cc-safe-setup 29.6.40 → 29.7.0

package/examples/worktree-branch-pollution-detector.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# worktree-branch-pollution-detector.sh — worktreeが親ブランチを汚染していないか検知
+# Why: サブエージェントのworktree操作が親リポを予期しないブランチに移動させ、
+#      意図しないcommit-to-mainが発生する。1週間で3回の事故報告あり (#50207)
+# Event: PostToolUse  MATCHER: Bash
+# Action: 現在のブランチが期待値と異なる場合に警告
+
+INPUT=$(cat)
+
+# 期待ブランチ（セッション開始時に記録）
+EXPECTED_BRANCH_FILE="/tmp/cc-expected-branch-$(pwd | md5sum | cut -c1-8)"
+
+# git管理下でなければスキップ
+git rev-parse --is-inside-work-tree >/dev/null 2>&1 || exit 0
+
+CURRENT_BRANCH=$(git branch --show-current 2>/dev/null)
+[ -z "$CURRENT_BRANCH" ] && exit 0
+
+# 初回実行時はブランチを記録
+if [ ! -f "$EXPECTED_BRANCH_FILE" ]; then
+  echo "$CURRENT_BRANCH" > "$EXPECTED_BRANCH_FILE"
+  exit 0
+fi
+
+EXPECTED_BRANCH=$(cat "$EXPECTED_BRANCH_FILE" 2>/dev/null)
+
+if [ "$CURRENT_BRANCH" != "$EXPECTED_BRANCH" ]; then
+  echo "⚠ BRANCH CHANGED: Expected '$EXPECTED_BRANCH' but now on '$CURRENT_BRANCH'" >&2
+  echo "This may be caused by a worktree or subagent switching your branch." >&2
+  echo "Run 'git checkout $EXPECTED_BRANCH' to return. See: #50207" >&2
+  # 新しいブランチを記録（意図的な切替かもしれない）
+  echo "$CURRENT_BRANCH" > "$EXPECTED_BRANCH_FILE"
+fi
+
+exit 0

package/examples/worktree-create-log.sh

@@ -0,0 +1,6 @@
+LOGFILE="${HOME}/.claude/worktree-audit.log"
+INFO=$(cat)
+BRANCH=$(echo "$INFO" | jq -r '.branch // "unknown"' 2>/dev/null)
+PATH_WT=$(echo "$INFO" | jq -r '.path // "unknown"' 2>/dev/null)
+echo "[$(date '+%Y-%m-%d %H:%M:%S')] CREATE branch=$BRANCH path=$PATH_WT" >> "$LOGFILE"
+exit 0

