cc-safe-setup 3.4.0 → 3.6.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.**
 
-Not just a destructive command blocker — 8 hooks covering safety, quality, monitoring, and developer experience.
+8 built-in hooks + 32 installable examples. Audit, create, lint, diff, watch, and learn. [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/cheatsheet.html) · [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Troubleshooting](TROUBLESHOOTING.md)
 
 ```bash
 npx cc-safe-setup
@@ -218,11 +218,17 @@ Or browse all available examples in [`examples/`](examples/):
 - **tmp-cleanup.sh** — Clean up accumulated `/tmp/claude-*-cwd` files on session end ([#8856](https://github.com/anthropics/claude-code/issues/8856))
 - **session-checkpoint.sh** — Save session state to mission file before context compaction ([#37866](https://github.com/anthropics/claude-code/issues/37866))
 - **verify-before-commit.sh** — Block git commit when lint/test commands haven't been run ([#37818](https://github.com/anthropics/claude-code/issues/37818))
+- **hook-debug-wrapper.sh** — Wrap any hook to log input/output/exit code/timing to `~/.claude/hook-debug.log`
+- **loop-detector.sh** — Detect and break command repetition loops (warn at 3, block at 5 repeats)
 
 ## Safety Checklist
 
 **[SAFETY_CHECKLIST.md](SAFETY_CHECKLIST.md)** — Copy-paste checklist for before/during/after autonomous sessions.
 
+## Troubleshooting
+
+**[TROUBLESHOOTING.md](TROUBLESHOOTING.md)** — "Hook doesn't work" → step-by-step diagnosis. Covers every common failure pattern.
+
 ## settings.json Reference
 
 **[SETTINGS_REFERENCE.md](SETTINGS_REFERENCE.md)** — Complete reference for permissions, hooks, modes, and common configurations. Includes known limitations and workarounds.

package/TROUBLESHOOTING.md

@@ -0,0 +1,212 @@
+# Troubleshooting Claude Code Hooks
+
+Your hook isn't working. Here's how to fix it, starting with the most common causes.
+
+## Quick Diagnosis
+
+```bash
+npx cc-safe-setup --doctor
+```
+
+This checks jq, settings.json, file permissions, shebangs, and common misconfigurations. If it says "All checks passed" but hooks still don't fire, read on.
+
+## "Hook doesn't block anything"
+
+### 1. Did you restart Claude Code?
+
+Hooks are loaded on startup. After installing or modifying hooks, close Claude Code completely and reopen it.
+
+### 2. Is the hook registered in settings.json?
+
+```bash
+cat ~/.claude/settings.json | jq '.hooks'
+```
+
+You should see your hook's path under the correct trigger. If not:
+
+```bash
+npx cc-safe-setup  # Re-registers all hooks
+```
+
+### 3. Is the hook file executable?
+
+```bash
+ls -la ~/.claude/hooks/your-hook.sh
+# Should show -rwxr-xr-x
+```
+
+Fix: `chmod +x ~/.claude/hooks/your-hook.sh`
+
+### 4. Is jq installed?
+
+Most hooks use jq to parse JSON input.
+
+```bash
+jq --version
+# Should print: jq-1.x
+```
+
+Install: `brew install jq` (macOS) / `apt install jq` (Linux/WSL)
+
+### 5. Does the hook work manually?
+
+Test it outside Claude Code:
+
+```bash
+echo '{"tool_input":{"command":"rm -rf /"}}' | bash ~/.claude/hooks/destructive-guard.sh
+echo $?
+# Should print: 2 (blocked)
+```
+
+If exit code is 0, the hook isn't matching the pattern.
+
+### 6. Wrong exit code
+
+| Exit Code | Meaning |
+|-----------|---------|
+| **0** | Allow (or no opinion) |
+| **2** | Block — the only code that stops execution |
+| **1** | Error (treated as allow, not block!) |
+
+Common mistake: using `exit 1` instead of `exit 2` to block. Only exit 2 blocks.
+
+## "Hook blocks everything"
+
+### 1. Overly broad grep pattern
+
+```bash
+# BAD: matches ANY command containing "rm"
+grep -q 'rm'
+
+# GOOD: matches only rm with -rf flags
+grep -qE 'rm\s+(-[rf]+\s+)*/'
+```
+
+### 2. Missing empty-input guard
+
+Every hook should handle empty input:
+
+```bash
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0  # ← This line is critical
+```
+
+Without this, the hook may exit 2 on tools that don't have `.tool_input.command` (like Read or Glob).
+
+### 3. Wrong matcher
+
+If your hook is for Bash commands but the matcher is empty, it runs on every tool call:
+
+```json
+{"matcher": "Bash"}      ← Correct: only Bash commands
+{"matcher": ""}           ← Runs on EVERY tool (Read, Edit, Glob, etc.)
+```
+
+## "Hook fires but doesn't auto-approve"
+
+### 1. JSON output format is wrong
+
+Auto-approve requires exact JSON structure:
+
+```json
+{
+  "hookSpecificOutput": {
+    "hookEventName": "PreToolUse",
+    "permissionDecision": "allow",
+    "permissionDecisionReason": "your reason"
+  }
+}
+```
+
+Missing any field = permission system ignores it.
+
+### 2. jq output is going to stderr
+
+```bash
+# BAD: output goes to stderr
+jq -n '...' >&2
+
+# GOOD: output goes to stdout
+jq -n '...'
+```
+
+Auto-approve JSON must go to stdout.
+
+## "Permission prompts still appear for compound commands"
+
+This is a known Claude Code limitation, not a hook issue. `Bash(git:*)` doesn't match `cd /path && git log`.
+
+Fix:
+
+```bash
+npx cc-safe-setup --install-example compound-command-approver
+```
+
+## "Hooks slow down Claude Code"
+
+### 1. Check execution time
+
+```bash
+npx cc-safe-setup --install-example hook-debug-wrapper
+# Then wrap your slow hook to see timing
+```
+
+Hooks should complete in <50ms. If a hook takes >200ms, it's noticeable.
+
+### 2. Too many hooks on empty matcher
+
+Hooks with `"matcher": ""` run on every single tool call. Move heavy checks to specific matchers:
+
+```json
+{"matcher": "Bash"}        ← Only when Bash runs
+{"matcher": "Edit|Write"}  ← Only when files are edited
+```
+
+### 3. Use --lint to find issues
+
+```bash
+npx cc-safe-setup --lint
+```
+
+Reports performance warnings and configuration issues.
+
+## "Hooks work locally but not for teammates"
+
+### 1. Compare settings
+
+```bash
+npx cc-safe-setup --diff teammate-settings.json
+```
+
+Shows exactly what's different between your setups.
+
+### 2. Export and share
+
+```bash
+npx cc-safe-setup --export   # Creates cc-safe-setup-export.json
+# Send to teammate
+npx cc-safe-setup --import cc-safe-setup-export.json
+```
+
+### 3. Different jq versions
+
+Some hooks use jq features not available in older versions. Check: `jq --version`
+
+## "Hooks run but don't log"
+
+Hooks write to stderr for user-visible messages. For persistent logging:
+
+```bash
+# Add to your hook
+LOG="$HOME/.claude/blocked-commands.log"
+echo "[$(date -Iseconds)] BLOCKED: reason | cmd: $COMMAND" >> "$LOG"
+```
+
+Then view with: `npx cc-safe-setup --watch` or `npx cc-safe-setup --stats`
+
+## Still Stuck?
