cc-safe-setup 29.6.40 → 29.7.0

package/examples/session-agent-cost-limiter.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# session-agent-cost-limiter.sh — Cap total subagent spawns per session
+#
+# Solves: #47049 — User lost £140 overnight when Claude spawned 16+
+#   subagents. Each agent gets its own context window = 16x token cost.
+#   Existing max-concurrent-agents limits simultaneous agents, but not
+#   total spawns over a session. This hook limits the cumulative count.
+#
+# How it works: Tracks every Agent spawn in a session-scoped counter.
+#   After CC_MAX_SESSION_AGENTS total spawns, blocks further agents.
+#   Counter resets when the session ends (file keyed by PPID).
+#
+# CONFIG:
+#   CC_MAX_SESSION_AGENTS=10  (default: 10 total agents per session)
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Agent"
+# CATEGORY: cost-control
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ "$TOOL" != "Agent" ] && exit 0
+
+MAX_TOTAL=${CC_MAX_SESSION_AGENTS:-10}
+# Use PPID to track the parent Claude Code process, not this subshell
+COUNTER_FILE="/tmp/cc-session-agents-${PPID}"
+
+# Initialize if missing
+[ -f "$COUNTER_FILE" ] || echo "0" > "$COUNTER_FILE"
+
+CURRENT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+
+if [ "$CURRENT" -ge "$MAX_TOTAL" ]; then
+    echo "BLOCKED: Session agent limit reached (${CURRENT}/${MAX_TOTAL} total spawns)." >&2
+    echo "  Each subagent opens a new context window and consumes tokens independently." >&2
+    echo "  Consider completing existing work before spawning more agents." >&2
+    echo "  Override: CC_MAX_SESSION_AGENTS=$((MAX_TOTAL + 5))" >&2
+    exit 2
+fi
+
+# Increment
+echo $((CURRENT + 1)) > "$COUNTER_FILE"
+exit 0

package/examples/session-cost-alert.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# session-cost-alert.sh — Alert when estimated session cost exceeds threshold
+#
+# Solves: #47049 — User lost £140 overnight without realizing costs were
+#   accumulating. This hook estimates token cost per tool call and warns
+#   when the session total exceeds a configurable threshold.
+#
+# How it works: PostToolUse hook that parses session_tokens from tool
+#   results (when available) and estimates cost using Anthropic pricing.
+#   Warns at $1 and blocks at $5 (configurable).
+#
+# CONFIG:
+#   CC_COST_WARN=1     (warn at $1, default)
+#   CC_COST_BLOCK=5    (block at $5, default)
+#   CC_MODEL_COST=5    ($/M input tokens for Opus, default)
+#
+# TRIGGER: PostToolUse
+# MATCHER: ""
+# CATEGORY: cost-control
+
+INPUT=$(cat)
+
+WARN_THRESHOLD=${CC_COST_WARN:-1}
+BLOCK_THRESHOLD=${CC_COST_BLOCK:-5}
+COST_PER_M=${CC_MODEL_COST:-5}
+
+COST_FILE="/tmp/cc-session-cost-${PPID}"
+
+# Initialize
+if [ ! -f "$COST_FILE" ]; then
+    echo "0" > "$COST_FILE"
+fi
+
+# Try to extract token count from tool result
+# Note: Not all tool results contain token info. This is a best-effort estimate.
+TOKENS=$(echo "$INPUT" | jq -r '.tool_result // empty' 2>/dev/null | wc -c)
+# Rough estimate: 1 char ≈ 0.3 tokens (for tool output going into context)
+EST_TOKENS=$((TOKENS * 3 / 10))
+
+# Add to running total
+CURRENT=$(cat "$COST_FILE" 2>/dev/null || echo 0)
+TOTAL=$((CURRENT + EST_TOKENS))
+echo "$TOTAL" > "$COST_FILE"
+
+# Estimate cost
+COST=$(echo "scale=4; $TOTAL * $COST_PER_M / 1000000" | bc 2>/dev/null || echo "0")
+COST_CENTS=$(echo "scale=0; $TOTAL * $COST_PER_M / 10000" | bc 2>/dev/null || echo "0")
+
+# Check thresholds
+BLOCK_CENTS=$(echo "scale=0; $BLOCK_THRESHOLD * 100" | bc 2>/dev/null || echo "500")
+WARN_CENTS=$(echo "scale=0; $WARN_THRESHOLD * 100" | bc 2>/dev/null || echo "100")
+
+if [ "$COST_CENTS" -ge "$BLOCK_CENTS" ] 2>/dev/null; then
+    echo "BLOCKED: Estimated session cost \$${COST} exceeds \$${BLOCK_THRESHOLD} limit." >&2
+    echo "  Estimated tokens used: ${TOTAL}" >&2
+    echo "  Override: CC_COST_BLOCK=$((BLOCK_THRESHOLD * 2))" >&2
+    exit 2
+elif [ "$COST_CENTS" -ge "$WARN_CENTS" ] 2>/dev/null; then
+    echo "WARNING: Estimated session cost \$${COST} approaching \$${BLOCK_THRESHOLD} limit." >&2
+fi
+
+exit 0

