cc-safe-setup 29.6.40 → 29.7.0

package/tests/test-move-delete-sequence-guard.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# Tests for move-delete-sequence-guard.sh
+# Run: bash tests/test-move-delete-sequence-guard.sh
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/move-delete-sequence-guard.sh"
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "move-delete-sequence-guard.sh tests"
+echo ""
+
+# --- Block: mv + rm -rf on parent directory (#49129 pattern) ---
+test_hook '{"tool_input":{"command":"mv /home/user/project/important.txt /tmp/ && rm -rf /home/user/project"}}' 2 "Block mv file then rm -rf parent (&&)"
+test_hook '{"tool_input":{"command":"mv /home/user/project/src/main.py /tmp/backup/ ; rm -rf /home/user/project/src"}}' 2 "Block mv file then rm -rf parent (;)"
+test_hook '{"tool_input":{"command":"mv /data/app/config.yml /tmp/ || rm -rf /data/app"}}' 2 "Block mv file then rm -rf parent (||)"
+
+# --- Block: mv + rm -rf on same path ---
+test_hook '{"tool_input":{"command":"mv /home/user/mydir /tmp/backup && rm -rf /home/user/mydir"}}' 2 "Block mv dir then rm -rf same dir"
+
+# --- Block: mv + rm -rf on ancestor directory ---
+test_hook '{"tool_input":{"command":"mv /home/user/project/src/lib/util.py /tmp/ && rm -rf /home/user/project"}}' 2 "Block mv file then rm -rf ancestor"
+test_hook '{"tool_input":{"command":"mv /var/data/app/logs/today.log /tmp/ ; rm -rf /var/data"}}' 2 "Block mv file then rm -rf distant ancestor"
+
+# --- Allow: mv and rm on unrelated paths ---
+test_hook '{"tool_input":{"command":"mv /tmp/old.txt /tmp/new.txt && rm /var/log/app.log"}}' 0 "Allow mv and rm on unrelated paths"
+test_hook '{"tool_input":{"command":"mv file.txt backup/ && rm other_file.txt"}}' 0 "Allow mv and rm on different files"
+
+# --- Allow: mv only (no rm) ---
+test_hook '{"tool_input":{"command":"mv /home/user/file.txt /tmp/"}}' 0 "Allow mv without rm"
+
+# --- Allow: rm only (no mv) ---
+test_hook '{"tool_input":{"command":"rm -rf /tmp/junk"}}' 0 "Allow rm without mv"
+
+# --- Allow: Empty/missing input ---
+test_hook '{}' 0 "Allow empty input"
+test_hook '{"tool_input":{}}' 0 "Allow missing command"
+test_hook '{"tool_input":{"command":""}}' 0 "Allow empty command"
+
+# --- Allow: Safe operations ---
+test_hook '{"tool_input":{"command":"ls -la && echo done"}}' 0 "Allow non-destructive compound command"
+test_hook '{"tool_input":{"command":"git mv old.txt new.txt"}}' 0 "Allow git mv (no rm)"
+
+# --- Block: Real-world attack patterns ---
+test_hook '{"tool_input":{"command":"mv /home/user/projects/webapp/src/index.js /tmp/safe/ && rm -rf /home/user/projects/webapp/src"}}' 2 "Block real-world: save one file, delete rest of src"
+test_hook '{"tool_input":{"command":"mv /home/user/data/important.db /tmp/ ; rm -r /home/user/data"}}' 2 "Block real-world: save DB, delete data dir"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed out of $((PASS + FAIL)) tests"
