cc-safe-setup 6.3.1 → 7.1.0

package/README.md

@@ -64,6 +64,37 @@ Claude Code ships with no safety hooks by default. This tool fixes that.
 
 Each hook exists because a real incident happened without it.
 
+## All 26 Commands
+
+| Command | What It Does |
+|---------|-------------|
+| `npx cc-safe-setup` | Install 8 safety hooks |
+| `--create "desc"` | Generate hook from plain English |
+| `--audit [--fix\|--json\|--badge]` | Safety score 0-100 |
+| `--lint` | Static analysis of config |
+| `--diff <file>` | Compare settings |
+| `--compare <a> <b>` | Side-by-side hook comparison |
+| `--migrate` | Detect hooks from other projects |
+| `--generate-ci` | Create GitHub Actions workflow |
+| `--share` | Generate shareable URL |
+| `--benchmark` | Measure hook speed |
+| `--dashboard` | Real-time terminal UI |
+| `--issues` | GitHub Issues each hook addresses |
+| `--doctor` | Diagnose hook problems |
+| `--watch` | Live blocked command feed |
+| `--stats` | Block history analytics |
+| `--learn [--apply]` | Pattern learning |
+| `--scan [--apply]` | Tech stack detection |
+| `--export / --import` | Team config sharing |
+| `--verify` | Test each hook |
+| `--install-example <name>` | Install from 51 examples |
+| `--examples [filter]` | Browse examples by keyword |
+| `--full` | All-in-one setup |
+| `--status` | Check installed hooks |
+| `--dry-run` | Preview changes |
+| `--uninstall` | Remove all hooks |
+| `--help` | Show help |
+
 ## How It Works
 
 1. Writes hook scripts to `~/.claude/hooks/`

package/examples/auto-approve-cargo.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# auto-approve-cargo.sh — Auto-approve Rust cargo commands
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '^\s*cargo\s+(build|test|check|clippy|fmt|run|bench|doc|clean)(\s|$)'; then
+    jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":"cargo command auto-approved"}}'
+fi
+exit 0

package/examples/auto-approve-go.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# auto-approve-go.sh — Auto-approve Go build/test/vet commands
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '^\s*go\s+(build|test|vet|fmt|mod|run|generate|install|clean)(\s|$)'; then
+    jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":"go command auto-approved"}}'
+fi
+exit 0

package/examples/auto-approve-gradle.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# auto-approve-gradle.sh — Auto-approve Gradle build/test commands
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '^\s*(gradle|gradlew|./gradlew)\s+(build|test|check|assemble|clean|compileJava|compileKotlin|lint)(\s|$)'; then
+    jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":"gradle command auto-approved"}}'
+fi
+exit 0

package/examples/auto-approve-make.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# auto-approve-make.sh — Auto-approve common Make targets
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '^\s*make\s+(build|test|lint|format|check|clean|install|all|dev|start|run)(\s|$)'; then
+    jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":"make target auto-approved"}}'
+fi
+exit 0

package/examples/auto-approve-maven.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# auto-approve-maven.sh — Auto-approve Maven build/test commands
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '^\s*(mvn|mvnw|./mvnw)\s+(compile|test|verify|package|clean|install)(\s|$)'; then
+    jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":"maven command auto-approved"}}'
+fi
+exit 0

package/examples/max-line-length-check.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# max-line-length-check.sh — Warn on lines exceeding max length after edit
+# TRIGGER: PostToolUse  MATCHER: "Edit|Write"
+FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] || [ ! -f "$FILE" ] && exit 0
+MAX="${CC_MAX_LINE_LENGTH:-120}"
+LONG=$(awk -v max="$MAX" 'length > max {count++} END {print count+0}' "$FILE" 2>/dev/null)
+[ "$LONG" -gt 0 ] && echo "NOTE: $FILE has $LONG lines exceeding $MAX characters." >&2
+exit 0

