cc-safe-setup 3.3.0 → 3.5.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.**
 
-Not just a destructive command blocker — 8 hooks covering safety, quality, monitoring, and developer experience.
+8 built-in hooks + 32 installable examples. Audit, create, lint, diff, watch, and learn. [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/cheatsheet.html) · [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Troubleshooting](TROUBLESHOOTING.md)
 
 ```bash
 npx cc-safe-setup
@@ -218,11 +218,17 @@ Or browse all available examples in [`examples/`](examples/):
 - **tmp-cleanup.sh** — Clean up accumulated `/tmp/claude-*-cwd` files on session end ([#8856](https://github.com/anthropics/claude-code/issues/8856))
 - **session-checkpoint.sh** — Save session state to mission file before context compaction ([#37866](https://github.com/anthropics/claude-code/issues/37866))
 - **verify-before-commit.sh** — Block git commit when lint/test commands haven't been run ([#37818](https://github.com/anthropics/claude-code/issues/37818))
+- **hook-debug-wrapper.sh** — Wrap any hook to log input/output/exit code/timing to `~/.claude/hook-debug.log`
+- **loop-detector.sh** — Detect and break command repetition loops (warn at 3, block at 5 repeats)
 
 ## Safety Checklist
 
 **[SAFETY_CHECKLIST.md](SAFETY_CHECKLIST.md)** — Copy-paste checklist for before/during/after autonomous sessions.
 
+## Troubleshooting
+
+**[TROUBLESHOOTING.md](TROUBLESHOOTING.md)** — "Hook doesn't work" → step-by-step diagnosis. Covers every common failure pattern.
+
 ## settings.json Reference
 
 **[SETTINGS_REFERENCE.md](SETTINGS_REFERENCE.md)** — Complete reference for permissions, hooks, modes, and common configurations. Includes known limitations and workarounds.

package/TROUBLESHOOTING.md

@@ -0,0 +1,212 @@
+# Troubleshooting Claude Code Hooks
+
+Your hook isn't working. Here's how to fix it, starting with the most common causes.
+
+## Quick Diagnosis
+
+```bash
+npx cc-safe-setup --doctor
+```
+
+This checks jq, settings.json, file permissions, shebangs, and common misconfigurations. If it says "All checks passed" but hooks still don't fire, read on.
+
+## "Hook doesn't block anything"
+
+### 1. Did you restart Claude Code?
+
+Hooks are loaded on startup. After installing or modifying hooks, close Claude Code completely and reopen it.
+
+### 2. Is the hook registered in settings.json?
+
+```bash
+cat ~/.claude/settings.json | jq '.hooks'
+```
+
+You should see your hook's path under the correct trigger. If not:
+
+```bash
+npx cc-safe-setup  # Re-registers all hooks
+```
+
+### 3. Is the hook file executable?
+
+```bash
+ls -la ~/.claude/hooks/your-hook.sh
+# Should show -rwxr-xr-x
+```
+
+Fix: `chmod +x ~/.claude/hooks/your-hook.sh`
+
+### 4. Is jq installed?
+
+Most hooks use jq to parse JSON input.
+
+```bash
+jq --version
+# Should print: jq-1.x
+```
+
+Install: `brew install jq` (macOS) / `apt install jq` (Linux/WSL)
+
+### 5. Does the hook work manually?
+
+Test it outside Claude Code:
+
+```bash
+echo '{"tool_input":{"command":"rm -rf /"}}' | bash ~/.claude/hooks/destructive-guard.sh
+echo $?
+# Should print: 2 (blocked)
+```
+
+If exit code is 0, the hook isn't matching the pattern.
+
+### 6. Wrong exit code
+
+| Exit Code | Meaning |
+|-----------|---------|
+| **0** | Allow (or no opinion) |
+| **2** | Block — the only code that stops execution |
+| **1** | Error (treated as allow, not block!) |
+
+Common mistake: using `exit 1` instead of `exit 2` to block. Only exit 2 blocks.
