cc-safe-setup 7.9.0 → 8.0.0

package/CLAUDE.md

@@ -0,0 +1,18 @@
+# Project Rules
+
+## Safety
+- Do not push to main/master directly
+- Do not force-push
+- Do not delete files outside this project
+- Do not commit .env or credential files
+- Run tests before committing
+
+## Code Style
+- Follow existing conventions
+- Keep functions small and focused
+- Add comments only when the logic isn't obvious
+
+## Git
+- Use descriptive commit messages
+- One logical change per commit
+- Create feature branches for new work

package/examples/commit-scope-guard.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# ================================================================
+# commit-scope-guard.sh — Warn when committing too many files
+# ================================================================
+# PURPOSE:
+#   Claude Code can modify dozens of files and commit them all at
+#   once, making the commit hard to review and revert. This hook
+#   warns when staging more than a configurable number of files.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+#
+# CONFIG:
+#   CC_MAX_COMMIT_FILES=15  (warn above 15 files)
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
+
+MAX="${CC_MAX_COMMIT_FILES:-15}"
+STAGED=$(git diff --cached --name-only 2>/dev/null | wc -l)
+
+if [ "$STAGED" -gt "$MAX" ]; then
+    echo "WARNING: Committing $STAGED files (threshold: $MAX)." >&2
+    echo "Consider splitting into smaller, focused commits." >&2
+    echo "Files:" >&2
+    git diff --cached --name-only 2>/dev/null | head -10 | sed 's/^/  /' >&2
+    [ "$STAGED" -gt 10 ] && echo "  ... and $((STAGED-10)) more" >&2
+fi
+
+exit 0

package/examples/worktree-guard.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# ================================================================
+# worktree-guard.sh — Warn when operating in a git worktree
+# ================================================================
+# PURPOSE:
+#   Git worktrees share the same .git directory. Destructive operations
+#   in one worktree (git clean, reset) can affect the main working tree.
+#   This hook warns when Claude is operating inside a worktree.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check destructive git commands
+echo "$COMMAND" | grep -qE '\bgit\s+(clean|reset|checkout\s+--|stash\s+drop)' || exit 0
+
+# Check if we're in a worktree
+GITDIR=$(git rev-parse --git-dir 2>/dev/null)
+if echo "$GITDIR" | grep -q "worktrees"; then
+    MAIN_DIR=$(git rev-parse --path-format=absolute --git-common-dir 2>/dev/null | sed 's|/.git$||')
+    echo "WARNING: You are in a git worktree." >&2
+    echo "Main working tree: $MAIN_DIR" >&2
+    echo "Destructive git operations may affect the main tree." >&2
+fi
+
+exit 0

package/index.mjs

@@ -90,6 +90,7 @@ const MIGRATE = process.argv.includes('--migrate');
 const GENERATE_CI = process.argv.includes('--generate-ci');
 const REPORT = process.argv.includes('--report');
 const QUICKFIX = process.argv.includes('--quickfix');
+const SHIELD = process.argv.includes('--shield');
 const COMPARE_IDX = process.argv.findIndex(a => a === '--compare');
 const COMPARE = COMPARE_IDX !== -1 ? { a: process.argv[COMPARE_IDX + 1], b: process.argv[COMPARE_IDX + 2] } : null;
 const CREATE_IDX = process.argv.findIndex(a => a === '--create');
@@ -125,6 +126,7 @@ if (HELP) {
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
+    npx cc-safe-setup --shield     Maximum safety in one command (fix + scan + install + CLAUDE.md)
     npx cc-safe-setup --quickfix   Auto-detect and fix common Claude Code problems
     npx cc-safe-setup --stats      Block statistics and patterns report
     npx cc-safe-setup --export     Export hooks config for team sharing
@@ -831,6 +833,210 @@ async function fullSetup() {
   console.log();
 }
 
