cc-safe-setup 3.6.0 → 3.7.0

package/README.md

@@ -220,6 +220,10 @@ Or browse all available examples in [`examples/`](examples/):
 - **verify-before-commit.sh** — Block git commit when lint/test commands haven't been run ([#37818](https://github.com/anthropics/claude-code/issues/37818))
 - **hook-debug-wrapper.sh** — Wrap any hook to log input/output/exit code/timing to `~/.claude/hook-debug.log`
 - **loop-detector.sh** — Detect and break command repetition loops (warn at 3, block at 5 repeats)
+- **commit-quality-gate.sh** — Warn on vague commit messages ("update code"), long subjects, mega-commits
+- **session-handoff.sh** — Auto-save git state and session info to `~/.claude/session-handoff.md` on session end
+- **diff-size-guard.sh** — Warn/block when committing too many files at once (default: warn at 10, block at 50)
+- **dependency-audit.sh** — Warn when installing packages not in manifest (npm/pip/cargo supply chain awareness)
 
 ## Safety Checklist
 

package/examples/dependency-audit.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+# ================================================================
+# dependency-audit.sh — Warn before installing unknown packages
+# ================================================================
+# PURPOSE:
+#   Claude Code may install packages you've never heard of.
+#   This hook warns when npm/pip/cargo installs a new dependency,
+#   giving you a chance to review before it executes.
+#
+#   Doesn't block devDependencies or packages already in
+#   package.json/requirements.txt.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# WHAT IT WARNS ON:
+#   - npm install <pkg> (not in package.json)
+#   - pip install <pkg> (not in requirements.txt)
+#   - cargo add <pkg> (not in Cargo.toml)
+#
+# WHAT IT ALLOWS:
+#   - npm install (no args = install from package.json)
+#   - pip install -r requirements.txt
+#   - Packages already in manifest files
+# ================================================================
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$COMMAND" ]]; then
+    exit 0
+fi
+
+# npm install <package>
+if echo "$COMMAND" | grep -qE '^\s*npm\s+install\s+\S'; then
+    # Skip if no specific package (just `npm install`)
+    PKG=$(echo "$COMMAND" | grep -oP 'npm\s+install\s+(-[DSg]\s+)*\K[^-\s]\S*' | head -1)
+    if [[ -n "$PKG" ]] && [[ -f "package.json" ]]; then
+        if ! grep -q "\"$PKG\"" package.json 2>/dev/null; then
+            echo "NOTE: Installing new npm package: $PKG" >&2
+            echo "Not found in package.json. Review before proceeding." >&2
+        fi
+    fi
+fi
+
+# pip install <package>
+if echo "$COMMAND" | grep -qE '^\s*(pip3?|python3?\s+-m\s+pip)\s+install\s+\S'; then
+    # Skip -r requirements.txt
+    if ! echo "$COMMAND" | grep -qE '\-r\s+'; then
+        PKG=$(echo "$COMMAND" | grep -oP '(pip3?|python3?\s+-m\s+pip)\s+install\s+(-[^\s]+\s+)*\K[^-\s]\S*' | head -1)
+        if [[ -n "$PKG" ]] && [[ -f "requirements.txt" ]]; then
+            if ! grep -qi "$PKG" requirements.txt 2>/dev/null; then
+                echo "NOTE: Installing new pip package: $PKG" >&2
+                echo "Not found in requirements.txt." >&2
+            fi
+        fi
+    fi
+fi
+
+# cargo add <package>
+if echo "$COMMAND" | grep -qE '^\s*cargo\s+add\s+\S'; then
+    PKG=$(echo "$COMMAND" | grep -oP 'cargo\s+add\s+\K\S+' | head -1)
+    if [[ -n "$PKG" ]] && [[ -f "Cargo.toml" ]]; then
+        if ! grep -q "$PKG" Cargo.toml 2>/dev/null; then
+            echo "NOTE: Adding new cargo dependency: $PKG" >&2
+        fi
+    fi
+fi
+
+exit 0