package/examples/no-deploy-friday.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# no-deploy-friday.sh — Block deploys on Fridays
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# "Don't deploy on Friday" — every ops team ever
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+DOW=$(date +%u)  # 5 = Friday
+if [ "$DOW" = "5" ]; then
+    if echo "$COMMAND" | grep -qiE '(deploy|firebase|vercel|netlify|fly\s+deploy|heroku|aws\s+s3\s+sync|kubectl\s+apply|docker\s+push)'; then
+        echo "BLOCKED: No deploys on Friday." >&2
+        echo "Come back Monday." >&2
+        exit 2
+    fi
+fi
+exit 0

package/examples/python/README.md

@@ -0,0 +1,28 @@
+# Python Hook Examples
+
+Same functionality as the bash hooks, written in Python.
+
+| Hook | What It Does |
+|------|-------------|
+| [destructive_guard.py](destructive_guard.py) | Block rm -rf, git reset --hard, PowerShell destructive |
+| [secret_guard.py](secret_guard.py) | Block git add .env, credential files |
+
+## Usage
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [{
+      "matcher": "Bash",
+      "hooks": [{"type": "command", "command": "python3 /path/to/destructive_guard.py"}]
+    }]
+  }
+}
+```
+
+## Why Python?
+
+- Easier to extend with complex logic
+- Better string handling for pattern matching
+- Familiar to Python developers
+- Same exit code convention: 0=allow, 2=block

package/examples/python/destructive_guard.py

@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+"""Destructive Command Guard — Python version.
+
+Blocks rm -rf on sensitive paths, git reset --hard, git clean -fd,
+PowerShell Remove-Item, and sudo with dangerous commands.
+
+Usage in settings.json:
+{
+    "hooks": {
+        "PreToolUse": [{
+            "matcher": "Bash",
+            "hooks": [{"type": "command", "command": "python3 /path/to/destructive_guard.py"}]
+        }]
+    }
+}
+"""
+
+import json
+import re
+import sys
+
+def main():
+    try:
+        data = json.load(sys.stdin)
+    except (json.JSONDecodeError, EOFError):
+        sys.exit(0)
+
+    command = data.get("tool_input", {}).get("command", "")
+    if not command:
+        sys.exit(0)
+
+    # rm -rf on sensitive paths
+    if re.search(r'rm\s+(-[rf]+\s+)*(\/|~|\.\.\/)', command):
+        safe_dirs = {"node_modules", "dist", "build", ".cache", "__pycache__", "coverage"}
+        if not any(command.rstrip().endswith(d) for d in safe_dirs):
+            block("rm on sensitive path detected")
+
+    # git reset --hard
+    if re.search(r'(^|;|&&)\s*git\s+reset\s+--hard', command):
+        block("git reset --hard discards all uncommitted changes")
+
+    # git clean -fd
+    if re.search(r'(^|;|&&)\s*git\s+clean\s+-[a-z]*[fd]', command):
+        block("git clean removes untracked files permanently")
+
+    # git checkout/switch --force
+    if re.search(r'(^|;|&&)\s*git\s+(checkout|switch)\s+.*(--force|-f\b)', command):
+        block("git checkout --force discards uncommitted changes")
+
+    # PowerShell destructive
+    if re.search(r'Remove-Item.*-Recurse.*-Force|rd\s+/s\s+/q', command, re.IGNORECASE):
+        block("Destructive PowerShell command detected")
+
+    # sudo with dangerous commands
+    if re.search(r'^\s*sudo\s+(rm\s+-[rf]|chmod\s+(-R\s+)?777|dd\s+if=|mkfs)', command):
+        block("sudo with dangerous command detected")
+
+    sys.exit(0)
+
+def block(reason):
+    print(f"BLOCKED: {reason}", file=sys.stderr)
+    sys.exit(2)
+
+if __name__ == "__main__":
+    main()

