npm - cc-safe-setup - Versions diffs - 4.0.3 → 5.1.0 - Mend

cc-safe-setup 4.0.3 → 5.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md +1 -0
package/docs/app.html +271 -0
package/examples/env-source-guard.sh +51 -0
package/index.mjs +211 -34
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -249,6 +249,7 @@ Or browse all available examples in [`examples/`](examples/):
 - [Hooks Cookbook](https://github.com/yurukusa/claude-code-hooks/blob/main/COOKBOOK.md) — 25 recipes from real GitHub Issues ([interactive version](https://yurukusa.github.io/claude-code-hooks/))
 - [Japanese guide (Qiita)](https://qiita.com/yurukusa/items/a9714b33f5d974e8f1e8) — この記事の日本語解説
 - [Hook Test Runner](https://github.com/yurukusa/cc-hook-test) — `npx cc-hook-test <hook.sh>` to auto-test any hook
+- [Hook Registry](https://github.com/yurukusa/cc-hook-registry) — `npx cc-hook-registry search database` to find community hooks
 - [Hooks Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/cheatsheet.html) — printable A4 quick reference
 - [Ecosystem Comparison](https://yurukusa.github.io/cc-safe-setup/ecosystem.html) — all Claude Code hook projects compared
 - [The incident that inspired this tool](https://github.com/anthropics/claude-code/issues/36339) — NTFS junction rm -rf

package/docs/app.html ADDED Viewed

@@ -0,0 +1,271 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>cc-safe-setup — Claude Code Safety Suite</title>
+<meta name="description" content="Audit, build, browse, and learn Claude Code hooks. All in one page, 100% client-side.">
+<style>
+*{box-sizing:border-box;margin:0;padding:0}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#0d1117;color:#c9d1d9;min-height:100vh}
+.nav{display:flex;background:#161b22;border-bottom:1px solid #30363d;overflow-x:auto}
+.nav a{padding:.75rem 1.2rem;color:#8b949e;text-decoration:none;font-size:.85rem;white-space:nowrap;border-bottom:2px solid transparent;cursor:pointer}
+.nav a.active{color:#f0f6fc;border-bottom-color:#f78166}
+.nav a:hover{color:#c9d1d9}
+.page{display:none;max-width:800px;margin:0 auto;padding:1.5rem}
+.page.active{display:block}
+h1{font-size:1.3rem;color:#f0f6fc;margin-bottom:.5rem}
+h2{font-size:1.1rem;color:#f0f6fc;margin:1.5rem 0 .5rem}
+h3{font-size:.95rem;color:#c9d1d9;margin:1rem 0 .3rem}
+p,.sub{color:#8b949e;font-size:.85rem;margin-bottom:.75rem}
+a{color:#58a6ff;text-decoration:none}
+textarea,input,select{width:100%;padding:.5rem;background:#161b22;border:1px solid #30363d;border-radius:4px;color:#c9d1d9;font-family:monospace;font-size:.8rem;margin:.25rem 0}
+textarea{height:150px;resize:vertical}
+button,.btn{background:#238636;color:#fff;border:none;padding:.5rem 1rem;border-radius:4px;cursor:pointer;font-size:.85rem;margin:.25rem .25rem .25rem 0}
+button:hover,.btn:hover{background:#2ea043}
+.btn-sm{padding:.25rem .5rem;font-size:.75rem}
+.btn-secondary{background:#30363d}
+pre{background:#161b22;border:1px solid #30363d;border-radius:4px;padding:.6rem;font-size:.75rem;overflow-x:auto;position:relative;margin:.3rem 0}
+.copy{position:absolute;top:.3rem;right:.3rem;background:#30363d;color:#c9d1d9;border:none;padding:.15rem .4rem;border-radius:3px;font-size:.65rem;cursor:pointer}
+.score{font-size:1.8rem;font-weight:bold;margin:.5rem 0}
+.score.good{color:#3fb950} .score.mid{color:#d29922} .score.bad{color:#f85149}
+.risk{background:#161b22;border:1px solid #30363d;border-radius:4px;padding:.75rem;margin:.3rem 0;font-size:.8rem}
+.good-item{color:#3fb950;margin:.2rem 0;font-size:.8rem}
+table{width:100%;border-collapse:collapse;font-size:.8rem;margin:.5rem 0}
+th,td{text-align:left;padding:.35rem .5rem;border-bottom:1px solid #21262d}
+th{font-weight:600;color:#f0f6fc}
+.recipe{background:#161b22;border:1px solid #30363d;border-radius:4px;margin:.3rem 0;overflow:hidden}
+.recipe summary{padding:.5rem .75rem;cursor:pointer;font-weight:600;color:#f0f6fc;font-size:.85rem}
+.recipe-body{padding:0 .75rem .5rem}
+.filter{padding:.2rem .5rem;border-radius:3px;border:1px solid #30363d;background:transparent;color:#8b949e;cursor:pointer;font-size:.7rem;margin:.15rem}
+.filter.active{background:#238636;border-color:#238636;color:#fff}
+.badge{display:inline-block;padding:.1rem .3rem;border-radius:3px;font-size:.65rem;font-weight:bold}
+.badge-bash{background:#1f6feb22;color:#58a6ff;border:1px solid #1f6feb44}
+.badge-js{background:#f0e68c22;color:#f0e68c;border:1px solid #f0e68c44}
+.badge-py{background:#3fb95022;color:#3fb950;border:1px solid #3fb95044}