package/examples/session-memory-watchdog.sh

@@ -1,6 +1,15 @@
 MAX_RSS_MB="${CC_MAX_RSS_MB:-4096}"
 CHECK_INTERVAL=300
+PID_FILE="/tmp/cc-memory-watchdog.pid"
+
+# Prevent duplicate instances — only one watchdog should run at a time
+if [ -f "$PID_FILE" ] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
+    exit 0
+fi
+
 (
+    echo $$ > "$PID_FILE"
+    trap 'rm -f "$PID_FILE"' EXIT
     while true; do
         sleep "$CHECK_INTERVAL"
         pgrep -f "claude" | while read pid; do

package/examples/settings-integrity-monitor.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+# settings-integrity-monitor.sh — Detect unexpected settings.json changes
+# Trigger: PreToolUse
+# Matcher: (empty — runs on every tool use)
+#
+# The /model command silently rewrites settings.json from scratch,
+# removing sandbox restrictions and hook configurations.
+# See: https://github.com/anthropics/claude-code/issues/44791
+#
+# This hook maintains a checksum of settings.json and warns when
+# it changes outside your control. It also creates automatic backups
+# so you can restore your configuration.
+#
+# TRIGGER: PreToolUse  MATCHER: ""
+
+SETTINGS="${CLAUDE_SETTINGS_FILE:-$HOME/.claude/settings.json}"
+BACKUP_DIR="$HOME/.claude/settings-backups"
+CHECKSUM_FILE="$BACKUP_DIR/.checksum"
+
+# Exit silently if settings.json doesn't exist
+[ -f "$SETTINGS" ] || exit 0
+
+mkdir -p "$BACKUP_DIR"
+
+CURRENT_HASH=$(sha256sum "$SETTINGS" 2>/dev/null | cut -d' ' -f1)
+
+if [ ! -f "$CHECKSUM_FILE" ]; then
+    # First run: save baseline
+    echo "$CURRENT_HASH" > "$CHECKSUM_FILE"
+    cp "$SETTINGS" "$BACKUP_DIR/settings.json.baseline"
+    exit 0
+fi
+
+SAVED_HASH=$(cat "$CHECKSUM_FILE" 2>/dev/null)
+
+if [ "$CURRENT_HASH" != "$SAVED_HASH" ]; then
+    # Settings changed — create timestamped backup of PREVIOUS version
+    TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+    if [ -f "$BACKUP_DIR/settings.json.latest" ]; then
+        cp "$BACKUP_DIR/settings.json.latest" "$BACKUP_DIR/settings.json.$TIMESTAMP"
+    fi
+    # Save current as latest
+    cp "$SETTINGS" "$BACKUP_DIR/settings.json.latest"
+    echo "$CURRENT_HASH" > "$CHECKSUM_FILE"
+
+    # Count hooks in old vs new
+    OLD_HOOKS=$(jq '[.hooks | to_entries[].value[].hooks[]?] | length' "$BACKUP_DIR/settings.json.$TIMESTAMP" 2>/dev/null || echo "?")
+    NEW_HOOKS=$(jq '[.hooks | to_entries[].value[].hooks[]?] | length' "$SETTINGS" 2>/dev/null || echo "?")
+
+    echo "⚠ settings.json was modified (hooks: $OLD_HOOKS → $NEW_HOOKS)" >&2
+    echo "  Backup saved: $BACKUP_DIR/settings.json.$TIMESTAMP" >&2
+    echo "  Restore: cp $BACKUP_DIR/settings.json.$TIMESTAMP $SETTINGS" >&2
+fi
+
+exit 0

