cc-safe-setup 29.6.9 → 29.6.10

package/examples/output-credential-scan.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+# ================================================================
+# output-credential-scan.sh — Detect credentials in command output
+# ================================================================
+# PURPOSE:
+#   Claude Code can accidentally expose credentials by running
+#   commands like `env`, `cat .env`, or `printenv`. This PostToolUse
+#   hook scans stdout for common credential patterns and warns.
+#
+# TRIGGER: PostToolUse
+# MATCHER: "Bash"
+# ================================================================
+
+INPUT=$(cat)
+STDOUT=$(echo "$INPUT" | jq -r '.tool_result.stdout // empty' 2>/dev/null)
+
+[ -z "$STDOUT" ] && exit 0
+
+# Check for common credential patterns in output
+if echo "$STDOUT" | grep -qiE '(sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36}|AKIA[A-Z0-9]{16}|xox[bpsa]-[a-zA-Z0-9-]+|eyJ[a-zA-Z0-9_-]+\.eyJ)'; then
+    echo "⚠ Possible credential detected in command output!" >&2
+    echo "  This output may contain API keys, tokens, or secrets." >&2
+    echo "  Avoid sharing this output or committing it to version control." >&2
+fi
+
+exit 0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "29.6.9",
-  "description": "One command to make Claude Code safe. 419 example hooks + 8 built-in. 52 CLI commands. 5655 tests. Works with Auto Mode.",
+  "version": "29.6.10",
+  "description": "One command to make Claude Code safe. 420 example hooks + 8 built-in. 52 CLI commands. 5662 tests. Works with Auto Mode.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"