+.badge-ts{background:#388bfd22;color:#388bfd;border:1px solid #388bfd44}
+.check{color:#3fb950} .cross{color:#484f58}
+.footer{text-align:center;color:#484f58;font-size:.7rem;padding:2rem 1rem}
+@media print{.nav{display:none} .page{display:block!important}}
+</style>
+</head>
+<body>
+<nav class="nav">
+  <a onclick="go('audit')" id="nav-audit" class="active">Audit</a>
+  <a onclick="go('builder')" id="nav-builder">Hook Builder</a>
+  <a onclick="go('cookbook')" id="nav-cookbook">Cookbook</a>
+  <a onclick="go('ecosystem')" id="nav-ecosystem">Ecosystem</a>
+  <a onclick="go('cheatsheet')" id="nav-cheatsheet">Cheat Sheet</a>
+</nav>
+<!-- PAGE: AUDIT -->
+<div class="page active" id="page-audit">
+<h1>Safety Audit</h1>
+<p>Paste your <code>~/.claude/settings.json</code>. Nothing leaves your browser.</p>
+<textarea id="settings" placeholder='{"permissions":{"allow":["Bash(git:*)"]},"hooks":{"PreToolUse":[...]}}'></textarea>
+<button onclick="runAudit()">Run Audit</button>
+<button class="btn-secondary" onclick="generateFresh()">Generate Fresh Setup</button>
+<div id="audit-results"></div>
+</div>
+<!-- PAGE: HOOK BUILDER -->
+<div class="page" id="page-builder">
+<h1>Hook Builder</h1>
+<p>Build a custom hook without writing code.</p>
+<div style="display:flex;gap:.75rem;flex-wrap:wrap">
+  <div style="flex:1;min-width:180px">
+    <label style="font-size:.75rem;color:#8b949e">Action</label>
+    <select id="hb-action"><option value="block">Block</option><option value="warn">Warn</option><option value="approve">Auto-approve</option></select>
+  </div>
+  <div style="flex:2;min-width:250px">
+    <label style="font-size:.75rem;color:#8b949e">Pattern (regex)</label>
+    <input id="hb-pattern" placeholder="e.g. rm\s+-rf, git push --force">
+  </div>
+</div>
+<label style="font-size:.75rem;color:#8b949e">Message</label>
+<input id="hb-message" placeholder="e.g. Run tests before pushing">
+<button onclick="buildHook()">Generate</button>
+<div id="hb-result"></div>
+</div>
+<!-- PAGE: COOKBOOK -->
+<div class="page" id="page-cookbook">
+<h1>Hooks Cookbook</h1>
+<p>Copy-paste recipes from real GitHub Issues.</p>
+<input id="cb-search" placeholder="Search... (database, git, deploy)" oninput="filterRecipes()">
+<div style="margin:.3rem 0" id="cb-filters"></div>
+<div id="cb-count" style="color:#8b949e;font-size:.8rem"></div>
+<div id="cb-list"></div>
+</div>
+<!-- PAGE: ECOSYSTEM -->
+<div class="page" id="page-ecosystem">
+<h1>Ecosystem Comparison</h1>
+<p>All major Claude Code hook projects compared.</p>
+<table>
+<tr><th>Project</th><th>Lang</th><th>Hooks</th><th>Install</th></tr>
+<tr><td><a href="https://github.com/kenryu42/claude-code-safety-net">safety-net</a></td><td><span class="badge badge-ts">TS</span></td><td>5</td><td>npx</td></tr>
+<tr><td><a href="https://github.com/yurukusa/cc-safe-setup">cc-safe-setup</a></td><td><span class="badge badge-bash">Bash</span></td><td>8+39</td><td>npx</td></tr>
+<tr><td><a href="https://github.com/karanb192/claude-code-hooks">karanb192</a></td><td><span class="badge badge-js">JS</span></td><td>5+</td><td>copy</td></tr>
+<tr><td><a href="https://github.com/disler/claude-code-hooks-mastery">mastery</a></td><td><span class="badge badge-py">Python</span></td><td>12</td><td>copy</td></tr>
+<tr><td><a href="https://github.com/lasso-security/claude-hooks">lasso</a></td><td><span class="badge badge-py">Python</span></td><td>1</td><td>install.sh</td></tr>
+</table>
+<h2>Feature Matrix</h2>
+<table>
+<tr><th>Feature</th><th>safety-net</th><th>cc-safe-setup</th><th>karanb192</th><th>mastery</th></tr>
+<tr><td>rm -rf blocker</td><td class="check">✓</td><td class="check">✓</td><td class="check">✓</td><td class="check">✓</td></tr>
+<tr><td>Branch guard</td><td class="check">✓</td><td class="check">✓</td><td class="cross">-</td><td class="cross">-</td></tr>
+<tr><td>Secret guard</td><td class="cross">-</td><td class="check">✓</td><td class="check">✓</td><td class="cross">-</td></tr>
+<tr><td>Syntax check</td><td class="cross">-</td><td class="check">✓</td><td class="cross">-</td><td class="cross">-</td></tr>
+<tr><td>Context monitor</td><td class="cross">-</td><td class="check">✓</td><td class="cross">-</td><td class="cross">-</td></tr>
+<tr><td>Hook generator</td><td class="cross">-</td><td class="check">✓</td><td class="cross">-</td><td class="cross">-</td></tr>
+<tr><td>Dashboard</td><td class="cross">-</td><td class="check">✓</td><td class="cross">-</td><td class="cross">-</td></tr>
+<tr><td>GitHub Action</td><td class="cross">-</td><td class="check">✓</td><td class="cross">-</td><td class="cross">-</td></tr>
