(lsof\s'; then
+    echo "BLOCKED: Killing process found by lsof is dangerous." >&2
+    echo "  Verify the process identity before terminating." >&2
+    echo "  Command: $COMMAND" >&2
+    exit 2
+fi
+
+# Block fuser -k (directly kills process on port)
+if echo "$COMMAND" | grep -qE '\bfuser\s+(-[a-zA-Z]*k|--kill)\s'; then
+    PORT=$(echo "$COMMAND" | grep -oP '\d+(?=/tcp)' | head -1)
+    echo "BLOCKED: fuser -k kills the process on port ${PORT:-unknown} immediately." >&2
+    echo "  First check: fuser ${PORT:-PORT}/tcp" >&2
+    echo "  Then stop the service gracefully if needed." >&2
+    echo "  Command: $COMMAND" >&2
+    exit 2
+fi
+
+exit 0

package/examples/proof-log-session.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# proof-log-session.sh — Generate session summary on Stop event
+#
+# Solves: "What did the AI do last week?" — activity logs exist but are unreadable
+# Creates a human-readable 5W1H summary from the activity log at session end.
+#
+# Usage: Add to settings.json as a Stop hook
+#
+# {
+#   "hooks": {
+#     "Stop": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "bash ~/.claude/hooks/proof-log-session.sh" }]
+#     }]
+#   }
+# }
+#
+# Output: ~/ops/proof-log/YYYY-MM-DD.md (appended)
+# Requires: activity-logger.sh to be running as a PostToolUse hook
+
+set -u
+
+LOG_FILE="${HOME}/.claude/activity-log.jsonl"
+DATE=$(date +"%Y-%m-%d")
+PROOF_DIR="${HOME}/ops/proof-log"
+PROOF_FILE="${PROOF_DIR}/${DATE}.md"
+
+mkdir -p "$PROOF_DIR"
+
+[ ! -f "$LOG_FILE" ] && exit 0
+
+# Count today's activity
+TODAY_START=$(date -u -d "today 00:00:00" +"%Y-%m-%dT" 2>/dev/null || date -u +"%Y-%m-%dT")
+EDIT_COUNT=$(grep -c '"tool":"Edit"' "$LOG_FILE" 2>/dev/null) || EDIT_COUNT=0
+WRITE_COUNT=$(grep -c '"tool":"Write"' "$LOG_FILE" 2>/dev/null) || WRITE_COUNT=0
+BASH_COUNT=$(grep -c '"tool":"Bash"' "$LOG_FILE" 2>/dev/null) || BASH_COUNT=0
+READ_COUNT=$(grep -c '"tool":"Read"' "$LOG_FILE" 2>/dev/null) || READ_COUNT=0
+ERROR_COUNT=$(grep -c '"error_pattern":"[^"]*[a-zA-Z]' "$LOG_FILE" 2>/dev/null) || ERROR_COUNT=0
+
+# Get edited files
+FILES=$(grep '"tool":"Edit\|Write"' "$LOG_FILE" 2>/dev/null | jq -r '.file // empty' 2>/dev/null | sort -u | head -10)
+
+{
+  echo ""
+  echo "## Session $(date +"%H:%M")"
+  echo "- Edit: ${EDIT_COUNT}, Write: ${WRITE_COUNT}, Bash: ${BASH_COUNT}, Read: ${READ_COUNT}"
+  [ "$ERROR_COUNT" -gt 0 ] && echo "- Errors detected: ${ERROR_COUNT}"
+  if [ -n "$FILES" ]; then
+    echo "- Files touched:"
+    echo "$FILES" | while read -r f; do
+      [ -n "$f" ] && echo "  - $f"
+    done
+  fi
+} >> "$PROOF_FILE"
+
+# Rotate activity log (keep last 1000 lines)
+LINE_COUNT=$(wc -l < "$LOG_FILE" 2>/dev/null) || LINE_COUNT=0
+if [ "$LINE_COUNT" -gt 1000 ]; then
+  tail -1000 "$LOG_FILE" > "${LOG_FILE}.tmp" && mv "${LOG_FILE}.tmp" "$LOG_FILE"
+fi
+
+exit 0

