cc-safe-setup 7.9.0 → 8.1.0

package/CLAUDE.md

@@ -0,0 +1,18 @@
+# Project Rules
+
+## Safety
+- Do not push to main/master directly
+- Do not force-push
+- Do not delete files outside this project
+- Do not commit .env or credential files
+- Run tests before committing
+
+## Code Style
+- Follow existing conventions
+- Keep functions small and focused
+- Add comments only when the logic isn't obvious
+
+## Git
+- Use descriptive commit messages
+- One logical change per commit
+- Create feature branches for new work

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 77 examples = **85 hooks**. 28 CLI commands. 423 tests. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 92 examples = **100 hooks**. 29 CLI commands. 433 tests. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup
@@ -103,6 +103,8 @@ Each hook exists because a real incident happened without it.
 
 Safe to run multiple times. Existing settings are preserved. A backup is created if settings.json can't be parsed.
 
+**Maximum safety:** `npx cc-safe-setup --shield` — one command: fix environment, install hooks, detect stack, configure settings, generate CLAUDE.md.
+
 **Preview first:** `npx cc-safe-setup --dry-run`
 
 **Check status:** `npx cc-safe-setup --status` — see which hooks are installed (exit code 1 if missing).

package/examples/backup-before-refactor.sh

@@ -0,0 +1,10 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '\bgit\s+mv\b.*\b(src|lib|app)\b'; then
+  git stash push -m "pre-refactor-backup-$(date +%s)" 2>/dev/null
+  echo "NOTE: Stashed changes as pre-refactor backup." >&2
+fi
+exit 0

package/examples/branch-naming-convention.sh

@@ -0,0 +1,13 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '\bgit\s+(checkout|switch)\s+-b\s+'; then
+  BRANCH=$(echo "$COMMAND" | grep -oE '(-b|--create)\s+(\S+)' | awk '{print $2}')
+  if [ -n "$BRANCH" ] && ! echo "$BRANCH" | grep -qE '^(feat|fix|chore|docs|test|refactor)/'; then
+    echo "WARNING: Branch '$BRANCH' doesn't follow convention." >&2
+    echo "Use: feat/, fix/, chore/, docs/, test/, refactor/" >&2
+  fi
+fi
+exit 0

package/examples/changelog-reminder.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# ================================================================
+# changelog-reminder.sh — Remind to update CHANGELOG on version bump
+# ================================================================
+# PURPOSE:
+#   When Claude bumps a version number (npm version, cargo set-version,
+#   etc.), this hook reminds to update CHANGELOG.md with the changes.
+#
+# TRIGGER: PostToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Detect version bump commands
+if echo "$COMMAND" | grep -qE '(npm\s+version|cargo\s+set-version|bump2version|poetry\s+version)'; then
+    if [ -f "CHANGELOG.md" ]; then
+        echo "REMINDER: Update CHANGELOG.md with the new version's changes." >&2
+    fi
+fi
+
+exit 0

package/examples/commit-scope-guard.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# ================================================================
+# commit-scope-guard.sh — Warn when committing too many files
+# ================================================================
+# PURPOSE:
+#   Claude Code can modify dozens of files and commit them all at
+#   once, making the commit hard to review and revert. This hook
+#   warns when staging more than a configurable number of files.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+#
+# CONFIG:
+#   CC_MAX_COMMIT_FILES=15  (warn above 15 files)
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
+
+MAX="${CC_MAX_COMMIT_FILES:-15}"
+STAGED=$(git diff --cached --name-only 2>/dev/null | wc -l)
+
+if [ "$STAGED" -gt "$MAX" ]; then
+    echo "WARNING: Committing $STAGED files (threshold: $MAX)." >&2
+    echo "Consider splitting into smaller, focused commits." >&2
+    echo "Files:" >&2
+    git diff --cached --name-only 2>/dev/null | head -10 | sed 's/^/  /' >&2
+    [ "$STAGED" -gt 10 ] && echo "  ... and $((STAGED-10)) more" >&2
+fi
+
+exit 0

package/examples/file-size-limit.sh

@@ -0,0 +1,12 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+LEN=${#CONTENT}
+MAX="${CC_MAX_FILE_SIZE:-1048576}"
+if [ "$LEN" -gt "$MAX" ]; then
+  echo "BLOCKED: File content is ${LEN} bytes (limit: ${MAX})." >&2
+  exit 2
+fi
+exit 0