+</table>
+</div>
+<!-- PAGE: CHEAT SHEET -->
+<div class="page" id="page-cheatsheet">
+<h1>Hooks Cheat Sheet</h1>
+<p>Print this page (Ctrl+P) for a quick reference.</p>
+<h3>Lifecycle</h3>
+<pre>Prompt → PreToolUse → Tool → PostToolUse → Stop</pre>
+<h3>Exit Codes</h3>
+<table><tr><th>Code</th><th>Meaning</th></tr>
+<tr><td><code>0</code></td><td>Allow</td></tr>
+<tr><td><code>2</code></td><td><strong>Block</strong></td></tr></table>
+<h3>Minimal Block Hook</h3>
+<pre>#!/bin/bash
+CMD=$(cat | jq -r '.tool_input.command // empty')
+[ -z "$CMD" ] && exit 0
+echo "$CMD" | grep -qE 'PATTERN' && echo "BLOCKED" >&2 && exit 2
+exit 0</pre>
+<h3>Auto-Approve Hook</h3>
+<pre>#!/bin/bash
+CMD=$(cat | jq -r '.tool_input.command // empty')
+[ -z "$CMD" ] && exit 0
+echo "$CMD" | grep -qE '^git\s+(status|log|diff)' && \
+  jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow"}}'
+exit 0</pre>
+<h3>Quick Commands</h3>
+<table>
+<tr><td><code>npx cc-safe-setup</code></td><td>Install 8 hooks</td></tr>
+<tr><td><code>--create "desc"</code></td><td>Generate hook</td></tr>
+<tr><td><code>--audit</code></td><td>Score 0-100</td></tr>
+<tr><td><code>--dashboard</code></td><td>Live status</td></tr>
+<tr><td><code>--doctor</code></td><td>Diagnose</td></tr>
+<tr><td><code>--benchmark</code></td><td>Speed test</td></tr>
+</table>
+</div>
+<div class="footer">
+  cc-safe-setup · 100% client-side · <a href="https://github.com/yurukusa/cc-safe-setup">GitHub</a> · <a href="https://www.npmjs.com/package/cc-safe-setup">npm</a>
+</div>
+<script>
+// Navigation
+function go(page) {
+  document.querySelectorAll('.page').forEach(p => p.classList.remove('active'));
+  document.querySelectorAll('.nav a').forEach(a => a.classList.remove('active'));
+  document.getElementById('page-' + page).classList.add('active');
+  document.getElementById('nav-' + page).classList.add('active');
+}
+// AUDIT
+function runAudit() {
+  const raw = document.getElementById('settings').value.trim();
+  const el = document.getElementById('audit-results');
+  if (!raw) { generateFresh(); return; }
+  let s; try { s = JSON.parse(raw); } catch { el.innerHTML='<p style="color:#f85149">Invalid JSON</p>'; return; }
+  const {risks,good,score} = analyze(s);
+  renderAudit(risks, good, score, el);
+}
+function generateFresh() {
+  const {risks,good,score} = analyze({});
+  renderAudit(risks, good, score, document.getElementById('audit-results'));
+}
+function analyze(s) {
+  const risks=[], good=[];
+  const pre=s.hooks?.PreToolUse||[], post=s.hooks?.PostToolUse||[];
+  const all=JSON.stringify(pre).toLowerCase();
+  if(!pre.length) risks.push({s:'CRITICAL',i:'No PreToolUse hooks',f:'npx cc-safe-setup'});
+  else { good.push('PreToolUse ('+pre.length+')');
+    if(!all.match(/destructive|guard|rm.*rf/)) risks.push({s:'HIGH',i:'No destructive guard',f:'npx cc-safe-setup'});
+    else good.push('Destructive protection');
+    if(!all.match(/branch|push|main/)) risks.push({s:'HIGH',i:'No branch guard',f:'npx cc-safe-setup'});
+    else good.push('Branch protection');
+    if(!all.match(/secret|env|credential/)) risks.push({s:'HIGH',i:'No secret guard',f:'npx cc-safe-setup'});
+    else good.push('Secret protection');
+  }
+  if(!post.length) risks.push({s:'MEDIUM',i:'No PostToolUse hooks',f:'npx cc-safe-setup'});
+  else good.push('PostToolUse ('+post.length+')');
+  const score=Math.max(0,100-risks.reduce((n,r)=>n+(r.s==='CRITICAL'?30:r.s==='HIGH'?20:10),0));
+  return {risks,good,score};
+}
+function renderAudit(risks,good,score,el) {
+  const cls=score>=80?'good':score>=50?'mid':'bad';
+  let h='<div class="score '+cls+'">'+score+'/100</div>';
+  if(good.length) { h+='<h3 style="color:#3fb950">Working</h3>'; good.forEach(g=>h+='<div class="good-item">✓ '+g+'</div>'); }
+  if(risks.length) { h+='<h3>Risks ('+risks.length+')</h3>'; risks.forEach(r=>h+='<div class="risk"><strong>['+r.s+']</strong> '+r.i+'<br><code>'+r.f+'</code></div>'); }
+  if(!risks.length) h+='<p style="color:#3fb950">No risks detected.</p>';
+  el.innerHTML=h;
+}
+// HOOK BUILDER
+function buildHook() {
+  const action=document.getElementById('hb-action').value;
+  const pattern=document.getElementById('hb-pattern').value.trim();
+  const message=document.getElementById('hb-message').value.trim()||'Blocked';
+  const el=document.getElementById('hb-result');
+  if(!pattern){el.innerHTML='<p style="color:#f85149">Enter a pattern</p>';return;}
+  let s='#!/bin/bash\nCMD=$(cat | jq -r \'.tool_input.command // empty\' 2>/dev/null)\n[ -z "$CMD" ] && exit 0\n';
+  if(action==='block') s+='echo "$CMD" | grep -qE \''+pattern+'\' && echo "BLOCKED: '+message+'" >&2 && exit 2\n';
+  else if(action==='warn') s+='echo "$CMD" | grep -qE \''+pattern+'\' && echo "WARNING: '+message+'" >&2\n';
+  else s+='echo "$CMD" | grep -qE \''+pattern+'\' && jq -n \'{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow"}}\'\n';
+  s+='exit 0';
+  el.innerHTML='<h3>Script</h3><pre>'+esc(s)+'</pre><p style="font-size:.75rem;color:#8b949e">Save as ~/.claude/hooks/custom.sh, chmod +x, add to settings.json</p>';
+}
+// COOKBOOK
+const RECIPES=[
+  {cat:'block',t:'Block rm -rf',d:'Destructive commands (#36339)',code:'CMD=$(cat|jq -r \'.tool_input.command // empty\')\n[ -z "$CMD" ] && exit 0\necho "$CMD"|grep -qE \'rm\\s+(-[rf]+\\s+)*/\' && echo "BLOCKED" >&2 && exit 2\nexit 0',trigger:'PreToolUse'},
+  {cat:'block',t:'Block force push',d:'Branch protection',code:'CMD=$(cat|jq -r \'.tool_input.command // empty\')\n[ -z "$CMD" ] && exit 0\necho "$CMD"|grep -qE \'git\\s+push.*--force\' && echo "BLOCKED" >&2 && exit 2\nexit 0',trigger:'PreToolUse'},
+  {cat:'block',t:'Block .env staging',d:'Secret leak prevention (#6527)',code:'CMD=$(cat|jq -r \'.tool_input.command // empty\')\n[ -z "$CMD" ] && exit 0\necho "$CMD"|grep -qiE \'git\\s+add.*\\.env\' && echo "BLOCKED" >&2 && exit 2\nexit 0',trigger:'PreToolUse'},
+  {cat:'block',t:'Block database wipe',d:'migrate:fresh, DROP DATABASE (#37405)',code:'CMD=$(cat|jq -r \'.tool_input.command // empty\')\n[ -z "$CMD" ] && exit 0\necho "$CMD"|grep -qiE \'migrate:fresh|DROP\\s+DATABASE|prisma\\s+migrate\\s+reset\' && echo "BLOCKED" >&2 && exit 2\nexit 0',trigger:'PreToolUse'},
+  {cat:'approve',t:'Auto-approve git read',d:'git status/log/diff with -C flag (#36900)',code:'CMD=$(cat|jq -r \'.tool_input.command // empty\')\n[ -z "$CMD" ] && exit 0\necho "$CMD"|grep -qE \'^\\s*git\\s+(-C\\s+\\S+\\s+)?(status|log|diff|branch|show)\' && jq -n \'{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow"}}\'\nexit 0',trigger:'PreToolUse'},
+  {cat:'approve',t:'Compound commands',d:'cd && git log auto-approve (#30519)',code:'# Full: npx cc-safe-setup --install-example compound-command-approver',trigger:'PreToolUse'},
+  {cat:'detect',t:'Loop detector',d:'Break command repetition (5+ times)',code:'CMD=$(cat|jq -r \'.tool_input.command // empty\')\n[ -z "$CMD" ] && exit 0\nSTATE=/tmp/cc-loop\necho "$CMD">>$STATE\ntail -n 10 $STATE>${STATE}.tmp&&mv ${STATE}.tmp $STATE\nCOUNT=$(grep -cF "$CMD" $STATE||echo 0)\n[ "$COUNT" -ge 5 ]&&echo "BLOCKED: repeated $COUNT times" >&2&&exit 2\nexit 0',trigger:'PreToolUse'},
+  {cat:'utility',t:'Session handoff',d:'Save state for next session',code:'# npx cc-safe-setup --install-example session-handoff',trigger:'Stop'},
+  {cat:'utility',t:'Cost tracker',d:'Estimate session token cost',code:'# npx cc-safe-setup --install-example cost-tracker',trigger:'PostToolUse'},
+  {cat:'utility',t:'tmp cleanup',d:'/tmp/claude-*-cwd files (#8856)',code:'find /tmp -maxdepth 1 -name \'claude-*-cwd\' -type f -mmin +60 -delete 2>/dev/null\nexit 0',trigger:'Stop'},
+];
+function initCookbook() {
+  const cats=['all','block','approve','detect','utility'];
+  document.getElementById('cb-filters').innerHTML=cats.map(c=>'<button class="filter'+(c==='all'?' active':'')+'" onclick="setCbFilter(\''+c+'\')">'+c+'</button>').join('');
+  filterRecipes();
+}
+let cbFilter='all';
+function setCbFilter(f){cbFilter=f;document.querySelectorAll('#cb-filters .filter').forEach(b=>b.classList.toggle('active',b.textContent===f));filterRecipes();}
+function filterRecipes(){
+  const q=(document.getElementById('cb-search')?.value||'').toLowerCase();
+  const filtered=RECIPES.filter(r=>(cbFilter==='all'||r.cat===cbFilter)&&(!q||r.t.toLowerCase().includes(q)||r.d.toLowerCase().includes(q)||(r.code||'').toLowerCase().includes(q)));
+  document.getElementById('cb-count').textContent=filtered.length+' recipe(s)';
+  document.getElementById('cb-list').innerHTML=filtered.map(r=>'<details class="recipe"><summary>'+esc(r.t)+' <span style="color:#484f58;font-size:.7rem">['+r.trigger+']</span></summary><div class="recipe-body"><p style="color:#8b949e;font-size:.8rem">'+esc(r.d)+'</p>'+(r.code?'<pre>'+esc(r.code)+'</pre>':'')+'</div></details>').join('');
+}
+function esc(s){return(s||'').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;');}
+// URL param
+(function(){const p=new URLSearchParams(location.search);const c=p.get('config');if(c){try{document.getElementById('settings').value=atob(c);runAudit();}catch{}}})();
+initCookbook();
+</script>
+</body>
+</html>

package/examples/env-source-guard.sh ADDED Viewed

@@ -0,0 +1,51 @@
+#!/bin/bash
+# ================================================================
+# env-source-guard.sh — Block sourcing .env into shell environment
+# ================================================================
+# PURPOSE:
+#   Claude Code sometimes sources .env files directly into bash,
+#   causing environment variables to leak across commands.
+#   This caused a Laravel test suite to use development database
+#   instead of test database, wiping real data.
+#
+#   GitHub #401 (54 reactions)
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# WHAT IT BLOCKS:
+#   - source .env
+#   - . .env
+#   - source .env.local
+#   - export $(cat .env)
+#
+# WHAT IT ALLOWS:
+#   - Reading .env with cat (no sourcing)
+#   - Framework commands that load env properly
+# ================================================================
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+if [[ -z "$COMMAND" ]]; then
+    exit 0
+fi
+# Block direct sourcing of .env files
+if echo "$COMMAND" | grep -qE '(source|\.\s)\s+\.env'; then
+    echo "BLOCKED: Sourcing .env into shell environment." >&2
+    echo "Command: $COMMAND" >&2
+    echo "" >&2
+    echo "This loads all variables into the shell, affecting subsequent commands." >&2
+    echo "Use your framework's env loader (dotenv, etc.) instead." >&2
+    exit 2
+fi
+# Block export $(cat .env) pattern
+if echo "$COMMAND" | grep -qE 'export\s+\$\(cat\s+\.env'; then
+    echo "BLOCKED: Exporting .env contents into shell." >&2
+    echo "Command: $COMMAND" >&2
+    exit 2
+fi
+exit 0

package/index.mjs CHANGED Viewed

@@ -85,6 +85,7 @@ const DIFF_FILE = DIFF_IDX !== -1 ? process.argv[DIFF_IDX + 1] : null;
 const SHARE = process.argv.includes('--share');
 const BENCHMARK = process.argv.includes('--benchmark');
 const DASHBOARD = process.argv.includes('--dashboard');
+const ISSUES = process.argv.includes('--issues');
 const CREATE_IDX = process.argv.findIndex(a => a === '--create');
 const CREATE_DESC = CREATE_IDX !== -1 ? process.argv.slice(CREATE_IDX + 1).join(' ') : null;
@@ -106,6 +107,7 @@ if (HELP) {
     npx cc-safe-setup --audit --json  Machine-readable output for CI/CD
     npx cc-safe-setup --scan       Detect tech stack, recommend hooks
     npx cc-safe-setup --learn      Learn from your block history
+    npx cc-safe-setup --issues        Show GitHub Issues each hook addresses
     npx cc-safe-setup --dashboard     Real-time status dashboard
     npx cc-safe-setup --benchmark     Measure hook execution time
     npx cc-safe-setup --share         Generate shareable URL for your setup
@@ -374,9 +376,18 @@ function examples() {
   console.log();
   for (const [cat, hooks] of Object.entries(CATEGORIES)) {
-    if (filter && !cat.toLowerCase().includes(filter)) continue;
+    // Filter by category name OR hook name/description
+    const filteredHooks = filter
+      ? Object.entries(hooks).filter(([file, desc]) =>
+          cat.toLowerCase().includes(filter) ||
+          file.toLowerCase().includes(filter) ||
+          desc.toLowerCase().includes(filter))
+      : Object.entries(hooks);
+    if (filteredHooks.length === 0) continue;
     console.log('  ' + c.bold + c.blue + cat + c.reset);
-    for (const [file, desc] of Object.entries(hooks)) {
+    for (const [file, desc] of filteredHooks) {
       console.log('  ' + c.green + '*' + c.reset + ' ' + c.bold + file + c.reset);
       console.log('    ' + c.dim + desc + c.reset);
     }
@@ -796,71 +807,236 @@ async function fullSetup() {
   console.log();
 }
+function issues() {
+  // Map hooks to the GitHub Issues they address
+  const ISSUE_MAP = [
+    { hook: 'destructive-guard', issues: ['#36339 rm -rf NTFS junction (93r)', '#36640 NFS mount deletion', '#37331 PowerShell Remove-Item (13r)', '#36233 Mac filesystem deleted (67r)'] },
+    { hook: 'branch-guard', issues: ['Untested code pushed to main at 3am'] },
+    { hook: 'secret-guard', issues: ['#6527 .env committed to public repo (94r)'] },
+    { hook: 'syntax-check', issues: ['Syntax errors cascading through 30+ files'] },
+    { hook: 'context-monitor', issues: ['Sessions dying at 3% context with no warning'] },
+    { hook: 'comment-strip', issues: ['#29582 Bash comments break permissions (18r)'] },
+    { hook: 'cd-git-allow', issues: ['#32985 cd+git permission spam (9r)', '#16561 Compound commands (101r)'] },
