npm - cc-safe-setup - Versions diffs - 3.2.0 → 3.2.1 - Mend

cc-safe-setup 3.2.0 → 3.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -215,6 +215,7 @@ Or browse all available examples in [`examples/`](examples/):
 - **path-traversal-guard.sh** — Block Edit/Write with `../../` path traversal and system directories
 - **case-sensitive-guard.sh** — Detect case-insensitive filesystems (exFAT, NTFS, HFS+) and block rm/mkdir that would collide due to case folding ([#37875](https://github.com/anthropics/claude-code/issues/37875))
 - **compound-command-approver.sh** — Auto-approve safe compound commands (`cd && git log`, `cd && npm test`) that the permission system can't match ([#30519](https://github.com/anthropics/claude-code/issues/30519) [#16561](https://github.com/anthropics/claude-code/issues/16561))
+- **tmp-cleanup.sh** — Clean up accumulated `/tmp/claude-*-cwd` files on session end ([#8856](https://github.com/anthropics/claude-code/issues/8856))
 ## Safety Checklist
@@ -234,6 +235,7 @@ Or browse all available examples in [`examples/`](examples/):
 - [Hooks Cookbook](https://github.com/yurukusa/claude-code-hooks/blob/main/COOKBOOK.md) — 19 ready-to-use recipes from real GitHub Issues
 - [Japanese guide (Qiita)](https://qiita.com/yurukusa/items/a9714b33f5d974e8f1e8) — この記事の日本語解説
 - [Hook Test Runner](https://github.com/yurukusa/cc-hook-test) — `npx cc-hook-test <hook.sh>` to auto-test any hook
+- [Hooks Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/cheatsheet.html) — printable A4 quick reference
 - [Ecosystem Comparison](https://yurukusa.github.io/cc-safe-setup/ecosystem.html) — all Claude Code hook projects compared
 - [The incident that inspired this tool](https://github.com/anthropics/claude-code/issues/36339) — NTFS junction rm -rf

package/docs/cheatsheet.html ADDED Viewed

@@ -0,0 +1,187 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Claude Code Hooks Cheat Sheet</title>
+<style>
+@media print { body { padding: 0; background: #fff; color: #000; font-size: 9px; } .no-print { display: none; } h1 { font-size: 14px; } h2 { font-size: 11px; } pre { font-size: 8px; border: 1px solid #ccc; } .col { break-inside: avoid; } }
+@media screen { body { background: #0d1117; color: #c9d1d9; padding: 1rem; } pre { background: #161b22; border: 1px solid #30363d; } h1 { color: #f0f6fc; } h2 { color: #f0f6fc; } a { color: #58a6ff; } }
+* { box-sizing: border-box; margin: 0; padding: 0; }
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', monospace; font-size: 11px; line-height: 1.4; }
+.container { max-width: 900px; margin: 0 auto; columns: 2; column-gap: 1.5rem; }
+h1 { font-size: 16px; margin-bottom: 0.3rem; text-align: center; column-span: all; }
+.subtitle { text-align: center; margin-bottom: 0.8rem; font-size: 10px; opacity: 0.7; column-span: all; }
+h2 { font-size: 12px; margin: 0.6rem 0 0.3rem; border-bottom: 1px solid #30363d; padding-bottom: 0.15rem; }
+pre { padding: 0.4rem; border-radius: 4px; overflow-x: auto; font-size: 9.5px; margin: 0.2rem 0 0.4rem; white-space: pre-wrap; word-break: break-all; }
+.col { break-inside: avoid; margin-bottom: 0.3rem; }
+table { width: 100%; border-collapse: collapse; font-size: 9.5px; margin: 0.2rem 0; }
+th, td { text-align: left; padding: 0.15rem 0.3rem; border-bottom: 1px solid #21262d; }
+th { font-weight: 600; }
+code { font-size: 9px; padding: 0.1rem 0.2rem; border-radius: 2px; }
+@media screen { code { background: #161b22; } }
+.footer { text-align: center; font-size: 8px; opacity: 0.5; margin-top: 0.5rem; column-span: all; }
+</style>
+</head>
+<body>
+<h1>Claude Code Hooks Cheat Sheet</h1>
+<p class="subtitle">Quick reference · Print this page (Ctrl+P) · <a href="https://github.com/yurukusa/cc-safe-setup" class="no-print">github.com/yurukusa/cc-safe-setup</a></p>
+<div class="container">
+<div class="col">
+<h2>Hook Lifecycle</h2>
+<pre>Prompt → PreToolUse → Tool Executes → PostToolUse → Stop
+         ↑ block here                  ↑ check here    ↑ log here</pre>
+</div>
+<div class="col">
+<h2>Exit Codes</h2>
+<table>
+<tr><th>Code</th><th>Meaning</th></tr>
+<tr><td><code>0</code></td><td>Allow (or no opinion)</td></tr>
+<tr><td><code>2</code></td><td><strong>Block</strong> — tool call cancelled</td></tr>
+<tr><td>other</td><td>Error (treated as allow)</td></tr>
+</table>
+</div>
+<div class="col">
+<h2>Hook Events</h2>
+<table>
+<tr><th>Event</th><th>Matcher</th><th>Use</th></tr>
+<tr><td>PreToolUse</td><td>Bash</td><td>Block commands</td></tr>
+<tr><td>PostToolUse</td><td>Edit|Write</td><td>Syntax check</td></tr>
+<tr><td>PostToolUse</td><td>(empty)</td><td>All tools</td></tr>
+<tr><td>Stop</td><td>(empty)</td><td>Session end</td></tr>
+<tr><td>UserPromptSubmit</td><td>—</td><td>Validate input</td></tr>
+</table>
+</div>
+<div class="col">
+<h2>settings.json Structure</h2>
+<pre>{
+  "hooks": {
+    "PreToolUse": [{
+      "matcher": "Bash",
+      "hooks": [{
+        "type": "command",
+        "command": "~/.claude/hooks/guard.sh"
+      }]
+    }]
+  }
+}</pre>
+</div>
+<div class="col">
+<h2>Minimal Block Hook</h2>
+<pre>#!/bin/bash
+COMMAND=$(cat | jq -r '.tool_input.command // empty')
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE 'PATTERN'; then
+    echo "BLOCKED: reason" >&2
+    exit 2
+fi
+exit 0</pre>
+</div>
+<div class="col">
+<h2>Auto-Approve Hook</h2>
+<pre>#!/bin/bash
+COMMAND=$(cat | jq -r '.tool_input.command // empty')
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '^\s*git\s+(status|log|diff)'; then
+    jq -n '{
+      "hookSpecificOutput": {
+        "hookEventName": "PreToolUse",
+        "permissionDecision": "allow"
+      }
+    }'
+fi
+exit 0</pre>
+</div>
+<div class="col">
+<h2>PostToolUse Syntax Check</h2>
+<pre>#!/bin/bash
+FILE=$(cat | jq -r '.tool_input.file_path // empty')
+[ -z "$FILE" ] || [ ! -f "$FILE" ] && exit 0
+case "${FILE##*.}" in
+  py) python3 -m py_compile "$FILE" 2>&1 ;;
+  sh) bash -n "$FILE" 2>&1 ;;
+  json) jq empty "$FILE" 2>&1 ;;
+  js) node --check "$FILE" 2>&1 ;;
+esac
+exit 0</pre>
+</div>
+<div class="col">
+<h2>Modify Input</h2>
+<pre>#!/bin/bash
+# Strip comments from bash commands
+COMMAND=$(cat | jq -r '.tool_input.command // empty')
+CLEAN=$(echo "$COMMAND" | sed '/^#/d; /^$/d')
+[ "$CLEAN" = "$COMMAND" ] && exit 0
+jq -n --arg cmd "$CLEAN" '{
+  "hookSpecificOutput": {
+    "hookEventName": "PreToolUse",
+    "updatedInput": {"command": $cmd}
+  }
+}'</pre>
+</div>
+<div class="col">
+<h2>stdin JSON Reference</h2>
+<table>
+<tr><th>Event</th><th>Key Fields</th></tr>
+<tr><td>PreToolUse (Bash)</td><td><code>.tool_input.command</code></td></tr>
+<tr><td>PreToolUse (Edit)</td><td><code>.tool_input.file_path</code></td></tr>
+<tr><td>PostToolUse</td><td><code>.tool_input.file_path</code></td></tr>
+<tr><td>Stop</td><td><code>.stop_reason</code></td></tr>
+<tr><td>UserPromptSubmit</td><td><code>.prompt</code></td></tr>
+</table>
+</div>
+<div class="col">
+<h2>Test a Hook</h2>
+<pre># Manual test
+echo '{"tool_input":{"command":"rm -rf /"}}' \
+  | bash ~/.claude/hooks/guard.sh
+echo $?  # 2 = blocked
+# Auto-test
+npx cc-hook-test ~/.claude/hooks/guard.sh</pre>
+</div>
+<div class="col">
+<h2>Quick Setup Commands</h2>
+<table>
+<tr><td><code>npx cc-safe-setup</code></td><td>Install 8 hooks</td></tr>
+<tr><td><code>--create "desc"</code></td><td>Generate hook</td></tr>
+<tr><td><code>--audit</code></td><td>Safety score</td></tr>
+<tr><td><code>--lint</code></td><td>Config analysis</td></tr>
+<tr><td><code>--doctor</code></td><td>Diagnose issues</td></tr>
+<tr><td><code>--watch</code></td><td>Live dashboard</td></tr>
+<tr><td><code>--stats</code></td><td>Block statistics</td></tr>
+<tr><td><code>--verify</code></td><td>Test all hooks</td></tr>
+<tr><td><code>--export</code></td><td>Share with team</td></tr>
+</table>
+</div>
+<div class="col">
+<h2>Common Patterns</h2>
+<table>
+<tr><th>Block</th><th>Pattern</th></tr>
+<tr><td>rm -rf /</td><td><code>rm\s+(-[rf]+\s+)*/</code></td></tr>
+<tr><td>force push</td><td><code>git\s+push.*--force</code></td></tr>
+<tr><td>push main</td><td><code>git\s+push.*main</code></td></tr>
+<tr><td>.env commit</td><td><code>git\s+add.*\.env</code></td></tr>
+<tr><td>git reset</td><td><code>git\s+reset\s+--hard</code></td></tr>
+<tr><td>DB wipe</td><td><code>migrate:fresh|DROP\s+DB</code></td></tr>
+</table>
+</div>
+</div>
+<p class="footer">cc-safe-setup v3.2.0 · 20 recipes: <a href="https://github.com/yurukusa/claude-code-hooks/blob/main/COOKBOOK.md" class="no-print">COOKBOOK.md</a> · Full ref: <a href="https://github.com/yurukusa/cc-safe-setup/blob/main/SETTINGS_REFERENCE.md" class="no-print">SETTINGS_REFERENCE.md</a></p>
+</body>
+</html>

package/examples/tmp-cleanup.sh ADDED Viewed

@@ -0,0 +1,36 @@
+#!/bin/bash
+# ================================================================
+# tmp-cleanup.sh — Clean up /tmp/claude-*-cwd temp files
+# ================================================================
+# PURPOSE:
+#   Claude Code creates /tmp/claude-{hex}-cwd files to track working
+#   directory changes but never deletes them. Over time, thousands
+#   accumulate.
+#
+#   This hook runs on session end and cleans up stale files.
+#
+#   GitHub #8856 (67 reactions, 102 comments) — the most reported
+#   resource leak in Claude Code.
+#
+# TRIGGER: Stop
+# MATCHER: ""
+#
+# WHAT IT CLEANS:
+#   - /tmp/claude-*-cwd (working directory tracking files, ~22 bytes each)
+#   - Only files older than 1 hour (to avoid cleaning active sessions)
+#
+# WHAT IT DOES NOT CLEAN:
+#   - /tmp/claude-* directories (may be in use by other sessions)
+#   - Any non-claude temp files
+# ================================================================
+# Clean up stale cwd tracking files (older than 60 minutes)
+find /tmp -maxdepth 1 -name 'claude-*-cwd' -type f -mmin +60 -delete 2>/dev/null
+# Count remaining (for logging)
+REMAINING=$(find /tmp -maxdepth 1 -name 'claude-*-cwd' -type f 2>/dev/null | wc -l)
+if [ "$REMAINING" -gt 100 ]; then
+    echo "NOTE: $REMAINING claude-*-cwd files remain in /tmp (active sessions)" >&2
+fi
+exit 0

package/index.mjs CHANGED Viewed

@@ -93,7 +93,7 @@ if (HELP) {
     npx cc-safe-setup --verify     Test each hook with sample inputs
     npx cc-safe-setup --dry-run    Preview without installing
     npx cc-safe-setup --uninstall  Remove all installed hooks
-    npx cc-safe-setup --examples   List 27 example hooks (5 categories)
+    npx cc-safe-setup --examples   List 28 example hooks (5 categories)
     npx cc-safe-setup --install-example <name>  Install a specific example
     npx cc-safe-setup --full       Complete setup: hooks + scan + audit + badge
     npx cc-safe-setup --audit      Safety score (0-100) with fixes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "3.2.0",
+  "version": "3.2.1",
   "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 27 installable examples. Destructive blocker, branch guard, compound command approver, database wipe protection, and more.",
   "main": "index.mjs",
   "bin": {