package/examples/settings-json-model-guard.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+# settings-json-model-guard.sh — Backup settings.json before /model changes
+#
+# Solves: The /model slash command rewrites settings.json completely,
+# wiping all hook configurations and custom settings. (#46921)
+#
+# How it works: PreToolUse(Bash) detects commands that modify
+# settings.json (especially from /model). Creates a timestamped
+# backup before allowing the write. If hooks are lost after the
+# write, the PostToolUse phase restores them.
+#
+# Usage: Add TWO hooks
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Edit|Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/settings-json-model-guard.sh" }]
+#     }],
+#     "PostToolUse": [{
+#       "matcher": "Edit|Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/settings-json-model-guard.sh" }]
+#     }]
+#   }
+# }
+#
+# TRIGGER: PreToolUse+PostToolUse  MATCHER: "Edit|Write"
+
+set -euo pipefail
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+HOOK_EVENT=$(echo "$INPUT" | jq -r '.hook_event_name // empty' 2>/dev/null)
+
+# Only care about settings.json writes
+case "$FILE" in
+    */.claude/settings.json|*/.claude/settings.local.json) ;;
+    *) exit 0 ;;
+esac
+
+BACKUP_DIR="$HOME/.claude/settings-backups"
+mkdir -p "$BACKUP_DIR"
+
+SETTINGS_FILE="$FILE"
+[ ! -f "$SETTINGS_FILE" ] && exit 0
+
+# --- PreToolUse: backup before modification ---
+if [[ "$HOOK_EVENT" == "PreToolUse" ]]; then
+    TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+    BASENAME=$(basename "$SETTINGS_FILE" .json)
+    BACKUP="$BACKUP_DIR/${BASENAME}-pre-model-${TIMESTAMP}.json"
+    cp "$SETTINGS_FILE" "$BACKUP"
+
+    # Count hooks in current settings
+    HOOK_COUNT=$(jq '[.hooks // {} | to_entries[] | .value[] | .hooks // [] | length] | add // 0' "$SETTINGS_FILE" 2>/dev/null || echo 0)
+    if [ "$HOOK_COUNT" -gt 0 ]; then
+        echo "Settings backup created: $BACKUP ($HOOK_COUNT hooks preserved)" >&2
+        # Store hook count for PostToolUse comparison
+        echo "$HOOK_COUNT" > "/tmp/cc-settings-hook-count-pre"
+    fi
+    exit 0
+fi
+
+# --- PostToolUse: verify hooks survived ---
+if [[ "$HOOK_EVENT" == "PostToolUse" ]]; then
+    PRE_COUNT_FILE="/tmp/cc-settings-hook-count-pre"
+    [ ! -f "$PRE_COUNT_FILE" ] && exit 0
+
+    PRE_COUNT=$(cat "$PRE_COUNT_FILE" 2>/dev/null || echo 0)
+    rm -f "$PRE_COUNT_FILE"
+
+    [ "$PRE_COUNT" -eq 0 ] && exit 0
+
+    # Count hooks after modification
+    POST_COUNT=$(jq '[.hooks // {} | to_entries[] | .value[] | .hooks // [] | length] | add // 0' "$SETTINGS_FILE" 2>/dev/null || echo 0)
+
+    if [ "$POST_COUNT" -lt "$PRE_COUNT" ]; then
+        LATEST_BACKUP=$(ls -t "$BACKUP_DIR"/settings-pre-model-*.json 2>/dev/null | head -1)
+        echo "WARNING: Hook count dropped from $PRE_COUNT to $POST_COUNT after settings modification!" >&2
+        echo "  This typically happens when /model rewrites settings.json." >&2
+        if [ -n "$LATEST_BACKUP" ]; then
+            echo "  Restore hooks: jq -s '.[0] * {hooks: .[1].hooks}' '$SETTINGS_FILE' '$LATEST_BACKUP' > /tmp/merged.json && mv /tmp/merged.json '$SETTINGS_FILE'" >&2
+        fi
+    fi
+    exit 0
+fi
+
+exit 0

package/examples/shell-config-truncation-guard.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+# shell-config-truncation-guard.sh — Block writes that would truncate shell config files
+#
+# Solves: Claude Code installer auto-update truncating ~/.bash_profile and
+# ~/.zshrc to 0 bytes, destroying all user shell configuration (#49615).
+# Also catches Claude itself attempting to overwrite these files with
+# minimal or empty content.
+#
+# How it works: PreToolUse hook intercepts Write/Bash operations targeting
+# shell config files. If the new content would be significantly shorter
+# than the existing file (>60% reduction), the operation is blocked.
+# Empty/near-empty writes are always blocked.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash|Write"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash|Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/shell-config-truncation-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Shell config files to protect
+PROTECTED_FILES=(
+    "$HOME/.bashrc"
+    "$HOME/.bash_profile"
+    "$HOME/.zshrc"
+    "$HOME/.zprofile"
+    "$HOME/.profile"
+    "$HOME/.zshenv"
+)
+
+check_file_truncation() {
+    local target_file="$1"
+    local new_size="$2"
+
+    for protected in "${PROTECTED_FILES[@]}"; do
+        if [ "$target_file" = "$protected" ] || [ "$(realpath "$target_file" 2>/dev/null)" = "$(realpath "$protected" 2>/dev/null)" ]; then
+            if [ ! -f "$protected" ]; then
+                return 0
+            fi
+            local current_size
+            current_size=$(wc -c < "$protected" 2>/dev/null || echo 0)
+
+            # Block if writing 0 bytes or near-empty (< 10 bytes)
+            if [ "$new_size" -lt 10 ] && [ "$current_size" -gt 50 ]; then
+                echo "BLOCKED: Attempted to truncate $protected to $new_size bytes (current: $current_size bytes)" >&2
+                echo "This would destroy your shell configuration. See: github.com/anthropics/claude-code/issues/49615" >&2
+                exit 2
+            fi
+
+            # Block if >60% size reduction
+            if [ "$current_size" -gt 100 ]; then
+                local threshold=$((current_size * 40 / 100))
+                if [ "$new_size" -lt "$threshold" ]; then
+                    echo "BLOCKED: Write to $protected would reduce size by >60% ($current_size → $new_size bytes)" >&2
+                    echo "If intentional, back up first: cp $protected ${protected}.bak" >&2
+                    exit 2
+                fi
+            fi
+            return 0
+        fi
+    done
+    return 0
+}
+
+if [ "$TOOL" = "Write" ]; then
+    FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+    CONTENT=$(echo "$INPUT" | jq -r '.tool_input.content // empty' 2>/dev/null)
+    if [ -n "$FILE_PATH" ]; then
+        NEW_SIZE=${#CONTENT}
+        check_file_truncation "$FILE_PATH" "$NEW_SIZE"
+    fi
+elif [ "$TOOL" = "Bash" ]; then
+    COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+    [ -z "$COMMAND" ] && exit 0
+
+    # Detect redirect truncation: > ~/.bashrc, >~/.zshrc, etc.
+    for protected in "${PROTECTED_FILES[@]}"; do
+        base=$(basename "$protected")
+        # Match: > file, >file, truncate file, : > file, echo "" > file
+        if echo "$COMMAND" | grep -qE "(^|[;&|])\s*(>|truncate\s+-s\s*0|:\s*>)\s*~?(/[^;]*)?${base}"; then
+            echo "BLOCKED: Command would truncate $protected" >&2
+            echo "If intentional, back up first: cp $protected ${protected}.bak" >&2
+            exit 2
+        fi
+    done
+fi
+
+exit 0

package/examples/shell-wrapper-guard.sh

@@ -34,8 +34,8 @@ if echo "$COMMAND" | grep -qE '(sh|bash|zsh|dash)\s+-c\s+'; then
 fi
 
 # === Check 2: Python one-liners ===
-if echo "$COMMAND" | grep -qE 'python[23]?\s+-c\s+'; then
-    INNER=$(echo "$COMMAND" | sed -E "s/.*python[23]?\s+-c\s+['\"]?//" | sed "s/['\"]?\s*$//")
+if echo "$COMMAND" | grep -qE 'python[23]?(\.[0-9]+)?\s+-c\s+'; then
+    INNER=$(echo "$COMMAND" | sed -E "s/.*python[23]?(\.[0-9]+)?\s+-c\s+['\"]?//" | sed "s/['\"]?\s*$//")
     if echo "$INNER" | grep -qiE "os\.system\(.*($DESTRUCT_PATTERN)|subprocess\.(run|call|Popen)\(.*($DESTRUCT_PATTERN)|shutil\.rmtree\s*\(\s*['\"/~]"; then
         echo "BLOCKED: Destructive command in Python one-liner" >&2
         exit 2
@@ -69,9 +69,9 @@ if echo "$COMMAND" | grep -qE '(sh|bash)\s+-c\s+.*(sh|bash)\s+-c'; then
 fi
 