+    { hook: 'api-error-alert', issues: ['Sessions silently dying from rate limits'] },
+    { hook: 'block-database-wipe', issues: ['#37405 Database destroyed (0r)', '#34729 Prisma migrate reset data loss'] },
+    { hook: 'compound-command-approver', issues: ['#30519 Permission matching broken (53r)', '#16561 Parse compound commands (101r)'] },
+    { hook: 'case-sensitive-guard', issues: ['#37875 exFAT case collision (0r)'] },
+    { hook: 'tmp-cleanup', issues: ['#8856 /tmp/claude-*-cwd leak (67r)', '#17609 tmp files not cleaned (29r)'] },
+    { hook: 'loop-detector', issues: ['Command repetition loops wasting context'] },
+    { hook: 'session-handoff', issues: ['#17428 Enhanced /compact (104r)', '#6354 CLAUDE.md lost after compact (27r)'] },
+    { hook: 'cost-tracker', issues: ['No visibility into session token costs'] },
+    { hook: 'deploy-guard', issues: ['#37314 Deploy without commit'] },
+    { hook: 'protect-dotfiles', issues: ['#37478 .bashrc destroyed (3r)'] },
+    { hook: 'scope-guard', issues: ['#36233 Files deleted outside project (67r)'] },
+    { hook: 'env-source-guard', issues: ['#401 .env loaded into bash environment (54r)'] },
+    { hook: 'diff-size-guard', issues: ['Unreviable mega-commits'] },
+    { hook: 'dependency-audit', issues: ['Supply chain risk from unknown packages'] },
+    { hook: 'read-before-edit', issues: ['old_string mismatch from editing unread files'] },
+  ];
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --issues' + c.reset);
+  console.log(c.dim + '  Which GitHub Issues each hook addresses' + c.reset);
+  console.log();
+  let totalIssues = 0;
+  for (const entry of ISSUE_MAP) {
+    console.log('  ' + c.green + entry.hook + c.reset);
+    for (const issue of entry.issues) {
+      const isLink = issue.startsWith('#');
+      if (isLink) {
+        const num = issue.match(/#(\d+)/)?.[1];
+        console.log('    ' + c.dim + 'https://github.com/anthropics/claude-code/issues/' + num + c.reset);
+        console.log('    ' + issue.replace(/#\d+\s*/, ''));
+      } else {
+        console.log('    ' + c.dim + issue + c.reset);
+      }
+      totalIssues++;
+    }
+    console.log();
+  }
+  console.log(c.bold + '  ' + ISSUE_MAP.length + ' hooks addressing ' + totalIssues + ' issues/problems' + c.reset);
+  console.log();
+}
 async function dashboard() {
-  const { createReadStream, watchFile } = await import('fs');
-  const { createInterface: createRL } = await import('readline');
+  const fsModule = await import('fs');
   const BLOCK_LOG = join(HOME, '.claude', 'blocked-commands.log');
+  const ERROR_LOG = join(HOME, '.claude', 'session-errors.log');
   const COST_FILE = '/tmp/cc-cost-tracker-calls';
   const CONTEXT_FILE = '/tmp/cc-context-pct';
+  const HANDOFF_FILE = join(HOME, '.claude', 'session-handoff.md');
+  const W = 60; // dashboard width
   const clear = () => process.stdout.write('\x1b[2J\x1b[H');
-  // Count hooks
-  let hookCount = 0;
-  let exampleCount = 0;
+  // ANSI box drawing helpers
+  const box = {
+    tl: '┌', tr: '┐', bl: '└', br: '┘',
+    h: '─', v: '│', lt: '├', rt: '┤',
+  };
+  function hline(left, right, w) { return left + box.h.repeat(w - 2) + right; }
+  function pad(text, w) {
+    const stripped = text.replace(/\x1b\[[0-9;]*m/g, '');
+    const padding = Math.max(0, w - 2 - stripped.length);
+    return box.v + ' ' + text + ' '.repeat(padding) + box.v;
+  }
+  function progressBar(pct, w, filledColor, emptyColor) {
+    const barW = w - 2;
+    const filled = Math.round(pct / 100 * barW);
+    return filledColor + '█'.repeat(filled) + emptyColor + '░'.repeat(barW - filled) + c.reset;
+  }
+  function sparkline(values, w) {
+    const chars = ' ▁▂▃▄▅▆▇';
+    const max = Math.max(...values, 1);
+    return values.slice(-w).map(v => chars[Math.min(7, Math.round(v / max * 7))]).join('');
+  }
+  // Collect hook info
+  let hooksByTrigger = {};
+  let totalHooks = 0;
+  let scriptCount = 0;
   if (existsSync(SETTINGS_PATH)) {
     try {
       const s = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8'));
-      for (const entries of Object.values(s.hooks || {})) {
-        hookCount += entries.reduce((n, e) => n + (e.hooks || []).length, 0);
+      for (const [trigger, entries] of Object.entries(s.hooks || {})) {
+        const count = entries.reduce((n, e) => n + (e.hooks || []).length, 0);
+        hooksByTrigger[trigger] = count;
+        totalHooks += count;
       }
     } catch {}
   }
-  exampleCount = existsSync(join(HOOKS_DIR)) ?
-    (await import('fs')).readdirSync(HOOKS_DIR).filter(f => f.endsWith('.sh')).length : 0;
+  if (existsSync(HOOKS_DIR)) {
+    scriptCount = fsModule.readdirSync(HOOKS_DIR).filter(f => f.endsWith('.sh')).length;
+  }
+  // Audit score (cached)
+  let auditScore = '?';
+  try {
+    // Quick inline audit
+    let risks = 0;
+    const s = existsSync(SETTINGS_PATH) ? JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8')) : {};
+    const pre = s.hooks?.PreToolUse || [];
+    const post = s.hooks?.PostToolUse || [];
+    if (pre.length === 0) risks += 30;
+    const allCmds = JSON.stringify(pre).toLowerCase();
+    if (!allCmds.match(/destructive|guard|rm.*rf/)) risks += 20;
+    if (!allCmds.match(/branch|push|main/)) risks += 20;
+    if (!allCmds.match(/secret|env|credential/)) risks += 20;
+    if (post.length === 0) risks += 10;
+    auditScore = Math.max(0, 100 - risks);
+  } catch {}
   function render() {
     clear();
-    // Header
-    console.log(c.bold + '  cc-safe-setup --dashboard' + c.reset + '  ' + c.dim + new Date().toLocaleTimeString() + c.reset);
-    console.log('  ' + '─'.repeat(50));
-    // Status row
-    const context = existsSync(CONTEXT_FILE) ? readFileSync(CONTEXT_FILE, 'utf-8').trim() + '%' : '?';
-    const calls = existsSync(COST_FILE) ? readFileSync(COST_FILE, 'utf-8').trim() : '0';
-    const cost = (parseInt(calls) * 0.105).toFixed(2);
+    const now = new Date();
+    const timeStr = now.toLocaleTimeString();
+    const dateStr = now.toLocaleDateString();
-    console.log('  Hooks: ' + c.green + hookCount + c.reset + ' registered  |  Scripts: ' + exampleCount);
-    console.log('  Context: ' + c.yellow + context + c.reset + '  |  Cost: ~$' + cost + ' (' + calls + ' calls)');
-    console.log('  ' + '─'.repeat(50));
+    // Read live data
+    const contextPct = existsSync(CONTEXT_FILE) ? parseInt(readFileSync(CONTEXT_FILE, 'utf-8').trim()) || 0 : -1;
+    const toolCalls = existsSync(COST_FILE) ? parseInt(readFileSync(COST_FILE, 'utf-8').trim()) || 0 : 0;
+    const costEst = (toolCalls * 0.105).toFixed(2);
-    // Recent blocks
-    console.log(c.bold + '  Recent Blocks' + c.reset);
+    // Parse block log
+    let blocks = [];
+    let blocksByHour = new Array(24).fill(0);
+    let blockReasons = {};
     if (existsSync(BLOCK_LOG)) {
       const lines = readFileSync(BLOCK_LOG, 'utf-8').split('\n').filter(l => l.trim());
-      const recent = lines.slice(-5);
-      for (const line of recent) {
-        const m = line.match(/^\[([^\]]+)\]\s*BLOCKED:\s*(.+?)\s*\|/);
+      for (const line of lines) {
+        const m = line.match(/^\[([^\]]+)\]\s*BLOCKED:\s*(.+?)\s*\|\s*cmd:\s*(.+)$/);
         if (m) {
-          const time = m[1].replace(/T/, ' ').replace(/\+.*/, '').slice(11, 16);
-          console.log('  ' + c.dim + time + c.reset + '  ' + c.red + m[2].trim() + c.reset);
+          const hour = new Date(m[1]).getHours();
+          if (!isNaN(hour)) blocksByHour[hour]++;
+          const reason = m[2].trim();
+          blockReasons[reason] = (blockReasons[reason] || 0) + 1;
+          blocks.push({ time: m[1], reason, cmd: m[3].trim() });
         }
       }
-      if (recent.length === 0) console.log(c.dim + '  (none)' + c.reset);
+    }
+    const totalBlocks = blocks.length;
+    const todayBlocks = blocks.filter(b => b.time.startsWith(dateStr.split('/').reverse().join('-'))).length;
+    // === RENDER ===
+    console.log(hline(box.tl, box.tr, W));
+    console.log(pad(c.bold + 'cc-safe-setup dashboard' + c.reset + '  ' + c.dim + timeStr + c.reset, W));
+    console.log(hline(box.lt, box.rt, W));
+    // Status panel
+    const scoreColor = auditScore >= 80 ? c.green : auditScore >= 50 ? c.yellow : c.red;
+    const grade = auditScore >= 80 ? 'A' : auditScore >= 60 ? 'B' : auditScore >= 40 ? 'C' : 'F';