+async function shield() {
+  const { execSync } = await import('child_process');
+  const { readdirSync } = await import('fs');
+  console.log();
+  console.log(c.bold + '  🛡️  cc-safe-setup --shield' + c.reset);
+  console.log(c.dim + '  Maximum safety in one command' + c.reset);
+  console.log();
+
+  // Step 1: Fix environment issues
+  console.log(c.bold + '  Step 1: Fix environment' + c.reset);
+  await quickfix();
+
+  // Step 2: Install core safety hooks
+  console.log();
+  console.log(c.bold + '  Step 2: Install safety hooks' + c.reset);
+  // Run the default install
+  mkdirSync(HOOKS_DIR, { recursive: true });
+  let installed = 0;
+  for (const [hookId, hookMeta] of Object.entries(HOOKS)) {
+    const hookPath = join(HOOKS_DIR, `${hookId}.sh`);
+    if (!existsSync(hookPath)) {
+      writeFileSync(hookPath, SCRIPTS[hookId]);
+      chmodSync(hookPath, 0o755);
+      installed++;
+      console.log(c.green + '  +' + c.reset + ` ${hookMeta.name}`);
+    } else {
+      console.log(c.dim + '  ✓' + c.reset + ` ${hookMeta.name} (already installed)`);
+    }
+  }
+
+  // Step 3: Detect project stack and install recommended examples
+  console.log();
+  console.log(c.bold + '  Step 3: Project-aware hooks' + c.reset);
+  const cwd = process.cwd();
+  const extras = [];
+  if (existsSync(join(cwd, 'package.json'))) {
+    extras.push('auto-approve-build');
+    try {
+      const pkg = JSON.parse(readFileSync(join(cwd, 'package.json'), 'utf-8'));
+      if (pkg.dependencies?.prisma || pkg.devDependencies?.prisma) extras.push('block-database-wipe');
+      if (pkg.scripts?.deploy) extras.push('deploy-guard');
+    } catch {}
+  }
+  if (existsSync(join(cwd, 'requirements.txt')) || existsSync(join(cwd, 'pyproject.toml'))) extras.push('auto-approve-python');
+  if (existsSync(join(cwd, 'Dockerfile'))) extras.push('auto-approve-docker');
+  if (existsSync(join(cwd, 'go.mod'))) extras.push('auto-approve-go');
+  if (existsSync(join(cwd, 'Cargo.toml'))) extras.push('auto-approve-cargo');
+  if (existsSync(join(cwd, 'Makefile'))) extras.push('auto-approve-make');
+  if (existsSync(join(cwd, '.env'))) extras.push('env-source-guard');
+
+  // Always include these for maximum safety
+  extras.push('scope-guard', 'no-sudo-guard', 'protect-claudemd');
+
+  for (const ex of extras) {
+    const exPath = join(__dirname, 'examples', `${ex}.sh`);
+    const hookPath = join(HOOKS_DIR, `${ex}.sh`);
+    if (existsSync(exPath) && !existsSync(hookPath)) {
+      copyFileSync(exPath, hookPath);
+      chmodSync(hookPath, 0o755);
+      console.log(c.green + '  +' + c.reset + ` ${ex}`);
+      installed++;
+    } else if (existsSync(hookPath)) {
+      console.log(c.dim + '  ✓' + c.reset + ` ${ex} (already installed)`);
+    }
+  }
+
+  // Step 4: Update settings.json
+  console.log();
+  console.log(c.bold + '  Step 4: Configure settings.json' + c.reset);
+  let settings = {};
+  if (existsSync(SETTINGS_PATH)) {
+    try { settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8')); } catch {}
+  }
+  if (!settings.hooks) settings.hooks = {};
+
+  // Collect all installed hooks
+  const hookFiles = existsSync(HOOKS_DIR)
+    ? readdirSync(HOOKS_DIR).filter(f => f.endsWith('.sh'))
+    : [];
+
+  // Build hook entries by trigger type
+  const preToolHooks = [];
+  const postToolHooks = [];
+  const stopHooks = [];
+
+  for (const f of hookFiles) {
+    const content = readFileSync(join(HOOKS_DIR, f), 'utf-8');
+    const cmd = `bash ${join(HOOKS_DIR, f)}`;
+
+    // Check if already in settings
+    const alreadyConfigured = JSON.stringify(settings.hooks).includes(f);
+    if (alreadyConfigured) continue;
+
+    // Determine trigger from file content
+    if (content.includes('TRIGGER: Stop') || f.includes('api-error') || f.includes('revert-helper') || f.includes('session-handoff') || f.includes('compact-reminder') || f.includes('notify') || f.includes('tmp-cleanup')) {
+      stopHooks.push({ type: 'command', command: cmd });
+    } else if (content.includes('TRIGGER: PostToolUse') || f.includes('syntax-check') || f.includes('context-monitor') || f.includes('output-length') || f.includes('error-memory') || f.includes('cost-tracker')) {
+      postToolHooks.push({ type: 'command', command: cmd });
+    } else {
+      // Default: PreToolUse
+      const matcher = (f.includes('edit-guard') || f.includes('protect-dotfiles') || f.includes('overwrite-guard') || f.includes('binary-file') || f.includes('parallel-edit') || f.includes('test-deletion') || f.includes('memory-write'))
