npm - cc-safe-setup - Versions diffs - 29.6.8 → 29.6.10 - Mend

cc-safe-setup 29.6.8 → 29.6.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/examples/no-force-flag.sh +41 -0
package/examples/output-credential-scan.sh +26 -0
package/package.json +2 -2

package/examples/no-force-flag.sh ADDED Viewed

@@ -0,0 +1,41 @@
+#!/bin/bash
+# ================================================================
+# no-force-flag.sh — Block dangerous --force flags
+# ================================================================
+# PURPOSE:
+#   --force flags bypass safety checks in package managers and git.
+#   This hook blocks common dangerous --force patterns:
+#   - npm install --force (ignores peer dependency conflicts)
+#   - pip install --force-reinstall (skips cache, wastes time)
+#   - git push --force (overwrites remote history)
+#   - docker system prune --force (removes all unused data)
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+# ================================================================
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+# npm install --force / --legacy-peer-deps
+if echo "$COMMAND" | grep -qE 'npm\s+install.*--force|npm\s+i\s.*--force'; then
+    echo "BLOCKED: npm install --force bypasses peer dependency checks." >&2
+    echo "Fix the dependency conflict instead of forcing." >&2
+    exit 2
+fi
+# git push --force (not --force-with-lease)
+if echo "$COMMAND" | grep -qE 'git\s+push.*--force($|\s)' && ! echo "$COMMAND" | grep -q 'force-with-lease'; then
+    echo "BLOCKED: git push --force can destroy remote history." >&2
+    echo "Use --force-with-lease for safer force-push." >&2
+    exit 2
+fi
+# docker system prune --force
+if echo "$COMMAND" | grep -qE 'docker\s+(system\s+)?prune.*-f|docker\s+(system\s+)?prune.*--force'; then
+    echo "BLOCKED: docker prune --force removes all unused data without confirmation." >&2
+    exit 2
+fi
+exit 0

package/examples/output-credential-scan.sh ADDED Viewed

@@ -0,0 +1,26 @@
+#!/bin/bash
+# ================================================================
+# output-credential-scan.sh — Detect credentials in command output
+# ================================================================
+# PURPOSE:
+#   Claude Code can accidentally expose credentials by running
+#   commands like `env`, `cat .env`, or `printenv`. This PostToolUse
+#   hook scans stdout for common credential patterns and warns.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Bash"
+# ================================================================
+INPUT=$(cat)
+STDOUT=$(echo "$INPUT" | jq -r '.tool_result.stdout // empty' 2>/dev/null)
+[ -z "$STDOUT" ] && exit 0
+# Check for common credential patterns in output
+if echo "$STDOUT" | grep -qiE '(sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36}|AKIA[A-Z0-9]{16}|xox[bpsa]-[a-zA-Z0-9-]+|eyJ[a-zA-Z0-9_-]+\.eyJ)'; then
+    echo "⚠ Possible credential detected in command output!" >&2
+    echo "  This output may contain API keys, tokens, or secrets." >&2
+    echo "  Avoid sharing this output or committing it to version control." >&2
+fi
+exit 0

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.8",
-  "description": "One command to make Claude Code safe. 418 example hooks + 8 built-in. 52 CLI commands. 5646 tests. Works with Auto Mode.",
+  "version": "29.6.10",
+  "description": "One command to make Claude Code safe. 420 example hooks + 8 built-in. 52 CLI commands. 5662 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"