 # === Check 6: Pipe to shell (echo "rm -rf /" | sh) ===
-if echo "$COMMAND" | grep -qE '\|\s*(sh|bash|zsh)\s*$'; then
+if echo "$COMMAND" | grep -qE '\|\s*(sh|bash|zsh)(\s|$)'; then
     # Extract the piped content
-    PIPED=$(echo "$COMMAND" | sed -E 's/\s*\|\s*(sh|bash|zsh)\s*$//')
+    PIPED=$(echo "$COMMAND" | sed -E 's/\s*\|\s*(sh|bash|zsh)(\s.*)?$//')
     if echo "$PIPED" | grep -qE "$DESTRUCT_PATTERN"; then
         echo "BLOCKED: Destructive command piped to shell" >&2
         exit 2

package/examples/subagent-spawn-rate-monitor.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# subagent-spawn-rate-monitor.sh — サブエージェントの過剰spawn検知
+# Why: サブエージェントは毎回spawnされるたびに~4.7Kトークンがcache_creation
+#      (1.25xコスト)として課金される。spawn-heavyなワークフローでは線形に増大し、
+#      ユーザーが気づかないうちにquotaを消耗する (#50213, #46968)
+# Event: PreToolUse  MATCHER: Agent
+# Action: 短時間に多数のAgent spawnがあれば警告
+
+COUNTER_FILE="/tmp/cc-subagent-spawn-counter"
+WINDOW_FILE="/tmp/cc-subagent-spawn-window"
+THRESHOLD=5      # この回数を超えたら警告
+WINDOW_SECS=300  # 5分間のウィンドウ
+
+NOW=$(date +%s)
+WINDOW_START=$(cat "$WINDOW_FILE" 2>/dev/null || echo "$NOW")
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo "0")
+
+# ウィンドウ期限切れならリセット
+ELAPSED=$((NOW - WINDOW_START))
+if [ "$ELAPSED" -gt "$WINDOW_SECS" ]; then
+  COUNT=0
+  echo "$NOW" > "$WINDOW_FILE"
+fi
+
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+
+if [ "$COUNT" -gt "$THRESHOLD" ]; then
+  echo "⚠ HIGH SUBAGENT SPAWN RATE: $COUNT agents spawned in ${ELAPSED}s" >&2
+  echo "Each spawn costs ~4.7K tokens at 1.25x rate (no cache_control)." >&2
+  echo "Consider batching tasks or using fewer parallel agents. See: #50213" >&2
+fi
+
+exit 0

package/examples/subcommand-chain-guard.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# subcommand-chain-guard.sh — Block commands with excessive subcommand chains
+#
+# Solves: Claude Code silently ignores deny rules when a command contains
+# 50+ subcommands (MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50).
+# Attackers chain 50 no-op "true" commands before a dangerous command
+# to bypass all security checks. (Adversa AI / CVE disclosure, April 2026)
+#
+# How it works: Counts semicolon-separated and &&/|| chained subcommands.
+# If the count exceeds a threshold (default: 20), blocks execution.
+# This catches the exploit well before the 50-command limit.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+set -euo pipefail
+
+THRESHOLD=${CC_SUBCOMMAND_LIMIT:-20}
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+# Count subcommands: split on ; && ||
+# Use tr to normalize separators, then count
+SUBCOMMAND_COUNT=$(echo "$CMD" | tr ';' '\n' | tr '&' '\n' | tr '|' '\n' | grep -c '[^ ]' 2>/dev/null || echo 1)
+
+if [ "$SUBCOMMAND_COUNT" -gt "$THRESHOLD" ]; then
+    echo "BLOCKED: Command contains $SUBCOMMAND_COUNT subcommands (limit: $THRESHOLD)." >&2
+    echo "  Claude Code ignores deny rules after 50 subcommands (CVE disclosure)." >&2
+    echo "  This hook blocks at $THRESHOLD to prevent security bypass." >&2
+    echo "  Override: CC_SUBCOMMAND_LIMIT=100 (not recommended)" >&2
+    exit 2
+fi
+
+# Also detect the specific attack pattern: many "true" or ":" no-ops
+NOOP_COUNT=$(echo "$CMD" | grep -oE '\btrue\b|^:|;\s*:' | wc -l 2>/dev/null || echo 0)
+if [ "$NOOP_COUNT" -gt 10 ]; then
+    echo "BLOCKED: Suspicious pattern — $NOOP_COUNT no-op commands detected." >&2
+    echo "  This resembles the subcommand-chain attack (50x true + dangerous cmd)." >&2
+    exit 2
+fi
+
+exit 0