package/examples/python/secret_guard.py

@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+"""Secret Leak Prevention — Python version.
+
+Blocks git add .env, credential files, and git add . with .env present.
+
+Usage in settings.json:
+{
+    "hooks": {
+        "PreToolUse": [{
+            "matcher": "Bash",
+            "hooks": [{"type": "command", "command": "python3 /path/to/secret_guard.py"}]
+        }]
+    }
+}
+"""
+
+import json
+import os
+import re
+import sys
+
+def main():
+    try:
+        data = json.load(sys.stdin)
+    except (json.JSONDecodeError, EOFError):
+        sys.exit(0)
+
+    command = data.get("tool_input", {}).get("command", "")
+    if not command or not re.search(r'^\s*git\s+add', command):
+        sys.exit(0)
+
+    # Direct .env staging
+    if re.search(r'git\s+add\s+.*\.env(\s|$|\.)', command, re.IGNORECASE):
+        block(".env file staging — add to .gitignore instead")
+
+    # Credential files
+    patterns = [r'credentials', r'\.pem$', r'\.key$', r'\.p12$', r'id_rsa', r'id_ed25519']
+    for p in patterns:
+        if re.search(rf'git\s+add\s+.*{p}', command, re.IGNORECASE):
+            block("Credential/key file — never commit these")
+
+    # git add . with .env present
+    if re.search(r'git\s+add\s+(-A|--all|\.)\s*$', command):
+        if os.path.exists(".env") or os.path.exists(".env.local"):
+            block("git add . with .env present — stage specific files instead")
+
+    sys.exit(0)
+
+def block(reason):
+    print(f"BLOCKED: {reason}", file=sys.stderr)
+    sys.exit(2)
+
+if __name__ == "__main__":
+    main()

package/examples/require-issue-ref.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# require-issue-ref.sh — Warn when commit message lacks issue reference
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '^\s*git\s+commit'; then
+    MSG=$(echo "$COMMAND" | grep -oP "\-m\s+['\"]?\K[^'\"]+")
+    if [ -n "$MSG" ]; then
+        if ! echo "$MSG" | grep -qE '#[0-9]+|[A-Z]+-[0-9]+'; then
+            echo "WARNING: Commit message has no issue reference (#123 or PROJ-123)." >&2
+            echo "Consider linking to an issue for traceability." >&2
+        fi
+    fi
+fi
+exit 0

package/examples/work-hours-guard.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# ================================================================
+# work-hours-guard.sh — Restrict risky operations outside work hours
+# ================================================================
+# PURPOSE:
+#   During off-hours (nights/weekends), block high-risk operations
+#   that a human should review. Safe read-only ops still pass.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# CONFIGURATION:
+#   CC_WORK_START=9   (default: 9am)
+#   CC_WORK_END=18    (default: 6pm)
+#   CC_WORK_DAYS=12345 (default: Mon-Fri, 1=Mon 7=Sun)
+# ================================================================
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+HOUR=$(date +%H)
+DOW=$(date +%u)  # 1=Monday, 7=Sunday
+
+START="${CC_WORK_START:-9}"
+END="${CC_WORK_END:-18}"
+DAYS="${CC_WORK_DAYS:-12345}"
+
+# Check if within work hours
+IN_HOURS=0
+if echo "$DAYS" | grep -q "$DOW"; then
+    if [ "$HOUR" -ge "$START" ] && [ "$HOUR" -lt "$END" ]; then
+        IN_HOURS=1
+    fi
+fi
+
+# During work hours, allow everything
+[ "$IN_HOURS" = "1" ] && exit 0
+
+# Outside work hours, block high-risk operations
+if echo "$COMMAND" | grep -qE 'git\s+push|deploy|npm\s+publish|docker\s+push'; then
+    echo "BLOCKED: High-risk operation outside work hours ($HOUR:00)." >&2
+    echo "Command: $COMMAND" >&2
+    echo "Work hours: ${START}:00-${END}:00 (days: $DAYS)" >&2
+    exit 2
+fi
+
+exit 0

package/index.mjs

@@ -88,6 +88,7 @@ const DASHBOARD = process.argv.includes('--dashboard');
 const ISSUES = process.argv.includes('--issues');
 const MIGRATE = process.argv.includes('--migrate');
 const GENERATE_CI = process.argv.includes('--generate-ci');
+const REPORT = process.argv.includes('--report');
 const COMPARE_IDX = process.argv.findIndex(a => a === '--compare');
 const COMPARE = COMPARE_IDX !== -1 ? { a: process.argv[COMPARE_IDX + 1], b: process.argv[COMPARE_IDX + 2] } : null;
 const CREATE_IDX = process.argv.findIndex(a => a === '--create');
@@ -828,6 +829,70 @@ async function fullSetup() {
   console.log();
 }
 
+async function report() {
+  // Generate markdown safety report
+  let hookCount = 0;
+  let scriptCount = 0;
+  let auditScore = 0;
+
+  if (existsSync(SETTINGS_PATH)) {
+    try {
+      const s = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8'));
+      for (const entries of Object.values(s.hooks || {})) {
+        hookCount += entries.reduce((n, e) => n + (e.hooks || []).length, 0);
+      }
+      // Quick audit
+      let risks = 0;
+      const pre = s.hooks?.PreToolUse || [];
+      const post = s.hooks?.PostToolUse || [];
+      if (pre.length === 0) risks += 30;
+      const allCmds = JSON.stringify(pre).toLowerCase();
+      if (!allCmds.match(/destructive|guard|rm.*rf/)) risks += 20;
+      if (!allCmds.match(/branch|push|main/)) risks += 20;
+      if (!allCmds.match(/secret|env|credential/)) risks += 20;
+      if (post.length === 0) risks += 10;
+      auditScore = Math.max(0, 100 - risks);
+    } catch {}
+  }
+
+  if (existsSync(HOOKS_DIR)) {
+    const fsModule = await import('fs');
+    scriptCount = fsModule.readdirSync(HOOKS_DIR).filter(f => f.endsWith('.sh')).length;
+  }
+
+  const grade = auditScore >= 80 ? 'A' : auditScore >= 60 ? 'B' : auditScore >= 40 ? 'C' : 'F';
+  const emoji = auditScore >= 80 ? '🟢' : auditScore >= 50 ? '🟡' : '🔴';
+
+  const blockLog = join(HOME, '.claude', 'blocked-commands.log');
+  let totalBlocks = 0;
+  if (existsSync(blockLog)) {
+    totalBlocks = readFileSync(blockLog, 'utf-8').split('\n').filter(l => l.trim()).length;
+  }
+
+  const md = `## ${emoji} Claude Code Safety Report
+
+| Metric | Value |
+|--------|-------|
+| Safety Score | **${auditScore}/100** (Grade ${grade}) |
+| Hooks Registered | ${hookCount} |
+| Hook Scripts | ${scriptCount} |
+| Commands Blocked | ${totalBlocks} |
+| Generated | ${new Date().toISOString().split('T')[0]} |
+
+### Quick Actions
+- Audit: \`npx cc-safe-setup --audit\`
+- Dashboard: \`npx cc-safe-setup --dashboard\`
+- Find hooks: \`npx cc-hook-registry recommend\`
+`;
+
+  console.log(md);
+
+  // Also write to file
+  const reportPath = join(process.cwd(), 'SAFETY_REPORT.md');
+  writeFileSync(reportPath, md);
+  console.log(c.green + 'Report saved: ' + reportPath + c.reset);
+}
+
 function generateCI() {
   const workflowDir = join(process.cwd(), '.github', 'workflows');
   const workflowPath = join(workflowDir, 'claude-code-safety.yml');
@@ -2575,6 +2640,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (REPORT) return report();
   if (GENERATE_CI) return generateCI();
   if (MIGRATE) return migrate();
   if (COMPARE) return compare(COMPARE.a, COMPARE.b);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "6.3.1",
+  "version": "7.1.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {