cc-safe-setup 29.6.39 → 29.7.0

package/examples/settings-json-model-guard.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+# settings-json-model-guard.sh — Backup settings.json before /model changes
+#
+# Solves: The /model slash command rewrites settings.json completely,
+# wiping all hook configurations and custom settings. (#46921)
+#
+# How it works: PreToolUse(Bash) detects commands that modify
+# settings.json (especially from /model). Creates a timestamped
+# backup before allowing the write. If hooks are lost after the
+# write, the PostToolUse phase restores them.
+#
+# Usage: Add TWO hooks
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Edit|Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/settings-json-model-guard.sh" }]
+#     }],
+#     "PostToolUse": [{
+#       "matcher": "Edit|Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/settings-json-model-guard.sh" }]
+#     }]
+#   }
+# }
+#
+# TRIGGER: PreToolUse+PostToolUse  MATCHER: "Edit|Write"
+
+set -euo pipefail
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+HOOK_EVENT=$(echo "$INPUT" | jq -r '.hook_event_name // empty' 2>/dev/null)
+
+# Only care about settings.json writes
+case "$FILE" in
+    */.claude/settings.json|*/.claude/settings.local.json) ;;
+    *) exit 0 ;;
+esac
+
+BACKUP_DIR="$HOME/.claude/settings-backups"
+mkdir -p "$BACKUP_DIR"
+
+SETTINGS_FILE="$FILE"
+[ ! -f "$SETTINGS_FILE" ] && exit 0
+
+# --- PreToolUse: backup before modification ---
+if [[ "$HOOK_EVENT" == "PreToolUse" ]]; then
+    TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+    BASENAME=$(basename "$SETTINGS_FILE" .json)
+    BACKUP="$BACKUP_DIR/${BASENAME}-pre-model-${TIMESTAMP}.json"
+    cp "$SETTINGS_FILE" "$BACKUP"
+
+    # Count hooks in current settings
+    HOOK_COUNT=$(jq '[.hooks // {} | to_entries[] | .value[] | .hooks // [] | length] | add // 0' "$SETTINGS_FILE" 2>/dev/null || echo 0)
+    if [ "$HOOK_COUNT" -gt 0 ]; then
+        echo "Settings backup created: $BACKUP ($HOOK_COUNT hooks preserved)" >&2
+        # Store hook count for PostToolUse comparison
+        echo "$HOOK_COUNT" > "/tmp/cc-settings-hook-count-pre"
+    fi
+    exit 0
+fi
+
+# --- PostToolUse: verify hooks survived ---
+if [[ "$HOOK_EVENT" == "PostToolUse" ]]; then
+    PRE_COUNT_FILE="/tmp/cc-settings-hook-count-pre"
+    [ ! -f "$PRE_COUNT_FILE" ] && exit 0
+
+    PRE_COUNT=$(cat "$PRE_COUNT_FILE" 2>/dev/null || echo 0)
+    rm -f "$PRE_COUNT_FILE"
+
+    [ "$PRE_COUNT" -eq 0 ] && exit 0
+
+    # Count hooks after modification
+    POST_COUNT=$(jq '[.hooks // {} | to_entries[] | .value[] | .hooks // [] | length] | add // 0' "$SETTINGS_FILE" 2>/dev/null || echo 0)
+
+    if [ "$POST_COUNT" -lt "$PRE_COUNT" ]; then
+        LATEST_BACKUP=$(ls -t "$BACKUP_DIR"/settings-pre-model-*.json 2>/dev/null | head -1)
+        echo "WARNING: Hook count dropped from $PRE_COUNT to $POST_COUNT after settings modification!" >&2
+        echo "  This typically happens when /model rewrites settings.json." >&2
+        if [ -n "$LATEST_BACKUP" ]; then
+            echo "  Restore hooks: jq -s '.[0] * {hooks: .[1].hooks}' '$SETTINGS_FILE' '$LATEST_BACKUP' > /tmp/merged.json && mv /tmp/merged.json '$SETTINGS_FILE'" >&2
+        fi
+    fi
+    exit 0
+fi
+
+exit 0

package/examples/shell-config-truncation-guard.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+# shell-config-truncation-guard.sh — Block writes that would truncate shell config files
+#
+# Solves: Claude Code installer auto-update truncating ~/.bash_profile and
+# ~/.zshrc to 0 bytes, destroying all user shell configuration (#49615).
+# Also catches Claude itself attempting to overwrite these files with
+# minimal or empty content.
+#
+# How it works: PreToolUse hook intercepts Write/Bash operations targeting
+# shell config files. If the new content would be significantly shorter
+# than the existing file (>60% reduction), the operation is blocked.
+# Empty/near-empty writes are always blocked.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash|Write"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash|Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/shell-config-truncation-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Shell config files to protect
+PROTECTED_FILES=(
+    "$HOME/.bashrc"
+    "$HOME/.bash_profile"
+    "$HOME/.zshrc"
+    "$HOME/.zprofile"
+    "$HOME/.profile"
+    "$HOME/.zshenv"
+)
+
+check_file_truncation() {
+    local target_file="$1"
+    local new_size="$2"
+
+    for protected in "${PROTECTED_FILES[@]}"; do
+        if [ "$target_file" = "$protected" ] || [ "$(realpath "$target_file" 2>/dev/null)" = "$(realpath "$protected" 2>/dev/null)" ]; then
+            if [ ! -f "$protected" ]; then
+                return 0
+            fi
+            local current_size
+            current_size=$(wc -c < "$protected" 2>/dev/null || echo 0)
+
+            # Block if writing 0 bytes or near-empty (< 10 bytes)
+            if [ "$new_size" -lt 10 ] && [ "$current_size" -gt 50 ]; then
+                echo "BLOCKED: Attempted to truncate $protected to $new_size bytes (current: $current_size bytes)" >&2
+                echo "This would destroy your shell configuration. See: github.com/anthropics/claude-code/issues/49615" >&2
+                exit 2
+            fi
+
+            # Block if >60% size reduction
+            if [ "$current_size" -gt 100 ]; then
+                local threshold=$((current_size * 40 / 100))
+                if [ "$new_size" -lt "$threshold" ]; then
+                    echo "BLOCKED: Write to $protected would reduce size by >60% ($current_size → $new_size bytes)" >&2
+                    echo "If intentional, back up first: cp $protected ${protected}.bak" >&2
+                    exit 2
+                fi
+            fi
+            return 0
+        fi
+    done
+    return 0
+}
+
+if [ "$TOOL" = "Write" ]; then
+    FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+    CONTENT=$(echo "$INPUT" | jq -r '.tool_input.content // empty' 2>/dev/null)
+    if [ -n "$FILE_PATH" ]; then
+        NEW_SIZE=${#CONTENT}
+        check_file_truncation "$FILE_PATH" "$NEW_SIZE"
+    fi
+elif [ "$TOOL" = "Bash" ]; then
+    COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+    [ -z "$COMMAND" ] && exit 0
+
+    # Detect redirect truncation: > ~/.bashrc, >~/.zshrc, etc.
+    for protected in "${PROTECTED_FILES[@]}"; do
+        base=$(basename "$protected")
+        # Match: > file, >file, truncate file, : > file, echo "" > file
+        if echo "$COMMAND" | grep -qE "(^|[;&|])\s*(>|truncate\s+-s\s*0|:\s*>)\s*~?(/[^;]*)?${base}"; then
+            echo "BLOCKED: Command would truncate $protected" >&2
+            echo "If intentional, back up first: cp $protected ${protected}.bak" >&2
+            exit 2
+        fi
+    done
+fi
+
+exit 0

package/examples/shell-wrapper-guard.sh

@@ -34,8 +34,8 @@ if echo "$COMMAND" | grep -qE '(sh|bash|zsh|dash)\s+-c\s+'; then
 fi
 
 # === Check 2: Python one-liners ===
-if echo "$COMMAND" | grep -qE 'python[23]?\s+-c\s+'; then
-    INNER=$(echo "$COMMAND" | sed -E "s/.*python[23]?\s+-c\s+['\"]?//" | sed "s/['\"]?\s*$//")
+if echo "$COMMAND" | grep -qE 'python[23]?(\.[0-9]+)?\s+-c\s+'; then
+    INNER=$(echo "$COMMAND" | sed -E "s/.*python[23]?(\.[0-9]+)?\s+-c\s+['\"]?//" | sed "s/['\"]?\s*$//")
     if echo "$INNER" | grep -qiE "os\.system\(.*($DESTRUCT_PATTERN)|subprocess\.(run|call|Popen)\(.*($DESTRUCT_PATTERN)|shutil\.rmtree\s*\(\s*['\"/~]"; then
         echo "BLOCKED: Destructive command in Python one-liner" >&2
         exit 2
@@ -69,9 +69,9 @@ if echo "$COMMAND" | grep -qE '(sh|bash)\s+-c\s+.*(sh|bash)\s+-c'; then
 fi
 
 # === Check 6: Pipe to shell (echo "rm -rf /" | sh) ===
-if echo "$COMMAND" | grep -qE '\|\s*(sh|bash|zsh)\s*$'; then
+if echo "$COMMAND" | grep -qE '\|\s*(sh|bash|zsh)(\s|$)'; then
     # Extract the piped content
-    PIPED=$(echo "$COMMAND" | sed -E 's/\s*\|\s*(sh|bash|zsh)\s*$//')
+    PIPED=$(echo "$COMMAND" | sed -E 's/\s*\|\s*(sh|bash|zsh)(\s.*)?$//')
     if echo "$PIPED" | grep -qE "$DESTRUCT_PATTERN"; then
         echo "BLOCKED: Destructive command piped to shell" >&2
         exit 2

package/examples/subagent-spawn-rate-monitor.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# subagent-spawn-rate-monitor.sh — サブエージェントの過剰spawn検知
+# Why: サブエージェントは毎回spawnされるたびに~4.7Kトークンがcache_creation
+#      (1.25xコスト)として課金される。spawn-heavyなワークフローでは線形に増大し、
+#      ユーザーが気づかないうちにquotaを消耗する (#50213, #46968)
+# Event: PreToolUse  MATCHER: Agent
+# Action: 短時間に多数のAgent spawnがあれば警告
+
+COUNTER_FILE="/tmp/cc-subagent-spawn-counter"
+WINDOW_FILE="/tmp/cc-subagent-spawn-window"
+THRESHOLD=5      # この回数を超えたら警告
+WINDOW_SECS=300  # 5分間のウィンドウ
+
+NOW=$(date +%s)
+WINDOW_START=$(cat "$WINDOW_FILE" 2>/dev/null || echo "$NOW")
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo "0")
+
+# ウィンドウ期限切れならリセット
+ELAPSED=$((NOW - WINDOW_START))
+if [ "$ELAPSED" -gt "$WINDOW_SECS" ]; then
+  COUNT=0
+  echo "$NOW" > "$WINDOW_FILE"
+fi
+
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+
+if [ "$COUNT" -gt "$THRESHOLD" ]; then
+  echo "⚠ HIGH SUBAGENT SPAWN RATE: $COUNT agents spawned in ${ELAPSED}s" >&2
+  echo "Each spawn costs ~4.7K tokens at 1.25x rate (no cache_control)." >&2
+  echo "Consider batching tasks or using fewer parallel agents. See: #50213" >&2
+fi
+
+exit 0

package/examples/subcommand-chain-guard.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# subcommand-chain-guard.sh — Block commands with excessive subcommand chains
+#
+# Solves: Claude Code silently ignores deny rules when a command contains
+# 50+ subcommands (MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50).
+# Attackers chain 50 no-op "true" commands before a dangerous command
+# to bypass all security checks. (Adversa AI / CVE disclosure, April 2026)
+#
+# How it works: Counts semicolon-separated and &&/|| chained subcommands.
+# If the count exceeds a threshold (default: 20), blocks execution.
+# This catches the exploit well before the 50-command limit.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+set -euo pipefail
+
+THRESHOLD=${CC_SUBCOMMAND_LIMIT:-20}
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+# Count subcommands: split on ; && ||
+# Use tr to normalize separators, then count
+SUBCOMMAND_COUNT=$(echo "$CMD" | tr ';' '\n' | tr '&' '\n' | tr '|' '\n' | grep -c '[^ ]' 2>/dev/null || echo 1)
+
+if [ "$SUBCOMMAND_COUNT" -gt "$THRESHOLD" ]; then
+    echo "BLOCKED: Command contains $SUBCOMMAND_COUNT subcommands (limit: $THRESHOLD)." >&2
+    echo "  Claude Code ignores deny rules after 50 subcommands (CVE disclosure)." >&2
+    echo "  This hook blocks at $THRESHOLD to prevent security bypass." >&2
+    echo "  Override: CC_SUBCOMMAND_LIMIT=100 (not recommended)" >&2
+    exit 2
+fi
+
+# Also detect the specific attack pattern: many "true" or ":" no-ops
+NOOP_COUNT=$(echo "$CMD" | grep -oE '\btrue\b|^:|;\s*:' | wc -l 2>/dev/null || echo 0)
+if [ "$NOOP_COUNT" -gt 10 ]; then
+    echo "BLOCKED: Suspicious pattern — $NOOP_COUNT no-op commands detected." >&2
+    echo "  This resembles the subcommand-chain attack (50x true + dangerous cmd)." >&2
+    exit 2
+fi
+
+exit 0

package/examples/system-dir-protection-guard.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+# system-dir-protection-guard.sh — Block destructive operations on system directories
+#
+# Solves: Agent deleting or moving system-level directories in auto mode
+#   - #49554: Auto mode approved deletion of system directories
+#   - #49129: rm -rf on /home subdirectories causing 50GB data loss
+#
+# Difference from existing hooks:
+#   rm-safety-net.sh:    Blocks rm on critical paths, but only rm commands
+#   home-critical-bash-guard.sh: Protects ~/dotfiles only
+#   This hook: Blocks rm, mv, chmod -R, chown -R on ALL system directories
+#              including /home/*, /usr, /etc, /var, /opt, /root, /boot, /srv
+#              Also blocks mv of system dirs (not covered by rm-safety-net)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Check if a path is a protected system directory
+is_system_dir() {
+    local path="$1"
+    # Remove trailing slash
+    path="${path%/}"
+
+    # Expand ~ to $HOME
+    if [[ "$path" == "~"* ]]; then
+        path="${HOME}${path#\~}"
+    fi
+
+    # Top-level system directories
+    case "$path" in
+        /|/home|/etc|/usr|/var|/opt|/root|/boot|/srv|/sys|/proc)
+            return 0 ;;
+    esac
+
+    # /home/<username> (1 level deep)
+    if echo "$path" | grep -qE '^/home/[^/]+$'; then
+        return 0
+    fi
+
+    # System subdirectories (e.g., /etc/nginx, /usr/local, /var/lib)
+    if echo "$path" | grep -qE '^/(etc|usr|var|opt|root|boot|srv|sys|proc)/'; then
+        return 0
+    fi
+
+    # Critical home directories: ~/.ssh, ~/.config, ~/.local, ~/.gnupg, ~/.cache
+    if echo "$path" | grep -qE "^${HOME}/\.(ssh|config|local|gnupg|cache)(/[^/]*)?$"; then
+        return 0
+    fi
+
+    return 1
+}
+
+# --- rm / unlink on system directories ---
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?(rm|unlink)\s'; then
+    # Extract targets after rm and flags
+    TARGETS=$(echo "$COMMAND" | grep -oP '(rm|unlink)\s+(-[a-zA-Z]+\s+)*\K[^;|&]+' 2>/dev/null || true)
+    for target in $TARGETS; do
+        if is_system_dir "$target"; then
+            echo "BLOCKED: Destructive operation on system directory: $target" >&2
+            echo "Command: $COMMAND" >&2
+            echo "" >&2
+            echo "System directories must not be deleted. Use specific file paths instead." >&2
+            echo "See: https://github.com/anthropics/claude-code/issues/49554" >&2
+            exit 2
+        fi
+    done
+fi
+
+# --- mv (moving system directories) ---
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?mv\s'; then
+    # Get the source of the mv (first non-flag argument)
+    MV_SOURCE=$(echo "$COMMAND" | grep -oP 'mv\s+(-[a-zA-Z]+\s+)*\K\S+' 2>/dev/null || true)
+    if is_system_dir "$MV_SOURCE"; then
+        echo "BLOCKED: Moving system directory: $MV_SOURCE" >&2
+        echo "Command: $COMMAND" >&2
+        echo "" >&2
+        echo "System directories must not be moved." >&2
+        echo "See: https://github.com/anthropics/claude-code/issues/49554" >&2
+        exit 2
+    fi
+fi
+
+# --- chmod -R / chown -R on system directories ---
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?(chmod|chown)\s+.*-R'; then
+    TARGETS=$(echo "$COMMAND" | grep -oP '(chmod|chown)\s+[^;|&]+' 2>/dev/null | awk '{print $NF}' || true)
+    for target in $TARGETS; do
+        if is_system_dir "$target"; then
+            echo "BLOCKED: Recursive permission change on system directory: $target" >&2
+            echo "Command: $COMMAND" >&2
+            exit 2
+        fi
+    done
+fi
+
+exit 0

package/examples/thinking-display-enforcer.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# thinking-display-enforcer.sh — Opus 4.7 thinking summaries消失を検知
+# Why: Opus 4.7でthinking displayのデフォルトがsummarized→omittedに変更された(#49268, 17👍)
+# セッション開始時にモデルを確認し、Opus 4.7でthinkingが非表示の場合に警告する
+# Event: Notification (セッション開始時に確認)
+# Fix: claude --thinking-display summarized
+
+# チェック頻度制御（100回に1回）
+COUNTER_FILE="/tmp/thinking-display-check-counter"
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo "0")
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+[ $((COUNT % 100)) -ne 1 ] && exit 0
+
+# settings.jsonにthinking display設定があるか確認
+SETTINGS_FILE="${HOME}/.claude/settings.json"
+if [ -f "$SETTINGS_FILE" ]; then
+    HAS_THINKING=$(grep -c "showThinkingSummaries\|thinkingDisplay" "$SETTINGS_FILE" 2>/dev/null || echo "0")
+    if [ "$HAS_THINKING" -eq 0 ]; then
+        echo "INFO: Opus 4.7ではthinking summariesがデフォルトで非表示です。" >&2
+        echo "修正: claude --thinking-display summarized で起動するか、settings.jsonに設定を追加してください。" >&2
+        echo "詳細: https://github.com/anthropics/claude-code/issues/49268" >&2
+    fi
+fi
+exit 0

package/examples/tool-retry-budget-guard.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# tool-retry-budget-guard.sh — Stop Claude from wasting tokens on repeated failures
+#
+# Solves: #50986 — Claude fails simple UI change after 10+ attempts, wastes entire
+#         token budget. Also prevents retry spirals on any file.
+#
+# Tracks consecutive tool calls (Edit, Write, Bash) targeting the same file.
+# After 5 attempts, blocks further edits and forces a different approach.
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+case "$TOOL" in
+  Edit|Write) ;;
+  *) exit 0 ;;
+esac
+
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Use file hash as state key
+HASH=$(echo "$FILE" | md5sum | cut -c1-8)
+STATE_DIR="/tmp/.cc-retry-budget"
+mkdir -p "$STATE_DIR"
+STATE_FILE="$STATE_DIR/$HASH"
+
+# Track attempt count and timestamp
+NOW=$(date +%s)
+COUNT=1
+
+if [ -f "$STATE_FILE" ]; then
+    PREV_TIME=$(head -1 "$STATE_FILE" 2>/dev/null || echo "0")
+    PREV_COUNT=$(tail -1 "$STATE_FILE" 2>/dev/null || echo "0")
+
+    # Reset if more than 5 minutes since last attempt (new task)
+    ELAPSED=$(( NOW - PREV_TIME ))
+    if [ "$ELAPSED" -lt 300 ]; then
+        COUNT=$(( PREV_COUNT + 1 ))
+    fi
+fi
+
+printf '%s\n%s\n' "$NOW" "$COUNT" > "$STATE_FILE"
+
+if [ "$COUNT" -ge 7 ]; then
+    echo "BLOCKED: You've attempted to modify $(basename "$FILE") $COUNT times in the last 5 minutes." >&2
+    echo "  This pattern wastes tokens. Stop and try a completely different approach:" >&2
+    echo "  1. Read the file first to understand current state" >&2
+    echo "  2. Use a different strategy (smaller change, different tool)" >&2
+    echo "  3. If stuck, explain the problem and ask for help" >&2
+    rm -f "$STATE_FILE"
+    exit 2
+elif [ "$COUNT" -ge 5 ]; then
+    echo "WARNING: $COUNT consecutive edits to $(basename "$FILE") — approaching retry limit (7)." >&2
+    echo "  Consider reading the file to verify your assumptions before the next attempt." >&2
+fi
+
+exit 0

package/examples/worktree-branch-pollution-detector.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# worktree-branch-pollution-detector.sh — worktreeが親ブランチを汚染していないか検知
+# Why: サブエージェントのworktree操作が親リポを予期しないブランチに移動させ、
+#      意図しないcommit-to-mainが発生する。1週間で3回の事故報告あり (#50207)
+# Event: PostToolUse  MATCHER: Bash
+# Action: 現在のブランチが期待値と異なる場合に警告
+
+INPUT=$(cat)
+
+# 期待ブランチ（セッション開始時に記録）
+EXPECTED_BRANCH_FILE="/tmp/cc-expected-branch-$(pwd | md5sum | cut -c1-8)"
+
+# git管理下でなければスキップ
+git rev-parse --is-inside-work-tree >/dev/null 2>&1 || exit 0
+
+CURRENT_BRANCH=$(git branch --show-current 2>/dev/null)
+[ -z "$CURRENT_BRANCH" ] && exit 0
+
+# 初回実行時はブランチを記録
+if [ ! -f "$EXPECTED_BRANCH_FILE" ]; then
+  echo "$CURRENT_BRANCH" > "$EXPECTED_BRANCH_FILE"
+  exit 0
+fi
+
+EXPECTED_BRANCH=$(cat "$EXPECTED_BRANCH_FILE" 2>/dev/null)
+
+if [ "$CURRENT_BRANCH" != "$EXPECTED_BRANCH" ]; then
+  echo "⚠ BRANCH CHANGED: Expected '$EXPECTED_BRANCH' but now on '$CURRENT_BRANCH'" >&2
+  echo "This may be caused by a worktree or subagent switching your branch." >&2
+  echo "Run 'git checkout $EXPECTED_BRANCH' to return. See: #50207" >&2
+  # 新しいブランチを記録（意図的な切替かもしれない）
+  echo "$CURRENT_BRANCH" > "$EXPECTED_BRANCH_FILE"
+fi
+
+exit 0

package/examples/worktree-create-log.sh

@@ -0,0 +1,6 @@
+LOGFILE="${HOME}/.claude/worktree-audit.log"
+INFO=$(cat)
+BRANCH=$(echo "$INFO" | jq -r '.branch // "unknown"' 2>/dev/null)
+PATH_WT=$(echo "$INFO" | jq -r '.path // "unknown"' 2>/dev/null)
+echo "[$(date '+%Y-%m-%d %H:%M:%S')] CREATE branch=$BRANCH path=$PATH_WT" >> "$LOGFILE"
+exit 0

package/examples/worktree-hook-linker.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+# worktree-hook-linker.sh — Auto-link settings to worktrees
+#
+# Solves: In git worktrees, .claude/settings.json is not found because
+# worktrees share .git but not the working directory. All hooks
+# become silently disabled. (#46808)
+#
+# How it works: On SessionStart, checks if the current directory is a
+# git worktree. If so, creates a symlink from the worktree's
+# .claude/settings.json to the main tree's settings. This ensures
+# hooks work identically in worktrees.
+#
+# {
+#   "hooks": {
+#     "Notification": [{
+#       "matcher": "SessionStart",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/worktree-hook-linker.sh" }]
+#     }]
+#   }
+# }
+#
+# TRIGGER: Notification
+# MATCHER: "SessionStart"
+
+# Detect if we're in a git worktree
+GITDIR=$(git rev-parse --git-dir 2>/dev/null) || exit 0
+echo "$GITDIR" | grep -q "worktrees" || exit 0
+
+# We're in a worktree — find the main working tree
+MAIN_GITDIR=$(git rev-parse --path-format=absolute --git-common-dir 2>/dev/null) || exit 0
+MAIN_WORKDIR=$(echo "$MAIN_GITDIR" | sed 's|/.git$||')
+
+MAIN_CLAUDE_DIR="$MAIN_WORKDIR/.claude"
+LOCAL_CLAUDE_DIR=".claude"
+
+# Skip if main tree has no .claude directory
+[ -d "$MAIN_CLAUDE_DIR" ] || exit 0
+
+# Create .claude directory in worktree if needed
+mkdir -p "$LOCAL_CLAUDE_DIR" 2>/dev/null
+
+# Link settings files if they exist in main but not in worktree
+for f in settings.json settings.local.json; do
+    MAIN_FILE="$MAIN_CLAUDE_DIR/$f"
+    LOCAL_FILE="$LOCAL_CLAUDE_DIR/$f"
+
+    [ ! -f "$MAIN_FILE" ] && continue
+
+    if [ ! -e "$LOCAL_FILE" ]; then
+        ln -s "$MAIN_FILE" "$LOCAL_FILE"
+        echo "Linked $f from main tree → worktree (hooks now active)" >&2
+    elif [ -L "$LOCAL_FILE" ]; then
+        # Already a symlink — verify it points to the right place
+        TARGET=$(readlink -f "$LOCAL_FILE" 2>/dev/null)
+        EXPECTED=$(readlink -f "$MAIN_FILE" 2>/dev/null)
+        if [ "$TARGET" != "$EXPECTED" ]; then
+            rm "$LOCAL_FILE"
+            ln -s "$MAIN_FILE" "$LOCAL_FILE"
+            echo "Re-linked $f (was pointing to wrong location)" >&2
+        fi
+    fi
+done
+
+# Also link hooks directory if it exists
+MAIN_HOOKS="$MAIN_CLAUDE_DIR/hooks"
+LOCAL_HOOKS="$LOCAL_CLAUDE_DIR/hooks"
+if [ -d "$MAIN_HOOKS" ] && [ ! -e "$LOCAL_HOOKS" ]; then
+    ln -s "$MAIN_HOOKS" "$LOCAL_HOOKS"
+    echo "Linked hooks/ directory from main tree → worktree" >&2
+fi
+
+exit 0

package/examples/worktree-remove-uncommitted-guard.sh

@@ -0,0 +1,20 @@
+INFO=$(cat)
+PATH_WT=$(echo "$INFO" | jq -r '.path // empty' 2>/dev/null)
+[ -z "$PATH_WT" ] && exit 0
+[ ! -d "$PATH_WT" ] && exit 0
+cd "$PATH_WT" 2>/dev/null || exit 0
+DIRTY=$(git status --porcelain 2>/dev/null | wc -l)
+if [ "$DIRTY" -gt 0 ]; then
+    echo "BLOCKED: Worktree at $PATH_WT has $DIRTY uncommitted change(s)." >&2
+    echo "Commit or stash changes before removing." >&2
+    exit 2
+fi
+BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
+if [ -n "$BRANCH" ]; then
+    UNPUSHED=$(git log --oneline "origin/$BRANCH..$BRANCH" 2>/dev/null | wc -l)
+    if [ "$UNPUSHED" -gt 0 ]; then
+        echo "WARNING: $UNPUSHED unpushed commit(s) on $BRANCH." >&2
+        echo "Push before removing: git push origin $BRANCH" >&2
+    fi
+fi
+exit 0