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1

package/tests/test-pr-duplicate-guard.sh

@@ -0,0 +1,29 @@
+set -euo pipefail
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/pr-duplicate-guard.sh"
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+echo "=== pr-duplicate-guard.sh ==="
+test_hook '{"tool_input":{"command":"git push origin main"}}' 0 "git push passes through"
+test_hook '{"tool_input":{"command":"npm publish"}}' 0 "npm publish passes through"
+test_hook '{"tool_input":{"command":"echo hello"}}' 0 "echo passes through"
+test_hook '{"tool_input":{"command":"gh pr list"}}' 0 "gh pr list passes through"
+test_hook '{"tool_input":{"command":"gh pr view 123"}}' 0 "gh pr view passes through"
+test_hook '{"tool_input":{"command":"gh issue create --title test"}}' 0 "gh issue create passes through"
+test_hook '{"tool_input":{"command":"gh pr create --title \"test\" --body \"test\""}}' 0 "gh pr create on unique branch passes"
+test_hook '{}' 0 "empty input passes"
+test_hook '' 0 "blank input passes"
+echo ""
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1

package/tests/test-quota-reset-cycle-monitor.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+# Tests for quota-reset-cycle-monitor.sh
+HOOK="examples/quota-reset-cycle-monitor.sh"
+PASS=0 FAIL=0
+
+assert_contains() { if echo "$2" | grep -q "$3"; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (expected '$3')"; fi; }
+assert_not_contains() { if ! echo "$2" | grep -q "$3"; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (unexpected '$3')"; fi; }
+assert_exit() { if [ "$2" -eq "$3" ]; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (exit $2, expected $3)"; fi; }
+
+HISTORY="/tmp/cc-quota-reset-history"
+rm -f "$HISTORY"
+
+# Test 1: First run creates history
+OUT=$(bash "$HOOK" 2>&1)
+RC=$?
+assert_exit "exit 0" "$RC" 0
+if [ -f "$HISTORY" ]; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: history not created"; fi
+
+# Test 2: History contains today's date
+TODAY=$(date +%Y-%m-%d)
+CONTENT=$(cat "$HISTORY")
+assert_contains "has today's date" "$CONTENT" "$TODAY"
+
+# Test 3: Second run same day — no duplicate entry
+bash "$HOOK" 2>/dev/null
+LINES=$(wc -l < "$HISTORY")
+if [ "$LINES" -eq 1 ]; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: duplicate entry ($LINES lines)"; fi
+
+# Test 4: History format is correct (date|weekday)
+WEEKDAY=$(date +%u)
+assert_contains "correct format" "$CONTENT" "$TODAY|$WEEKDAY"
+
+# Test 5: With 7+ entries, should give info message
+rm -f "$HISTORY"
+for i in $(seq 1 7); do
+  echo "2026-04-$(printf '%02d' $((i+10)))|$i" >> "$HISTORY"
+done
+# Remove today's entry so the hook will run
+sed -i "/$TODAY/d" "$HISTORY"
+OUT=$(bash "$HOOK" 2>&1)
+assert_contains "7+ entries shows info" "$OUT" "tracking"
+assert_contains "references issue" "$OUT" "#49599"
+
+# Test 6: Exit code always 0
+RC=$?
