cc-safe-setup 29.6.40 → 29.8.0

package/examples/quota-reset-cycle-monitor.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# quota-reset-cycle-monitor.sh — quotaリセット周期の変更を検知
+# Why: ユーザーのquotaリセット周期が予告なく月曜→金曜に変更された (#49599, 2r/4c)。
+#      リセット日を追跡し、周期変更時に警告する。
+#      突然のquota枯渇の原因究明に役立つ。
+# Event: Notification  MATCHER: ""
+# Action: 日次でquotaリセット日を記録、周期変更を検知
+
+RESET_LOG="/tmp/cc-quota-reset-history"
+TODAY=$(date +%u)  # 1=Monday, 7=Sunday
+TODAY_DATE=$(date +%Y-%m-%d)
+
+# 1日1回だけチェック（日付で制御）
+LAST_CHECK=$(head -1 "$RESET_LOG" 2>/dev/null | cut -d'|' -f1)
+[ "$LAST_CHECK" = "$TODAY_DATE" ] && exit 0
+
+# /costの出力からリセット情報を取得する方法の案内
+# 実際のリセット検知は手動確認が必要だが、ログを残すことで追跡可能
+echo "$TODAY_DATE|$TODAY" >> "$RESET_LOG"
+
+# リセット履歴が2件以上ある場合、周期を分析
+ENTRIES=$(wc -l < "$RESET_LOG" 2>/dev/null || echo "0")
+if [ "$ENTRIES" -ge 7 ]; then
+  # 過去7日の曜日パターンを表示（週末にquotaが増えたら次週リセット=正常）
+  echo "📊 Quota tracking: $ENTRIES days logged. Run '/cost' to check current reset day." >&2
+  echo "Known issue: reset cycle may change without notice (#49599)." >&2
+  echo "If your quota resets on a different day than expected, report to Anthropic support." >&2
+fi
+
+exit 0

package/examples/repo-visibility-guard.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# repo-visibility-guard.sh — Block repository visibility changes
+# Prevents Claude Code from making private repos public (or vice versa).
+# Incident: #50353 — Opus 4.7 ran `gh repo edit --visibility public` autonomously,
+# exposing a hardcoded private key. Wallet drained $413 in 60-90 seconds.
+#
+# Hook config (settings.json):
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "bash ~/.claude/hooks/repo-visibility-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Block gh repo edit --visibility (public/private/internal)
+if echo "$COMMAND" | grep -qE 'gh\s+repo\s+edit\s+--visibility'; then
+    echo "BLOCKED: repository visibility change requires manual confirmation. See #50353." >&2
+    exit 2
+fi
+
+# Block git push with --set-upstream to unknown remotes (potential exfiltration)
+if echo "$COMMAND" | grep -qE 'git\s+remote\s+add\s' && echo "$COMMAND" | grep -qE 'git\s+push'; then
+    echo "BLOCKED: adding remote and pushing in one command. Review the remote URL first." >&2
+    exit 2
+fi
+
+exit 0

