cc-safe-setup 29.6.39 → 29.7.0

package/hooks/hooks.json

@@ -0,0 +1,60 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty'); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE '^\\s*(sudo\\s+)?rm\\s+.*-[rRf]*[rR]' && ! echo \"$CMD\" | grep -qE '(node_modules|dist|build|__pycache__|/tmp)'; then echo 'BLOCKED: recursive rm on non-safe target. Use specific paths.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty'); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+push\\s+.*--force|git\\s+reset\\s+--hard|git\\s+clean\\s+-fd'; then echo 'BLOCKED: destructive git operation. Use safer alternatives.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty'); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qiE '(api.key|secret|password|token).*=.*[A-Za-z0-9]{20}'; then echo 'BLOCKED: potential credential in command. Use environment variables.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Write|Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); FILE=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty'); [ -z \"$FILE\" ] && exit 0; if echo \"$FILE\" | grep -qE '\\.(env|pem|key|credentials|secret)$'; then echo 'BLOCKED: writing to sensitive file. Check if this is intentional.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/move-delete-sequence-guard.sh"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/system-dir-protection-guard.sh"
+          }
+        ]
+      }
+    ]
+  }
+}

package/index.mjs

@@ -94,6 +94,7 @@ const GENERATE_CI = process.argv.includes('--generate-ci');
 const REPORT = process.argv.includes('--report');
 const QUICKFIX = process.argv.includes('--quickfix');
 const SHIELD = process.argv.includes('--shield');
+const OPUS47 = process.argv.includes('--opus47');
 const ANALYZE = process.argv.includes('--analyze');
 const TEAM = process.argv.includes('--team');
 const MIGRATE_FROM_IDX = process.argv.findIndex(a => a === '--migrate-from');
@@ -192,8 +193,9 @@ if (HELP) {
   Find hooks: npx cc-hook-registry search <keyword>
   Test hooks: npx cc-hook-test <hook.sh>
 
-  Support: https://github.com/sponsors/yurukusa
-  Book:    https://zenn.dev/yurukusa/books/6076c23b1cb18b
+  Token Checkup: https://yurukusa.github.io/cc-safe-setup/token-checkup.html
+  Token Book:    https://yurukusa.github.io/cc-safe-setup/token-book.html
+  Safety Guide:  https://zenn.dev/yurukusa/books/6076c23b1cb18b
 `);
   process.exit(0);
 }
@@ -690,6 +692,14 @@ function examples() {
       'write-overwrite-confirm.sh': 'Warn when Write tool overwrites large files',
       'write-secret-guard.sh': 'Block secrets from being written to files',
       'write-shrink-guard.sh': 'Block writes that drastically shrink files',
+      'cch-cache-guard.sh': 'Block reads of session files to prevent cache poisoning',
+      'conversation-history-guard.sh': 'Block modifications to conversation history',
+      'image-file-validator.sh': 'Block reads of fake image files that corrupt sessions',
+      'permission-denial-enforcer.sh': 'Block alternative write methods after permission denial',
+      'read-only-mode.sh': 'Block all file modifications and destructive commands',
+      'replace-all-guard.sh': 'Warn when Edit uses replace_all: true',
+      'task-integrity-guard.sh': 'Prevent Claude from deleting tasks to hide unfinished work',
+      'working-directory-fence.sh': 'Block file operations outside current working directory',
     },
     'Auto-Approve': {
       'allow-claude-settings.sh': 'PermissionRequest hook',
@@ -927,6 +937,9 @@ function examples() {
       'tool-call-rate-limiter.sh': 'Prevent runaway tool calls',
       'tool-file-logger.sh': 'Log file paths from Read/Write/Edit to stderr',
       'usage-cache-local.sh': 'Cache usage info locally to avoid API calls',
+      'compact-alert-notification.sh': 'Warn when context compaction is imminent',
+      'prompt-usage-logger.sh': 'Log every prompt with timestamps',
+      'subagent-error-detector.sh': 'Detect failed subagent results',
     },
     'Recovery': {
       'auto-checkpoint.sh': 'Auto-commit after every edit for rollback protection',
@@ -956,6 +969,10 @@ function examples() {
       'session-summary.sh': 'Session Summary',
       'settings-auto-backup.sh': 'Auto-backup settings on session start',
       'terminal-state-restore.sh': 'terminal-state-restore — restore terminal to clean state on session exit',
+      'pre-compact-transcript-backup.sh': 'Backup transcript before compaction',
+      'ripgrep-permission-fix.sh': 'Auto-fix ripgrep execute permission on session start',
+      'session-backup-on-start.sh': 'Backup session JSONL files on start',
+      'session-index-repair.sh': 'Rebuild sessions-index.json on exit',
     },
     'UX': {
       'auto-answer-question.sh': 'Auto-answer AskUserQuestion for headless/autonomous mode',
@@ -1028,6 +1045,7 @@ function examples() {
     },
     'Other': {
       'token-spike-alert.sh': 'Alert on abnormal token consumption per turn',
+      'mcp-warmup-wait.sh': 'Wait for MCP servers to be ready on session start',
     },
   };
 
@@ -2900,6 +2918,79 @@ async function analyze() {
   console.log();
 }
 
+async function opus47() {
+  console.log();
+  console.log(c.bold + '  🚨  cc-safe-setup --opus47' + c.reset);
+  console.log(c.dim + '  Opus 4.7 protection — fixes for known critical issues' + c.reset);
+  console.log();
+
+  // First install core hooks if not already installed
+  mkdirSync(HOOKS_DIR, { recursive: true });
+  let coreInstalled = 0;
+  for (const [hookId, hookMeta] of Object.entries(HOOKS)) {
+    const hookPath = join(HOOKS_DIR, `${hookId}.sh`);
+    if (!existsSync(hookPath)) {
+      writeFileSync(hookPath, SCRIPTS[hookId]);
+      chmodSync(hookPath, 0o755);
+      coreInstalled++;
+    }
+  }
+  if (coreInstalled > 0) {
+    // Update settings.json for core hooks
+    let settings = {};
+    if (existsSync(SETTINGS_PATH)) {
+      settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf8'));
+    }
+    if (!settings.hooks) settings.hooks = {};
+    for (const [hookId, hookMeta] of Object.entries(HOOKS)) {
+      const trigger = hookMeta.trigger;
+      if (!settings.hooks[trigger]) settings.hooks[trigger] = [];
+      const hookPath = toBashPath(join(HOOKS_DIR, `${hookId}.sh`));
+      const exists = settings.hooks[trigger].some(h => h.hooks?.some(hh => hh.command?.includes(hookId)));
+      if (!exists) {
+        settings.hooks[trigger].push({
+          matcher: hookMeta.matcher,
+          hooks: [{ type: 'command', command: hookPath }]
+        });
+      }
+    }
+    writeFileSync(SETTINGS_PATH, JSON.stringify(settings, null, 2) + '\n');
+    console.log(c.green + '  ✓' + c.reset + ` ${coreInstalled} core safety hooks installed`);
+  } else {
+    console.log(c.dim + '  ✓ Core safety hooks already installed' + c.reset);
+  }
+
+  // Install Opus 4.7-specific hooks
+  const opus47Hooks = [
+    { name: 'model-version-alert', desc: 'Warns when Opus 4.7 is silently active (#49541)', issue: '4x token consumption' },
+    { name: 'shell-config-truncation-guard', desc: 'Blocks installer from truncating ~/.bash_profile (#49615)', issue: 'config destruction' },
+    { name: 'credential-exfil-guard', desc: 'Blocks credential file access (#49539, #49554)', issue: 'credential deletion' },
+    { name: 'home-critical-bash-guard', desc: 'Blocks destructive ops on critical dotfiles (#49554)', issue: 'home directory attacks' },
+  ];
+
+  console.log();
+  console.log(c.bold + '  Opus 4.7 protection hooks:' + c.reset);
+  let added = 0;
+  for (const hook of opus47Hooks) {
+    try {
+      await installExample(hook.name);
+      added++;
+    } catch (e) {
+      // installExample may exit on error, but we want to continue
+    }
+  }
+
+  console.log();
+  console.log(c.bold + '  Why these hooks matter:' + c.reset);
+  console.log(c.dim + '  Opus 4.7\'s safety classifier is hardcoded to 4.6 (#49618).' + c.reset);
+  console.log(c.dim + '  Auto mode can\'t block dangerous commands on 4.7.' + c.reset);
+  console.log(c.dim + '  These hooks run at process level — independent of the model.' + c.reset);
+  console.log();
+  console.log(c.green + '  Done.' + c.reset + ' Your setup is protected against known Opus 4.7 issues.');
+  console.log(c.dim + '  Guide: https://yurukusa.github.io/cc-safe-setup/opus-47-survival-guide.html' + c.reset);
+  console.log();
+}
+
 async function shield() {
   const { execSync } = await import('child_process');
   const { readdirSync } = await import('fs');
@@ -2953,6 +3044,9 @@ async function shield() {
   // Always include these for maximum safety
   extras.push('scope-guard', 'no-sudo-guard', 'protect-claudemd', 'memory-write-guard', 'skill-gate', 'auto-approve-test', 'auto-approve-readonly');
 
+  // Opus 4.7 safety: classifier is hardcoded to 4.6 (#49618) — hooks are the only defense
+  extras.push('dotfile-protection-guard', 'home-critical-bash-guard');
+
   for (const ex of extras) {
     const exPath = join(__dirname, 'examples', `${ex}.sh`);
     const hookPath = join(HOOKS_DIR, `${ex}.sh`);
@@ -3102,6 +3196,9 @@ async function shield() {
   console.log(c.dim + '  Verify: npx cc-safe-setup --verify' + c.reset);
   console.log(c.dim + '  Status: npx cc-safe-setup --status' + c.reset);
   console.log();
+  console.log(c.dim + '  Burning tokens too fast? Free diagnosis:' + c.reset);
+  console.log(c.blue + '  https://yurukusa.github.io/cc-safe-setup/token-checkup.html' + c.reset);
+  console.log();
 }
 
 async function quickfix() {
@@ -5768,6 +5865,7 @@ async function main() {
   if (TEAM) return team();
   if (PROFILE_IDX !== -1) return profile(PROFILE);
   if (ANALYZE) return analyze();
+  if (OPUS47) return opus47();
   if (SHIELD) return shield();
   if (QUICKFIX) return quickfix();
   if (REPORT) return report();
@@ -5882,12 +5980,16 @@ async function main() {
   console.log('  ' + c.blue + '  --doctor' + c.reset + '            Verify hooks work');
   console.log('  ' + c.blue + '  --simulate "cmd"' + c.reset + '    Test how hooks react');
   console.log('  ' + c.blue + '  --shield' + c.reset + '            Maximum safety (recommended)');
+  console.log('  ' + c.blue + '  --opus47' + c.reset + '            Opus 4.7 crisis protection');
   console.log();
-  console.log('  ' + c.dim + '23 web tools: https://yurukusa.github.io/cc-safe-setup/hub.html' + c.reset);
+  console.log('  ' + c.dim + 'Free tools:' + c.reset);
+  console.log('  ' + c.blue + '  Token Checkup' + c.reset + '  https://yurukusa.github.io/cc-safe-setup/token-checkup.html');
+  console.log('  ' + c.blue + '  Token Book' + c.reset + '     https://yurukusa.github.io/cc-safe-setup/token-book.html');
+  console.log('  ' + c.dim + '  28 web tools: https://yurukusa.github.io/cc-safe-setup/hub.html' + c.reset);
   console.log();
-  console.log('  ' + c.dim + 'Like this tool? Support development:' + c.reset);
-  console.log('  ' + c.dim + '  Sponsor: https://github.com/sponsors/yurukusa' + c.reset);
-  console.log('  ' + c.dim + '  Book:    https://zenn.dev/yurukusa/books/6076c23b1cb18b' + c.reset);
+  console.log('  ' + c.dim + 'Tokens disappearing too fast?' + c.reset);
+  console.log('  ' + c.blue + '  Token Book' + c.reset + '  Cut consumption in half — https://yurukusa.github.io/cc-safe-setup/token-book.html');
+  console.log('  ' + c.dim + '  Safety Guide: https://zenn.dev/yurukusa/books/6076c23b1cb18b' + c.reset);
   console.log();
 }
 

package/memory/market-anthropic-japan-strategy-2026-04-13.md

@@ -0,0 +1,4 @@
+This file was created in the wrong location. The correct version is at:
+~/.claude/projects/-home-namakusa-projects-cc-loop/memory/market-anthropic-japan-strategy-2026-04-13.md
+
+This file can be deleted.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.39",
-  "description": "One command to make Claude Code safe. 650 example hooks + 8 built-in. 56 CLI commands. Token consumption diagnosis. Works with Auto Mode.",
+  "version": "29.7.0",
+  "description": "One command to make Claude Code safe. 700 example hooks + 8 built-in. 56 CLI commands. Token consumption diagnosis. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"

package/plugins/credential-guard/.claude-plugin/plugin.json

@@ -0,0 +1,58 @@
+{
+  "name": "credential-guard",
+  "description": "Protect secrets and credentials from Claude Code. Blocks writes to .env files, detects API keys in shell commands, prevents hardcoded tokens, and guards service account JSON files.",
+  "version": "1.1.0",
+  "author": { "name": "yurukusa" },
+  "homepage": "https://yurukusa.github.io/cc-safe-setup/",
+  "repository": "https://github.com/yurukusa/cc-safe-setup",
+  "license": "MIT",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); FILE=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z \"$FILE\" ] && exit 0; if echo \"$FILE\" | grep -qE '\\.env$|\\.env\\.|credentials|secret'; then echo \"BLOCKED: Writing to sensitive file: $FILE\" >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); FILE=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z \"$FILE\" ] && exit 0; if echo \"$FILE\" | grep -qE '\\.env$|\\.env\\.|credentials|secret'; then echo \"BLOCKED: Editing sensitive file: $FILE\" >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE '(sk|pk|api|key|token|secret|password)[-_]?[a-zA-Z0-9]{20,}'; then echo 'WARNING: Possible API key or token detected in command. Verify no secrets are exposed.' >&2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); FILE=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z \"$FILE\" ] && exit 0; if echo \"$FILE\" | grep -qE 'serviceaccount.*\\.json|key\\.json|credentials\\.json'; then echo \"BLOCKED: Writing to service account file: $FILE\" >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'ANTHROPIC_API_KEY|OPENAI_API_KEY|AWS_SECRET|GITHUB_TOKEN|DATABASE_URL'; then echo 'WARNING: Environment variable with potential secret detected in command.' >&2; fi"
+          }
+        ]
+      }
+    ]
+  }
+}

package/plugins/git-protection/.claude-plugin/plugin.json

@@ -0,0 +1,58 @@
+{
+  "name": "git-protection",
+  "description": "Git safety hooks for Claude Code. Blocks force-push, protects main/master branch, prevents hard-reset, guards interactive rebase, and blocks git clean -fd.",
+  "version": "1.1.0",
+  "author": { "name": "yurukusa" },
+  "homepage": "https://yurukusa.github.io/cc-safe-setup/",
+  "repository": "https://github.com/yurukusa/cc-safe-setup",
+  "license": "MIT",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+push.*--force|git\\s+push.*-f\\b'; then echo 'BLOCKED: Force push. Use --force-with-lease for safer alternative.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+push\\s+(origin\\s+)?(main|master)\\b'; then echo 'BLOCKED: Direct push to main/master. Use a feature branch and PR.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+reset\\s+--hard'; then echo 'BLOCKED: git reset --hard. Use git stash or git reset --soft.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+clean\\s+-fd|git\\s+clean\\s+-f'; then echo 'BLOCKED: git clean removes untracked files permanently. Review with git clean -n first.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+branch\\s+-D'; then echo 'BLOCKED: Force branch deletion. Use -d (safe delete) instead of -D.' >&2; exit 2; fi"
+          }
+        ]
+      }
+    ]
+  }
+}

package/plugins/safety-essentials/.claude-plugin/plugin.json

@@ -0,0 +1,58 @@
+{
+  "name": "safety-essentials",
+  "description": "5 essential safety hooks for Claude Code. Blocks rm -rf, force-push, hard-reset, .env overwrites, and package publish. The minimum viable safety net from 800+ hours of autonomous operation.",
+  "version": "1.1.0",
+  "author": { "name": "yurukusa" },
+  "homepage": "https://yurukusa.github.io/cc-safe-setup/",
+  "repository": "https://github.com/yurukusa/cc-safe-setup",
+  "license": "MIT",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'rm\\s+-r(f|F)|rm\\s+-(f|F)r|rm\\s+--force.*-r|rm\\s+-r.*--force'; then echo 'BLOCKED: rm -rf detected. Use git clean or manual deletion instead.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+push.*--force|git\\s+push.*-f\\b'; then echo 'BLOCKED: Force push detected. Use --force-with-lease or push normally.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+reset\\s+--hard'; then echo 'BLOCKED: git reset --hard discards uncommitted changes. Use git stash instead.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); FILE=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z \"$FILE\" ] && exit 0; if echo \"$FILE\" | grep -qE '\\.env$|\\.env\\.'; then echo \"BLOCKED: Writing to environment file: $FILE\" >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'npm\\s+publish|yarn\\s+publish'; then echo 'BLOCKED: Package publish requires manual execution.' >&2; exit 2; fi"
+          }
+        ]
+      }
+    ]
+  }
+}

package/plugins/token-guard/.claude-plugin/plugin.json

@@ -0,0 +1,51 @@
+{
+  "name": "token-guard",
+  "description": "Token consumption guards for Claude Code. Warns on large file reads (100KB+), limits unique file reads per session, estimates token budget, and caps subagent spawns. From 800+ hours of autonomous operation data.",
+  "version": "1.0.0",
+  "author": { "name": "yurukusa" },
+  "homepage": "https://yurukusa.github.io/cc-safe-setup/token-book.html",
+  "repository": "https://github.com/yurukusa/cc-safe-setup",
+  "license": "MIT",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Read",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); FP=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z \"$FP\" ] || [ ! -f \"$FP\" ] && exit 0; SZ=$(stat -c%s \"$FP\" 2>/dev/null || stat -f%z \"$FP\" 2>/dev/null); [ \"$SZ\" -gt 102400 ] 2>/dev/null && echo \"Warning: $(basename $FP) is $((SZ/1024))KB. Use limit parameter to read only what you need.\" || true"
+          }
+        ]
+      },
+      {
+        "matcher": "Read",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "BUDGET=${CC_READ_BUDGET:-100}; WARN=${CC_READ_WARN:-50}; T=/tmp/cc-read-budget-$PPID; INPUT=$(cat); FP=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z \"$FP\" ] && exit 0; C=0; if [ -f \"$T\" ]; then grep -qF \"$FP\" \"$T\" || echo \"$FP\" >> \"$T\"; C=$(wc -l < \"$T\"); else echo \"$FP\" > \"$T\"; C=1; fi; [ \"$C\" -ge \"$BUDGET\" ] && { echo \"[BLOCK] Read budget reached (${BUDGET} files). Use Glob/Grep to narrow down.\"; exit 2; }; [ \"$C\" -ge \"$WARN\" ] && echo \"Warning: ${C}/${BUDGET} files read.\""
+          }
+        ]
+      },
+      {
+        "matcher": "Agent",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "MAX=${CC_MAX_AGENTS:-3}; T=/tmp/cc-agents-$PPID; C=0; [ -f \"$T\" ] && C=$(cat \"$T\"); C=$((C+1)); echo $C > \"$T\"; [ $C -gt $MAX ] && { echo \"[BLOCK] Subagent limit (${MAX}). Complete existing agents first.\"; exit 2; }; [ $C -ge $MAX ] && echo \"Warning: ${C}/${MAX} subagents spawned.\""
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": {},
+        "hooks": [
+          {
+            "type": "command",
+            "command": "WARN=${CC_TOKEN_BUDGET:-50000}; BLOCK=${CC_TOKEN_BLOCK:-100000}; T=/tmp/cc-tokens-$PPID; INPUT=$(cat); SZ=${#INPUT}; TK=$((SZ/4)); TOTAL=0; [ -f \"$T\" ] && TOTAL=$(cat \"$T\"); TOTAL=$((TOTAL+TK)); echo $TOTAL > \"$T\"; [ $TOTAL -ge $BLOCK ] && { echo \"[BLOCK] Token budget exceeded (~${TOTAL}). Run /compact.\"; exit 2; }; [ $TOTAL -ge $WARN ] && echo \"Warning: ~${TOTAL} tokens consumed (limit: ${BLOCK}).\""
+          }
+        ]
+      }
+    ]
+  }
+}

package/skills/safety-setup/SKILL.md

@@ -0,0 +1,47 @@
+---
+name: cc-safe-setup
+description: Safety hooks for Claude Code — 695 pre-built hooks that prevent file deletion, credential leaks, git disasters, and token waste during autonomous AI coding sessions. Install with npx cc-safe-setup.
+---
+
+# cc-safe-setup
+
+Safety-first configuration for Claude Code. Prevents the accidents that happen when AI writes code autonomously.
+
+## What it does
+
+Installs pre-built safety hooks into your Claude Code environment. These hooks run automatically before/after tool calls to block dangerous operations.
+
+**Categories:**
+- **File protection**: Block `rm -rf`, prevent overwriting files outside project
+- **Git safety**: Prevent force-push to main, block `reset --hard`
+- **Credential guards**: Stop `.env` files from being committed or read by AI
+- **Token optimization**: Warn on large file reads, limit subagent spawning
+- **Quality gates**: Detect lazy rewrites, verify claims before committing
+
+## Quick start
+
+```bash
+npx cc-safe-setup
+```
+
+This runs an interactive wizard that configures hooks based on your risk profile.
+
+## Install individual hooks
+
+```bash
+npx cc-safe-setup --install-example large-read-guard
+npx cc-safe-setup --install-example prevent-rm-rf
+npx cc-safe-setup --install-example git-force-push-block
+```
+
+## Why hooks instead of CLAUDE.md rules
+
+Rules in CLAUDE.md are suggestions — Claude can forget them. Hooks are enforced at the system level. A hook that blocks `rm -rf` cannot be overridden by the AI.
+
+From 800+ hours of autonomous operation: the hooks that matter most are the ones you don't notice until something goes wrong.
+
+## Resources
+
+- Repository: https://github.com/yurukusa/cc-safe-setup
+- Hook Selector (find hooks for your setup): https://yurukusa.github.io/cc-safe-setup/hook-selector.html
+- Token Checkup (diagnose waste): https://yurukusa.github.io/cc-safe-setup/token-checkup.html

package/tests/dotenv-read-guard.test.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# Tests for dotenv-read-guard.sh
+HOOK="$(dirname "$0")/../examples/dotenv-read-guard.sh"
+PASS=0; FAIL=0
+
+run_test() {
+    local desc="$1" input="$2" expect="$3"
+    result=$(echo "$input" | bash "$HOOK" 2>/dev/null; echo $?)
+    code=$(echo "$result" | tail -1)
+    if [ "$code" = "$expect" ]; then
+        echo "PASS: $desc"
+        ((PASS++))
+    else
+        echo "FAIL: $desc (expected $expect, got $code)"
+        ((FAIL++))
+    fi
+}
+
+# Should block .env files
+run_test "Block .env" \
+    '{"tool_input":{"file_path":"/home/user/project/.env"}}' "2"
+
+run_test "Block .env.local" \
+    '{"tool_input":{"file_path":"/app/.env.local"}}' "2"
+
+run_test "Block .env.production" \
+    '{"tool_input":{"file_path":"/deploy/.env.production"}}' "2"
+
+run_test "Block .env.staging" \
+    '{"tool_input":{"file_path":"/app/.env.staging"}}' "2"
+
+run_test "Block .env.development" \
+    '{"tool_input":{"file_path":"/app/.env.development"}}' "2"
+
+run_test "Block .env.test" \
+    '{"tool_input":{"file_path":"/project/.env.test"}}' "2"
+
+# Should allow non-.env files
+run_test "Allow .env.example" \
+    '{"tool_input":{"file_path":"/project/.env.example"}}' "0"
+
+run_test "Allow README.md" \
+    '{"tool_input":{"file_path":"/project/README.md"}}' "0"
+
+run_test "Allow package.json" \
+    '{"tool_input":{"file_path":"/project/package.json"}}' "0"
+
+run_test "Allow config.ts" \
+    '{"tool_input":{"file_path":"/src/config.ts"}}' "0"
+
+run_test "Allow env.ts (not dotenv)" \
+    '{"tool_input":{"file_path":"/src/env.ts"}}' "0"
+
+run_test "Allow .envrc (direnv)" \
+    '{"tool_input":{"file_path":"/project/.envrc"}}' "0"
+
+# Edge cases
+run_test "Empty input" '{}' "0"
+
+run_test "No file_path" \
+    '{"tool_input":{}}' "0"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1