package/examples/worktree-hook-linker.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+# worktree-hook-linker.sh — Auto-link settings to worktrees
+#
+# Solves: In git worktrees, .claude/settings.json is not found because
+# worktrees share .git but not the working directory. All hooks
+# become silently disabled. (#46808)
+#
+# How it works: On SessionStart, checks if the current directory is a
+# git worktree. If so, creates a symlink from the worktree's
+# .claude/settings.json to the main tree's settings. This ensures
+# hooks work identically in worktrees.
+#
+# {
+#   "hooks": {
+#     "Notification": [{
+#       "matcher": "SessionStart",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/worktree-hook-linker.sh" }]
+#     }]
+#   }
+# }
+#
+# TRIGGER: Notification
+# MATCHER: "SessionStart"
+
+# Detect if we're in a git worktree
+GITDIR=$(git rev-parse --git-dir 2>/dev/null) || exit 0
+echo "$GITDIR" | grep -q "worktrees" || exit 0
+
+# We're in a worktree — find the main working tree
+MAIN_GITDIR=$(git rev-parse --path-format=absolute --git-common-dir 2>/dev/null) || exit 0
+MAIN_WORKDIR=$(echo "$MAIN_GITDIR" | sed 's|/.git$||')
+
+MAIN_CLAUDE_DIR="$MAIN_WORKDIR/.claude"
+LOCAL_CLAUDE_DIR=".claude"
+
+# Skip if main tree has no .claude directory
+[ -d "$MAIN_CLAUDE_DIR" ] || exit 0
+
+# Create .claude directory in worktree if needed
+mkdir -p "$LOCAL_CLAUDE_DIR" 2>/dev/null
+
+# Link settings files if they exist in main but not in worktree
+for f in settings.json settings.local.json; do
+    MAIN_FILE="$MAIN_CLAUDE_DIR/$f"
+    LOCAL_FILE="$LOCAL_CLAUDE_DIR/$f"
+
+    [ ! -f "$MAIN_FILE" ] && continue
+
+    if [ ! -e "$LOCAL_FILE" ]; then
+        ln -s "$MAIN_FILE" "$LOCAL_FILE"
+        echo "Linked $f from main tree → worktree (hooks now active)" >&2
+    elif [ -L "$LOCAL_FILE" ]; then
+        # Already a symlink — verify it points to the right place
+        TARGET=$(readlink -f "$LOCAL_FILE" 2>/dev/null)
+        EXPECTED=$(readlink -f "$MAIN_FILE" 2>/dev/null)
+        if [ "$TARGET" != "$EXPECTED" ]; then
+            rm "$LOCAL_FILE"
+            ln -s "$MAIN_FILE" "$LOCAL_FILE"
+            echo "Re-linked $f (was pointing to wrong location)" >&2
+        fi
+    fi
+done
+
+# Also link hooks directory if it exists
+MAIN_HOOKS="$MAIN_CLAUDE_DIR/hooks"
+LOCAL_HOOKS="$LOCAL_CLAUDE_DIR/hooks"
+if [ -d "$MAIN_HOOKS" ] && [ ! -e "$LOCAL_HOOKS" ]; then
+    ln -s "$MAIN_HOOKS" "$LOCAL_HOOKS"
+    echo "Linked hooks/ directory from main tree → worktree" >&2
+fi
+
+exit 0

package/examples/worktree-remove-uncommitted-guard.sh

@@ -0,0 +1,20 @@
+INFO=$(cat)
+PATH_WT=$(echo "$INFO" | jq -r '.path // empty' 2>/dev/null)
+[ -z "$PATH_WT" ] && exit 0
+[ ! -d "$PATH_WT" ] && exit 0
+cd "$PATH_WT" 2>/dev/null || exit 0
+DIRTY=$(git status --porcelain 2>/dev/null | wc -l)
+if [ "$DIRTY" -gt 0 ]; then
+    echo "BLOCKED: Worktree at $PATH_WT has $DIRTY uncommitted change(s)." >&2
+    echo "Commit or stash changes before removing." >&2
+    exit 2
+fi
+BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
+if [ -n "$BRANCH" ]; then
+    UNPUSHED=$(git log --oneline "origin/$BRANCH..$BRANCH" 2>/dev/null | wc -l)
+    if [ "$UNPUSHED" -gt 0 ]; then
+        echo "WARNING: $UNPUSHED unpushed commit(s) on $BRANCH." >&2
+        echo "Push before removing: git push origin $BRANCH" >&2
+    fi
+fi
+exit 0

package/hooks/hooks.json

@@ -0,0 +1,60 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty'); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE '^\\s*(sudo\\s+)?rm\\s+.*-[rRf]*[rR]' && ! echo \"$CMD\" | grep -qE '(node_modules|dist|build|__pycache__|/tmp)'; then echo 'BLOCKED: recursive rm on non-safe target. Use specific paths.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty'); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+push\\s+.*--force|git\\s+reset\\s+--hard|git\\s+clean\\s+-fd'; then echo 'BLOCKED: destructive git operation. Use safer alternatives.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty'); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qiE '(api.key|secret|password|token).*=.*[A-Za-z0-9]{20}'; then echo 'BLOCKED: potential credential in command. Use environment variables.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Write|Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); FILE=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty'); [ -z \"$FILE\" ] && exit 0; if echo \"$FILE\" | grep -qE '\\.(env|pem|key|credentials|secret)$'; then echo 'BLOCKED: writing to sensitive file. Check if this is intentional.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/move-delete-sequence-guard.sh"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/system-dir-protection-guard.sh"
+          }
+        ]
+      }
+    ]
+  }
+}

package/index.mjs

@@ -94,6 +94,7 @@ const GENERATE_CI = process.argv.includes('--generate-ci');
 const REPORT = process.argv.includes('--report');
 const QUICKFIX = process.argv.includes('--quickfix');
 const SHIELD = process.argv.includes('--shield');
+const OPUS47 = process.argv.includes('--opus47');
 const ANALYZE = process.argv.includes('--analyze');
 const TEAM = process.argv.includes('--team');
 const MIGRATE_FROM_IDX = process.argv.findIndex(a => a === '--migrate-from');
@@ -192,8 +193,9 @@ if (HELP) {
   Find hooks: npx cc-hook-registry search <keyword>
   Test hooks: npx cc-hook-test <hook.sh>
 
-  Support: https://github.com/sponsors/yurukusa
-  Book:    https://zenn.dev/yurukusa/books/6076c23b1cb18b
+  Token Checkup: https://yurukusa.github.io/cc-safe-setup/token-checkup.html
+  Token Book:    https://yurukusa.github.io/cc-safe-setup/token-book.html
+  Safety Guide:  https://zenn.dev/yurukusa/books/6076c23b1cb18b
 `);
   process.exit(0);
 }
@@ -2916,6 +2918,79 @@ async function analyze() {
   console.log();
 }
 
+async function opus47() {
+  console.log();
+  console.log(c.bold + '  🚨  cc-safe-setup --opus47' + c.reset);
+  console.log(c.dim + '  Opus 4.7 protection — fixes for known critical issues' + c.reset);
+  console.log();
+
+  // First install core hooks if not already installed
+  mkdirSync(HOOKS_DIR, { recursive: true });
+  let coreInstalled = 0;
+  for (const [hookId, hookMeta] of Object.entries(HOOKS)) {
+    const hookPath = join(HOOKS_DIR, `${hookId}.sh`);
+    if (!existsSync(hookPath)) {
+      writeFileSync(hookPath, SCRIPTS[hookId]);
+      chmodSync(hookPath, 0o755);
+      coreInstalled++;
+    }
+  }
+  if (coreInstalled > 0) {
+    // Update settings.json for core hooks
+    let settings = {};
+    if (existsSync(SETTINGS_PATH)) {
+      settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf8'));
+    }
+    if (!settings.hooks) settings.hooks = {};
+    for (const [hookId, hookMeta] of Object.entries(HOOKS)) {
+      const trigger = hookMeta.trigger;
+      if (!settings.hooks[trigger]) settings.hooks[trigger] = [];
+      const hookPath = toBashPath(join(HOOKS_DIR, `${hookId}.sh`));
+      const exists = settings.hooks[trigger].some(h => h.hooks?.some(hh => hh.command?.includes(hookId)));
+      if (!exists) {
+        settings.hooks[trigger].push({
+          matcher: hookMeta.matcher,
+          hooks: [{ type: 'command', command: hookPath }]
+        });
+      }
+    }
+    writeFileSync(SETTINGS_PATH, JSON.stringify(settings, null, 2) + '\n');
+    console.log(c.green + '  ✓' + c.reset + ` ${coreInstalled} core safety hooks installed`);
+  } else {
+    console.log(c.dim + '  ✓ Core safety hooks already installed' + c.reset);
+  }
+
+  // Install Opus 4.7-specific hooks
+  const opus47Hooks = [
+    { name: 'model-version-alert', desc: 'Warns when Opus 4.7 is silently active (#49541)', issue: '4x token consumption' },
+    { name: 'shell-config-truncation-guard', desc: 'Blocks installer from truncating ~/.bash_profile (#49615)', issue: 'config destruction' },
+    { name: 'credential-exfil-guard', desc: 'Blocks credential file access (#49539, #49554)', issue: 'credential deletion' },
+    { name: 'home-critical-bash-guard', desc: 'Blocks destructive ops on critical dotfiles (#49554)', issue: 'home directory attacks' },
+  ];
+
+  console.log();
+  console.log(c.bold + '  Opus 4.7 protection hooks:' + c.reset);
+  let added = 0;
+  for (const hook of opus47Hooks) {
+    try {
+      await installExample(hook.name);
+      added++;
+    } catch (e) {
+      // installExample may exit on error, but we want to continue
+    }
+  }
+
+  console.log();
+  console.log(c.bold + '  Why these hooks matter:' + c.reset);
+  console.log(c.dim + '  Opus 4.7\'s safety classifier is hardcoded to 4.6 (#49618).' + c.reset);
+  console.log(c.dim + '  Auto mode can\'t block dangerous commands on 4.7.' + c.reset);
+  console.log(c.dim + '  These hooks run at process level — independent of the model.' + c.reset);
+  console.log();
+  console.log(c.green + '  Done.' + c.reset + ' Your setup is protected against known Opus 4.7 issues.');
+  console.log(c.dim + '  Guide: https://yurukusa.github.io/cc-safe-setup/opus-47-survival-guide.html' + c.reset);
+  console.log();
+}
+
 async function shield() {
   const { execSync } = await import('child_process');
   const { readdirSync } = await import('fs');
@@ -2969,6 +3044,9 @@ async function shield() {
   // Always include these for maximum safety
   extras.push('scope-guard', 'no-sudo-guard', 'protect-claudemd', 'memory-write-guard', 'skill-gate', 'auto-approve-test', 'auto-approve-readonly');
 