+        ? 'Edit|Write'
+        : 'Bash';
+      preToolHooks.push({ type: 'command', command: cmd, _matcher: matcher });
+    }
+  }
+
+  // Group PreToolUse hooks by matcher
+  if (preToolHooks.length > 0) {
+    if (!settings.hooks.PreToolUse) settings.hooks.PreToolUse = [];
+    const bashHooks = preToolHooks.filter(h => h._matcher === 'Bash').map(({ _matcher, ...h }) => h);
+    const editHooks = preToolHooks.filter(h => h._matcher === 'Edit|Write').map(({ _matcher, ...h }) => h);
+    if (bashHooks.length > 0) {
+      const existing = settings.hooks.PreToolUse.find(e => e.matcher === 'Bash');
+      if (existing) {
+        const existingCmds = new Set(existing.hooks.map(h => h.command));
+        for (const h of bashHooks) {
+          if (!existingCmds.has(h.command)) existing.hooks.push(h);
+        }
+      } else {
+        settings.hooks.PreToolUse.push({ matcher: 'Bash', hooks: bashHooks });
+      }
+    }
+    if (editHooks.length > 0) {
+      const existing = settings.hooks.PreToolUse.find(e => e.matcher === 'Edit|Write');
+      if (existing) {
+        const existingCmds = new Set(existing.hooks.map(h => h.command));
+        for (const h of editHooks) {
+          if (!existingCmds.has(h.command)) existing.hooks.push(h);
+        }
+      } else {
+        settings.hooks.PreToolUse.push({ matcher: 'Edit|Write', hooks: editHooks });
+      }
+    }
+  }
+  if (postToolHooks.length > 0) {
+    if (!settings.hooks.PostToolUse) settings.hooks.PostToolUse = [];
+    const existing = settings.hooks.PostToolUse.find(e => e.matcher === '');
+    if (existing) {
+      const existingCmds = new Set(existing.hooks.map(h => h.command));
+      for (const h of postToolHooks) {
+        if (!existingCmds.has(h.command)) existing.hooks.push(h);
+      }
+    } else {
+      settings.hooks.PostToolUse.push({ matcher: '', hooks: postToolHooks });
+    }
+  }
+  if (stopHooks.length > 0) {
+    if (!settings.hooks.Stop) settings.hooks.Stop = [];
+    const existing = settings.hooks.Stop.find(e => e.matcher === '');
+    if (existing) {
+      const existingCmds = new Set(existing.hooks.map(h => h.command));
+      for (const h of stopHooks) {
+        if (!existingCmds.has(h.command)) existing.hooks.push(h);
+      }
+    } else {
+      settings.hooks.Stop.push({ matcher: '', hooks: stopHooks });
+    }
+  }
+
+  writeFileSync(SETTINGS_PATH, JSON.stringify(settings, null, 2));
+  console.log(c.green + '  ✓' + c.reset + ' settings.json updated');
+
+  // Step 5: Generate CLAUDE.md template if none exists
+  console.log();
+  console.log(c.bold + '  Step 5: CLAUDE.md' + c.reset);
+  if (!existsSync(join(cwd, 'CLAUDE.md'))) {
+    const template = `# Project Rules
+
+## Safety
+- Do not push to main/master directly
+- Do not force-push
+- Do not delete files outside this project
+- Do not commit .env or credential files
+- Run tests before committing
+
+## Code Style
+- Follow existing conventions
+- Keep functions small and focused
+- Add comments only when the logic isn't obvious
+
+## Git
+- Use descriptive commit messages
+- One logical change per commit
+- Create feature branches for new work
+`;
+    writeFileSync(join(cwd, 'CLAUDE.md'), template);
+    console.log(c.green + '  +' + c.reset + ' Created CLAUDE.md with safety rules template');
+  } else {
+    console.log(c.dim + '  ✓' + c.reset + ' CLAUDE.md already exists');
+  }
+
+  // Summary
+  console.log();
+  const totalHooks = hookFiles.length;
+  console.log(c.bold + c.green + '  🛡️  Shield activated!' + c.reset);
+  console.log(c.dim + `  ${totalHooks} hooks installed and configured.` + c.reset);
+  console.log(c.dim + '  Your Claude Code sessions are now protected.' + c.reset);
+  console.log();
+  console.log(c.dim + '  Verify: npx cc-safe-setup --verify' + c.reset);
+  console.log(c.dim + '  Status: npx cc-safe-setup --status' + c.reset);
+  console.log();
+}
+
 async function quickfix() {
   const { execSync } = await import('child_process');
   console.log();
@@ -2836,6 +3042,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (SHIELD) return shield();
   if (QUICKFIX) return quickfix();
   if (REPORT) return report();
   if (GENERATE_CI) return generateCI();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "7.9.0",
+  "version": "8.0.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {