cc-safe-setup 29.6.40 → 29.7.0

package/examples/effort-tracking-logger.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# effort-tracking-logger.sh — ツール使用ごとのエフォートログを記録
+# Why: OTEL互換のエフォート追跡への要望が急増 (#49893, 18👍)。
+#      公式対応を待たずに、hookでツール呼び出しごとのログを残す。
+#      コスト分析・セッション振り返り・ボトルネック特定に使える。
+# Event: PostToolUse  MATCHER: ""
+# Output: ~/.claude/effort-log/YYYY-MM-DD.jsonl
+
+LOG_DIR="${HOME}/.claude/effort-log"
+mkdir -p "$LOG_DIR"
+LOG_FILE="$LOG_DIR/$(date +%Y-%m-%d).jsonl"
+
+# stdinからツール情報を取得
+TOOL_INPUT=$(cat)
+TOOL_NAME=$(echo "$TOOL_INPUT" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('tool_name','unknown'))" 2>/dev/null)
+TOOL_STATUS=$(echo "$TOOL_INPUT" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('was_error','false'))" 2>/dev/null)
+
+# JSONLログに追記
+python3 -c "
+import json, datetime
+entry = {
+    'timestamp': datetime.datetime.now().isoformat(),
+    'tool': '$TOOL_NAME',
+    'error': '$TOOL_STATUS' == 'true',
+    'session_pid': $(echo $$)
+}
+print(json.dumps(entry))
+" >> "$LOG_FILE"
+
+exit 0

package/examples/financial-operation-guard.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# financial-operation-guard.sh — Block unauthorized financial operations
+#
+# Solves: Claude Code transferred $1,446 from spot to futures without
+# authorization when told to "close a position". Financial APIs
+# should never be called without explicit per-transaction approval. (#46828)
+#
+# How it works: Detects commands that interact with exchange APIs,
+# wallet transfers, payment processors, or any operation involving
+# fund movement. Blocks with exit 2 and requires explicit user
+# confirmation.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+# Detect financial API calls
+# Exchange APIs
+if echo "$CMD" | grep -qiE '(binance|bitget|bybit|kraken|coinbase|ftx|okx|kucoin|gate\.io|huobi).*(transfer|withdraw|swap|order|trade|margin|futures|spot|deposit)'; then
+    echo "BLOCKED: Financial exchange operation detected." >&2
+    echo "  Command: $(echo "$CMD" | head -c 200)" >&2
+    echo "  Fund transfers require explicit user approval for EACH transaction." >&2
+    exit 2
+fi
+
+# Generic payment/transfer patterns
+if echo "$CMD" | grep -qiE '(transfer|withdraw|send|swap|bridge)[^a-z].*\b(usdt|usdc|eth|btc|sol|bnb|funds|balance|wallet)\b'; then
+    echo "BLOCKED: Cryptocurrency transfer operation detected." >&2
+    echo "  Command: $(echo "$CMD" | head -c 200)" >&2
+    echo "  Wallet/fund operations require explicit user approval." >&2
+    exit 2
+fi
+
+# Payment processor APIs
+if echo "$CMD" | grep -qiE 'stripe.*(charges?|transfers?|payouts?)|paypal.*(payments?|send|transfers?)|square.*(payments?|charges?)'; then
+    echo "BLOCKED: Payment processor operation detected." >&2
+    echo "  Command: $(echo "$CMD" | head -c 200)" >&2
+    echo "  Payment operations require explicit user approval." >&2
+    exit 2
+fi
+
+exit 0

package/examples/full-rewrite-detector.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# ================================================================
+# full-rewrite-detector.sh — Warn on full-file rewrites
+# ================================================================
+# PURPOSE:
+#   Claude Code sometimes rewrites entire files when a small edit
+#   would suffice. AMD's analysis of 6,852 sessions found this
+#   pattern increasing over time — a sign of quality degradation.
+#   This hook detects when >80% of a file's lines were changed
+#   and warns the user.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Write"
+#
+# HOW IT WORKS:
+#   After a Write operation, checks git diff for the target file.
+#   If the ratio of changed lines to total lines exceeds the
+#   threshold (default 80%), emits a warning.
+#
+# CONFIGURATION:
+#   CC_REWRITE_THRESHOLD=80  — percentage threshold (default 80)
+#
+# NOTE: Only works in git repositories. No-op outside git repos.
+# ================================================================
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+# Skip if no file path
+[ -z "$FILE" ] && exit 0
+
+# Skip if not in a git repo
+git rev-parse --is-inside-work-tree &>/dev/null || exit 0
+
+# Skip if file doesn't exist (new file creation is fine)
+[ -f "$FILE" ] || exit 0
+
+# Get change stats from git
+STATS=$(git diff --numstat -- "$FILE" 2>/dev/null)
+[ -z "$STATS" ] && exit 0
+
+ADDED=$(echo "$STATS" | awk '{print $1}')
+DELETED=$(echo "$STATS" | awk '{print $2}')
+
+# Handle binary files (git outputs "-" for binary)
+[ "$ADDED" = "-" ] && exit 0
+
+CHANGED=$((ADDED + DELETED))
+TOTAL=$(wc -l < "$FILE" 2>/dev/null || echo 0)
+
+# Avoid division by zero; skip very small files
+[ "$TOTAL" -lt 5 ] && exit 0
+
+RATIO=$((CHANGED * 100 / TOTAL))
+THRESHOLD=${CC_REWRITE_THRESHOLD:-80}
+
+if [ "$RATIO" -gt "$THRESHOLD" ]; then
+    echo "WARNING: Full rewrite detected on $(basename "$FILE")" >&2
+    echo "  ${RATIO}% of lines changed (${CHANGED} lines changed / ${TOTAL} total)" >&2
+    echo "  Consider: was a partial edit sufficient?" >&2
+fi
+
+exit 0

package/examples/home-critical-bash-guard.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+# home-critical-bash-guard.sh — Block Bash commands that delete/modify critical home files
+#
+# Solves: Bash commands that rm/mv/truncate critical dotfiles and directories
+#   - #49554: auto mode approved ~/.ssh directory deletion
+#   - #49539: ~/.git-credentials PATs deleted without confirmation
+#   - #49464: ./~ misinterpreted as ~/ leading to home directory deletion attempt
+#
+# Complements dotfile-protection-guard.sh (which covers Write/Edit tools).
+# This hook covers the Bash tool path — rm, mv, truncate, > redirect on dotfiles.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+HOME_DIR="$HOME"
+
+# Critical paths (regex patterns)
+CRITICAL="(${HOME_DIR}|\~)/\.(bashrc|bash_profile|zshrc|zshenv|profile|login|logout|ssh|git-credentials|gitconfig|gnupg|npmrc|netrc|docker|kube|aws)"
+
+# Check for rm/unlink targeting critical paths
+if echo "$COMMAND" | grep -qE "(rm|unlink)\s" && echo "$COMMAND" | grep -qE "$CRITICAL"; then
+    echo "BLOCKED: Deleting critical home directory file" >&2
+    echo "Command: $COMMAND" >&2
+    exit 2
+fi
+
+# Check for mv (rename/move) of critical paths
+if echo "$COMMAND" | grep -qE "mv\s" && echo "$COMMAND" | grep -qE "$CRITICAL"; then
+    echo "BLOCKED: Moving/renaming critical home directory file" >&2
+    echo "Command: $COMMAND" >&2
+    exit 2
+fi
+
+# Check for truncation via redirect (> ~/.bashrc or : > ~/.bashrc)
+if echo "$COMMAND" | grep -qE ">\s*(${HOME_DIR}|\~)/\."; then
+    TARGET=$(echo "$COMMAND" | grep -oP ">\s*\K(${HOME_DIR}|~)/\.[^\s;|&]+")
+    if echo "$TARGET" | grep -qE "$CRITICAL"; then
+        echo "BLOCKED: Truncating critical home directory file" >&2
+        echo "Command: $COMMAND" >&2
+        exit 2
+    fi
+fi
+
+# Check for chmod on critical credential files
+if echo "$COMMAND" | grep -qE "chmod\s.*777" && echo "$COMMAND" | grep -qE "$CRITICAL"; then
+    echo "BLOCKED: Removing permissions on critical file" >&2
+    echo "Command: $COMMAND" >&2
+    exit 2
+fi
+
+exit 0

package/examples/idle-session-cost-alert.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# idle-session-cost-alert.sh — Warn when session has been idle too long
+# An idle session can still consume tokens via background processes.
+# Incident: #50389 — Idle session consumed 18% usage limit over 2 hours with zero user input.
+#
+# This hook runs on Notification events and warns if the session has been
+# idle for more than 5 minutes, reminding the user to exit if not actively working.
+#
+# Hook config (settings.json):
+# {
+#   "hooks": {
+#     "Notification": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "bash ~/.claude/hooks/idle-session-cost-alert.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+
+# Track last activity timestamp
+IDLE_FILE="/tmp/claude-idle-tracker-$$"
+CURRENT_TIME=$(date +%s)
+
+if [ -f "$IDLE_FILE" ]; then
+    LAST_ACTIVE=$(cat "$IDLE_FILE")
+    IDLE_SECONDS=$((CURRENT_TIME - LAST_ACTIVE))
+
+    if [ "$IDLE_SECONDS" -gt 300 ]; then
+        IDLE_MINUTES=$((IDLE_SECONDS / 60))
+        echo "WARNING: Session idle for ${IDLE_MINUTES} minutes. Idle sessions can consume tokens via background processes (#50389). Consider exiting if not actively working." >&2
+    fi
+fi
+
+echo "$CURRENT_TIME" > "$IDLE_FILE"
+exit 0

package/examples/model-version-alert.sh

@@ -0,0 +1,18 @@
+INPUT=$(cat)
+COUNTER_FILE="/tmp/.cc-model-check-counter"
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+if [ $((COUNT % 50)) -ne 0 ]; then
+    exit 0
+fi
+SESSION_FILE=$(ls -t ~/.claude/projects/*/session.jsonl 2>/dev/null | head -1)
+if [ -n "$SESSION_FILE" ]; then
+    MODEL=$(grep -o '"model":"[^"]*"' "$SESSION_FILE" 2>/dev/null | tail -1 | cut -d'"' -f4)
+    if echo "$MODEL" | grep -qi "opus-4-7\|opus-4.7"; then
+        echo "⚠ Model alert: You're using $MODEL which may consume 3x more tokens than Opus 4.6."
+        echo "Consider: claude --model claude-opus-4-6 or add \"model\": \"claude-opus-4-6\" to settings.json"
+        echo "See: https://github.com/anthropics/claude-code/issues/49601"
+    fi
+fi
+exit 0

package/examples/model-version-change-alert.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# model-version-change-alert.sh — モデルバージョン変更を検知して警告
+# Why: Opus 4.6がモデルピッカーから突然削除された (#49689, 14👍)。
+#      ユーザーが意図せず別モデルに切り替えられるケースが多発。
+#      モデルが変わるとhookの挙動・トークン消費・品質が全て変わる。
+# Event: Notification  MATCHER: ""
+# Action: 前回のモデルと現在のモデルを比較し、変更時に警告
+
+MODEL_HISTORY="/tmp/cc-model-version-history"
+CURRENT_MODEL="${CLAUDE_MODEL:-unknown}"
+
+# Notificationイベントのbodyからモデル情報を取得試行
+if [ -n "$1" ]; then
+  BODY_MODEL=$(echo "$1" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('model',''))" 2>/dev/null)
+  [ -n "$BODY_MODEL" ] && CURRENT_MODEL="$BODY_MODEL"
+fi
+
+# 前回のモデルを読み取り
+PREV_MODEL=$(cat "$MODEL_HISTORY" 2>/dev/null || echo "")
+
+if [ -n "$PREV_MODEL" ] && [ "$PREV_MODEL" != "$CURRENT_MODEL" ] && [ "$CURRENT_MODEL" != "unknown" ]; then
+  echo "⚠ MODEL CHANGED: $PREV_MODEL → $CURRENT_MODEL" >&2
+  echo "Your model was switched. This affects token consumption, quality, and hook behavior." >&2
+  echo "If unintended, check your settings: claude --model $PREV_MODEL" >&2
+  echo "Known issue: Opus 4.6 was removed from the Desktop picker (#49689)" >&2
+fi
+
+# 現在のモデルを記録
+[ "$CURRENT_MODEL" != "unknown" ] && echo "$CURRENT_MODEL" > "$MODEL_HISTORY"
+
+exit 0

package/examples/move-delete-sequence-guard.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+# move-delete-sequence-guard.sh — Detect move+delete sequences that cause data loss
+#
+# Solves: Agent moves files to a temp location, then deletes the parent directory,
+#   effectively destroying the moved files' original context and siblings.
+#   - #49129: mv files to /tmp && rm -rf parent/ — lost 50GB of data
+#   - #49792: Opus 4.7 moves files, then deletes the source directory
+#
+# Pattern detected:
+#   mv <source> <dest> && rm -rf <source_parent>
+#   mv <source> <dest> ; rm -rf <source_parent>
+#   mv <source> <dest> || rm -rf <source_parent>
+#   Any compound command containing both mv and rm -r on related paths
+#
+# This is distinct from rm-safety-net.sh (blocks rm on critical paths)
+# and bulk-file-delete-guard.sh (blocks large recursive deletes).
+# This hook specifically targets the mv+rm compound pattern.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check compound commands that contain both mv and rm
+if ! echo "$COMMAND" | grep -qE '\bmv\s' || ! echo "$COMMAND" | grep -qE '\brm\s'; then
+    exit 0
+fi
+
+# Extract mv source directory and rm target, check for overlap
+# Pattern: mv <src> <dst> [&&;||] rm [-rf] <target>
+# We check if the rm target is a parent of, or the same as, the mv source
+
+# Get all mv source paths (first arg after mv and optional flags)
+MV_SOURCES=$(echo "$COMMAND" | grep -oP '\bmv\s+(-[a-zA-Z]+\s+)*\K\S+' 2>/dev/null || true)
+# Get all rm targets
+RM_TARGETS=$(echo "$COMMAND" | grep -oP '\brm\s+(-[a-zA-Z]+\s+)*\K\S+' 2>/dev/null || true)
+
+[ -z "$MV_SOURCES" ] && exit 0
+[ -z "$RM_TARGETS" ] && exit 0
+
+# Normalize: get parent directory of mv source
+for mv_src in $MV_SOURCES; do
+    mv_parent=$(dirname "$mv_src" 2>/dev/null || echo "")
+    [ -z "$mv_parent" ] && continue
+
+    for rm_target in $RM_TARGETS; do
+        # Check if rm target matches the mv source's parent or the mv source itself
+        # Normalize trailing slashes
+        rm_clean="${rm_target%/}"
+        mv_parent_clean="${mv_parent%/}"
+        mv_src_clean="${mv_src%/}"
+
+        # Case 1: rm deletes the parent of the moved file
+        if [ "$rm_clean" = "$mv_parent_clean" ]; then
+            echo "BLOCKED: Move+delete sequence detected — rm target ($rm_target) is parent of mv source ($mv_src)" >&2
+            echo "This pattern destroys sibling files. Move files individually instead." >&2
+            echo "Command: $COMMAND" >&2
+            echo "" >&2
+            echo "See: https://github.com/anthropics/claude-code/issues/49129" >&2
+            exit 2
+        fi
+
+        # Case 2: rm deletes the exact path that was moved from
+        if [ "$rm_clean" = "$mv_src_clean" ]; then
+            # mv a dir then rm -rf the same dir — likely the user moved the dir,
+            # but rm -rf on the source after mv is suspicious if recursive
+            if echo "$COMMAND" | grep -qE "rm\s+.*-[rRf]*[rR].*$rm_target|rm\s+.*-[rRf]*[rR]\s+$rm_target"; then
+                echo "BLOCKED: Move+delete sequence detected — rm -r on the same path as mv source ($mv_src)" >&2
+                echo "If the directory was already moved, rm -r should not be needed." >&2
+                echo "Command: $COMMAND" >&2
+                echo "" >&2
+                echo "See: https://github.com/anthropics/claude-code/issues/49129" >&2
+                exit 2
+            fi
+        fi
+
+        # Case 3: rm deletes an ancestor directory of the mv source
+        if echo "$mv_src_clean" | grep -qE "^${rm_clean}/"; then
+            echo "BLOCKED: Move+delete sequence detected — rm target ($rm_target) is ancestor of mv source ($mv_src)" >&2
+            echo "This pattern destroys the source tree. Use targeted operations instead." >&2
+            echo "Command: $COMMAND" >&2
+            echo "" >&2
+            echo "See: https://github.com/anthropics/claude-code/issues/49129" >&2
+            exit 2
+        fi
+    done
+done
+
+exit 0

