cc-safe-setup 29.6.40 → 29.7.0

package/tests/dotenv-read-guard.test.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# Tests for dotenv-read-guard.sh
+HOOK="$(dirname "$0")/../examples/dotenv-read-guard.sh"
+PASS=0; FAIL=0
+
+run_test() {
+    local desc="$1" input="$2" expect="$3"
+    result=$(echo "$input" | bash "$HOOK" 2>/dev/null; echo $?)
+    code=$(echo "$result" | tail -1)
+    if [ "$code" = "$expect" ]; then
+        echo "PASS: $desc"
+        ((PASS++))
+    else
+        echo "FAIL: $desc (expected $expect, got $code)"
+        ((FAIL++))
+    fi
+}
+
+# Should block .env files
+run_test "Block .env" \
+    '{"tool_input":{"file_path":"/home/user/project/.env"}}' "2"
+
+run_test "Block .env.local" \
+    '{"tool_input":{"file_path":"/app/.env.local"}}' "2"
+
+run_test "Block .env.production" \
+    '{"tool_input":{"file_path":"/deploy/.env.production"}}' "2"
+
+run_test "Block .env.staging" \
+    '{"tool_input":{"file_path":"/app/.env.staging"}}' "2"
+
+run_test "Block .env.development" \
+    '{"tool_input":{"file_path":"/app/.env.development"}}' "2"
+
+run_test "Block .env.test" \
+    '{"tool_input":{"file_path":"/project/.env.test"}}' "2"
+
+# Should allow non-.env files
+run_test "Allow .env.example" \
+    '{"tool_input":{"file_path":"/project/.env.example"}}' "0"
+
+run_test "Allow README.md" \
+    '{"tool_input":{"file_path":"/project/README.md"}}' "0"
+
+run_test "Allow package.json" \
+    '{"tool_input":{"file_path":"/project/package.json"}}' "0"
+
+run_test "Allow config.ts" \
+    '{"tool_input":{"file_path":"/src/config.ts"}}' "0"
+
+run_test "Allow env.ts (not dotenv)" \
+    '{"tool_input":{"file_path":"/src/env.ts"}}' "0"
+
+run_test "Allow .envrc (direnv)" \
+    '{"tool_input":{"file_path":"/project/.envrc"}}' "0"
+
+# Edge cases
+run_test "Empty input" '{}' "0"
+
+run_test "No file_path" \
+    '{"tool_input":{}}' "0"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1

package/tests/test-auto-mode-safety-enforcer.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+# Tests for auto-mode-safety-enforcer.sh
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/auto-mode-safety-enforcer.sh"
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "auto-mode-safety-enforcer.sh tests"
+echo ""
+
+# --- Block: Critical rm operations ---
+test_hook '{"tool_input":{"command":"rm -rf /"}}' 2 "Block rm -rf /"
+test_hook '{"tool_input":{"command":"rm -rf ~"}}' 2 "Block rm -rf ~"
+test_hook '{"tool_input":{"command":"rm -rf ~/."}}' 2 "Block rm -rf ~/."