+assert_exit "always exit 0" "$RC" 0
+
+# Cleanup
+rm -f "$HISTORY"
+
+echo "quota-reset-cycle-monitor: $PASS passed, $FAIL failed"
+exit $FAIL

package/tests/test-shell-config-truncation-guard.sh

@@ -0,0 +1,104 @@
+#!/bin/bash
+# Tests for shell-config-truncation-guard.sh
+# Run: bash tests/test-shell-config-truncation-guard.sh
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/shell-config-truncation-guard.sh"
+
+# Create temp dir for test files
+TEST_DIR=$(mktemp -d)
+trap 'rm -rf "$TEST_DIR"' EXIT
+
+# Create a fake home with shell config files
+export HOME="$TEST_DIR"
+echo '# My bash profile
+export PATH="$HOME/bin:$PATH"
+export EDITOR=vim
+alias ll="ls -la"
+eval "$(pyenv init -)"
+source ~/.bash_completion
+' > "$TEST_DIR/.bash_profile"
+
+echo '# My zshrc
+export PATH="$HOME/bin:$PATH"
+autoload -Uz compinit
+compinit
+source /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh
+' > "$TEST_DIR/.zshrc"
+
+echo '# My bashrc
+if [ -f /etc/bashrc ]; then . /etc/bashrc; fi
+export PATH="$HOME/bin:$PATH"
+' > "$TEST_DIR/.bashrc"
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "shell-config-truncation-guard.sh tests"
+echo ""
+
+# --- Block: Write tool truncating to empty ---
+echo "= Write tool: truncation blocking ="
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$TEST_DIR/.bash_profile\",\"content\":\"\"}}" 2 "Block empty Write to .bash_profile"
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$TEST_DIR/.zshrc\",\"content\":\"\"}}" 2 "Block empty Write to .zshrc"
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$TEST_DIR/.bashrc\",\"content\":\"\"}}" 2 "Block empty Write to .bashrc"
+
+# --- Block: Write tool with near-empty content ---
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$TEST_DIR/.bash_profile\",\"content\":\"#\n\"}}" 2 "Block near-empty Write to .bash_profile"
+
+# --- Block: Write tool with >60% size reduction ---
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$TEST_DIR/.bash_profile\",\"content\":\"export PATH\"}}" 2 "Block >60% reduction of .bash_profile"
+
+# --- Allow: Write tool with reasonable content ---
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$TEST_DIR/.bash_profile\",\"content\":\"# Updated bash profile\nexport PATH=\\\"$TEST_DIR/bin:\$PATH\\\"\nexport EDITOR=vim\nalias ll=\\\"ls -la\\\"\neval \\\"\$(pyenv init -)\\\"\nsource ~/.bash_completion\n# Added new alias\nalias gs=\\\"git status\\\"\n\"}}" 0 "Allow reasonable Write to .bash_profile"
+
+# --- Allow: Write to unprotected files ---
+test_hook '{"tool_name":"Write","tool_input":{"file_path":"/tmp/test.txt","content":""}}' 0 "Allow empty Write to unprotected file"
+test_hook '{"tool_name":"Write","tool_input":{"file_path":"/tmp/config.sh","content":"echo hello"}}' 0 "Allow Write to unprotected config"
+
+# --- Block: Bash truncation commands ---
+echo ""
+echo "= Bash tool: truncation blocking ="
+test_hook "{\"tool_name\":\"Bash\",\"tool_input\":{\"command\":\"> $TEST_DIR/.bashrc\"}}" 2 "Block > redirect truncation of .bashrc"
+test_hook "{\"tool_name\":\"Bash\",\"tool_input\":{\"command\":\"truncate -s 0 $TEST_DIR/.zshrc\"}}" 2 "Block truncate command on .zshrc"
+test_hook "{\"tool_name\":\"Bash\",\"tool_input\":{\"command\":\": > $TEST_DIR/.bash_profile\"}}" 2 "Block : > truncation of .bash_profile"
+
+# --- Allow: Bash reading shell config ---