+
+1. Wrap the hook with debug wrapper: `npx cc-safe-setup --install-example hook-debug-wrapper`
+2. Check `~/.claude/hook-debug.log` for detailed I/O traces
+3. Run `npx cc-safe-setup --doctor` for automated checks
+4. Open an issue: [cc-safe-setup issues](https://github.com/yurukusa/cc-safe-setup/issues)

package/audit-web/index.html

@@ -598,6 +598,21 @@ exit 0`
 
   return scripts[id] || '#!/bin/bash\nexit 0';
 }
+
+// Auto-load from URL parameter: ?config=base64encodedJSON
+(function() {
+  const params = new URLSearchParams(window.location.search);
+  const config = params.get('config');
+  if (config) {
+    try {
+      const json = atob(config);
+      document.getElementById('settings').value = json;
+      runAudit();
+    } catch(e) {
+      console.error('Invalid config parameter');
+    }
+  }
+})();
 </script>
 </body>
 </html>

package/docs/index.html

@@ -598,6 +598,21 @@ exit 0`
 
   return scripts[id] || '#!/bin/bash\nexit 0';
 }
+
+// Auto-load from URL parameter: ?config=base64encodedJSON
+(function() {
+  const params = new URLSearchParams(window.location.search);
+  const config = params.get('config');
+  if (config) {
+    try {
+      const json = atob(config);
+      document.getElementById('settings').value = json;
+      runAudit();
+    } catch(e) {
+      console.error('Invalid config parameter');
+    }
+  }
+})();
 </script>
 </body>
 </html>

package/examples/commit-quality-gate.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+# ================================================================
+# commit-quality-gate.sh — Enforce commit message quality
+# ================================================================
+# PURPOSE:
+#   Claude Code generates commit messages that are often too long,
+#   too vague ("update code"), or contain the full diff summary.
+#   This hook enforces minimum quality standards.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# CHECKS:
+#   1. Subject line length (max 72 chars, warn at 50)
+#   2. No vague subjects ("update", "fix", "changes", "misc")
+#   3. No mega-commits (subject line shouldn't list 5+ changes)
+#   4. Body line length (max 72 chars per line)
+#   5. No empty subject line
+#
+# CONFIGURATION:
+#   CC_COMMIT_MAX_SUBJECT=72
+#   CC_COMMIT_WARN_SUBJECT=50
+# ================================================================
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$COMMAND" ]]; then
+    exit 0
+fi
+
+# Only check git commit commands
+if ! echo "$COMMAND" | grep -qE '^\s*git\s+commit'; then
+    exit 0
+fi
+
+# Skip --amend (modifying existing) and --allow-empty
+if echo "$COMMAND" | grep -qE '\-\-amend|\-\-allow-empty'; then
+    exit 0
+fi
+
+# Extract commit message
+MSG=""
+if echo "$COMMAND" | grep -qE '\-m\s'; then
+    # -m "message" or -m 'message'
+    MSG=$(echo "$COMMAND" | grep -oP "\-m\s+['\"]?\K[^'\"]+(?=['\"]?)" | head -1)
+fi
+
+if [[ -z "$MSG" ]]; then
+    exit 0  # No inline message (might use editor)
+fi
+
+MAX_SUBJECT="${CC_COMMIT_MAX_SUBJECT:-72}"
+WARN_SUBJECT="${CC_COMMIT_WARN_SUBJECT:-50}"
+
+# Get subject line (first line before any newline)
+SUBJECT=$(echo "$MSG" | head -1)
+SUBJECT_LEN=${#SUBJECT}
+
+# Check 1: Empty subject
+if [[ -z "$SUBJECT" ]] || [[ "$SUBJECT_LEN" -lt 3 ]]; then
+    echo "WARNING: Commit subject is empty or too short." >&2
+    exit 0  # Warn only
+fi
+
+# Check 2: Subject too long
+if [[ "$SUBJECT_LEN" -gt "$MAX_SUBJECT" ]]; then
+    echo "WARNING: Commit subject is $SUBJECT_LEN chars (max $MAX_SUBJECT)." >&2
+    echo "Subject: $(echo "$SUBJECT" | head -c 80)..." >&2
+    echo "Tip: Keep the subject under $MAX_SUBJECT chars. Use the body for details." >&2
+fi
+
+# Check 3: Vague subjects
+SUBJECT_LOWER=$(echo "$SUBJECT" | tr '[:upper:]' '[:lower:]')
+VAGUE_PATTERNS="^(update|fix|change|misc|wip|tmp|test|stuff|things|minor|cleanup)$|^(update|fix|change)\s+(code|file|stuff|things)$"
+if echo "$SUBJECT_LOWER" | grep -qiE "$VAGUE_PATTERNS"; then
+    echo "WARNING: Commit subject is too vague: \"$SUBJECT\"" >&2
+    echo "Be specific about what changed and why." >&2
+fi
+
+# Check 4: Mega-commit (too many changes listed)
+COMMA_COUNT=$(echo "$SUBJECT" | grep -o ',' | wc -l)
+AND_COUNT=$(echo "$SUBJECT_LOWER" | grep -o ' and ' | wc -l)
+if [[ $((COMMA_COUNT + AND_COUNT)) -ge 4 ]]; then
+    echo "WARNING: Commit subject lists many changes. Consider splitting into smaller commits." >&2
+    echo "Subject: $(echo "$SUBJECT" | head -c 80)" >&2
+fi
+
+exit 0

package/examples/hook-debug-wrapper.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+# ================================================================
+# hook-debug-wrapper.sh — Debug wrapper for any Claude Code hook
+# ================================================================
+# PURPOSE:
+#   Wraps any existing hook script and logs its input, output,
+#   exit code, and execution time. Invaluable for debugging hooks
+#   that silently fail or produce unexpected results.
+#
+# USAGE:
+#   Instead of:
+#     "command": "~/.claude/hooks/destructive-guard.sh"
+#   Use:
+#     "command": "~/.claude/hooks/hook-debug-wrapper.sh ~/.claude/hooks/destructive-guard.sh"
+#
+#   Or set CC_HOOK_DEBUG=1 to log all hooks (requires wrapper for each).
+#
+# WHAT IT LOGS:
+#   - Timestamp
+#   - Hook script path
+#   - Input JSON (truncated to 500 chars)
+#   - Exit code
+#   - stdout (truncated)
+#   - stderr (truncated)
+#   - Execution time in ms
+#
+# LOG LOCATION: ~/.claude/hook-debug.log
+#
+# TRIGGER: Any (wraps any hook)
+# MATCHER: Any
+# ================================================================
+
+HOOK_SCRIPT="$1"
+DEBUG_LOG="${CC_HOOK_DEBUG_LOG:-$HOME/.claude/hook-debug.log}"
+
+if [[ -z "$HOOK_SCRIPT" ]] || [[ ! -f "$HOOK_SCRIPT" ]]; then
+    echo "Usage: hook-debug-wrapper.sh <hook-script>" >&2
+    exit 0
+fi
+
+# Read input
+INPUT=$(cat)
+
+# Record start time
+START_MS=$(($(date +%s%N) / 1000000))
+
+# Run the actual hook, capturing all output
+STDOUT_FILE=$(mktemp)
+STDERR_FILE=$(mktemp)
+echo "$INPUT" | bash "$HOOK_SCRIPT" > "$STDOUT_FILE" 2> "$STDERR_FILE"
+EXIT_CODE=$?
+
+END_MS=$(($(date +%s%N) / 1000000))
+ELAPSED=$((END_MS - START_MS))
+
+# Read outputs
+STDOUT_CONTENT=$(cat "$STDOUT_FILE")
+STDERR_CONTENT=$(cat "$STDERR_FILE")
+rm -f "$STDOUT_FILE" "$STDERR_FILE"
+
+# Log
+HOOK_NAME=$(basename "$HOOK_SCRIPT")
+INPUT_PREVIEW=$(echo "$INPUT" | head -c 500)
+STDOUT_PREVIEW=$(echo "$STDOUT_CONTENT" | head -c 300)
+STDERR_PREVIEW=$(echo "$STDERR_CONTENT" | head -c 300)
+
+mkdir -p "$(dirname "$DEBUG_LOG")" 2>/dev/null
+{
+    echo "=== $(date -Iseconds) === ${HOOK_NAME} ==="
+    echo "exit: ${EXIT_CODE} (${ELAPSED}ms)"
+    if [[ -n "$STDERR_PREVIEW" ]]; then
+        echo "stderr: ${STDERR_PREVIEW}"
+    fi
+    if [[ -n "$STDOUT_PREVIEW" ]]; then
+        echo "stdout: ${STDOUT_PREVIEW}"
+    fi
+    echo "input: ${INPUT_PREVIEW}"
+    echo ""
+} >> "$DEBUG_LOG"
+
+# Pass through the original output
+if [[ -n "$STDOUT_CONTENT" ]]; then
+    echo "$STDOUT_CONTENT"
+fi
+if [[ -n "$STDERR_CONTENT" ]]; then
+    echo "$STDERR_CONTENT" >&2
+fi
+
+exit "$EXIT_CODE"

package/examples/loop-detector.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# ================================================================
+# loop-detector.sh — Detect and break command repetition loops
+# ================================================================
+# PURPOSE:
+#   Claude Code sometimes gets stuck repeating the same command
+#   or cycle of commands. This hook detects repetition and warns
+#   before the loop wastes context and time.
+#
+# HOW IT WORKS:
+#   1. Records last N commands in a state file
+#   2. Checks if the current command matches recent commands
+#   3. If same command appears 3+ times in last 5 calls → warn
+#   4. If same command appears 5+ times → block
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# CONFIGURATION:
+#   CC_LOOP_WARN=3    — warn after this many repeats (default: 3)
+#   CC_LOOP_BLOCK=5   — block after this many repeats (default: 5)
+#   CC_LOOP_WINDOW=10 — number of recent commands to track (default: 10)
+# ================================================================
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$COMMAND" ]]; then
+    exit 0
+fi
+
+STATE_FILE="/tmp/cc-loop-detector-history"
+WARN_THRESHOLD="${CC_LOOP_WARN:-3}"
+BLOCK_THRESHOLD="${CC_LOOP_BLOCK:-5}"
+WINDOW="${CC_LOOP_WINDOW:-10}"
+
+# Normalize command (strip whitespace variations)
+NORMALIZED=$(echo "$COMMAND" | sed 's/[[:space:]]\+/ /g; s/^ //; s/ $//')
+
+# Record command
+echo "$NORMALIZED" >> "$STATE_FILE"
+
+# Keep only last N entries
+if [ -f "$STATE_FILE" ]; then
+    tail -n "$WINDOW" "$STATE_FILE" > "${STATE_FILE}.tmp"
+    mv "${STATE_FILE}.tmp" "$STATE_FILE"
+fi
+
+# Count occurrences of current command in history
+COUNT=$(grep -cF "$NORMALIZED" "$STATE_FILE" 2>/dev/null || echo 0)
+
+if [ "$COUNT" -ge "$BLOCK_THRESHOLD" ]; then
+    echo "BLOCKED: Command repeated $COUNT times in last $WINDOW calls." >&2
+    echo "" >&2
+    echo "Command: $COMMAND" >&2
+    echo "" >&2
+    echo "This looks like an infinite loop. Try a different approach." >&2
+    echo "To reset: rm /tmp/cc-loop-detector-history" >&2
+    exit 2
+elif [ "$COUNT" -ge "$WARN_THRESHOLD" ]; then
+    echo "WARNING: Command repeated $COUNT times. Possible loop." >&2
+    echo "Command: $(echo "$COMMAND" | head -c 100)" >&2
+fi
+
+exit 0

package/examples/session-handoff.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+# ================================================================
+# session-handoff.sh — Auto-save session state for next session
+# ================================================================
+# PURPOSE:
+#   When a Claude Code session ends (Stop event), automatically
+#   captures the current state and writes a handoff file that the
+#   next session can read to resume work.
+#
+#   Solves the "I forgot what I was doing" problem after /compact
+#   or session restart.
+#
+# TRIGGER: Stop
+# MATCHER: ""
+#
+# WHAT IT CAPTURES:
+#   - Current git branch and uncommitted changes
+#   - Last 5 commands from shell history
+#   - Modified files (git diff --stat)
+#   - Current working directory
+#   - Timestamp
+#
+# OUTPUT: ~/.claude/session-handoff.md
+#   Next session can read this to understand where the last one left off.
+#
+# CONFIGURATION:
+#   CC_HANDOFF_FILE — path to handoff file
+#     default: ~/.claude/session-handoff.md
+# ================================================================
+
+HANDOFF="${CC_HANDOFF_FILE:-$HOME/.claude/session-handoff.md}"
+
+# Detect project directory from recent tool calls
+PROJECT_DIR=""
+if [ -d ".git" ]; then
+    PROJECT_DIR="$(pwd)"
+elif [ -f "$HOME/.claude/projects" ]; then
+    PROJECT_DIR=$(ls -td "$HOME/.claude/projects/"*/ 2>/dev/null | head -1)
+fi
+
+{
+    echo "# Session Handoff"
+    echo ""
+    echo "**Last session ended:** $(date -Iseconds)"
+    echo ""
+
+    # Git state
+    if command -v git &>/dev/null && [ -d ".git" ]; then
+        BRANCH=$(git branch --show-current 2>/dev/null || echo "unknown")
+        echo "## Git State"
+        echo "- Branch: \`$BRANCH\`"
+
+        MODIFIED=$(git diff --stat 2>/dev/null | tail -1)
+        if [ -n "$MODIFIED" ]; then
+            echo "- Changes: $MODIFIED"
+            echo ""
+            echo "### Modified files"
+            echo '```'
+            git diff --name-only 2>/dev/null | head -10
+            echo '```'
+        else
+            echo "- Changes: clean working tree"
+        fi
+
+        STAGED=$(git diff --cached --stat 2>/dev/null | tail -1)
+        if [ -n "$STAGED" ]; then
+            echo "- Staged: $STAGED"
+        fi
+
+        LAST_COMMIT=$(git log --oneline -1 2>/dev/null)
+        echo "- Last commit: $LAST_COMMIT"
+        echo ""
+    fi
+
+    # Recent blocked commands (if any)
+    BLOCK_LOG="$HOME/.claude/blocked-commands.log"
+    if [ -f "$BLOCK_LOG" ]; then
+        RECENT_BLOCKS=$(tail -3 "$BLOCK_LOG" 2>/dev/null)
+        if [ -n "$RECENT_BLOCKS" ]; then
+            echo "## Recent Blocks"
+            echo '```'
+            echo "$RECENT_BLOCKS"
+            echo '```'
+            echo ""
+        fi
+    fi
+
+    # Session errors
+    ERROR_LOG="$HOME/.claude/session-errors.log"
+    if [ -f "$ERROR_LOG" ]; then
+        RECENT_ERRORS=$(tail -3 "$ERROR_LOG" 2>/dev/null)
+        if [ -n "$RECENT_ERRORS" ]; then
+            echo "## Recent Errors"
+            echo '```'
+            echo "$RECENT_ERRORS"
+            echo '```'
+            echo ""
+        fi
+    fi
+
+    echo "---"
+    echo "*Auto-generated by session-handoff hook. Read this at session start to resume.*"
+
+} > "$HANDOFF"
+
+exit 0

package/index.mjs

@@ -82,6 +82,7 @@ const JSON_OUTPUT = process.argv.includes('--json');
 const LINT = process.argv.includes('--lint');
 const DIFF_IDX = process.argv.findIndex(a => a === '--diff');
 const DIFF_FILE = DIFF_IDX !== -1 ? process.argv[DIFF_IDX + 1] : null;
+const SHARE = process.argv.includes('--share');
 const CREATE_IDX = process.argv.findIndex(a => a === '--create');
 const CREATE_DESC = CREATE_IDX !== -1 ? process.argv.slice(CREATE_IDX + 1).join(' ') : null;
 
@@ -103,6 +104,7 @@ if (HELP) {
     npx cc-safe-setup --audit --json  Machine-readable output for CI/CD
     npx cc-safe-setup --scan       Detect tech stack, recommend hooks
     npx cc-safe-setup --learn      Learn from your block history
+    npx cc-safe-setup --share         Generate shareable URL for your setup
     npx cc-safe-setup --diff <file>   Compare your settings with another file
     npx cc-safe-setup --lint       Static analysis of hook configuration
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
@@ -319,6 +321,8 @@ function examples() {
       'test-before-push.sh': 'Block git push when tests have not passed',
       'timeout-guard.sh': 'Warn before long-running commands (servers, watchers)',
       'git-config-guard.sh': 'Block git config --global modifications',