+test_hook '{"tool_input":{"command":"sudo rm -rf /home"}}' 2 "Block sudo rm -rf /home"
+test_hook '{"tool_input":{"command":"rm -rf /etc"}}' 2 "Block rm -rf /etc"
+test_hook '{"tool_input":{"command":"rm -rf /usr"}}' 2 "Block rm -rf /usr"
+test_hook "{\"tool_input\":{\"command\":\"rm -rf $HOME/.ssh\"}}" 2 "Block rm -rf ~/.ssh"
+test_hook "{\"tool_input\":{\"command\":\"rm $HOME/.git-credentials\"}}" 2 "Block rm ~/.git-credentials"
+test_hook "{\"tool_input\":{\"command\":\"rm -f $HOME/.bashrc\"}}" 2 "Block rm ~/.bashrc"
+
+# --- Block: Disk operations ---
+test_hook '{"tool_input":{"command":"sudo dd if=/dev/zero of=/dev/sda"}}' 2 "Block dd to disk"
+test_hook '{"tool_input":{"command":"sudo mkfs.ext4 /dev/sda1"}}' 2 "Block mkfs"
+test_hook '{"tool_input":{"command":"sudo fdisk /dev/sda"}}' 2 "Block fdisk"
+
+# --- Block: System process kill ---
+test_hook '{"tool_input":{"command":"kill -9 1"}}' 2 "Block kill PID 1"
+test_hook '{"tool_input":{"command":"killall systemd"}}' 2 "Block killall systemd"
+
+# --- Allow: Safe operations ---
+test_hook '{"tool_input":{"command":"rm -rf node_modules"}}' 0 "Allow rm node_modules"
+test_hook '{"tool_input":{"command":"rm /tmp/test.txt"}}' 0 "Allow rm in /tmp"
+test_hook '{"tool_input":{"command":"ls -la"}}' 0 "Allow ls"
+test_hook '{"tool_input":{"command":"git status"}}' 0 "Allow git"
+test_hook '{"tool_input":{"command":"npm install"}}' 0 "Allow npm install"
+test_hook '{}' 0 "Allow empty input"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed out of $((PASS + FAIL)) tests"
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1

package/tests/test-case-insensitive-path-guard.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+# Tests for case-insensitive-path-guard.sh
+# Run: bash tests/test-case-insensitive-path-guard.sh
+# NOTE: Full case-mismatch detection only works on macOS APFS.
+#       On Linux, the hook exits 0 for all inputs (no case-insensitive FS).
+#       These tests verify the non-macOS path (exit 0) and input parsing.
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/case-insensitive-path-guard.sh"
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "case-insensitive-path-guard.sh tests"
+echo ""
+
+# On Linux, all commands should pass through (exit 0)
+# The hook only activates on macOS (uname == Darwin)
+IS_LINUX=0
+[ "$(uname)" != "Darwin" ] && IS_LINUX=1
+
+if [ "$IS_LINUX" -eq 1 ]; then
+    echo "Running on Linux — all tests should pass through (exit 0)"
+    echo ""
+
+    # --- Pass-through on Linux ---
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"rm -rf ~/Projects"}}' 0 "Linux: rm -rf passes through"
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"rm -rf ~/Documents"}}' 0 "Linux: rm Documents passes through"
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"mv ~/old ~/new"}}' 0 "Linux: mv passes through"
+
+    # --- Non-destructive commands always pass ---
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"ls ~/Projects"}}' 0 "Linux: ls passes through"
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"git status"}}' 0 "Linux: git status passes through"
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"echo hello"}}' 0 "Linux: echo passes through"
+
+    # --- Safe paths always pass ---
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"rm -rf node_modules"}}' 0 "Linux: rm node_modules passes"
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"rm -rf /tmp/test"}}' 0 "Linux: rm /tmp passes"
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"rm -rf .cache"}}' 0 "Linux: rm .cache passes"
+
+    # --- Empty/missing inputs ---
+    test_hook '{"tool_name":"Bash","tool_input":{"command":""}}' 0 "Empty command"
+    test_hook '{"tool_name":"Bash","tool_input":{}}' 0 "No command"
+    test_hook '{}' 0 "Empty JSON"
+
+else
+    echo "Running on macOS — testing case-mismatch detection"
+    echo ""
+
+    # On macOS, safe paths should still pass
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"rm -rf node_modules"}}' 0 "macOS: rm node_modules passes"
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"rm -rf /tmp/test"}}' 0 "macOS: rm /tmp passes"
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"rm -rf __pycache__"}}' 0 "macOS: rm __pycache__ passes"
+
+    # Non-destructive commands pass
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"ls ~/Projects"}}' 0 "macOS: ls passes through"