+
+## "Hook blocks everything"
+
+### 1. Overly broad grep pattern
+
+```bash
+# BAD: matches ANY command containing "rm"
+grep -q 'rm'
+
+# GOOD: matches only rm with -rf flags
+grep -qE 'rm\s+(-[rf]+\s+)*/'
+```
+
+### 2. Missing empty-input guard
+
+Every hook should handle empty input:
+
+```bash
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0  # ← This line is critical
+```
+
+Without this, the hook may exit 2 on tools that don't have `.tool_input.command` (like Read or Glob).
+
+### 3. Wrong matcher
+
+If your hook is for Bash commands but the matcher is empty, it runs on every tool call:
+
+```json
+{"matcher": "Bash"}      ← Correct: only Bash commands
+{"matcher": ""}           ← Runs on EVERY tool (Read, Edit, Glob, etc.)
+```
+
+## "Hook fires but doesn't auto-approve"
+
+### 1. JSON output format is wrong
+
+Auto-approve requires exact JSON structure:
+
+```json
+{
+  "hookSpecificOutput": {
+    "hookEventName": "PreToolUse",
+    "permissionDecision": "allow",
+    "permissionDecisionReason": "your reason"
+  }
+}
+```
+
+Missing any field = permission system ignores it.
+
+### 2. jq output is going to stderr
+
+```bash
+# BAD: output goes to stderr
+jq -n '...' >&2
+
+# GOOD: output goes to stdout
+jq -n '...'
+```
+
+Auto-approve JSON must go to stdout.
+
+## "Permission prompts still appear for compound commands"
+
+This is a known Claude Code limitation, not a hook issue. `Bash(git:*)` doesn't match `cd /path && git log`.
+
+Fix:
+
+```bash
+npx cc-safe-setup --install-example compound-command-approver
+```
+
+## "Hooks slow down Claude Code"
+
+### 1. Check execution time
+
+```bash
+npx cc-safe-setup --install-example hook-debug-wrapper
+# Then wrap your slow hook to see timing
+```
+
+Hooks should complete in <50ms. If a hook takes >200ms, it's noticeable.
+
+### 2. Too many hooks on empty matcher
+
+Hooks with `"matcher": ""` run on every single tool call. Move heavy checks to specific matchers:
+
+```json
+{"matcher": "Bash"}        ← Only when Bash runs
+{"matcher": "Edit|Write"}  ← Only when files are edited
+```
+
+### 3. Use --lint to find issues
+
+```bash
+npx cc-safe-setup --lint
+```
+
+Reports performance warnings and configuration issues.
+
+## "Hooks work locally but not for teammates"
+
+### 1. Compare settings
+
+```bash
+npx cc-safe-setup --diff teammate-settings.json
+```
+
+Shows exactly what's different between your setups.
+
+### 2. Export and share
+
+```bash
+npx cc-safe-setup --export   # Creates cc-safe-setup-export.json
+# Send to teammate
+npx cc-safe-setup --import cc-safe-setup-export.json
+```
+
+### 3. Different jq versions
+
+Some hooks use jq features not available in older versions. Check: `jq --version`
+
+## "Hooks run but don't log"
+
+Hooks write to stderr for user-visible messages. For persistent logging:
+
+```bash
+# Add to your hook
+LOG="$HOME/.claude/blocked-commands.log"
+echo "[$(date -Iseconds)] BLOCKED: reason | cmd: $COMMAND" >> "$LOG"
+```
+
+Then view with: `npx cc-safe-setup --watch` or `npx cc-safe-setup --stats`
+
+## Still Stuck?
+
+1. Wrap the hook with debug wrapper: `npx cc-safe-setup --install-example hook-debug-wrapper`
+2. Check `~/.claude/hook-debug.log` for detailed I/O traces
+3. Run `npx cc-safe-setup --doctor` for automated checks
+4. Open an issue: [cc-safe-setup issues](https://github.com/yurukusa/cc-safe-setup/issues)

package/audit-web/index.html

@@ -598,6 +598,21 @@ exit 0`
 
   return scripts[id] || '#!/bin/bash\nexit 0';
 }
+
+// Auto-load from URL parameter: ?config=base64encodedJSON
+(function() {
+  const params = new URLSearchParams(window.location.search);
+  const config = params.get('config');
+  if (config) {
+    try {
+      const json = atob(config);
+      document.getElementById('settings').value = json;
+      runAudit();
+    } catch(e) {
+      console.error('Invalid config parameter');
+    }
+  }
+})();
 </script>
 </body>
 </html>

package/docs/index.html

@@ -598,6 +598,21 @@ exit 0`
 
   return scripts[id] || '#!/bin/bash\nexit 0';
 }
+
+// Auto-load from URL parameter: ?config=base64encodedJSON
+(function() {
+  const params = new URLSearchParams(window.location.search);
+  const config = params.get('config');
+  if (config) {
+    try {
+      const json = atob(config);
+      document.getElementById('settings').value = json;
+      runAudit();
+    } catch(e) {
+      console.error('Invalid config parameter');
+    }
+  }
+})();
 </script>
 </body>
 </html>

package/examples/commit-quality-gate.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+# ================================================================
+# commit-quality-gate.sh — Enforce commit message quality
+# ================================================================
+# PURPOSE:
+#   Claude Code generates commit messages that are often too long,
+#   too vague ("update code"), or contain the full diff summary.
+#   This hook enforces minimum quality standards.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# CHECKS:
+#   1. Subject line length (max 72 chars, warn at 50)
+#   2. No vague subjects ("update", "fix", "changes", "misc")
+#   3. No mega-commits (subject line shouldn't list 5+ changes)
+#   4. Body line length (max 72 chars per line)
+#   5. No empty subject line
+#
+# CONFIGURATION:
+#   CC_COMMIT_MAX_SUBJECT=72
+#   CC_COMMIT_WARN_SUBJECT=50
+# ================================================================
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$COMMAND" ]]; then
+    exit 0
+fi
+
+# Only check git commit commands
+if ! echo "$COMMAND" | grep -qE '^\s*git\s+commit'; then
+    exit 0
+fi
+
+# Skip --amend (modifying existing) and --allow-empty
+if echo "$COMMAND" | grep -qE '\-\-amend|\-\-allow-empty'; then
+    exit 0
+fi
+
+# Extract commit message
+MSG=""
+if echo "$COMMAND" | grep -qE '\-m\s'; then
+    # -m "message" or -m 'message'
+    MSG=$(echo "$COMMAND" | grep -oP "\-m\s+['\"]?\K[^'\"]+(?=['\"]?)" | head -1)
+fi
+
+if [[ -z "$MSG" ]]; then
+    exit 0  # No inline message (might use editor)
+fi
+
+MAX_SUBJECT="${CC_COMMIT_MAX_SUBJECT:-72}"
+WARN_SUBJECT="${CC_COMMIT_WARN_SUBJECT:-50}"
+
+# Get subject line (first line before any newline)
+SUBJECT=$(echo "$MSG" | head -1)
+SUBJECT_LEN=${#SUBJECT}
+
+# Check 1: Empty subject
+if [[ -z "$SUBJECT" ]] || [[ "$SUBJECT_LEN" -lt 3 ]]; then
+    echo "WARNING: Commit subject is empty or too short." >&2
+    exit 0  # Warn only
+fi
+
+# Check 2: Subject too long
+if [[ "$SUBJECT_LEN" -gt "$MAX_SUBJECT" ]]; then
+    echo "WARNING: Commit subject is $SUBJECT_LEN chars (max $MAX_SUBJECT)." >&2
+    echo "Subject: $(echo "$SUBJECT" | head -c 80)..." >&2
+    echo "Tip: Keep the subject under $MAX_SUBJECT chars. Use the body for details." >&2
+fi
+
+# Check 3: Vague subjects
+SUBJECT_LOWER=$(echo "$SUBJECT" | tr '[:upper:]' '[:lower:]')
+VAGUE_PATTERNS="^(update|fix|change|misc|wip|tmp|test|stuff|things|minor|cleanup)$|^(update|fix|change)\s+(code|file|stuff|things)$"
+if echo "$SUBJECT_LOWER" | grep -qiE "$VAGUE_PATTERNS"; then
+    echo "WARNING: Commit subject is too vague: \"$SUBJECT\"" >&2
+    echo "Be specific about what changed and why." >&2
+fi
+
+# Check 4: Mega-commit (too many changes listed)
+COMMA_COUNT=$(echo "$SUBJECT" | grep -o ',' | wc -l)
+AND_COUNT=$(echo "$SUBJECT_LOWER" | grep -o ' and ' | wc -l)
+if [[ $((COMMA_COUNT + AND_COUNT)) -ge 4 ]]; then
+    echo "WARNING: Commit subject lists many changes. Consider splitting into smaller commits." >&2
+    echo "Subject: $(echo "$SUBJECT" | head -c 80)" >&2
+fi
+
+exit 0

package/examples/hook-debug-wrapper.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+# ================================================================
+# hook-debug-wrapper.sh — Debug wrapper for any Claude Code hook
+# ================================================================
+# PURPOSE:
+#   Wraps any existing hook script and logs its input, output,
+#   exit code, and execution time. Invaluable for debugging hooks
+#   that silently fail or produce unexpected results.
+#
+# USAGE:
+#   Instead of:
+#     "command": "~/.claude/hooks/destructive-guard.sh"
+#   Use:
+#     "command": "~/.claude/hooks/hook-debug-wrapper.sh ~/.claude/hooks/destructive-guard.sh"
+#
+#   Or set CC_HOOK_DEBUG=1 to log all hooks (requires wrapper for each).
+#
+# WHAT IT LOGS:
+#   - Timestamp
+#   - Hook script path
+#   - Input JSON (truncated to 500 chars)
+#   - Exit code
+#   - stdout (truncated)
+#   - stderr (truncated)
+#   - Execution time in ms
+#
+# LOG LOCATION: ~/.claude/hook-debug.log
+#
+# TRIGGER: Any (wraps any hook)
+# MATCHER: Any
+# ================================================================
+
+HOOK_SCRIPT="$1"
+DEBUG_LOG="${CC_HOOK_DEBUG_LOG:-$HOME/.claude/hook-debug.log}"
+
+if [[ -z "$HOOK_SCRIPT" ]] || [[ ! -f "$HOOK_SCRIPT" ]]; then
+    echo "Usage: hook-debug-wrapper.sh <hook-script>" >&2
+    exit 0
+fi
+
+# Read input
+INPUT=$(cat)
+
+# Record start time
+START_MS=$(($(date +%s%N) / 1000000))
+
+# Run the actual hook, capturing all output
+STDOUT_FILE=$(mktemp)
+STDERR_FILE=$(mktemp)
+echo "$INPUT" | bash "$HOOK_SCRIPT" > "$STDOUT_FILE" 2> "$STDERR_FILE"
+EXIT_CODE=$?
+
+END_MS=$(($(date +%s%N) / 1000000))
+ELAPSED=$((END_MS - START_MS))
+
+# Read outputs
+STDOUT_CONTENT=$(cat "$STDOUT_FILE")
+STDERR_CONTENT=$(cat "$STDERR_FILE")
+rm -f "$STDOUT_FILE" "$STDERR_FILE"
+
+# Log
+HOOK_NAME=$(basename "$HOOK_SCRIPT")
+INPUT_PREVIEW=$(echo "$INPUT" | head -c 500)
+STDOUT_PREVIEW=$(echo "$STDOUT_CONTENT" | head -c 300)
+STDERR_PREVIEW=$(echo "$STDERR_CONTENT" | head -c 300)
+
+mkdir -p "$(dirname "$DEBUG_LOG")" 2>/dev/null
+{
+    echo "=== $(date -Iseconds) === ${HOOK_NAME} ==="
+    echo "exit: ${EXIT_CODE} (${ELAPSED}ms)"
+    if [[ -n "$STDERR_PREVIEW" ]]; then
+        echo "stderr: ${STDERR_PREVIEW}"
+    fi
+    if [[ -n "$STDOUT_PREVIEW" ]]; then
+        echo "stdout: ${STDOUT_PREVIEW}"
+    fi
+    echo "input: ${INPUT_PREVIEW}"
+    echo ""
+} >> "$DEBUG_LOG"
+
+# Pass through the original output
+if [[ -n "$STDOUT_CONTENT" ]]; then
+    echo "$STDOUT_CONTENT"
+fi
+if [[ -n "$STDERR_CONTENT" ]]; then
+    echo "$STDERR_CONTENT" >&2
+fi
+
+exit "$EXIT_CODE"

package/examples/loop-detector.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# ================================================================
+# loop-detector.sh — Detect and break command repetition loops
+# ================================================================
+# PURPOSE:
+#   Claude Code sometimes gets stuck repeating the same command
+#   or cycle of commands. This hook detects repetition and warns
+#   before the loop wastes context and time.
+#
+# HOW IT WORKS:
+#   1. Records last N commands in a state file
+#   2. Checks if the current command matches recent commands
+#   3. If same command appears 3+ times in last 5 calls → warn
+#   4. If same command appears 5+ times → block
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# CONFIGURATION:
+#   CC_LOOP_WARN=3    — warn after this many repeats (default: 3)
+#   CC_LOOP_BLOCK=5   — block after this many repeats (default: 5)
+#   CC_LOOP_WINDOW=10 — number of recent commands to track (default: 10)
+# ================================================================
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$COMMAND" ]]; then
+    exit 0
+fi
+
+STATE_FILE="/tmp/cc-loop-detector-history"
+WARN_THRESHOLD="${CC_LOOP_WARN:-3}"
+BLOCK_THRESHOLD="${CC_LOOP_BLOCK:-5}"
+WINDOW="${CC_LOOP_WINDOW:-10}"
+
+# Normalize command (strip whitespace variations)
+NORMALIZED=$(echo "$COMMAND" | sed 's/[[:space:]]\+/ /g; s/^ //; s/ $//')
+
+# Record command
+echo "$NORMALIZED" >> "$STATE_FILE"
+
+# Keep only last N entries
+if [ -f "$STATE_FILE" ]; then
+    tail -n "$WINDOW" "$STATE_FILE" > "${STATE_FILE}.tmp"
+    mv "${STATE_FILE}.tmp" "$STATE_FILE"
+fi
+
+# Count occurrences of current command in history
+COUNT=$(grep -cF "$NORMALIZED" "$STATE_FILE" 2>/dev/null || echo 0)
+
+if [ "$COUNT" -ge "$BLOCK_THRESHOLD" ]; then
+    echo "BLOCKED: Command repeated $COUNT times in last $WINDOW calls." >&2
+    echo "" >&2
+    echo "Command: $COMMAND" >&2
+    echo "" >&2
+    echo "This looks like an infinite loop. Try a different approach." >&2
+    echo "To reset: rm /tmp/cc-loop-detector-history" >&2
+    exit 2
+elif [ "$COUNT" -ge "$WARN_THRESHOLD" ]; then
+    echo "WARNING: Command repeated $COUNT times. Possible loop." >&2
+    echo "Command: $(echo "$COMMAND" | head -c 100)" >&2
+fi
+
+exit 0

package/index.mjs

@@ -80,6 +80,9 @@ const IMPORT_FILE = IMPORT_IDX !== -1 ? process.argv[IMPORT_IDX + 1] : null;
 const STATS = process.argv.includes('--stats');
 const JSON_OUTPUT = process.argv.includes('--json');
 const LINT = process.argv.includes('--lint');
+const DIFF_IDX = process.argv.findIndex(a => a === '--diff');
+const DIFF_FILE = DIFF_IDX !== -1 ? process.argv[DIFF_IDX + 1] : null;
+const SHARE = process.argv.includes('--share');
 const CREATE_IDX = process.argv.findIndex(a => a === '--create');
 const CREATE_DESC = CREATE_IDX !== -1 ? process.argv.slice(CREATE_IDX + 1).join(' ') : null;
 
@@ -101,6 +104,8 @@ if (HELP) {
     npx cc-safe-setup --audit --json  Machine-readable output for CI/CD
     npx cc-safe-setup --scan       Detect tech stack, recommend hooks
     npx cc-safe-setup --learn      Learn from your block history
+    npx cc-safe-setup --share         Generate shareable URL for your setup
+    npx cc-safe-setup --diff <file>   Compare your settings with another file
     npx cc-safe-setup --lint       Static analysis of hook configuration
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --watch      Live dashboard of blocked commands
@@ -316,6 +321,8 @@ function examples() {
       'test-before-push.sh': 'Block git push when tests have not passed',
       'timeout-guard.sh': 'Warn before long-running commands (servers, watchers)',
       'git-config-guard.sh': 'Block git config --global modifications',
+      'case-sensitive-guard.sh': 'Detect case-insensitive FS collisions (exFAT/NTFS/HFS+)',
+      'compound-command-approver.sh': 'Auto-approve safe compound commands (cd && git log)',
     },
     'Auto-Approve': {
       'auto-approve-build.sh': 'Auto-approve npm/yarn/cargo/go build, test, lint',
@@ -336,15 +343,19 @@ function examples() {
     'Recovery': {
       'auto-checkpoint.sh': 'Auto-commit after edits for rollback protection',
       'auto-snapshot.sh': 'Auto-save file snapshots before edits (rollback protection)',
+      'session-checkpoint.sh': 'Save session state before context compaction',
     },
     'UX': {
       'notify-waiting.sh': 'Desktop notification when Claude waits for input',
+      'tmp-cleanup.sh': 'Clean up /tmp/claude-*-cwd files on session end',
+      'hook-debug-wrapper.sh': 'Wrap any hook to log input/output/exit/timing',
+      'loop-detector.sh': 'Detect and break command repetition loops',
     },
   };
 
   console.log();
   console.log(c.bold + '  cc-safe-setup --examples' + c.reset);
-  console.log(c.dim + '  25 hooks beyond the 8 built-in ones' + c.reset);
+  console.log(c.dim + '  30 hooks beyond the 8 built-in ones' + c.reset);
   console.log();
 
   for (const [cat, hooks] of Object.entries(CATEGORIES)) {
@@ -769,6 +780,147 @@ async function fullSetup() {
   console.log();
 }
 
+function share() {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --share' + c.reset);
+  console.log();
+
+  if (!existsSync(SETTINGS_PATH)) {
+    console.log(c.red + '  No settings.json found.' + c.reset);
+    process.exit(1);
+  }
+
+  const settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8'));
+
+  // Strip sensitive data — only keep hooks and permissions structure
+  const shareable = {
+    hooks: settings.hooks || {},
+    permissions: settings.permissions || {},
+    defaultMode: settings.defaultMode,
+  };
+
+  // Remove full file paths, keep only script names
+  for (const trigger of Object.keys(shareable.hooks)) {
+    for (const entry of shareable.hooks[trigger]) {
+      for (const h of (entry.hooks || [])) {
+        if (h.command) {
+          // Keep only the filename
+          h.command = h.command.split('/').pop();
+        }
+      }
+    }
+  }
+
+  const json = JSON.stringify(shareable);
+  const encoded = Buffer.from(json).toString('base64');
+  const url = 'https://yurukusa.github.io/cc-safe-setup/?config=' + encoded;
+
+  console.log(c.green + '  Shareable URL:' + c.reset);
+  console.log();
+  console.log('  ' + url);
+  console.log();
+  console.log(c.dim + '  Anyone with this URL can audit your hook setup in their browser.' + c.reset);
+  console.log(c.dim + '  Only hook names and permissions are shared (no file paths or secrets).' + c.reset);
+  console.log();
+}
+
+function diff(otherFile) {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --diff' + c.reset);
+  console.log();
+
+  if (!existsSync(otherFile)) {
+    console.log(c.red + '  File not found: ' + otherFile + c.reset);
+    process.exit(1);
+  }
+
+  if (!existsSync(SETTINGS_PATH)) {
+    console.log(c.red + '  No local settings.json found.' + c.reset);
+    process.exit(1);
+  }
+
+  let local, other;
+  try { local = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8')); } catch { console.log(c.red + '  Cannot parse local settings.json' + c.reset); process.exit(1); }
+  try { other = JSON.parse(readFileSync(otherFile, 'utf-8')); } catch { console.log(c.red + '  Cannot parse ' + otherFile + c.reset); process.exit(1); }
+
+  const getHookCommands = (settings, trigger) => {
+    return (settings.hooks?.[trigger] || []).flatMap(e => (e.hooks || []).map(h => {
+      const cmd = h.command || '';
+      return cmd.split('/').pop().replace(/\.sh$|\.js$|\.py$/, '');
+    }));
+  };
+
+  const getAllow = (settings) => settings.permissions?.allow || [];
+  const getDeny = (settings) => settings.permissions?.deny || [];
+
+  console.log(c.dim + '  Local: ' + SETTINGS_PATH + c.reset);
+  console.log(c.dim + '  Other: ' + otherFile + c.reset);
+  console.log();
+
+  // Compare hooks
+  const triggers = [...new Set([...Object.keys(local.hooks || {}), ...Object.keys(other.hooks || {})])];
+
+  let diffs = 0;
+  for (const trigger of triggers) {
+    const localHooks = new Set(getHookCommands(local, trigger));
+    const otherHooks = new Set(getHookCommands(other, trigger));
+
+    const onlyLocal = [...localHooks].filter(h => !otherHooks.has(h));
+    const onlyOther = [...otherHooks].filter(h => !localHooks.has(h));
+    const both = [...localHooks].filter(h => otherHooks.has(h));
+
+    if (onlyLocal.length > 0 || onlyOther.length > 0) {
+      console.log(c.bold + '  ' + trigger + c.reset);
+      for (const h of both) console.log(c.dim + '    = ' + h + c.reset);
+      for (const h of onlyLocal) { console.log(c.green + '    + ' + h + ' (local only)' + c.reset); diffs++; }
+      for (const h of onlyOther) { console.log(c.red + '    - ' + h + ' (other only)' + c.reset); diffs++; }
+      console.log();
+    }
+  }
+
+  // Compare permissions
+  const localAllow = getAllow(local);
+  const otherAllow = getAllow(other);
+  const onlyLocalAllow = localAllow.filter(a => !otherAllow.includes(a));
+  const onlyOtherAllow = otherAllow.filter(a => !localAllow.includes(a));
+
+  if (onlyLocalAllow.length > 0 || onlyOtherAllow.length > 0) {
+    console.log(c.bold + '  permissions.allow' + c.reset);
+    for (const a of onlyLocalAllow) { console.log(c.green + '    + ' + a + ' (local only)' + c.reset); diffs++; }
+    for (const a of onlyOtherAllow) { console.log(c.red + '    - ' + a + ' (other only)' + c.reset); diffs++; }
+    console.log();
+  }
+
+  // Compare deny
+  const localDeny = getDeny(local);
+  const otherDeny = getDeny(other);
+  const onlyLocalDeny = localDeny.filter(a => !otherDeny.includes(a));
+  const onlyOtherDeny = otherDeny.filter(a => !localDeny.includes(a));
+
+  if (onlyLocalDeny.length > 0 || onlyOtherDeny.length > 0) {
+    console.log(c.bold + '  permissions.deny' + c.reset);
+    for (const d of onlyLocalDeny) { console.log(c.green + '    + ' + d + ' (local only)' + c.reset); diffs++; }
+    for (const d of onlyOtherDeny) { console.log(c.red + '    - ' + d + ' (other only)' + c.reset); diffs++; }
+    console.log();
+  }
+
+  // Compare mode
+  if ((local.defaultMode || 'default') !== (other.defaultMode || 'default')) {
+    console.log(c.bold + '  defaultMode' + c.reset);
+    console.log(c.green + '    local: ' + (local.defaultMode || 'default') + c.reset);
+    console.log(c.red + '    other: ' + (other.defaultMode || 'default') + c.reset);
+    console.log();
+    diffs++;
+  }
+
+  if (diffs === 0) {
+    console.log(c.green + '  No differences found.' + c.reset);
+  } else {
+    console.log(c.dim + '  ' + diffs + ' difference(s) found.' + c.reset);
+  }
+  console.log();
+}
+
 async function lint() {
   console.log();
   console.log(c.bold + '  cc-safe-setup --lint' + c.reset);
@@ -1832,6 +1984,8 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (SHARE) return share();
+  if (DIFF_FILE) return diff(DIFF_FILE);
   if (LINT) return lint();
   if (CREATE_DESC) return createHook(CREATE_DESC);
   if (STATS) return stats();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "3.3.0",
-  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 30 installable examples. Destructive blocker, branch guard, compound command approver, database wipe protection, tmp cleanup, and more.",
+  "version": "3.5.0",
+  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 33 examples. Create, audit, lint, diff, share, watch, learn. 2,500+ daily npm downloads.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"