+      'case-sensitive-guard.sh': 'Detect case-insensitive FS collisions (exFAT/NTFS/HFS+)',
+      'compound-command-approver.sh': 'Auto-approve safe compound commands (cd && git log)',
     },
     'Auto-Approve': {
       'auto-approve-build.sh': 'Auto-approve npm/yarn/cargo/go build, test, lint',
@@ -339,15 +343,19 @@ function examples() {
     'Recovery': {
       'auto-checkpoint.sh': 'Auto-commit after edits for rollback protection',
       'auto-snapshot.sh': 'Auto-save file snapshots before edits (rollback protection)',
+      'session-checkpoint.sh': 'Save session state before context compaction',
     },
     'UX': {
       'notify-waiting.sh': 'Desktop notification when Claude waits for input',
+      'tmp-cleanup.sh': 'Clean up /tmp/claude-*-cwd files on session end',
+      'hook-debug-wrapper.sh': 'Wrap any hook to log input/output/exit/timing',
+      'loop-detector.sh': 'Detect and break command repetition loops',
     },
   };
 
   console.log();
   console.log(c.bold + '  cc-safe-setup --examples' + c.reset);
-  console.log(c.dim + '  25 hooks beyond the 8 built-in ones' + c.reset);
+  console.log(c.dim + '  30 hooks beyond the 8 built-in ones' + c.reset);
   console.log();
 
   for (const [cat, hooks] of Object.entries(CATEGORIES)) {
@@ -772,6 +780,50 @@ async function fullSetup() {
   console.log();
 }
 
+function share() {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --share' + c.reset);
+  console.log();
+
+  if (!existsSync(SETTINGS_PATH)) {
+    console.log(c.red + '  No settings.json found.' + c.reset);
+    process.exit(1);
+  }
+
+  const settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8'));
+
+  // Strip sensitive data — only keep hooks and permissions structure
+  const shareable = {
+    hooks: settings.hooks || {},
+    permissions: settings.permissions || {},
+    defaultMode: settings.defaultMode,
+  };
+
+  // Remove full file paths, keep only script names
+  for (const trigger of Object.keys(shareable.hooks)) {
+    for (const entry of shareable.hooks[trigger]) {
+      for (const h of (entry.hooks || [])) {
+        if (h.command) {
+          // Keep only the filename
+          h.command = h.command.split('/').pop();
+        }
+      }
+    }
+  }
+
+  const json = JSON.stringify(shareable);
+  const encoded = Buffer.from(json).toString('base64');
+  const url = 'https://yurukusa.github.io/cc-safe-setup/?config=' + encoded;
+
+  console.log(c.green + '  Shareable URL:' + c.reset);
+  console.log();
+  console.log('  ' + url);
+  console.log();
+  console.log(c.dim + '  Anyone with this URL can audit your hook setup in their browser.' + c.reset);
+  console.log(c.dim + '  Only hook names and permissions are shared (no file paths or secrets).' + c.reset);
+  console.log();
+}
+
 function diff(otherFile) {
   console.log();
   console.log(c.bold + '  cc-safe-setup --diff' + c.reset);
@@ -1932,6 +1984,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (SHARE) return share();
   if (DIFF_FILE) return diff(DIFF_FILE);
   if (LINT) return lint();
   if (CREATE_DESC) return createHook(CREATE_DESC);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "3.4.0",
-  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 30 installable examples. Destructive blocker, branch guard, compound command approver, database wipe protection, tmp cleanup, and more.",
+  "version": "3.6.0",
+  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 34 examples. Create, audit, lint, diff, share, watch, learn. Session handoff, loop detection, commit quality gate.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"