package/examples/sandbox-relative-path-audit.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# sandbox-relative-path-audit.sh — Detect relative paths in sandbox settings that are silently ignored
+#
+# CRITICAL: denyWrite, denyRead, and allowWrite in settings.json only work
+# with ABSOLUTE paths. Relative paths are SILENTLY IGNORED — no error, no
+# warning, and zero protection. Users who think they've protected sensitive
+# directories may have no actual protection.
+#
+# Born from: https://github.com/anthropics/claude-code/issues/50454
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash|Write|Edit"
+# Best used as a Notification hook (exit 0 always) to alert without blocking.
+
+INPUT=$(cat)
+# Only run once per session (check marker file)
+MARKER="/tmp/cc-sandbox-audit-$$"
+[ -f "$MARKER" ] && exit 0
+touch "$MARKER"
+
+# Find settings.json locations
+SETTINGS_FILES=""
+[ -f "$HOME/.claude/settings.json" ] && SETTINGS_FILES="$HOME/.claude/settings.json"
+[ -f ".claude/settings.json" ] && SETTINGS_FILES="$SETTINGS_FILES .claude/settings.json"
+[ -f "$HOME/.claude/settings.local.json" ] && SETTINGS_FILES="$SETTINGS_FILES $HOME/.claude/settings.local.json"
+
+[ -z "$SETTINGS_FILES" ] && exit 0
+
+FOUND_RELATIVE=0
+for SFILE in $SETTINGS_FILES; do
+    for KEY in denyWrite denyRead allowWrite; do
+        PATHS=$(jq -r ".permissions.${KEY}[]? // empty" "$SFILE" 2>/dev/null)
+        [ -z "$PATHS" ] && continue
+        while IFS= read -r P; do
+            [ -z "$P" ] && continue
+            if [[ "$P" != /* ]] && [[ "$P" != "~"* ]]; then
+                echo "⚠ SANDBOX WARNING: Relative path in ${KEY} is SILENTLY IGNORED" >&2
+                echo "  File: $SFILE" >&2
+                echo "  Path: \"$P\" → has NO effect" >&2
+                echo "  Fix:  Use absolute path: \"$(realpath -m "$P" 2>/dev/null || echo "$PWD/$P")\"" >&2
+                FOUND_RELATIVE=1
+            fi
+        done <<< "$PATHS"
+    done
+done
+
+if [ "$FOUND_RELATIVE" -eq 1 ]; then
+    echo "" >&2
+    echo "See: https://github.com/anthropics/claude-code/issues/50454" >&2
+fi
+
+exit 0

package/examples/session-agent-cost-limiter.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# session-agent-cost-limiter.sh — Cap total subagent spawns per session
+#
+# Solves: #47049 — User lost £140 overnight when Claude spawned 16+
+#   subagents. Each agent gets its own context window = 16x token cost.
+#   Existing max-concurrent-agents limits simultaneous agents, but not
+#   total spawns over a session. This hook limits the cumulative count.
+#
+# How it works: Tracks every Agent spawn in a session-scoped counter.
+#   After CC_MAX_SESSION_AGENTS total spawns, blocks further agents.
+#   Counter resets when the session ends (file keyed by PPID).
+#
+# CONFIG:
+#   CC_MAX_SESSION_AGENTS=10  (default: 10 total agents per session)
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Agent"
+# CATEGORY: cost-control
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+[ "$TOOL" != "Agent" ] && exit 0
+
+MAX_TOTAL=${CC_MAX_SESSION_AGENTS:-10}
+# Use PPID to track the parent Claude Code process, not this subshell
+COUNTER_FILE="/tmp/cc-session-agents-${PPID}"
+
+# Initialize if missing
+[ -f "$COUNTER_FILE" ] || echo "0" > "$COUNTER_FILE"
+
+CURRENT=$(cat "$COUNTER_FILE" 2>/dev/null || echo 0)
+
+if [ "$CURRENT" -ge "$MAX_TOTAL" ]; then
+    echo "BLOCKED: Session agent limit reached (${CURRENT}/${MAX_TOTAL} total spawns)." >&2
+    echo "  Each subagent opens a new context window and consumes tokens independently." >&2
+    echo "  Consider completing existing work before spawning more agents." >&2
+    echo "  Override: CC_MAX_SESSION_AGENTS=$((MAX_TOTAL + 5))" >&2
+    exit 2
+fi
+
+# Increment
+echo $((CURRENT + 1)) > "$COUNTER_FILE"
+exit 0

package/examples/session-cost-alert.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# session-cost-alert.sh — Alert when estimated session cost exceeds threshold
+#
+# Solves: #47049 — User lost £140 overnight without realizing costs were
+#   accumulating. This hook estimates token cost per tool call and warns
+#   when the session total exceeds a configurable threshold.
+#
+# How it works: PostToolUse hook that parses session_tokens from tool
+#   results (when available) and estimates cost using Anthropic pricing.
+#   Warns at $1 and blocks at $5 (configurable).
+#
+# CONFIG:
+#   CC_COST_WARN=1     (warn at $1, default)
+#   CC_COST_BLOCK=5    (block at $5, default)
+#   CC_MODEL_COST=5    ($/M input tokens for Opus, default)
+#
+# TRIGGER: PostToolUse
+# MATCHER: ""
+# CATEGORY: cost-control
+
+INPUT=$(cat)
+
+WARN_THRESHOLD=${CC_COST_WARN:-1}
+BLOCK_THRESHOLD=${CC_COST_BLOCK:-5}
+COST_PER_M=${CC_MODEL_COST:-5}
+
+COST_FILE="/tmp/cc-session-cost-${PPID}"
+
+# Initialize
+if [ ! -f "$COST_FILE" ]; then
+    echo "0" > "$COST_FILE"
+fi
+
+# Try to extract token count from tool result
+# Note: Not all tool results contain token info. This is a best-effort estimate.
+TOKENS=$(echo "$INPUT" | jq -r '.tool_result // empty' 2>/dev/null | wc -c)
+# Rough estimate: 1 char ≈ 0.3 tokens (for tool output going into context)
+EST_TOKENS=$((TOKENS * 3 / 10))
+
+# Add to running total
+CURRENT=$(cat "$COST_FILE" 2>/dev/null || echo 0)
+TOTAL=$((CURRENT + EST_TOKENS))
+echo "$TOTAL" > "$COST_FILE"
+
+# Estimate cost
+COST=$(echo "scale=4; $TOTAL * $COST_PER_M / 1000000" | bc 2>/dev/null || echo "0")
+COST_CENTS=$(echo "scale=0; $TOTAL * $COST_PER_M / 10000" | bc 2>/dev/null || echo "0")
+
+# Check thresholds
+BLOCK_CENTS=$(echo "scale=0; $BLOCK_THRESHOLD * 100" | bc 2>/dev/null || echo "500")
+WARN_CENTS=$(echo "scale=0; $WARN_THRESHOLD * 100" | bc 2>/dev/null || echo "100")
+
+if [ "$COST_CENTS" -ge "$BLOCK_CENTS" ] 2>/dev/null; then
+    echo "BLOCKED: Estimated session cost \$${COST} exceeds \$${BLOCK_THRESHOLD} limit." >&2
+    echo "  Estimated tokens used: ${TOTAL}" >&2
+    echo "  Override: CC_COST_BLOCK=$((BLOCK_THRESHOLD * 2))" >&2
+    exit 2
+elif [ "$COST_CENTS" -ge "$WARN_CENTS" ] 2>/dev/null; then
+    echo "WARNING: Estimated session cost \$${COST} approaching \$${BLOCK_THRESHOLD} limit." >&2
+fi
+
+exit 0

package/examples/session-memory-watchdog.sh

@@ -1,6 +1,15 @@
 MAX_RSS_MB="${CC_MAX_RSS_MB:-4096}"
 CHECK_INTERVAL=300
+PID_FILE="/tmp/cc-memory-watchdog.pid"
+
+# Prevent duplicate instances — only one watchdog should run at a time
+if [ -f "$PID_FILE" ] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
+    exit 0
+fi
+
 (
+    echo $$ > "$PID_FILE"
+    trap 'rm -f "$PID_FILE"' EXIT
     while true; do
         sleep "$CHECK_INTERVAL"
         pgrep -f "claude" | while read pid; do

package/examples/settings-integrity-monitor.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+# settings-integrity-monitor.sh — Detect unexpected settings.json changes
+# Trigger: PreToolUse
+# Matcher: (empty — runs on every tool use)
+#
+# The /model command silently rewrites settings.json from scratch,
+# removing sandbox restrictions and hook configurations.
+# See: https://github.com/anthropics/claude-code/issues/44791
+#
+# This hook maintains a checksum of settings.json and warns when
+# it changes outside your control. It also creates automatic backups
+# so you can restore your configuration.
+#
+# TRIGGER: PreToolUse  MATCHER: ""
+
+SETTINGS="${CLAUDE_SETTINGS_FILE:-$HOME/.claude/settings.json}"
+BACKUP_DIR="$HOME/.claude/settings-backups"
+CHECKSUM_FILE="$BACKUP_DIR/.checksum"
+
+# Exit silently if settings.json doesn't exist
+[ -f "$SETTINGS" ] || exit 0
+
+mkdir -p "$BACKUP_DIR"
+
+CURRENT_HASH=$(sha256sum "$SETTINGS" 2>/dev/null | cut -d' ' -f1)
+
+if [ ! -f "$CHECKSUM_FILE" ]; then
+    # First run: save baseline
+    echo "$CURRENT_HASH" > "$CHECKSUM_FILE"
+    cp "$SETTINGS" "$BACKUP_DIR/settings.json.baseline"
+    exit 0
+fi
+
+SAVED_HASH=$(cat "$CHECKSUM_FILE" 2>/dev/null)
+
+if [ "$CURRENT_HASH" != "$SAVED_HASH" ]; then
+    # Settings changed — create timestamped backup of PREVIOUS version
+    TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+    if [ -f "$BACKUP_DIR/settings.json.latest" ]; then
+        cp "$BACKUP_DIR/settings.json.latest" "$BACKUP_DIR/settings.json.$TIMESTAMP"
+    fi
+    # Save current as latest
+    cp "$SETTINGS" "$BACKUP_DIR/settings.json.latest"
+    echo "$CURRENT_HASH" > "$CHECKSUM_FILE"
+
+    # Count hooks in old vs new
+    OLD_HOOKS=$(jq '[.hooks | to_entries[].value[].hooks[]?] | length' "$BACKUP_DIR/settings.json.$TIMESTAMP" 2>/dev/null || echo "?")
+    NEW_HOOKS=$(jq '[.hooks | to_entries[].value[].hooks[]?] | length' "$SETTINGS" 2>/dev/null || echo "?")
+
+    echo "⚠ settings.json was modified (hooks: $OLD_HOOKS → $NEW_HOOKS)" >&2
+    echo "  Backup saved: $BACKUP_DIR/settings.json.$TIMESTAMP" >&2
+    echo "  Restore: cp $BACKUP_DIR/settings.json.$TIMESTAMP $SETTINGS" >&2
+fi
+
+exit 0