+    test_hook '{"tool_name":"Bash","tool_input":{"command":"git status"}}' 0 "macOS: git status passes"
+
+    # Empty inputs
+    test_hook '{"tool_name":"Bash","tool_input":{"command":""}}' 0 "Empty command"
+    test_hook '{"tool_name":"Bash","tool_input":{}}' 0 "No command"
+fi
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed out of $((PASS + FAIL))"
+[ "$FAIL" -eq 0 ] && echo "ALL TESTS PASSED" || exit 1

package/tests/test-context-usage-drift-alert.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+# Tests for context-usage-drift-alert.sh
+HOOK="examples/context-usage-drift-alert.sh"
+PASS=0 FAIL=0
+
+assert_contains() { if echo "$2" | grep -q "$3"; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (expected '$3')"; fi; }
+assert_not_contains() { if ! echo "$2" | grep -q "$3"; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (unexpected '$3')"; fi; }
+
+# Use a test-specific counter file
+COUNTER_FILE="/tmp/cc-context-usage-counter-$(date +%Y%m%d)"
+rm -f "$COUNTER_FILE"
+
+# Test 1: Calls 1-49 should not warn
+for i in $(seq 1 49); do
+  echo '{}' | bash "$HOOK" 2>/dev/null
+done
+OUT=$(echo '{}' | bash "$HOOK" 2>&1)
+# Call 50 should give checkpoint
+assert_contains "call 50 should checkpoint" "$OUT" "checkpoint"
+assert_contains "should mention /cost" "$OUT" "/cost"
+
+# Test 2: Calls 51-99 should not warn
+for i in $(seq 51 99); do
+  echo '{}' | bash "$HOOK" 2>/dev/null
+done
+OUT=$(echo '{}' | bash "$HOOK" 2>&1)
+# Call 100 should give strong warning
+assert_contains "call 100 should warn high" "$OUT" "HIGH CONTEXT"
+assert_contains "should mention /compact" "$OUT" "/compact"
+assert_contains "should reference issue" "$OUT" "#50204"
+
+# Test 3: Calls 101-149
+for i in $(seq 101 149); do
+  echo '{}' | bash "$HOOK" 2>/dev/null
+done
+OUT=$(echo '{}' | bash "$HOOK" 2>&1)
+# Call 150 should give critical warning
+assert_contains "call 150 critical warning" "$OUT" "VERY HIGH"
+assert_contains "should mention saving state" "$OUT" "Save"
+
+# Test 4: Normal calls between thresholds should be silent
+rm -f "$COUNTER_FILE"
+echo "10" > "$COUNTER_FILE"
+OUT=$(echo '{}' | bash "$HOOK" 2>&1)
+assert_not_contains "non-threshold call should be silent" "$OUT" "checkpoint"
+assert_not_contains "non-threshold no warning" "$OUT" "HIGH"
+
+# Cleanup
+rm -f "$COUNTER_FILE"
+
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ]

package/tests/test-dangerous-pip-flag-guard.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+# Tests for dangerous-pip-flag-guard.sh
+# Run: bash tests/test-dangerous-pip-flag-guard.sh
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/dangerous-pip-flag-guard.sh"
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "dangerous-pip-flag-guard.sh tests"
+echo ""
+
+# --- Block: --break-system-packages ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"pip install --break-system-packages requests"}}' 2 "Block --break-system-packages"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"pip3 install --break-system-packages numpy"}}' 2 "Block pip3 --break-system-packages"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"pip install requests --break-system-packages"}}' 2 "Block flag after package name"
+
+# --- Block: sudo pip install ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"sudo pip install flask"}}' 2 "Block sudo pip install"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"sudo pip3 install django"}}' 2 "Block sudo pip3 install"
+
+# --- Block: targeting system directories ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"pip install --target=/usr/lib/python3/dist-packages requests"}}' 2 "Block install to /usr/lib"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"pip install --target /opt/python/lib requests"}}' 2 "Block install to /opt"
+
+# --- Allow: normal pip install ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"pip install requests"}}' 0 "Allow normal pip install"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"pip install --user requests"}}' 0 "Allow --user install"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"pip install -r requirements.txt"}}' 0 "Allow requirements.txt"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"pip3 install flask==2.0"}}' 0 "Allow versioned install"
+
+# --- Allow: non-pip commands ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"npm install express"}}' 0 "Allow npm install"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"git status"}}' 0 "Allow git status"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"echo hello"}}' 0 "Allow echo"