+test_hook "{\"tool_name\":\"Bash\",\"tool_input\":{\"command\":\"cat $TEST_DIR/.bashrc\"}}" 0 "Allow cat .bashrc"
+test_hook "{\"tool_name\":\"Bash\",\"tool_input\":{\"command\":\"grep PATH $TEST_DIR/.zshrc\"}}" 0 "Allow grep .zshrc"
+
+# --- Allow: Bash with unrelated commands ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"echo hello"}}' 0 "Allow echo"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"ls -la"}}' 0 "Allow ls"
+test_hook '{"tool_name":"Bash","tool_input":{"command":"git status"}}' 0 "Allow git status"
+
+# --- Allow: Non-matching tools ---
+echo ""
+echo "= Non-matching tools ="
+test_hook '{"tool_name":"Read","tool_input":{"file_path":"/tmp/test"}}' 0 "Allow Read tool"
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"/tmp/test"}}' 0 "Allow Edit tool"
+
+# --- Edge cases ---
+echo ""
+echo "= Edge cases ="
+test_hook '{}' 0 "Handle empty input"
+test_hook '{"tool_name":"Bash","tool_input":{"command":""}}' 0 "Handle empty command"
+
+# Write to a file that doesn't exist yet (should allow)
+test_hook "{\"tool_name\":\"Write\",\"tool_input\":{\"file_path\":\"$TEST_DIR/.new_profile\",\"content\":\"\"}}" 0 "Allow Write to non-existent profile"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ] && echo "ALL TESTS PASSED" || exit 1

package/tests/test-subagent-spawn-rate-monitor.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# Tests for subagent-spawn-rate-monitor.sh
+HOOK="examples/subagent-spawn-rate-monitor.sh"
+PASS=0 FAIL=0
+
+assert_contains() { if echo "$2" | grep -q "$3"; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (expected '$3')"; fi; }
+assert_not_contains() { if ! echo "$2" | grep -q "$3"; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (unexpected '$3')"; fi; }
+
+# Cleanup state
+rm -f /tmp/cc-subagent-spawn-counter /tmp/cc-subagent-spawn-window
+
+# Test 1: First spawn should not warn
+OUT=$(echo '{}' | bash "$HOOK" 2>&1)
+assert_not_contains "first spawn no warn" "$OUT" "HIGH SUBAGENT"
+
+# Test 2-5: Spawns 2-5 should not warn
+for i in 2 3 4 5; do
+  OUT=$(echo '{}' | bash "$HOOK" 2>&1)
+  assert_not_contains "spawn $i no warn" "$OUT" "HIGH SUBAGENT"
+done
+
+# Test 6: 6th spawn (>5 threshold) should warn
+OUT=$(echo '{}' | bash "$HOOK" 2>&1)
+assert_contains "6th spawn should warn" "$OUT" "HIGH SUBAGENT"
+assert_contains "should mention token cost" "$OUT" "4.7K"
+assert_contains "should reference issue" "$OUT" "#50213"
+
+# Test 7: Reset counter, verify no warning after reset
+rm -f /tmp/cc-subagent-spawn-counter /tmp/cc-subagent-spawn-window
+OUT=$(echo '{}' | bash "$HOOK" 2>&1)
+assert_not_contains "after reset no warn" "$OUT" "HIGH SUBAGENT"
+
+# Test 8: Window expiry reset
+echo "1" > /tmp/cc-subagent-spawn-counter
+echo "$(($(date +%s) - 400))" > /tmp/cc-subagent-spawn-window
+OUT=$(echo '{}' | bash "$HOOK" 2>&1)
+assert_not_contains "expired window resets count" "$OUT" "HIGH SUBAGENT"
+
+# Cleanup
+rm -f /tmp/cc-subagent-spawn-counter /tmp/cc-subagent-spawn-window
+
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ]

package/tests/test-system-dir-protection-guard.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+# Tests for system-dir-protection-guard.sh
+# Run: bash tests/test-system-dir-protection-guard.sh
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/system-dir-protection-guard.sh"
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "system-dir-protection-guard.sh tests"
+echo ""
+
+# --- Block: rm on system directories ---
+test_hook '{"tool_input":{"command":"rm -rf /etc"}}' 2 "Block rm -rf /etc"
+test_hook '{"tool_input":{"command":"rm -rf /usr"}}' 2 "Block rm -rf /usr"
+test_hook '{"tool_input":{"command":"rm -rf /var"}}' 2 "Block rm -rf /var"
+test_hook '{"tool_input":{"command":"rm -rf /opt"}}' 2 "Block rm -rf /opt"
+test_hook '{"tool_input":{"command":"rm -rf /boot"}}' 2 "Block rm -rf /boot"
+test_hook '{"tool_input":{"command":"rm -rf /root"}}' 2 "Block rm -rf /root"
+test_hook '{"tool_input":{"command":"rm -rf /srv"}}' 2 "Block rm -rf /srv"
+test_hook '{"tool_input":{"command":"rm -rf /home"}}' 2 "Block rm -rf /home"
+test_hook '{"tool_input":{"command":"rm -rf /home/username"}}' 2 "Block rm -rf /home/username"
+test_hook '{"tool_input":{"command":"sudo rm -rf /etc/nginx"}}' 2 "Block sudo rm -rf /etc/nginx"
+test_hook '{"tool_input":{"command":"rm -rf /usr/local"}}' 2 "Block rm -rf /usr/local"
+
+# --- Block: rm on critical home directories ---
+test_hook "{\"tool_input\":{\"command\":\"rm -rf $HOME/.ssh\"}}" 2 "Block rm -rf ~/.ssh"
+test_hook "{\"tool_input\":{\"command\":\"rm -rf $HOME/.config\"}}" 2 "Block rm -rf ~/.config"
+test_hook "{\"tool_input\":{\"command\":\"rm -rf $HOME/.local\"}}" 2 "Block rm -rf ~/.local"
+test_hook "{\"tool_input\":{\"command\":\"rm -rf $HOME/.gnupg\"}}" 2 "Block rm -rf ~/.gnupg"
+
+# --- Block: mv on system directories (#49554) ---
+test_hook '{"tool_input":{"command":"mv /etc /tmp/etc_backup"}}' 2 "Block mv /etc"
+test_hook '{"tool_input":{"command":"mv /usr/local /tmp/"}}' 2 "Block mv /usr/local"
+test_hook '{"tool_input":{"command":"mv /home/user /tmp/"}}' 2 "Block mv /home/user"
+test_hook '{"tool_input":{"command":"sudo mv /var/lib /tmp/"}}' 2 "Block sudo mv /var/lib"
+test_hook "{\"tool_input\":{\"command\":\"mv $HOME/.ssh /tmp/\"}}" 2 "Block mv ~/.ssh"
+
+# --- Block: chmod -R on system directories ---
+test_hook '{"tool_input":{"command":"chmod -R 777 /etc"}}' 2 "Block chmod -R 777 /etc"
+test_hook '{"tool_input":{"command":"sudo chmod -R 755 /usr"}}' 2 "Block sudo chmod -R /usr"
+
+# --- Block: chown -R on system directories ---
+test_hook '{"tool_input":{"command":"chown -R user:user /var"}}' 2 "Block chown -R /var"
+test_hook '{"tool_input":{"command":"sudo chown -R root:root /opt"}}' 2 "Block sudo chown -R /opt"
+
+# --- Allow: Safe operations ---
+test_hook '{"tool_input":{"command":"rm -rf /tmp/junk"}}' 0 "Allow rm -rf /tmp/junk"
+test_hook '{"tool_input":{"command":"rm node_modules"}}' 0 "Allow rm node_modules"
+test_hook '{"tool_input":{"command":"rm /home/user/project/dist/bundle.js"}}' 0 "Allow rm specific file in project"
+test_hook '{"tool_input":{"command":"ls /etc/hosts"}}' 0 "Allow read-only access to /etc"
+test_hook '{"tool_input":{"command":"cat /usr/local/bin/script"}}' 0 "Allow cat on /usr"
+test_hook '{"tool_input":{"command":"mv /tmp/a.txt /tmp/b.txt"}}' 0 "Allow mv in /tmp"
+test_hook '{"tool_input":{"command":"chmod 644 myfile.txt"}}' 0 "Allow chmod on project file"
+
+# --- Allow: Empty/missing input ---
+test_hook '{}' 0 "Allow empty input"
+test_hook '{"tool_input":{}}' 0 "Allow missing command"
+test_hook '{"tool_input":{"command":""}}' 0 "Allow empty command"
+
+# --- Allow: Non-destructive system commands ---
+test_hook '{"tool_input":{"command":"grep -r pattern /etc/nginx/"}}' 0 "Allow grep in /etc"
+test_hook '{"tool_input":{"command":"find /usr -name \"*.so\""}}' 0 "Allow find in /usr (no delete)"
+test_hook '{"tool_input":{"command":"cp /etc/hosts /tmp/"}}' 0 "Allow cp from /etc"
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed out of $((PASS + FAIL)) tests"
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1

package/tests/test-tool-retry-budget-guard.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+# Tests for tool-retry-budget-guard.sh
+set -euo pipefail
+
+PASS=0
+FAIL=0
+HOOK="$(dirname "$0")/../examples/tool-retry-budget-guard.sh"
+
+# Clean state before tests
+rm -rf /tmp/.cc-retry-budget
+
+test_hook() {
+    local input="$1" expected_exit="$2" desc="$3"
+    local actual_exit=0
+    echo "$input" | bash "$HOOK" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "tool-retry-budget-guard.sh tests"
+echo ""
+
+# Clean state
+rm -rf /tmp/.cc-retry-budget
+
+# --- Allow: First few edits ---
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"/tmp/test-retry-a.txt"}}' 0 "Allow 1st edit to file A"
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"/tmp/test-retry-a.txt"}}' 0 "Allow 2nd edit to file A"
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"/tmp/test-retry-a.txt"}}' 0 "Allow 3rd edit to file A"
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"/tmp/test-retry-a.txt"}}' 0 "Allow 4th edit to file A"
+
+# --- Allow: Warning at 5th (exit 0 but with warning) ---
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"/tmp/test-retry-a.txt"}}' 0 "Warn at 5th edit (still allow)"
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"/tmp/test-retry-a.txt"}}' 0 "Warn at 6th edit (still allow)"
+
+# --- Block: 7th attempt ---
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"/tmp/test-retry-a.txt"}}' 2 "Block at 7th consecutive edit"
+
+# --- After block, counter resets ---
+rm -rf /tmp/.cc-retry-budget
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"/tmp/test-retry-a.txt"}}' 0 "Allow after counter reset"
+
+# --- Different files don't interfere ---
+rm -rf /tmp/.cc-retry-budget
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"/tmp/test-retry-b.txt"}}' 0 "Allow edit to file B"
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"/tmp/test-retry-c.txt"}}' 0 "Allow edit to file C"
+test_hook '{"tool_name":"Edit","tool_input":{"file_path":"/tmp/test-retry-b.txt"}}' 0 "Allow 2nd edit to file B"
+
+# --- Write tool also tracked ---
+rm -rf /tmp/.cc-retry-budget
+for i in $(seq 1 6); do
+    test_hook '{"tool_name":"Write","tool_input":{"file_path":"/tmp/test-retry-w.txt"}}' 0 "Write attempt $i (allow)"
+done
+test_hook '{"tool_name":"Write","tool_input":{"file_path":"/tmp/test-retry-w.txt"}}' 2 "Block Write at 7th attempt"
+
+# --- Non-Edit/Write tools pass through ---
+test_hook '{"tool_name":"Bash","tool_input":{"command":"ls"}}' 0 "Allow Bash (not tracked)"
+test_hook '{"tool_name":"Read","tool_input":{"file_path":"/tmp/foo"}}' 0 "Allow Read (not tracked)"
+test_hook '{"tool_name":"Grep","tool_input":{"pattern":"test"}}' 0 "Allow Grep (not tracked)"
+
+# --- Empty input ---
+test_hook '{}' 0 "Allow empty input"
+test_hook '{"tool_name":"Edit","tool_input":{}}' 0 "Allow Edit with no file_path"
+
+# Clean up
+rm -rf /tmp/.cc-retry-budget
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1

package/tests/test-worktree-branch-pollution-detector.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# Tests for worktree-branch-pollution-detector.sh
+HOOK="examples/worktree-branch-pollution-detector.sh"
+PASS=0 FAIL=0
+
+assert_pass() { if [ $? -eq 0 ]; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1"; fi; }
+assert_contains() { if echo "$2" | grep -q "$3"; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (expected '$3')"; fi; }
+assert_not_contains() { if ! echo "$2" | grep -q "$3"; then PASS=$((PASS+1)); else FAIL=$((FAIL+1)); echo "FAIL: $1 (unexpected '$3')"; fi; }
+
+# Setup temp repo
+TMPDIR=$(mktemp -d)
+cd "$TMPDIR"
+git init -q
+git commit --allow-empty -m "init" -q 2>/dev/null
+
+# Clean up expected branch files
+HASH=$(echo "$TMPDIR" | md5sum | cut -c1-8)
+rm -f "/tmp/cc-expected-branch-$HASH"
+
+# Test 1: First run records branch (no warning)
+OUT=$(echo '{}' | bash "$OLDPWD/$HOOK" 2>&1)
+assert_not_contains "first run should not warn" "$OUT" "BRANCH CHANGED"
+assert_pass "first run exits 0"
+
+# Test 2: Same branch (no warning)
+OUT=$(echo '{}' | bash "$OLDPWD/$HOOK" 2>&1)
+assert_not_contains "same branch should not warn" "$OUT" "BRANCH CHANGED"
+
+# Test 3: Switch branch triggers warning
+DEFAULT_BRANCH=$(git branch --show-current)
+git checkout -b feature-x -q 2>/dev/null
+OUT=$(echo '{}' | bash "$OLDPWD/$HOOK" 2>&1)
+assert_contains "branch change should warn" "$OUT" "BRANCH CHANGED"
+assert_contains "should mention expected branch" "$OUT" "$DEFAULT_BRANCH"
+
+# Test 4: After warning, new branch is accepted
+OUT=$(echo '{}' | bash "$OLDPWD/$HOOK" 2>&1)
+assert_not_contains "after update should not warn" "$OUT" "BRANCH CHANGED"
+
+# Test 5: Non-git directory exits silently
+cd /tmp
+OUT=$(echo '{}' | bash "$OLDPWD/$HOOK" 2>&1)
+assert_not_contains "non-git should not warn" "$OUT" "BRANCH CHANGED"
+
+# Cleanup
+rm -rf "$TMPDIR"
+rm -f "/tmp/cc-expected-branch-$HASH"
+
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ]

package/tests/test-worktree-lifecycle-hooks.sh

@@ -0,0 +1,29 @@
+set -euo pipefail
+PASS=0
+FAIL=0
+test_hook() {
+    local hook="$1" input="$2" expected_exit="$3" desc="$4"
+    local actual_exit=0
+    echo "$input" | bash "$hook" > /dev/null 2>/dev/null || actual_exit=$?
+    if [ "$actual_exit" -eq "$expected_exit" ]; then
+        echo "  PASS: $desc"
+        PASS=$((PASS + 1))
+    else
+        echo "  FAIL: $desc (expected exit $expected_exit, got $actual_exit)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+HOOK_CREATE="$(dirname "$0")/../examples/worktree-create-log.sh"
+HOOK_REMOVE="$(dirname "$0")/../examples/worktree-remove-uncommitted-guard.sh"
+echo "=== worktree-create-log.sh ==="
+test_hook "$HOOK_CREATE" '{"branch":"feature/test","path":"/tmp/wt-test"}' 0 "logs creation and passes"
+test_hook "$HOOK_CREATE" '{}' 0 "empty input passes"
+test_hook "$HOOK_CREATE" '' 0 "blank input passes"
+echo ""
+echo "=== worktree-remove-uncommitted-guard.sh ==="
+test_hook "$HOOK_REMOVE" '{"path":"/nonexistent/path"}' 0 "nonexistent path passes"
+test_hook "$HOOK_REMOVE" '{}' 0 "empty input passes"
+test_hook "$HOOK_REMOVE" '' 0 "blank input passes"
+echo ""
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1