+    console.log(pad('Score: ' + scoreColor + auditScore + '/100' + c.reset + ' (Grade ' + grade + ')  Hooks: ' + c.green + totalHooks + c.reset + '  Scripts: ' + scriptCount, W));
+    // Context bar
+    if (contextPct >= 0) {
+      const ctxColor = contextPct > 40 ? c.green : contextPct > 20 ? c.yellow : c.red;
+      console.log(pad('Context: ' + ctxColor + contextPct + '%' + c.reset + ' ' + progressBar(contextPct, 30, ctxColor, c.dim), W));
     } else {
-      console.log(c.dim + '  (no log yet)' + c.reset);
+      console.log(pad('Context: ' + c.dim + 'unknown' + c.reset, W));
+    }
+    // Cost
+    console.log(pad('Cost: ~$' + costEst + ' (' + toolCalls + ' tool calls, Opus)', W));
+    console.log(pad('Blocks: ' + c.red + totalBlocks + c.reset + ' total  |  Today: ' + todayBlocks, W));
+    // Hooks by trigger
+    console.log(hline(box.lt, box.rt, W));
+    console.log(pad(c.bold + 'Hooks by Trigger' + c.reset, W));
+    for (const [trigger, count] of Object.entries(hooksByTrigger)) {
+      const bar = '█'.repeat(Math.min(count, 20));
+      console.log(pad(c.dim + trigger.padEnd(18) + c.reset + c.blue + bar + c.reset + ' ' + count, W));
+    }
+    // Hourly activity sparkline
+    console.log(hline(box.lt, box.rt, W));
+    console.log(pad(c.bold + 'Block Activity (24h)' + c.reset, W));
+    console.log(pad(c.yellow + sparkline(blocksByHour, 24) + c.reset + '  ' + c.dim + '0h' + ' '.repeat(20) + '23h' + c.reset, W));
+    // Top block reasons
+    console.log(hline(box.lt, box.rt, W));
+    console.log(pad(c.bold + 'Top Block Reasons' + c.reset, W));
+    const sortedReasons = Object.entries(blockReasons).sort((a, b) => b[1] - a[1]).slice(0, 5);
+    const maxR = sortedReasons[0]?.[1] || 1;
+    for (const [reason, count] of sortedReasons) {
+      const bar = '▓'.repeat(Math.ceil(count / maxR * 15));
+      console.log(pad(c.red + bar + c.reset + ' ' + count + ' ' + c.dim + reason.slice(0, 25) + c.reset, W));
+    }
+    if (sortedReasons.length === 0) {
+      console.log(pad(c.dim + '(no blocks recorded)' + c.reset, W));
+    }
+    // Recent blocks
+    console.log(hline(box.lt, box.rt, W));
+    console.log(pad(c.bold + 'Recent Blocks' + c.reset, W));
+    const recent = blocks.slice(-5);
+    for (const b of recent) {
+      const time = b.time.replace(/T/, ' ').replace(/\+.*/, '').slice(11, 16);
+      console.log(pad(c.dim + time + c.reset + ' ' + c.red + b.reason.slice(0, 35) + c.reset, W));
+    }
+    if (recent.length === 0) console.log(pad(c.dim + '(none)' + c.reset, W));
+    // Session errors
+    let errorCount = 0;
+    if (existsSync(ERROR_LOG)) {
+      errorCount = readFileSync(ERROR_LOG, 'utf-8').split('\n').filter(l => l.trim()).length;
+    }
+    if (errorCount > 0) {
+      console.log(hline(box.lt, box.rt, W));
+      console.log(pad(c.yellow + 'Session errors: ' + errorCount + c.reset, W));
     }
-    console.log('  ' + '─'.repeat(50));
+    console.log(hline(box.bl, box.br, W));
     console.log(c.dim + '  Refreshing every 3s. Ctrl+C to exit.' + c.reset);
   }
   render();
   setInterval(render, 3000);
-  // Keep alive
   await new Promise(() => {});
 }
@@ -2151,6 +2327,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (ISSUES) return issues();
   if (DASHBOARD) return dashboard();
   if (BENCHMARK) return benchmark();
   if (SHARE) return share();

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "4.0.3",
-  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in + 38 examples. 22 commands including dashboard, create, audit, lint, diff, benchmark. 2,500+ daily npm downloads.",
+  "version": "5.1.0",
+  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in + 39 examples. 23 commands including dashboard, issues, create, audit, lint, diff. 260 tests. 2,500+ daily npm downloads.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"