+
+# --- Allow: empty/missing ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":""}}' 0 "Allow empty command"
+test_hook '{"tool_name":"Bash","tool_input":{}}' 0 "Allow no command"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed out of $((PASS + FAIL))"
+[ "$FAIL" -eq 0 ] && echo "ALL TESTS PASSED" || exit 1

package/tests/test-dotfile-protection-guard.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+# Tests for dotfile-protection-guard.sh
+# Run: bash tests/test-dotfile-protection-guard.sh
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/dotfile-protection-guard.sh"
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "dotfile-protection-guard.sh tests"
+echo ""
+
+# --- Block: Shell config files ---
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.bashrc\"}}" 2 "Block Write to .bashrc"
+test_hook "{\"tool_name\":\"Edit\",\"tool_input\":{\"file_path\":\"$HOME/.zshrc\"}}" 2 "Block Edit to .zshrc"
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.bash_profile\"}}" 2 "Block Write to .bash_profile"
+test_hook "{\"tool_name\":\"Edit\",\"tool_input\":{\"file_path\":\"$HOME/.profile\"}}" 2 "Block Edit to .profile"
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.zshenv\"}}" 2 "Block Write to .zshenv"
+
+# --- Block: SSH ---
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.ssh/id_rsa\"}}" 2 "Block Write to .ssh/id_rsa"
+test_hook "{\"tool_name\":\"Edit\",\"tool_input\":{\"file_path\":\"$HOME/.ssh/config\"}}" 2 "Block Edit to .ssh/config"
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.ssh/authorized_keys\"}}" 2 "Block Write to .ssh/authorized_keys"
+
+# --- Block: Git credentials ---
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.git-credentials\"}}" 2 "Block Write to .git-credentials"
+test_hook "{\"tool_name\":\"Edit\",\"tool_input\":{\"file_path\":\"$HOME/.gitconfig\"}}" 2 "Block Edit to .gitconfig"
+
+# --- Block: Other credentials ---
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.npmrc\"}}" 2 "Block Write to .npmrc"
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.aws/credentials\"}}" 2 "Block Write to .aws/credentials"
+test_hook "{\"tool_name\":\"Edit\",\"tool_input\":{\"file_path\":\"$HOME/.config/gh/hosts.yml\"}}" 2 "Block Edit to gh hosts.yml"
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.netrc\"}}" 2 "Block Write to .netrc"
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.docker/config.json\"}}" 2 "Block Write to docker config"
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.kube/config\"}}" 2 "Block Write to kube config"
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.gnupg/trustdb.gpg\"}}" 2 "Block Write to gnupg"
+
+# --- Allow: Claude Code config ---
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$HOME/.claude/settings.json\"}}" 0 "Allow Write to .claude/settings.json"
+test_hook "{\"tool_name\":\"Edit\",\"tool_input\":{\"file_path\":\"$HOME/.claude/CLAUDE.md\"}}" 0 "Allow Edit to .claude/CLAUDE.md"
+
+# --- Allow: Project files ---
+test_hook '{"tool_name":"Write","tool_input":{"file_path":"/home/user/project/src/main.py"}}' 0 "Allow Write to project file"
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"./README.md"}}' 0 "Allow Edit to relative path"
+
+# --- Allow: Empty input ---
+test_hook '{}' 0 "Allow empty input"
+test_hook '{"tool_name":"Write","tool_input":{}}' 0 "Allow missing file_path"
+
+# --- Block: Tilde expansion ---
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"~/.bashrc\"}}" 2 "Block Write to ~/.bashrc (tilde)"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed out of $((PASS + FAIL)) tests"
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1

package/tests/test-effort-tracking-logger.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+# Tests for effort-tracking-logger.sh
+HOOK="examples/effort-tracking-logger.sh"
+PASS=0 FAIL=0
+
+assert_contains() { if echo "$2" | grep -q "$3"; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (expected '$3')"; fi; }
+assert_exit() { if [ "$2" -eq "$3" ]; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (exit $2, expected $3)"; fi; }
+
+LOG_DIR="${HOME}/.claude/effort-log"
+LOG_FILE="$LOG_DIR/$(date +%Y-%m-%d).jsonl"
+rm -rf "$LOG_DIR"
+
+# Test 1: Creates log directory
+echo '{"tool_name":"Bash","was_error":"false"}' | bash "$HOOK" 2>&1
+RC=$?