package/examples/diff-size-guard.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# ================================================================
+# diff-size-guard.sh — Warn on large uncommitted changes
+# ================================================================
+# PURPOSE:
+#   Claude Code can modify dozens of files in a single session
+#   without committing. By the time you notice, the diff is
+#   unmanageable. This hook warns when the working tree has
+#   too many changed files.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# WHEN IT FIRES:
+#   On git commit — checks if the commit is too large
+#   Configurable thresholds via environment variables
+#
+# CONFIGURATION:
+#   CC_DIFF_WARN=10    — warn when staging 10+ files (default)
+#   CC_DIFF_BLOCK=50   — block when staging 50+ files (default)
+# ================================================================
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$COMMAND" ]]; then
+    exit 0
+fi
+
+# Only check git commit and git add
+if ! echo "$COMMAND" | grep -qE '^\s*git\s+(commit|add\s+(-A|--all|\.))'; then
+    exit 0
+fi
+
+# Check number of changed files
+if ! command -v git &>/dev/null || ! [ -d .git ]; then
+    exit 0
+fi
+
+WARN="${CC_DIFF_WARN:-10}"
+BLOCK="${CC_DIFF_BLOCK:-50}"
+
+# Count staged + unstaged changed files
+CHANGED=$(git diff --name-only HEAD 2>/dev/null | wc -l)
+STAGED=$(git diff --cached --name-only 2>/dev/null | wc -l)
+TOTAL=$((CHANGED + STAGED))
+
+if [ "$TOTAL" -ge "$BLOCK" ]; then
+    echo "BLOCKED: $TOTAL files changed — too large for one commit." >&2
+    echo "" >&2
+    echo "Break this into smaller, reviewable commits:" >&2
+    echo "  git add src/feature/ && git commit -m 'feat: add feature'" >&2
+    echo "  git add tests/ && git commit -m 'test: add feature tests'" >&2
+    echo "" >&2
+    echo "Set CC_DIFF_BLOCK to adjust the limit (current: $BLOCK)." >&2
+    exit 2
+elif [ "$TOTAL" -ge "$WARN" ]; then
+    echo "WARNING: $TOTAL files changed. Consider splitting into smaller commits." >&2
+fi
+
+exit 0

package/index.mjs

@@ -83,6 +83,7 @@ const LINT = process.argv.includes('--lint');
 const DIFF_IDX = process.argv.findIndex(a => a === '--diff');
 const DIFF_FILE = DIFF_IDX !== -1 ? process.argv[DIFF_IDX + 1] : null;
 const SHARE = process.argv.includes('--share');
+const BENCHMARK = process.argv.includes('--benchmark');
 const CREATE_IDX = process.argv.findIndex(a => a === '--create');
 const CREATE_DESC = CREATE_IDX !== -1 ? process.argv.slice(CREATE_IDX + 1).join(' ') : null;
 
@@ -104,6 +105,7 @@ if (HELP) {
     npx cc-safe-setup --audit --json  Machine-readable output for CI/CD
     npx cc-safe-setup --scan       Detect tech stack, recommend hooks
     npx cc-safe-setup --learn      Learn from your block history
+    npx cc-safe-setup --benchmark     Measure hook execution time
     npx cc-safe-setup --share         Generate shareable URL for your setup
     npx cc-safe-setup --diff <file>   Compare your settings with another file
     npx cc-safe-setup --lint       Static analysis of hook configuration
@@ -350,6 +352,10 @@ function examples() {
       'tmp-cleanup.sh': 'Clean up /tmp/claude-*-cwd files on session end',
       'hook-debug-wrapper.sh': 'Wrap any hook to log input/output/exit/timing',
       'loop-detector.sh': 'Detect and break command repetition loops',
+      'session-handoff.sh': 'Auto-save session state for next session resume',
+      'commit-quality-gate.sh': 'Warn on vague or too-long commit messages',
+      'diff-size-guard.sh': 'Warn/block on large diffs (10+ files warn, 50+ block)',
+      'dependency-audit.sh': 'Warn on new package installs not in manifest',
     },
   };
 