package/examples/pii-upload-guard.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+# pii-upload-guard.sh — Detect PII in outbound data before upload
+#
+# Solves: Claude uploaded physical coordinates to a public website
+# despite CLAUDE.md stating "no PII" for 17 sessions. CLAUDE.md
+# instructions are suggestions; hooks are enforcement. (#46910)
+#
+# How it works: Scans Bash commands for outbound data operations
+# (curl POST/PUT, scp, rsync to remote, git push with config files)
+# and checks if the data being sent contains PII patterns:
+# coordinates, emails, phone numbers, API keys, addresses.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+# Only check outbound data commands
+IS_OUTBOUND=0
+if echo "$CMD" | grep -qiE 'curl\s+.*-X\s*(POST|PUT|PATCH)|curl\s+.*--data|curl\s+.*-d\s'; then
+    IS_OUTBOUND=1
+elif echo "$CMD" | grep -qiE '\bscp\b.*:|\brsync\b.*:|\bsftp\b'; then
+    IS_OUTBOUND=1
+elif echo "$CMD" | grep -qiE 'curl\s+.*upload|wget\s+.*--post'; then
+    IS_OUTBOUND=1
+fi
+
+[ "$IS_OUTBOUND" -eq 0 ] && exit 0
+
+# Check for PII patterns in the command
+PII_FOUND=""
+
+# GPS coordinates (latitude/longitude pairs)
+if echo "$CMD" | grep -qE '[-]?[0-9]{1,3}\.[0-9]{4,}.*[-]?[0-9]{1,3}\.[0-9]{4,}'; then
+    PII_FOUND="GPS coordinates"
+fi
+
+# Email addresses
+if echo "$CMD" | grep -qiE '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'; then
+    PII_FOUND="${PII_FOUND:+$PII_FOUND, }email address"
+fi
+
+# Phone numbers (various formats)
+if echo "$CMD" | grep -qE '\+?[0-9]{1,4}[-. ]?\(?[0-9]{1,4}\)?[-. ]?[0-9]{3,4}[-. ]?[0-9]{3,4}'; then
+    PII_FOUND="${PII_FOUND:+$PII_FOUND, }phone number"
+fi
+
+# API keys / tokens (long hex or base64 strings in data)
+if echo "$CMD" | grep -qE '(key|token|secret|password|api_key|apikey)=[A-Za-z0-9+/=_-]{20,}'; then
+    PII_FOUND="${PII_FOUND:+$PII_FOUND, }API key/token"
+fi
+
+# Physical addresses (street patterns)
+if echo "$CMD" | grep -qiE '[0-9]+\s+(street|st|avenue|ave|road|rd|boulevard|blvd|drive|dr|lane|ln)\b'; then
+    PII_FOUND="${PII_FOUND:+$PII_FOUND, }physical address"
+fi
+
+if [ -n "$PII_FOUND" ]; then
+    echo "WARNING: Possible PII detected in outbound data: $PII_FOUND" >&2
+    echo "  Command: $(echo "$CMD" | head -c 200)" >&2
+    echo "  Review the data being sent before proceeding." >&2
+    echo "  If this is intentional, acknowledge the PII and re-run." >&2
+    # exit 1 = warning (allow with notice), not exit 2 (block)
+    # Some legitimate uses send coordinates/emails
+    exit 1
+fi
+
+exit 0

package/examples/pr-duplicate-guard.sh

@@ -0,0 +1,14 @@
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '\bgh\s+pr\s+create\b' || exit 0
+BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
+[ -z "$BRANCH" ] && exit 0
+EXISTING=$(gh pr list --head "$BRANCH" --state open --json number,title --jq '.[0].number' 2>/dev/null)
+if [ -n "$EXISTING" ]; then
+    TITLE=$(gh pr list --head "$BRANCH" --state open --json title --jq '.[0].title' 2>/dev/null)
+    echo "BLOCKED: An open PR already exists for branch '$BRANCH'." >&2
+    echo "  PR #$EXISTING: $TITLE" >&2
+    echo "  Update the existing PR instead of creating a new one." >&2
+    exit 2
+fi
+exit 0

package/examples/production-port-kill-guard.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# production-port-kill-guard.sh — Block commands that kill processes by port number
+#
+# Solves: Claude Code killing production services running on ports without
+#         understanding their purpose. Real incident: user's CLAUDE.md said
+#         port 7000, but Claude killed the process on port 8000 — $1,000 loss.
+#         (GitHub Issue #50971)
+#
+# Detects:
+#   lsof -ti :PORT | xargs kill      (find process by port, then kill)
+#   lsof -t -i :PORT | kill          (same, different flag style)
+#   fuser -k PORT/tcp                (directly kill process on port)
+#   fuser --kill PORT/tcp            (same, long flag)
+#   kill $(lsof -ti :PORT)           (subshell variant)
+#
+# Does NOT block:
+#   lsof -i :PORT                    (just listing, no kill)
+#   fuser PORT/tcp                   (just checking, no kill)
+#   netstat / ss                     (read-only port inspection)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[ -z "$COMMAND" ] && exit 0
+
+# Block lsof-to-kill pipeline (lsof -ti :PORT piped to kill/xargs kill)
+# Covers: -ti :PORT, -t -i :PORT, -i :PORT -t, and combined flags like -sti
+if echo "$COMMAND" | grep -qE 'lsof\s.*-[a-zA-Z]*t.*:'; then
+    if echo "$COMMAND" | grep -qE '\|\s*(xargs\s+)?kill|kill\s+\$\('; then
+        PORT=$(echo "$COMMAND" | grep -oP ':\K\d+' | head -1)
+        echo "BLOCKED: Killing process by port number is dangerous." >&2
+        echo "  Port ${PORT} may be running a production service." >&2
+        echo "  First check what's running: lsof -i :${PORT}" >&2
+        echo "  Then decide manually whether to stop it." >&2
+        echo "  Command: $COMMAND" >&2
+        exit 2
+    fi
+fi
+
+# Block kill $(lsof ...) subshell pattern
+if echo "$COMMAND" | grep -qE 'kill\s+\$\(lsof\s'; then
+    echo "BLOCKED: Killing process found by lsof is dangerous." >&2
+    echo "  Verify the process identity before terminating." >&2
+    echo "  Command: $COMMAND" >&2
+    exit 2
+fi
+
+# Block fuser -k (directly kills process on port)
+if echo "$COMMAND" | grep -qE '\bfuser\s+(-[a-zA-Z]*k|--kill)\s'; then
+    PORT=$(echo "$COMMAND" | grep -oP '\d+(?=/tcp)' | head -1)
+    echo "BLOCKED: fuser -k kills the process on port ${PORT:-unknown} immediately." >&2
+    echo "  First check: fuser ${PORT:-PORT}/tcp" >&2
+    echo "  Then stop the service gracefully if needed." >&2
+    echo "  Command: $COMMAND" >&2
+    exit 2
+fi
+
+exit 0

package/examples/quota-reset-cycle-monitor.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# quota-reset-cycle-monitor.sh — quotaリセット周期の変更を検知
+# Why: ユーザーのquotaリセット周期が予告なく月曜→金曜に変更された (#49599, 2r/4c)。
+#      リセット日を追跡し、周期変更時に警告する。
+#      突然のquota枯渇の原因究明に役立つ。
+# Event: Notification  MATCHER: ""
+# Action: 日次でquotaリセット日を記録、周期変更を検知
+
+RESET_LOG="/tmp/cc-quota-reset-history"
+TODAY=$(date +%u)  # 1=Monday, 7=Sunday
+TODAY_DATE=$(date +%Y-%m-%d)
+
+# 1日1回だけチェック（日付で制御）
+LAST_CHECK=$(head -1 "$RESET_LOG" 2>/dev/null | cut -d'|' -f1)
+[ "$LAST_CHECK" = "$TODAY_DATE" ] && exit 0
+
+# /costの出力からリセット情報を取得する方法の案内
+# 実際のリセット検知は手動確認が必要だが、ログを残すことで追跡可能
+echo "$TODAY_DATE|$TODAY" >> "$RESET_LOG"
+
+# リセット履歴が2件以上ある場合、周期を分析
+ENTRIES=$(wc -l < "$RESET_LOG" 2>/dev/null || echo "0")
+if [ "$ENTRIES" -ge 7 ]; then
+  # 過去7日の曜日パターンを表示（週末にquotaが増えたら次週リセット=正常）
+  echo "📊 Quota tracking: $ENTRIES days logged. Run '/cost' to check current reset day." >&2
+  echo "Known issue: reset cycle may change without notice (#49599)." >&2
+  echo "If your quota resets on a different day than expected, report to Anthropic support." >&2
+fi
+
+exit 0

package/examples/repo-visibility-guard.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# repo-visibility-guard.sh — Block repository visibility changes
+# Prevents Claude Code from making private repos public (or vice versa).
+# Incident: #50353 — Opus 4.7 ran `gh repo edit --visibility public` autonomously,
+# exposing a hardcoded private key. Wallet drained $413 in 60-90 seconds.
+#
+# Hook config (settings.json):
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "bash ~/.claude/hooks/repo-visibility-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Block gh repo edit --visibility (public/private/internal)
+if echo "$COMMAND" | grep -qE 'gh\s+repo\s+edit\s+--visibility'; then
+    echo "BLOCKED: repository visibility change requires manual confirmation. See #50353." >&2
+    exit 2
+fi
+
+# Block git push with --set-upstream to unknown remotes (potential exfiltration)
+if echo "$COMMAND" | grep -qE 'git\s+remote\s+add\s' && echo "$COMMAND" | grep -qE 'git\s+push'; then
+    echo "BLOCKED: adding remote and pushing in one command. Review the remote URL first." >&2
+    exit 2
+fi
+
+exit 0

package/examples/sandbox-relative-path-audit.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# sandbox-relative-path-audit.sh — Detect relative paths in sandbox settings that are silently ignored
+#
+# CRITICAL: denyWrite, denyRead, and allowWrite in settings.json only work
+# with ABSOLUTE paths. Relative paths are SILENTLY IGNORED — no error, no
+# warning, and zero protection. Users who think they've protected sensitive
+# directories may have no actual protection.
+#
+# Born from: https://github.com/anthropics/claude-code/issues/50454
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash|Write|Edit"
+# Best used as a Notification hook (exit 0 always) to alert without blocking.
+
+INPUT=$(cat)
+# Only run once per session (check marker file)
+MARKER="/tmp/cc-sandbox-audit-$$"
+[ -f "$MARKER" ] && exit 0
+touch "$MARKER"
+
+# Find settings.json locations
+SETTINGS_FILES=""
+[ -f "$HOME/.claude/settings.json" ] && SETTINGS_FILES="$HOME/.claude/settings.json"
+[ -f ".claude/settings.json" ] && SETTINGS_FILES="$SETTINGS_FILES .claude/settings.json"
+[ -f "$HOME/.claude/settings.local.json" ] && SETTINGS_FILES="$SETTINGS_FILES $HOME/.claude/settings.local.json"
+
+[ -z "$SETTINGS_FILES" ] && exit 0
+
+FOUND_RELATIVE=0
+for SFILE in $SETTINGS_FILES; do
+    for KEY in denyWrite denyRead allowWrite; do
+        PATHS=$(jq -r ".permissions.${KEY}[]? // empty" "$SFILE" 2>/dev/null)
+        [ -z "$PATHS" ] && continue
+        while IFS= read -r P; do
+            [ -z "$P" ] && continue
+            if [[ "$P" != /* ]] && [[ "$P" != "~"* ]]; then
+                echo "⚠ SANDBOX WARNING: Relative path in ${KEY} is SILENTLY IGNORED" >&2
+                echo "  File: $SFILE" >&2
+                echo "  Path: \"$P\" → has NO effect" >&2
+                echo "  Fix:  Use absolute path: \"$(realpath -m "$P" 2>/dev/null || echo "$PWD/$P")\"" >&2
+                FOUND_RELATIVE=1
+            fi
+        done <<< "$PATHS"
+    done
+done
+
+if [ "$FOUND_RELATIVE" -eq 1 ]; then
+    echo "" >&2
+    echo "See: https://github.com/anthropics/claude-code/issues/50454" >&2
+fi
+
+exit 0