+assert_exit "exit 0" "$RC" 0
+if [ -d "$LOG_DIR" ]; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: log dir not created"; fi
+
+# Test 2: Log file created with valid JSONL
+if [ -f "$LOG_FILE" ]; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: log file not created"; fi
+ENTRY=$(cat "$LOG_FILE")
+assert_contains "has timestamp" "$ENTRY" "timestamp"
+assert_contains "has tool name" "$ENTRY" "Bash"
+assert_contains "has error field" "$ENTRY" "error"
+
+# Test 3: Valid JSON
+python3 -c "import json; json.loads(open('$LOG_FILE').read().strip())" 2>/dev/null
+if [ $? -eq 0 ]; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: invalid JSON"; fi
+
+# Test 4: Multiple entries appended
+echo '{"tool_name":"Read","was_error":"false"}' | bash "$HOOK" 2>&1
+echo '{"tool_name":"Edit","was_error":"true"}' | bash "$HOOK" 2>&1
+LINES=$(wc -l < "$LOG_FILE")
+if [ "$LINES" -eq 3 ]; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: expected 3 lines, got $LINES"; fi
+
+# Test 5: Error field correctly parsed
+LAST=$(tail -1 "$LOG_FILE")
+assert_contains "error=true parsed" "$LAST" '"error": true'
+
+# Test 6: Tool name correctly parsed
+SECOND=$(sed -n '2p' "$LOG_FILE")
+assert_contains "Read tool name" "$SECOND" '"tool": "Read"'
+
+# Test 7: Unknown tool handled
+echo '{}' | bash "$HOOK" 2>&1
+RC=$?
+assert_exit "unknown tool exit 0" "$RC" 0
+LAST=$(tail -1 "$LOG_FILE")
+assert_contains "unknown tool logged" "$LAST" "unknown"
+
+# Cleanup
+rm -rf "$LOG_DIR"
+
+echo "effort-tracking-logger: $PASS passed, $FAIL failed"
+exit $FAIL

package/tests/test-financial-operation-guard.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# Tests for financial-operation-guard.sh
+# Run: bash tests/test-financial-operation-guard.sh
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/financial-operation-guard.sh"
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "financial-operation-guard.sh tests"
+echo ""
+
+# --- Block: Exchange API calls (#46828 pattern) ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"python3 -c \"ex.transfer(USDT, 1446.65, spot, swap)\" bitget"}}' 2 "Block Bitget fund transfer (#46828 exact pattern)"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"curl https://api.binance.com/api/v3/order -X POST"}}' 2 "Block Binance order API"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"python3 trade.py --exchange bybit --withdraw 500"}}' 2 "Block Bybit withdrawal"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"ccxt kraken transfer USDT from spot to futures"}}' 2 "Block Kraken transfer via ccxt"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"python3 -c \"coinbase.create_order(symbol, side, amount)\""}}' 2 "Block Coinbase order"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"curl -X POST https://api.okx.com/api/v5/trade/order"}}' 2 "Block OKX trade order"
+
+# --- Block: Generic crypto transfers ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"python3 -c \"transfer(USDT, 1000, wallet_a, wallet_b)\""}}' 2 "Block USDT transfer"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"send_eth --to 0xabc --amount 5 --wallet main"}}' 2 "Block ETH send"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"python3 withdraw_btc.py --balance 0.5"}}' 2 "Block BTC withdrawal"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"python3 -c \"swap(usdc, 500, from_wallet)\""}}' 2 "Block USDC swap"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"bridge sol from mainnet to polygon --funds 100"}}' 2 "Block SOL bridge"