+  // Opus 4.7 safety: classifier is hardcoded to 4.6 (#49618) — hooks are the only defense
+  extras.push('dotfile-protection-guard', 'home-critical-bash-guard');
+
   for (const ex of extras) {
     const exPath = join(__dirname, 'examples', `${ex}.sh`);
     const hookPath = join(HOOKS_DIR, `${ex}.sh`);
@@ -3118,6 +3196,9 @@ async function shield() {
   console.log(c.dim + '  Verify: npx cc-safe-setup --verify' + c.reset);
   console.log(c.dim + '  Status: npx cc-safe-setup --status' + c.reset);
   console.log();
+  console.log(c.dim + '  Burning tokens too fast? Free diagnosis:' + c.reset);
+  console.log(c.blue + '  https://yurukusa.github.io/cc-safe-setup/token-checkup.html' + c.reset);
+  console.log();
 }
 
 async function quickfix() {
@@ -5784,6 +5865,7 @@ async function main() {
   if (TEAM) return team();
   if (PROFILE_IDX !== -1) return profile(PROFILE);
   if (ANALYZE) return analyze();
+  if (OPUS47) return opus47();
   if (SHIELD) return shield();
   if (QUICKFIX) return quickfix();
   if (REPORT) return report();
@@ -5898,12 +5980,16 @@ async function main() {
   console.log('  ' + c.blue + '  --doctor' + c.reset + '            Verify hooks work');
   console.log('  ' + c.blue + '  --simulate "cmd"' + c.reset + '    Test how hooks react');
   console.log('  ' + c.blue + '  --shield' + c.reset + '            Maximum safety (recommended)');
+  console.log('  ' + c.blue + '  --opus47' + c.reset + '            Opus 4.7 crisis protection');
   console.log();
-  console.log('  ' + c.dim + '23 web tools: https://yurukusa.github.io/cc-safe-setup/hub.html' + c.reset);
+  console.log('  ' + c.dim + 'Free tools:' + c.reset);
+  console.log('  ' + c.blue + '  Token Checkup' + c.reset + '  https://yurukusa.github.io/cc-safe-setup/token-checkup.html');
+  console.log('  ' + c.blue + '  Token Book' + c.reset + '     https://yurukusa.github.io/cc-safe-setup/token-book.html');
+  console.log('  ' + c.dim + '  28 web tools: https://yurukusa.github.io/cc-safe-setup/hub.html' + c.reset);
   console.log();
-  console.log('  ' + c.dim + 'Like this tool? Support development:' + c.reset);
-  console.log('  ' + c.dim + '  Sponsor: https://github.com/sponsors/yurukusa' + c.reset);
-  console.log('  ' + c.dim + '  Book:    https://zenn.dev/yurukusa/books/6076c23b1cb18b' + c.reset);
+  console.log('  ' + c.dim + 'Tokens disappearing too fast?' + c.reset);
+  console.log('  ' + c.blue + '  Token Book' + c.reset + '  Cut consumption in half — https://yurukusa.github.io/cc-safe-setup/token-book.html');
+  console.log('  ' + c.dim + '  Safety Guide: https://zenn.dev/yurukusa/books/6076c23b1cb18b' + c.reset);
   console.log();
 }
 