@@ -780,6 +786,89 @@ async function fullSetup() {
   console.log();
 }
 
+async function benchmark() {
+  const { spawnSync } = await import('child_process');
+
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --benchmark' + c.reset);
+  console.log(c.dim + '  Measuring hook execution time (10 runs each)...' + c.reset);
+  console.log();
+
+  if (!existsSync(SETTINGS_PATH)) {
+    console.log(c.red + '  No settings.json found.' + c.reset);
+    process.exit(1);
+  }
+
+  const settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8'));
+  const hooks = settings.hooks || {};
+  const results = [];
+  const testInput = JSON.stringify({ tool_input: { command: 'echo hello' } });
+  const RUNS = 10;
+
+  for (const [trigger, entries] of Object.entries(hooks)) {
+    for (const entry of entries) {
+      for (const h of (entry.hooks || [])) {
+        if (h.type !== 'command') continue;
+        let scriptPath = (h.command || '').replace(/^(bash|sh|node)\s+/, '').split(/\s+/)[0];
+        scriptPath = scriptPath.replace(/^~/, HOME);
+        if (!existsSync(scriptPath)) continue;
+
+        const name = scriptPath.split('/').pop();
+        const times = [];
+
+        for (let i = 0; i < RUNS; i++) {
+          const start = process.hrtime.bigint();
+          spawnSync('bash', [scriptPath], {
+            input: testInput,
+            timeout: 5000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+          });
+          const end = process.hrtime.bigint();
+          times.push(Number(end - start) / 1_000_000); // ms
+        }
+
+        const avg = times.reduce((a, b) => a + b, 0) / times.length;
+        const max = Math.max(...times);
+        const min = Math.min(...times);
+
+        results.push({ name, trigger, avg, max, min, matcher: entry.matcher || '(all)' });
+      }
+    }
+  }
+
+  // Sort by avg time descending
+  results.sort((a, b) => b.avg - a.avg);
+
+  // Display
+  const maxAvg = results[0]?.avg || 1;
+  console.log(c.bold + '  Hook                          Avg     Min     Max    Trigger' + c.reset);
+  console.log('  ' + '-'.repeat(75));
+
+  for (const r of results) {
+    const bar = '█'.repeat(Math.ceil(r.avg / maxAvg * 15));
+    const avgColor = r.avg > 100 ? c.red : r.avg > 50 ? c.yellow : c.green;
+    console.log(
+      '  ' + r.name.padEnd(30) +
+      avgColor + r.avg.toFixed(1).padStart(6) + 'ms' + c.reset +
+      r.min.toFixed(1).padStart(6) + 'ms' +
+      r.max.toFixed(1).padStart(6) + 'ms' +
+      '  ' + c.dim + r.trigger + c.reset
+    );
+  }
+
+  console.log();
+  const totalAvg = results.reduce((s, r) => s + r.avg, 0);
+  const slow = results.filter(r => r.avg > 50);
+
+  console.log(c.dim + '  Total avg per tool call: ' + totalAvg.toFixed(1) + 'ms (sum of all hooks on that trigger)' + c.reset);
+  if (slow.length > 0) {
+    console.log(c.yellow + '  ' + slow.length + ' hook(s) over 50ms — consider optimizing' + c.reset);
+  } else {
+    console.log(c.green + '  All hooks under 50ms — good performance' + c.reset);
+  }
+  console.log();
+}
+
 function share() {
   console.log();
   console.log(c.bold + '  cc-safe-setup --share' + c.reset);
@@ -1984,6 +2073,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (BENCHMARK) return benchmark();
   if (SHARE) return share();
   if (DIFF_FILE) return diff(DIFF_FILE);
   if (LINT) return lint();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "3.6.0",
-  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 34 examples. Create, audit, lint, diff, share, watch, learn. Session handoff, loop detection, commit quality gate.",
+  "version": "3.7.0",
+  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in + 36 examples. 21 commands: create, audit, lint, diff, share, benchmark, watch, learn. 2,500+ daily npm downloads.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"