+
+# --- Block: Payment processor operations ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"curl -X POST https://api.stripe.com/v1/charges -d amount=5000"}}' 2 "Block Stripe charge"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"python3 -c \"stripe.Transfer.create(amount=1000)\""}}' 2 "Block Stripe transfer"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"paypal-cli send payment --to user@email.com --amount 200"}}' 2 "Block PayPal payment"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"python3 -c \"square.payments.create_payment(body)\""}}' 2 "Block Square payment"
+
+# --- Allow: Safe operations ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"curl https://api.example.com/data"}}' 0 "Allow normal API call"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"python3 analyze_trades.py --read-only"}}' 0 "Allow read-only trade analysis"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"cat balance.txt"}}' 0 "Allow reading balance file"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"echo transfer complete"}}' 0 "Allow echo containing transfer"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"git push origin main"}}' 0 "Allow git push"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"npm install stripe"}}' 0 "Allow npm install stripe (not an operation)"
+test_hook '{}' 0 "Allow empty input"
+test_hook '{"tool_name":"Bash","tool_input":{}}' 0 "Allow no command"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed out of $((PASS + FAIL)) tests"
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1

package/tests/test-home-critical-bash-guard.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# Tests for home-critical-bash-guard.sh
+# Run: bash tests/test-home-critical-bash-guard.sh
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/home-critical-bash-guard.sh"
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "home-critical-bash-guard.sh tests"
+echo ""
+
+# --- Block: rm on critical paths ---
+test_hook "{\"tool_input\":{\"command\":\"rm -rf $HOME/.ssh\"}}" 2 "Block rm -rf ~/.ssh"
+test_hook "{\"tool_input\":{\"command\":\"rm $HOME/.git-credentials\"}}" 2 "Block rm ~/.git-credentials"
+test_hook "{\"tool_input\":{\"command\":\"rm -f $HOME/.bashrc\"}}" 2 "Block rm ~/.bashrc"
+test_hook "{\"tool_input\":{\"command\":\"sudo rm $HOME/.zshrc\"}}" 2 "Block sudo rm ~/.zshrc"
+test_hook "{\"tool_input\":{\"command\":\"rm $HOME/.npmrc\"}}" 2 "Block rm ~/.npmrc"
+test_hook "{\"tool_input\":{\"command\":\"rm -rf $HOME/.gnupg\"}}" 2 "Block rm -rf ~/.gnupg"
+test_hook "{\"tool_input\":{\"command\":\"rm $HOME/.aws/credentials\"}}" 2 "Block rm ~/.aws/credentials"
+
+# --- Block: mv on critical paths ---
+test_hook "{\"tool_input\":{\"command\":\"mv $HOME/.bashrc /tmp/\"}}" 2 "Block mv ~/.bashrc"
+test_hook "{\"tool_input\":{\"command\":\"mv $HOME/.ssh/config /tmp/bak\"}}" 2 "Block mv ~/.ssh/config"
+
+# --- Block: Truncation via redirect ---
+test_hook "{\"tool_input\":{\"command\":\"> $HOME/.bashrc\"}}" 2 "Block > ~/.bashrc truncation"
+test_hook "{\"tool_input\":{\"command\":\"echo '' > $HOME/.zshrc\"}}" 2 "Block echo > ~/.zshrc"
+
+# --- Block: chmod 777 on critical files ---
+test_hook "{\"tool_input\":{\"command\":\"chmod 777 $HOME/.ssh/id_rsa\"}}" 2 "Block chmod 777 on .ssh/id_rsa"
+
+# --- Allow: Safe commands ---
+test_hook '{"tool_input":{"command":"rm -rf node_modules"}}' 0 "Allow rm node_modules"
+test_hook '{"tool_input":{"command":"rm /tmp/test.txt"}}' 0 "Allow rm in /tmp"
+test_hook '{"tool_input":{"command":"ls -la ~/.ssh"}}' 0 "Allow ls on .ssh (read-only)"
+test_hook '{"tool_input":{"command":"cat ~/.bashrc"}}' 0 "Allow cat on .bashrc (read-only)"
+test_hook '{"tool_input":{"command":"git status"}}' 0 "Allow git commands"
+
+# --- Allow: Empty input ---
+test_hook '{}' 0 "Allow empty input"
+test_hook '{"tool_input":{}}' 0 "Allow missing command"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed out of $((PASS + FAIL)) tests"
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1

package/tests/test-model-version-change-alert.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+# Tests for model-version-change-alert.sh
+HOOK="examples/model-version-change-alert.sh"
+PASS=0 FAIL=0
+
+assert_contains() { if echo "$2" | grep -q "$3"; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (expected '$3')"; fi; }
+assert_not_contains() { if ! echo "$2" | grep -q "$3"; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (unexpected '$3')"; fi; }
+assert_exit() { if [ "$2" -eq "$3" ]; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (exit $2, expected $3)"; fi; }
+
+HISTORY="/tmp/cc-model-version-history"
+rm -f "$HISTORY"
+
+# Test 1: First run (no history) — no alert
+OUT=$(CLAUDE_MODEL="opus-4.7" bash "$HOOK" 2>&1)
+RC=$?
+assert_not_contains "first run should not alert" "$OUT" "MODEL CHANGED"
+assert_exit "first run exit 0" "$RC" 0
+
+# Test 2: Same model — no alert
+OUT=$(CLAUDE_MODEL="opus-4.7" bash "$HOOK" 2>&1)
+assert_not_contains "same model no alert" "$OUT" "MODEL CHANGED"
+
+# Test 3: Model changed — should alert
+OUT=$(CLAUDE_MODEL="opus-4.6" bash "$HOOK" 2>&1)
+assert_contains "model change should alert" "$OUT" "MODEL CHANGED"
+assert_contains "should show old model" "$OUT" "opus-4.7"
+assert_contains "should show new model" "$OUT" "opus-4.6"
+assert_contains "should reference issue" "$OUT" "#49689"
+
+# Test 4: Exit code always 0
+RC=$?
+assert_exit "exit 0 on alert" "$RC" 0
+
+# Test 5: Unknown model — no update, no alert
+echo "opus-4.7" > "$HISTORY"
+OUT=$(bash "$HOOK" 2>&1)  # No CLAUDE_MODEL set
+assert_not_contains "unknown model no alert" "$OUT" "MODEL CHANGED"
+
+# Test 6: History file is updated correctly
+echo "opus-4.6" > "$HISTORY"
+CLAUDE_MODEL="opus-4.7" bash "$HOOK" > /dev/null 2>&1
+STORED=$(cat "$HISTORY")
+if [ "$STORED" = "opus-4.7" ]; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: history should store new model (got $STORED)"; fi
+
+# Test 7: Back-to-back changes detected
+CLAUDE_MODEL="sonnet-4.5" bash "$HOOK" > /dev/null 2>&1
+OUT=$(CLAUDE_MODEL="haiku-4.5" bash "$HOOK" 2>&1)
+assert_contains "sequential change detected" "$OUT" "MODEL CHANGED"
+assert_contains "shows sonnet" "$OUT" "sonnet-4.5"
+
+# Cleanup
+rm -f "$HISTORY"
+
+echo "model-version-change-alert: $PASS passed, $FAIL failed"
+exit $FAIL