package/examples/quota-reset-cycle-monitor.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# quota-reset-cycle-monitor.sh — quotaリセット周期の変更を検知
+# Why: ユーザーのquotaリセット周期が予告なく月曜→金曜に変更された (#49599, 2r/4c)。
+#      リセット日を追跡し、周期変更時に警告する。
+#      突然のquota枯渇の原因究明に役立つ。
+# Event: Notification  MATCHER: ""
+# Action: 日次でquotaリセット日を記録、周期変更を検知
+
+RESET_LOG="/tmp/cc-quota-reset-history"
+TODAY=$(date +%u)  # 1=Monday, 7=Sunday
+TODAY_DATE=$(date +%Y-%m-%d)
+
+# 1日1回だけチェック（日付で制御）
+LAST_CHECK=$(head -1 "$RESET_LOG" 2>/dev/null | cut -d'|' -f1)
+[ "$LAST_CHECK" = "$TODAY_DATE" ] && exit 0
+
+# /costの出力からリセット情報を取得する方法の案内
+# 実際のリセット検知は手動確認が必要だが、ログを残すことで追跡可能
+echo "$TODAY_DATE|$TODAY" >> "$RESET_LOG"
+
+# リセット履歴が2件以上ある場合、周期を分析
+ENTRIES=$(wc -l < "$RESET_LOG" 2>/dev/null || echo "0")
+if [ "$ENTRIES" -ge 7 ]; then
+  # 過去7日の曜日パターンを表示（週末にquotaが増えたら次週リセット=正常）
+  echo "📊 Quota tracking: $ENTRIES days logged. Run '/cost' to check current reset day." >&2
+  echo "Known issue: reset cycle may change without notice (#49599)." >&2
+  echo "If your quota resets on a different day than expected, report to Anthropic support." >&2
+fi
+
+exit 0

package/examples/repo-visibility-guard.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# repo-visibility-guard.sh — Block repository visibility changes
+# Prevents Claude Code from making private repos public (or vice versa).
+# Incident: #50353 — Opus 4.7 ran `gh repo edit --visibility public` autonomously,
+# exposing a hardcoded private key. Wallet drained $413 in 60-90 seconds.
+#
+# Hook config (settings.json):
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "bash ~/.claude/hooks/repo-visibility-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Block gh repo edit --visibility (public/private/internal)
+if echo "$COMMAND" | grep -qE 'gh\s+repo\s+edit\s+--visibility'; then
+    echo "BLOCKED: repository visibility change requires manual confirmation. See #50353." >&2
+    exit 2
+fi
+
+# Block git push with --set-upstream to unknown remotes (potential exfiltration)
+if echo "$COMMAND" | grep -qE 'git\s+remote\s+add\s' && echo "$COMMAND" | grep -qE 'git\s+push'; then
+    echo "BLOCKED: adding remote and pushing in one command. Review the remote URL first." >&2
+    exit 2
+fi
+
+exit 0

package/examples/sandbox-relative-path-audit.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# sandbox-relative-path-audit.sh — Detect relative paths in sandbox settings that are silently ignored
+#
+# CRITICAL: denyWrite, denyRead, and allowWrite in settings.json only work
+# with ABSOLUTE paths. Relative paths are SILENTLY IGNORED — no error, no
+# warning, and zero protection. Users who think they've protected sensitive
+# directories may have no actual protection.
+#
+# Born from: https://github.com/anthropics/claude-code/issues/50454
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash|Write|Edit"
+# Best used as a Notification hook (exit 0 always) to alert without blocking.
+
+INPUT=$(cat)
+# Only run once per session (check marker file)
+MARKER="/tmp/cc-sandbox-audit-$$"
+[ -f "$MARKER" ] && exit 0
+touch "$MARKER"
+
+# Find settings.json locations
+SETTINGS_FILES=""
+[ -f "$HOME/.claude/settings.json" ] && SETTINGS_FILES="$HOME/.claude/settings.json"
+[ -f ".claude/settings.json" ] && SETTINGS_FILES="$SETTINGS_FILES .claude/settings.json"
+[ -f "$HOME/.claude/settings.local.json" ] && SETTINGS_FILES="$SETTINGS_FILES $HOME/.claude/settings.local.json"
+
+[ -z "$SETTINGS_FILES" ] && exit 0
+
+FOUND_RELATIVE=0
+for SFILE in $SETTINGS_FILES; do
+    for KEY in denyWrite denyRead allowWrite; do
+        PATHS=$(jq -r ".permissions.${KEY}[]? // empty" "$SFILE" 2>/dev/null)
+        [ -z "$PATHS" ] && continue
+        while IFS= read -r P; do
+            [ -z "$P" ] && continue
+            if [[ "$P" != /* ]] && [[ "$P" != "~"* ]]; then
+                echo "⚠ SANDBOX WARNING: Relative path in ${KEY} is SILENTLY IGNORED" >&2
+                echo "  File: $SFILE" >&2
+                echo "  Path: \"$P\" → has NO effect" >&2
+                echo "  Fix:  Use absolute path: \"$(realpath -m "$P" 2>/dev/null || echo "$PWD/$P")\"" >&2
+                FOUND_RELATIVE=1
+            fi
+        done <<< "$PATHS"
+    done
+done
+
+if [ "$FOUND_RELATIVE" -eq 1 ]; then
+    echo "" >&2
+    echo "See: https://github.com/anthropics/claude-code/issues/50454" >&2
+fi
+
+exit 0

package/examples/session-agent-cost-limiter.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# session-agent-cost-limiter.sh — Cap total subagent spawns per session
+#
+# Solves: #47049 — User lost £140 overnight when Claude spawned 16+
+#   subagents. Each agent gets its own context window = 16x token cost.
+#   Existing max-concurrent-agents limits simultaneous agents, but not
+#   total spawns over a session. This hook limits the cumulative count.
+#
+# How it works: Tracks every Agent spawn in a session-scoped counter.
+#   After CC_MAX_SESSION_AGENTS total spawns, blocks further agents.
+#   Counter resets when the session ends (file keyed by PPID).
+#
+# CONFIG:
+#   CC_MAX_SESSION_AGENTS=10  (default: 10 total agents per session)
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Agent"
+# CATEGORY: cost-control
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ "$TOOL" != "Agent" ] && exit 0
+
+MAX_TOTAL=${CC_MAX_SESSION_AGENTS:-10}
+# Use PPID to track the parent Claude Code process, not this subshell
+COUNTER_FILE="/tmp/cc-session-agents-${PPID}"
+
+# Initialize if missing
+[ -f "$COUNTER_FILE" ] || echo "0" > "$COUNTER_FILE"
+
+CURRENT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+
+if [ "$CURRENT" -ge "$MAX_TOTAL" ]; then
+    echo "BLOCKED: Session agent limit reached (${CURRENT}/${MAX_TOTAL} total spawns)." >&2
+    echo "  Each subagent opens a new context window and consumes tokens independently." >&2
+    echo "  Consider completing existing work before spawning more agents." >&2
+    echo "  Override: CC_MAX_SESSION_AGENTS=$((MAX_TOTAL + 5))" >&2
+    exit 2
+fi
+
+# Increment
+echo $((CURRENT + 1)) > "$COUNTER_FILE"
+exit 0

package/examples/session-cost-alert.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# session-cost-alert.sh — Alert when estimated session cost exceeds threshold
+#
+# Solves: #47049 — User lost £140 overnight without realizing costs were
+#   accumulating. This hook estimates token cost per tool call and warns
+#   when the session total exceeds a configurable threshold.
+#
+# How it works: PostToolUse hook that parses session_tokens from tool
+#   results (when available) and estimates cost using Anthropic pricing.
+#   Warns at $1 and blocks at $5 (configurable).
+#
+# CONFIG:
+#   CC_COST_WARN=1     (warn at $1, default)
+#   CC_COST_BLOCK=5    (block at $5, default)
+#   CC_MODEL_COST=5    ($/M input tokens for Opus, default)
+#
+# TRIGGER: PostToolUse
+# MATCHER: ""
+# CATEGORY: cost-control
+
+INPUT=$(cat)
+
+WARN_THRESHOLD=${CC_COST_WARN:-1}
+BLOCK_THRESHOLD=${CC_COST_BLOCK:-5}
+COST_PER_M=${CC_MODEL_COST:-5}
+
+COST_FILE="/tmp/cc-session-cost-${PPID}"
+
+# Initialize
+if [ ! -f "$COST_FILE" ]; then
+    echo "0" > "$COST_FILE"
+fi
+
+# Try to extract token count from tool result
+# Note: Not all tool results contain token info. This is a best-effort estimate.
+TOKENS=$(echo "$INPUT" | jq -r '.tool_result // empty' 2>/dev/null | wc -c)
+# Rough estimate: 1 char ≈ 0.3 tokens (for tool output going into context)
+EST_TOKENS=$((TOKENS * 3 / 10))
+
+# Add to running total
+CURRENT=$(cat "$COST_FILE" 2>/dev/null || echo 0)
+TOTAL=$((CURRENT + EST_TOKENS))
+echo "$TOTAL" > "$COST_FILE"
+
+# Estimate cost
+COST=$(echo "scale=4; $TOTAL * $COST_PER_M / 1000000" | bc 2>/dev/null || echo "0")
+COST_CENTS=$(echo "scale=0; $TOTAL * $COST_PER_M / 10000" | bc 2>/dev/null || echo "0")
+
+# Check thresholds
+BLOCK_CENTS=$(echo "scale=0; $BLOCK_THRESHOLD * 100" | bc 2>/dev/null || echo "500")
+WARN_CENTS=$(echo "scale=0; $WARN_THRESHOLD * 100" | bc 2>/dev/null || echo "100")
+
+if [ "$COST_CENTS" -ge "$BLOCK_CENTS" ] 2>/dev/null; then
+    echo "BLOCKED: Estimated session cost \$${COST} exceeds \$${BLOCK_THRESHOLD} limit." >&2
+    echo "  Estimated tokens used: ${TOTAL}" >&2
+    echo "  Override: CC_COST_BLOCK=$((BLOCK_THRESHOLD * 2))" >&2
+    exit 2
+elif [ "$COST_CENTS" -ge "$WARN_CENTS" ] 2>/dev/null; then
+    echo "WARNING: Estimated session cost \$${COST} approaching \$${BLOCK_THRESHOLD} limit." >&2
+fi
+
+exit 0

package/examples/session-memory-watchdog.sh

@@ -1,6 +1,15 @@
 MAX_RSS_MB="${CC_MAX_RSS_MB:-4096}"
 CHECK_INTERVAL=300
+PID_FILE="/tmp/cc-memory-watchdog.pid"
+
+# Prevent duplicate instances — only one watchdog should run at a time
+if [ -f "$PID_FILE" ] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
+    exit 0
+fi
+
 (
+    echo $$ > "$PID_FILE"
+    trap 'rm -f "$PID_FILE"' EXIT
     while true; do
         sleep "$CHECK_INTERVAL"
         pgrep -f "claude" | while read pid; do

package/examples/settings-integrity-monitor.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+# settings-integrity-monitor.sh — Detect unexpected settings.json changes
+# Trigger: PreToolUse
+# Matcher: (empty — runs on every tool use)
+#
+# The /model command silently rewrites settings.json from scratch,
+# removing sandbox restrictions and hook configurations.
+# See: https://github.com/anthropics/claude-code/issues/44791
+#
+# This hook maintains a checksum of settings.json and warns when
+# it changes outside your control. It also creates automatic backups
+# so you can restore your configuration.
+#
+# TRIGGER: PreToolUse  MATCHER: ""
+
+SETTINGS="${CLAUDE_SETTINGS_FILE:-$HOME/.claude/settings.json}"
+BACKUP_DIR="$HOME/.claude/settings-backups"
+CHECKSUM_FILE="$BACKUP_DIR/.checksum"
+
+# Exit silently if settings.json doesn't exist
+[ -f "$SETTINGS" ] || exit 0
+
+mkdir -p "$BACKUP_DIR"
+
+CURRENT_HASH=$(sha256sum "$SETTINGS" 2>/dev/null | cut -d' ' -f1)
+
+if [ ! -f "$CHECKSUM_FILE" ]; then
+    # First run: save baseline
+    echo "$CURRENT_HASH" > "$CHECKSUM_FILE"
+    cp "$SETTINGS" "$BACKUP_DIR/settings.json.baseline"
+    exit 0
+fi
+
+SAVED_HASH=$(cat "$CHECKSUM_FILE" 2>/dev/null)
+
+if [ "$CURRENT_HASH" != "$SAVED_HASH" ]; then
+    # Settings changed — create timestamped backup of PREVIOUS version
+    TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+    if [ -f "$BACKUP_DIR/settings.json.latest" ]; then
+        cp "$BACKUP_DIR/settings.json.latest" "$BACKUP_DIR/settings.json.$TIMESTAMP"
+    fi
+    # Save current as latest
+    cp "$SETTINGS" "$BACKUP_DIR/settings.json.latest"
+    echo "$CURRENT_HASH" > "$CHECKSUM_FILE"
+
+    # Count hooks in old vs new
+    OLD_HOOKS=$(jq '[.hooks | to_entries[].value[].hooks[]?] | length' "$BACKUP_DIR/settings.json.$TIMESTAMP" 2>/dev/null || echo "?")
+    NEW_HOOKS=$(jq '[.hooks | to_entries[].value[].hooks[]?] | length' "$SETTINGS" 2>/dev/null || echo "?")
+
+    echo "⚠ settings.json was modified (hooks: $OLD_HOOKS → $NEW_HOOKS)" >&2
+    echo "  Backup saved: $BACKUP_DIR/settings.json.$TIMESTAMP" >&2
+    echo "  Restore: cp $BACKUP_DIR/settings.json.$TIMESTAMP $SETTINGS" >&2
+fi
+
+exit 0