package/memory/market-anthropic-japan-strategy-2026-04-13.md

@@ -0,0 +1,4 @@
+This file was created in the wrong location. The correct version is at:
+~/.claude/projects/-home-namakusa-projects-cc-loop/memory/market-anthropic-japan-strategy-2026-04-13.md
+
+This file can be deleted.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.40",
-  "description": "One command to make Claude Code safe. 650 example hooks + 8 built-in. 56 CLI commands. Token consumption diagnosis. Works with Auto Mode.",
+  "version": "29.7.0",
+  "description": "One command to make Claude Code safe. 700 example hooks + 8 built-in. 56 CLI commands. Token consumption diagnosis. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"

package/plugins/credential-guard/.claude-plugin/plugin.json

@@ -0,0 +1,58 @@
+{
+  "name": "credential-guard",
+  "description": "Protect secrets and credentials from Claude Code. Blocks writes to .env files, detects API keys in shell commands, prevents hardcoded tokens, and guards service account JSON files.",
+  "version": "1.1.0",
+  "author": { "name": "yurukusa" },
+  "homepage": "https://yurukusa.github.io/cc-safe-setup/",
+  "repository": "https://github.com/yurukusa/cc-safe-setup",
+  "license": "MIT",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); FILE=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z \"$FILE\" ] && exit 0; if echo \"$FILE\" | grep -qE '\\.env$|\\.env\\.|credentials|secret'; then echo \"BLOCKED: Writing to sensitive file: $FILE\" >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); FILE=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z \"$FILE\" ] && exit 0; if echo \"$FILE\" | grep -qE '\\.env$|\\.env\\.|credentials|secret'; then echo \"BLOCKED: Editing sensitive file: $FILE\" >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE '(sk|pk|api|key|token|secret|password)[-_]?[a-zA-Z0-9]{20,}'; then echo 'WARNING: Possible API key or token detected in command. Verify no secrets are exposed.' >&2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); FILE=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z \"$FILE\" ] && exit 0; if echo \"$FILE\" | grep -qE 'serviceaccount.*\\.json|key\\.json|credentials\\.json'; then echo \"BLOCKED: Writing to service account file: $FILE\" >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'ANTHROPIC_API_KEY|OPENAI_API_KEY|AWS_SECRET|GITHUB_TOKEN|DATABASE_URL'; then echo 'WARNING: Environment variable with potential secret detected in command.' >&2; fi"
+          }
+        ]
+      }
+    ]
+  }
+}