package/examples/settings-json-model-guard.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+# settings-json-model-guard.sh — Backup settings.json before /model changes
+#
+# Solves: The /model slash command rewrites settings.json completely,
+# wiping all hook configurations and custom settings. (#46921)
+#
+# How it works: PreToolUse(Bash) detects commands that modify
+# settings.json (especially from /model). Creates a timestamped
+# backup before allowing the write. If hooks are lost after the
+# write, the PostToolUse phase restores them.
+#
+# Usage: Add TWO hooks
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Edit|Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/settings-json-model-guard.sh" }]
+#     }],
+#     "PostToolUse": [{
+#       "matcher": "Edit|Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/settings-json-model-guard.sh" }]
+#     }]
+#   }
+# }
+#
+# TRIGGER: PreToolUse+PostToolUse  MATCHER: "Edit|Write"
+
+set -euo pipefail
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+HOOK_EVENT=$(echo "$INPUT" | jq -r '.hook_event_name // empty' 2>/dev/null)
+
+# Only care about settings.json writes
+case "$FILE" in
+    */.claude/settings.json|*/.claude/settings.local.json) ;;
+    *) exit 0 ;;
+esac
+
+BACKUP_DIR="$HOME/.claude/settings-backups"
+mkdir -p "$BACKUP_DIR"
+
+SETTINGS_FILE="$FILE"
+[ ! -f "$SETTINGS_FILE" ] && exit 0
+
+# --- PreToolUse: backup before modification ---
+if [[ "$HOOK_EVENT" == "PreToolUse" ]]; then
+    TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+    BASENAME=$(basename "$SETTINGS_FILE" .json)
+    BACKUP="$BACKUP_DIR/${BASENAME}-pre-model-${TIMESTAMP}.json"
+    cp "$SETTINGS_FILE" "$BACKUP"
+
+    # Count hooks in current settings
+    HOOK_COUNT=$(jq '[.hooks // {} | to_entries[] | .value[] | .hooks // [] | length] | add // 0' "$SETTINGS_FILE" 2>/dev/null || echo 0)
+    if [ "$HOOK_COUNT" -gt 0 ]; then
+        echo "Settings backup created: $BACKUP ($HOOK_COUNT hooks preserved)" >&2
+        # Store hook count for PostToolUse comparison
+        echo "$HOOK_COUNT" > "/tmp/cc-settings-hook-count-pre"
+    fi
+    exit 0
+fi
+
+# --- PostToolUse: verify hooks survived ---
+if [[ "$HOOK_EVENT" == "PostToolUse" ]]; then
+    PRE_COUNT_FILE="/tmp/cc-settings-hook-count-pre"
+    [ ! -f "$PRE_COUNT_FILE" ] && exit 0
+
+    PRE_COUNT=$(cat "$PRE_COUNT_FILE" 2>/dev/null || echo 0)
+    rm -f "$PRE_COUNT_FILE"
+
+    [ "$PRE_COUNT" -eq 0 ] && exit 0
+
+    # Count hooks after modification
+    POST_COUNT=$(jq '[.hooks // {} | to_entries[] | .value[] | .hooks // [] | length] | add // 0' "$SETTINGS_FILE" 2>/dev/null || echo 0)
+
+    if [ "$POST_COUNT" -lt "$PRE_COUNT" ]; then
+        LATEST_BACKUP=$(ls -t "$BACKUP_DIR"/settings-pre-model-*.json 2>/dev/null | head -1)
+        echo "WARNING: Hook count dropped from $PRE_COUNT to $POST_COUNT after settings modification!" >&2
+        echo "  This typically happens when /model rewrites settings.json." >&2
+        if [ -n "$LATEST_BACKUP" ]; then
+            echo "  Restore hooks: jq -s '.[0] * {hooks: .[1].hooks}' '$SETTINGS_FILE' '$LATEST_BACKUP' > /tmp/merged.json && mv /tmp/merged.json '$SETTINGS_FILE'" >&2
+        fi
+    fi
+    exit 0
+fi
+
+exit 0

package/examples/shell-config-truncation-guard.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+# shell-config-truncation-guard.sh — Block writes that would truncate shell config files
+#
+# Solves: Claude Code installer auto-update truncating ~/.bash_profile and
+# ~/.zshrc to 0 bytes, destroying all user shell configuration (#49615).
+# Also catches Claude itself attempting to overwrite these files with
+# minimal or empty content.
+#
+# How it works: PreToolUse hook intercepts Write/Bash operations targeting
+# shell config files. If the new content would be significantly shorter
+# than the existing file (>60% reduction), the operation is blocked.
+# Empty/near-empty writes are always blocked.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash|Write"
+#
+# Usage:
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash|Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/shell-config-truncation-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+
+# Shell config files to protect
+PROTECTED_FILES=(
+    "$HOME/.bashrc"
+    "$HOME/.bash_profile"
+    "$HOME/.zshrc"
+    "$HOME/.zprofile"
+    "$HOME/.profile"
+    "$HOME/.zshenv"
+)
+
+check_file_truncation() {
+    local target_file="$1"
+    local new_size="$2"
+
+    for protected in "${PROTECTED_FILES[@]}"; do
+        if [ "$target_file" = "$protected" ] || [ "$(realpath "$target_file" 2>/dev/null)" = "$(realpath "$protected" 2>/dev/null)" ]; then
+            if [ ! -f "$protected" ]; then
+                return 0
+            fi
+            local current_size
+            current_size=$(wc -c < "$protected" 2>/dev/null || echo 0)
+
+            # Block if writing 0 bytes or near-empty (< 10 bytes)
+            if [ "$new_size" -lt 10 ] && [ "$current_size" -gt 50 ]; then
+                echo "BLOCKED: Attempted to truncate $protected to $new_size bytes (current: $current_size bytes)" >&2
+                echo "This would destroy your shell configuration. See: github.com/anthropics/claude-code/issues/49615" >&2
+                exit 2
+            fi
+
+            # Block if >60% size reduction
+            if [ "$current_size" -gt 100 ]; then
+                local threshold=$((current_size * 40 / 100))
+                if [ "$new_size" -lt "$threshold" ]; then
+                    echo "BLOCKED: Write to $protected would reduce size by >60% ($current_size → $new_size bytes)" >&2
+                    echo "If intentional, back up first: cp $protected ${protected}.bak" >&2
+                    exit 2
+                fi
+            fi
+            return 0
+        fi
+    done
+    return 0
+}
+
+if [ "$TOOL" = "Write" ]; then
+    FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+    CONTENT=$(echo "$INPUT" | jq -r '.tool_input.content // empty' 2>/dev/null)
+    if [ -n "$FILE_PATH" ]; then
+        NEW_SIZE=${#CONTENT}
+        check_file_truncation "$FILE_PATH" "$NEW_SIZE"
+    fi
+elif [ "$TOOL" = "Bash" ]; then
+    COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+    [ -z "$COMMAND" ] && exit 0
+
+    # Detect redirect truncation: > ~/.bashrc, >~/.zshrc, etc.
+    for protected in "${PROTECTED_FILES[@]}"; do
+        base=$(basename "$protected")
+        # Match: > file, >file, truncate file, : > file, echo "" > file
+        if echo "$COMMAND" | grep -qE "(^|[;&|])\s*(>|truncate\s+-s\s*0|:\s*>)\s*~?(/[^;]*)?${base}"; then
+            echo "BLOCKED: Command would truncate $protected" >&2
+            echo "If intentional, back up first: cp $protected ${protected}.bak" >&2
+            exit 2
+        fi
+    done
+fi
+
+exit 0

package/examples/shell-wrapper-guard.sh

@@ -34,8 +34,8 @@ if echo "$COMMAND" | grep -qE '(sh|bash|zsh|dash)\s+-c\s+'; then
 fi
 
 # === Check 2: Python one-liners ===
-if echo "$COMMAND" | grep -qE 'python[23]?\s+-c\s+'; then
-    INNER=$(echo "$COMMAND" | sed -E "s/.*python[23]?\s+-c\s+['\"]?//" | sed "s/['\"]?\s*$//")
+if echo "$COMMAND" | grep -qE 'python[23]?(\.[0-9]+)?\s+-c\s+'; then
+    INNER=$(echo "$COMMAND" | sed -E "s/.*python[23]?(\.[0-9]+)?\s+-c\s+['\"]?//" | sed "s/['\"]?\s*$//")
     if echo "$INNER" | grep -qiE "os\.system\(.*($DESTRUCT_PATTERN)|subprocess\.(run|call|Popen)\(.*($DESTRUCT_PATTERN)|shutil\.rmtree\s*\(\s*['\"/~]"; then
         echo "BLOCKED: Destructive command in Python one-liner" >&2
         exit 2
@@ -69,9 +69,9 @@ if echo "$COMMAND" | grep -qE '(sh|bash)\s+-c\s+.*(sh|bash)\s+-c'; then
 fi
 
 # === Check 6: Pipe to shell (echo "rm -rf /" | sh) ===
-if echo "$COMMAND" | grep -qE '\|\s*(sh|bash|zsh)\s*$'; then
+if echo "$COMMAND" | grep -qE '\|\s*(sh|bash|zsh)(\s|$)'; then
     # Extract the piped content
-    PIPED=$(echo "$COMMAND" | sed -E 's/\s*\|\s*(sh|bash|zsh)\s*$//')
+    PIPED=$(echo "$COMMAND" | sed -E 's/\s*\|\s*(sh|bash|zsh)(\s.*)?$//')
     if echo "$PIPED" | grep -qE "$DESTRUCT_PATTERN"; then
         echo "BLOCKED: Destructive command piped to shell" >&2
         exit 2

package/examples/subagent-spawn-rate-monitor.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# subagent-spawn-rate-monitor.sh — サブエージェントの過剰spawn検知
+# Why: サブエージェントは毎回spawnされるたびに~4.7Kトークンがcache_creation
+#      (1.25xコスト)として課金される。spawn-heavyなワークフローでは線形に増大し、
+#      ユーザーが気づかないうちにquotaを消耗する (#50213, #46968)
+# Event: PreToolUse  MATCHER: Agent
+# Action: 短時間に多数のAgent spawnがあれば警告
+
+COUNTER_FILE="/tmp/cc-subagent-spawn-counter"
+WINDOW_FILE="/tmp/cc-subagent-spawn-window"
+THRESHOLD=5      # この回数を超えたら警告
+WINDOW_SECS=300  # 5分間のウィンドウ
+
+NOW=$(date +%s)
+WINDOW_START=$(cat "$WINDOW_FILE" 2>/dev/null || echo "$NOW")
+COUNT=$(cat "$COUNTER_FILE" 2>/dev/null || echo "0")
+
+# ウィンドウ期限切れならリセット
+ELAPSED=$((NOW - WINDOW_START))
+if [ "$ELAPSED" -gt "$WINDOW_SECS" ]; then
+  COUNT=0
+  echo "$NOW" > "$WINDOW_FILE"
+fi
+
+COUNT=$((COUNT + 1))
+echo "$COUNT" > "$COUNTER_FILE"
+
+if [ "$COUNT" -gt "$THRESHOLD" ]; then
+  echo "⚠ HIGH SUBAGENT SPAWN RATE: $COUNT agents spawned in ${ELAPSED}s" >&2
+  echo "Each spawn costs ~4.7K tokens at 1.25x rate (no cache_control)." >&2
+  echo "Consider batching tasks or using fewer parallel agents. See: #50213" >&2
+fi
+
+exit 0

package/examples/subcommand-chain-guard.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# subcommand-chain-guard.sh — Block commands with excessive subcommand chains
+#
+# Solves: Claude Code silently ignores deny rules when a command contains
+# 50+ subcommands (MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50).
+# Attackers chain 50 no-op "true" commands before a dangerous command
+# to bypass all security checks. (Adversa AI / CVE disclosure, April 2026)
+#
+# How it works: Counts semicolon-separated and &&/|| chained subcommands.
+# If the count exceeds a threshold (default: 20), blocks execution.
+# This catches the exploit well before the 50-command limit.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+
+set -euo pipefail
+
+THRESHOLD=${CC_SUBCOMMAND_LIMIT:-20}
+
+INPUT=$(cat)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$CMD" ] && exit 0
+
+# Count subcommands: split on ; && ||
+# Use tr to normalize separators, then count
+SUBCOMMAND_COUNT=$(echo "$CMD" | tr ';' '\n' | tr '&' '\n' | tr '|' '\n' | grep -c '[^ ]' 2>/dev/null || echo 1)
+
+if [ "$SUBCOMMAND_COUNT" -gt "$THRESHOLD" ]; then
+    echo "BLOCKED: Command contains $SUBCOMMAND_COUNT subcommands (limit: $THRESHOLD)." >&2
+    echo "  Claude Code ignores deny rules after 50 subcommands (CVE disclosure)." >&2
+    echo "  This hook blocks at $THRESHOLD to prevent security bypass." >&2
+    echo "  Override: CC_SUBCOMMAND_LIMIT=100 (not recommended)" >&2
+    exit 2
+fi
+
+# Also detect the specific attack pattern: many "true" or ":" no-ops
+NOOP_COUNT=$(echo "$CMD" | grep -oE '\btrue\b|^:|;\s*:' | wc -l 2>/dev/null || echo 0)
+if [ "$NOOP_COUNT" -gt 10 ]; then
+    echo "BLOCKED: Suspicious pattern — $NOOP_COUNT no-op commands detected." >&2
+    echo "  This resembles the subcommand-chain attack (50x true + dangerous cmd)." >&2
+    exit 2
+fi
+
+exit 0