package/examples/system-dir-protection-guard.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+# system-dir-protection-guard.sh — Block destructive operations on system directories
+#
+# Solves: Agent deleting or moving system-level directories in auto mode
+#   - #49554: Auto mode approved deletion of system directories
+#   - #49129: rm -rf on /home subdirectories causing 50GB data loss
+#
+# Difference from existing hooks:
+#   rm-safety-net.sh:    Blocks rm on critical paths, but only rm commands
+#   home-critical-bash-guard.sh: Protects ~/dotfiles only
+#   This hook: Blocks rm, mv, chmod -R, chown -R on ALL system directories
+#              including /home/*, /usr, /etc, /var, /opt, /root, /boot, /srv
+#              Also blocks mv of system dirs (not covered by rm-safety-net)
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+
+set -euo pipefail
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Check if a path is a protected system directory
+is_system_dir() {
+    local path="$1"
+    # Remove trailing slash
+    path="${path%/}"
+
+    # Expand ~ to $HOME
+    if [[ "$path" == "~"* ]]; then
+        path="${HOME}${path#\~}"
+    fi
+
+    # Top-level system directories
+    case "$path" in
+        /|/home|/etc|/usr|/var|/opt|/root|/boot|/srv|/sys|/proc)
+            return 0 ;;
+    esac
+
+    # /home/<username> (1 level deep)
+    if echo "$path" | grep -qE '^/home/[^/]+$'; then
+        return 0
+    fi
+
+    # System subdirectories (e.g., /etc/nginx, /usr/local, /var/lib)
+    if echo "$path" | grep -qE '^/(etc|usr|var|opt|root|boot|srv|sys|proc)/'; then
+        return 0
+    fi
+
+    # Critical home directories: ~/.ssh, ~/.config, ~/.local, ~/.gnupg, ~/.cache
+    if echo "$path" | grep -qE "^${HOME}/\.(ssh|config|local|gnupg|cache)(/[^/]*)?$"; then
+        return 0
+    fi
+
+    return 1
+}
+
+# --- rm / unlink on system directories ---
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?(rm|unlink)\s'; then
+    # Extract targets after rm and flags
+    TARGETS=$(echo "$COMMAND" | grep -oP '(rm|unlink)\s+(-[a-zA-Z]+\s+)*\K[^;|&]+' 2>/dev/null || true)
+    for target in $TARGETS; do
+        if is_system_dir "$target"; then
+            echo "BLOCKED: Destructive operation on system directory: $target" >&2
+            echo "Command: $COMMAND" >&2
+            echo "" >&2
+            echo "System directories must not be deleted. Use specific file paths instead." >&2
+            echo "See: https://github.com/anthropics/claude-code/issues/49554" >&2
+            exit 2
+        fi
+    done
+fi
+
+# --- mv (moving system directories) ---
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?mv\s'; then
+    # Get the source of the mv (first non-flag argument)
+    MV_SOURCE=$(echo "$COMMAND" | grep -oP 'mv\s+(-[a-zA-Z]+\s+)*\K\S+' 2>/dev/null || true)
+    if is_system_dir "$MV_SOURCE"; then
+        echo "BLOCKED: Moving system directory: $MV_SOURCE" >&2
+        echo "Command: $COMMAND" >&2
+        echo "" >&2
+        echo "System directories must not be moved." >&2
+        echo "See: https://github.com/anthropics/claude-code/issues/49554" >&2
+        exit 2
+    fi
+fi
+
+# --- chmod -R / chown -R on system directories ---
+if echo "$COMMAND" | grep -qE '^\s*(sudo\s+)?(chmod|chown)\s+.*-R'; then
+    TARGETS=$(echo "$COMMAND" | grep -oP '(chmod|chown)\s+[^;|&]+' 2>/dev/null | awk '{print $NF}' || true)
+    for target in $TARGETS; do
+        if is_system_dir "$target"; then
+            echo "BLOCKED: Recursive permission change on system directory: $target" >&2
+            echo "Command: $COMMAND" >&2
+            exit 2
+        fi
+    done
+fi
+
+exit 0