package/plugins/git-protection/.claude-plugin/plugin.json

@@ -0,0 +1,58 @@
+{
+  "name": "git-protection",
+  "description": "Git safety hooks for Claude Code. Blocks force-push, protects main/master branch, prevents hard-reset, guards interactive rebase, and blocks git clean -fd.",
+  "version": "1.1.0",
+  "author": { "name": "yurukusa" },
+  "homepage": "https://yurukusa.github.io/cc-safe-setup/",
+  "repository": "https://github.com/yurukusa/cc-safe-setup",
+  "license": "MIT",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+push.*--force|git\\s+push.*-f\\b'; then echo 'BLOCKED: Force push. Use --force-with-lease for safer alternative.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+push\\s+(origin\\s+)?(main|master)\\b'; then echo 'BLOCKED: Direct push to main/master. Use a feature branch and PR.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+reset\\s+--hard'; then echo 'BLOCKED: git reset --hard. Use git stash or git reset --soft.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+clean\\s+-fd|git\\s+clean\\s+-f'; then echo 'BLOCKED: git clean removes untracked files permanently. Review with git clean -n first.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+branch\\s+-D'; then echo 'BLOCKED: Force branch deletion. Use -d (safe delete) instead of -D.' >&2; exit 2; fi"
+          }
+        ]
+      }
+    ]
+  }
+}

package/plugins/safety-essentials/.claude-plugin/plugin.json

@@ -0,0 +1,58 @@
+{
+  "name": "safety-essentials",
+  "description": "5 essential safety hooks for Claude Code. Blocks rm -rf, force-push, hard-reset, .env overwrites, and package publish. The minimum viable safety net from 800+ hours of autonomous operation.",
+  "version": "1.1.0",
+  "author": { "name": "yurukusa" },
+  "homepage": "https://yurukusa.github.io/cc-safe-setup/",
+  "repository": "https://github.com/yurukusa/cc-safe-setup",
+  "license": "MIT",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'rm\\s+-r(f|F)|rm\\s+-(f|F)r|rm\\s+--force.*-r|rm\\s+-r.*--force'; then echo 'BLOCKED: rm -rf detected. Use git clean or manual deletion instead.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+push.*--force|git\\s+push.*-f\\b'; then echo 'BLOCKED: Force push detected. Use --force-with-lease or push normally.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'git\\s+reset\\s+--hard'; then echo 'BLOCKED: git reset --hard discards uncommitted changes. Use git stash instead.' >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); FILE=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z \"$FILE\" ] && exit 0; if echo \"$FILE\" | grep -qE '\\.env$|\\.env\\.'; then echo \"BLOCKED: Writing to environment file: $FILE\" >&2; exit 2; fi"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); CMD=$(echo \"$INPUT\" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z \"$CMD\" ] && exit 0; if echo \"$CMD\" | grep -qE 'npm\\s+publish|yarn\\s+publish'; then echo 'BLOCKED: Package publish requires manual execution.' >&2; exit 2; fi"
+          }
+        ]
+      }
+    ]
+  }
+}

package/plugins/token-guard/.claude-plugin/plugin.json

@@ -0,0 +1,51 @@
+{
+  "name": "token-guard",
+  "description": "Token consumption guards for Claude Code. Warns on large file reads (100KB+), limits unique file reads per session, estimates token budget, and caps subagent spawns. From 800+ hours of autonomous operation data.",
+  "version": "1.0.0",
+  "author": { "name": "yurukusa" },
+  "homepage": "https://yurukusa.github.io/cc-safe-setup/token-book.html",
+  "repository": "https://github.com/yurukusa/cc-safe-setup",
+  "license": "MIT",
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Read",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "INPUT=$(cat); FP=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z \"$FP\" ] || [ ! -f \"$FP\" ] && exit 0; SZ=$(stat -c%s \"$FP\" 2>/dev/null || stat -f%z \"$FP\" 2>/dev/null); [ \"$SZ\" -gt 102400 ] 2>/dev/null && echo \"Warning: $(basename $FP) is $((SZ/1024))KB. Use limit parameter to read only what you need.\" || true"
+          }
+        ]
+      },
+      {
+        "matcher": "Read",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "BUDGET=${CC_READ_BUDGET:-100}; WARN=${CC_READ_WARN:-50}; T=/tmp/cc-read-budget-$PPID; INPUT=$(cat); FP=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z \"$FP\" ] && exit 0; C=0; if [ -f \"$T\" ]; then grep -qF \"$FP\" \"$T\" || echo \"$FP\" >> \"$T\"; C=$(wc -l < \"$T\"); else echo \"$FP\" > \"$T\"; C=1; fi; [ \"$C\" -ge \"$BUDGET\" ] && { echo \"[BLOCK] Read budget reached (${BUDGET} files). Use Glob/Grep to narrow down.\"; exit 2; }; [ \"$C\" -ge \"$WARN\" ] && echo \"Warning: ${C}/${BUDGET} files read.\""
+          }
+        ]
+      },
+      {
+        "matcher": "Agent",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "MAX=${CC_MAX_AGENTS:-3}; T=/tmp/cc-agents-$PPID; C=0; [ -f \"$T\" ] && C=$(cat \"$T\"); C=$((C+1)); echo $C > \"$T\"; [ $C -gt $MAX ] && { echo \"[BLOCK] Subagent limit (${MAX}). Complete existing agents first.\"; exit 2; }; [ $C -ge $MAX ] && echo \"Warning: ${C}/${MAX} subagents spawned.\""
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": {},
+        "hooks": [
+          {
+            "type": "command",
+            "command": "WARN=${CC_TOKEN_BUDGET:-50000}; BLOCK=${CC_TOKEN_BLOCK:-100000}; T=/tmp/cc-tokens-$PPID; INPUT=$(cat); SZ=${#INPUT}; TK=$((SZ/4)); TOTAL=0; [ -f \"$T\" ] && TOTAL=$(cat \"$T\"); TOTAL=$((TOTAL+TK)); echo $TOTAL > \"$T\"; [ $TOTAL -ge $BLOCK ] && { echo \"[BLOCK] Token budget exceeded (~${TOTAL}). Run /compact.\"; exit 2; }; [ $TOTAL -ge $WARN ] && echo \"Warning: ~${TOTAL} tokens consumed (limit: ${BLOCK}).\""
+          }
+        ]
+      }
+    ]
+  }
+}

package/skills/safety-setup/SKILL.md

@@ -0,0 +1,47 @@
+---
+name: cc-safe-setup
+description: Safety hooks for Claude Code — 695 pre-built hooks that prevent file deletion, credential leaks, git disasters, and token waste during autonomous AI coding sessions. Install with npx cc-safe-setup.
+---
+
+# cc-safe-setup
+
+Safety-first configuration for Claude Code. Prevents the accidents that happen when AI writes code autonomously.
+
+## What it does
+
+Installs pre-built safety hooks into your Claude Code environment. These hooks run automatically before/after tool calls to block dangerous operations.
+
+**Categories:**
+- **File protection**: Block `rm -rf`, prevent overwriting files outside project
+- **Git safety**: Prevent force-push to main, block `reset --hard`
+- **Credential guards**: Stop `.env` files from being committed or read by AI
+- **Token optimization**: Warn on large file reads, limit subagent spawning
+- **Quality gates**: Detect lazy rewrites, verify claims before committing
+
+## Quick start
+
+```bash
+npx cc-safe-setup
+```
+
+This runs an interactive wizard that configures hooks based on your risk profile.
+
+## Install individual hooks
+
+```bash
+npx cc-safe-setup --install-example large-read-guard
+npx cc-safe-setup --install-example prevent-rm-rf
+npx cc-safe-setup --install-example git-force-push-block
+```
+
+## Why hooks instead of CLAUDE.md rules
+
+Rules in CLAUDE.md are suggestions — Claude can forget them. Hooks are enforced at the system level. A hook that blocks `rm -rf` cannot be overridden by the AI.
+
+From 800+ hours of autonomous operation: the hooks that matter most are the ones you don't notice until something goes wrong.
+
+## Resources
+
+- Repository: https://github.com/yurukusa/cc-safe-setup
+- Hook Selector (find hooks for your setup): https://yurukusa.github.io/cc-safe-setup/hook-selector.html
+- Token Checkup (diagnose waste): https://yurukusa.github.io/cc-safe-setup/token-checkup.html