package/examples/thinking-display-enforcer.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# thinking-display-enforcer.sh — Opus 4.7 thinking summaries消失を検知
+# Why: Opus 4.7でthinking displayのデフォルトがsummarized→omittedに変更された(#49268, 17👍)
+# セッション開始時にモデルを確認し、Opus 4.7でthinkingが非表示の場合に警告する
+# Event: Notification (セッション開始時に確認)
+# Fix: claude --thinking-display summarized
+
+# チェック頻度制御（100回に1回）
+COUNTER_FILE="/tmp/thinking-display-check-counter"
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo "0")
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+[ $((COUNT % 100)) -ne 1 ] && exit 0
+
+# settings.jsonにthinking display設定があるか確認
+SETTINGS_FILE="${HOME}/.claude/settings.json"
+if [ -f "$SETTINGS_FILE" ]; then
+    HAS_THINKING=$(grep -c "showThinkingSummaries\|thinkingDisplay" "$SETTINGS_FILE" 2>/dev/null || echo "0")
+    if [ "$HAS_THINKING" -eq 0 ]; then
+        echo "INFO: Opus 4.7ではthinking summariesがデフォルトで非表示です。" >&2
+        echo "修正: claude --thinking-display summarized で起動するか、settings.jsonに設定を追加してください。" >&2
+        echo "詳細: https://github.com/anthropics/claude-code/issues/49268" >&2
+    fi
+fi
+exit 0

package/examples/tool-retry-budget-guard.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# tool-retry-budget-guard.sh — Stop Claude from wasting tokens on repeated failures
+#
+# Solves: #50986 — Claude fails simple UI change after 10+ attempts, wastes entire
+#         token budget. Also prevents retry spirals on any file.
+#
+# Tracks consecutive tool calls (Edit, Write, Bash) targeting the same file.
+# After 5 attempts, blocks further edits and forces a different approach.
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+case "$TOOL" in
+  Edit|Write) ;;
+  *) exit 0 ;;
+esac
+
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Use file hash as state key
+HASH=$(echo "$FILE" | md5sum | cut -c1-8)
+STATE_DIR="/tmp/.cc-retry-budget"
+mkdir -p "$STATE_DIR"
+STATE_FILE="$STATE_DIR/$HASH"
+
+# Track attempt count and timestamp
+NOW=$(date +%s)
+COUNT=1
+
+if [ -f "$STATE_FILE" ]; then
+    PREV_TIME=$(head -1 "$STATE_FILE" 2>/dev/null || echo "0")
+    PREV_COUNT=$(tail -1 "$STATE_FILE" 2>/dev/null || echo "0")
+
+    # Reset if more than 5 minutes since last attempt (new task)
+    ELAPSED=$(( NOW - PREV_TIME ))
+    if [ "$ELAPSED" -lt 300 ]; then
+        COUNT=$(( PREV_COUNT + 1 ))
+    fi
+fi
+
+printf '%s\n%s\n' "$NOW" "$COUNT" > "$STATE_FILE"
+
+if [ "$COUNT" -ge 7 ]; then
+    echo "BLOCKED: You've attempted to modify $(basename "$FILE") $COUNT times in the last 5 minutes." >&2
+    echo "  This pattern wastes tokens. Stop and try a completely different approach:" >&2
+    echo "  1. Read the file first to understand current state" >&2
+    echo "  2. Use a different strategy (smaller change, different tool)" >&2
+    echo "  3. If stuck, explain the problem and ask for help" >&2
+    rm -f "$STATE_FILE"
+    exit 2
+elif [ "$COUNT" -ge 5 ]; then
+    echo "WARNING: $COUNT consecutive edits to $(basename "$FILE") — approaching retry limit (7)." >&2
+    echo "  Consider reading the file to verify your assumptions before the next attempt." >&2
+fi
+
+exit 0