package/examples/hardcoded-secret-detector.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# ================================================================
+# hardcoded-secret-detector.sh — Detect hardcoded secrets in edits
+# ================================================================
+# PURPOSE:
+#   Claude sometimes hardcodes API keys, passwords, or tokens
+#   directly into source files instead of using environment
+#   variables. This hook checks edited content for secret patterns.
+#
+# TRIGGER: PostToolUse  MATCHER: "Edit|Write"
+# ================================================================
+
+INPUT=$(cat)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+# Skip config/env files (secrets are expected there)
+case "$FILE" in
+    *.env*|*credentials*|*secret*|*.key|*.pem) exit 0 ;;
+esac
+
+FOUND=0
+
+# AWS keys (AKIA...)
+if echo "$CONTENT" | grep -qE 'AKIA[0-9A-Z]{16}'; then
+    echo "WARNING: Possible AWS access key in $FILE" >&2
+    FOUND=1
+fi
+
+# Generic API key patterns
+if echo "$CONTENT" | grep -qE "(api_key|apikey|api-key|secret_key|access_token)\s*[=:]\s*['\"][a-zA-Z0-9]{20,}['\"]"; then
+    echo "WARNING: Possible hardcoded API key in $FILE" >&2
+    FOUND=1
+fi
+
+# Password patterns
+if echo "$CONTENT" | grep -qiE "(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{8,}['\"]"; then
+    echo "WARNING: Possible hardcoded password in $FILE" >&2
+    FOUND=1
+fi
+
+# JWT tokens
+if echo "$CONTENT" | grep -qE 'eyJ[a-zA-Z0-9_-]{20,}\.eyJ[a-zA-Z0-9_-]{20,}'; then
+    echo "WARNING: Possible JWT token in $FILE" >&2
+    FOUND=1
+fi
+
+# Private keys
+if echo "$CONTENT" | grep -qE 'BEGIN (RSA |EC |DSA )?PRIVATE KEY'; then
+    echo "WARNING: Private key detected in $FILE" >&2
+    FOUND=1
+fi
+
+if [ "$FOUND" -eq 1 ]; then
+    echo "Use environment variables instead of hardcoding secrets." >&2
+fi
+
+exit 0

package/examples/license-check.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# license-check.sh — Warn when creating files without a license header
+# TRIGGER: PostToolUse  MATCHER: "Write"
+FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+case "$FILE" in *.js|*.ts|*.py|*.go|*.rs|*.java|*.rb|*.sh) ;; *) exit 0 ;; esac
+[ ! -f "$FILE" ] && exit 0
+if ! head -5 "$FILE" | grep -qiE '(license|copyright|MIT|Apache|GPL)'; then
+  if [ -f "LICENSE" ] || [ -f "LICENSE.md" ]; then
+    echo "NOTE: New source file $FILE has no license header." >&2
+  fi
+fi
+exit 0

package/examples/no-console-log.sh

@@ -0,0 +1,10 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+case "$FILE" in *.test.*|*.spec.*|*debug*) exit 0 ;; esac
+if echo "$CONTENT" | grep -qE '\bconsole\.(log|debug)\b'; then
+  echo "WARNING: console.log detected in $FILE. Use proper logging." >&2
+fi
+exit 0

package/examples/no-eval.sh

@@ -0,0 +1,9 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+if echo "$CONTENT" | grep -qE '\beval\s*\('; then
+  echo "WARNING: eval() detected in $FILE. Avoid eval for security." >&2
+fi
+exit 0

package/examples/no-todo-ship.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# no-todo-ship.sh — Block commits with TODO/FIXME/HACK markers
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
+TODOS=$(git diff --cached 2>/dev/null | grep -cE '^\+.*\b(TODO|FIXME|HACK|XXX)\b' || echo 0)
+if [ "$TODOS" -gt 0 ]; then
+  echo "WARNING: $TODOS TODO/FIXME/HACK markers in staged changes." >&2
+  echo "Resolve them before shipping, or document why they're needed." >&2
+fi
+exit 0

package/examples/no-wildcard-import.sh

@@ -0,0 +1,9 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+if echo "$CONTENT" | grep -qE '(from\s+\S+\s+import\s+\*|import\s+\*\s+from)'; then
+  echo "WARNING: Wildcard import detected. Import specific names." >&2
+fi
+exit 0

package/examples/pr-description-check.sh

@@ -0,0 +1,11 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '\bgh\s+pr\s+create\b'; then
+  if ! echo "$COMMAND" | grep -qE '\-\-body|\-b\s'; then
+    echo "WARNING: PR created without --body description." >&2
+  fi
+fi
+exit 0

package/examples/rate-limit-guard.sh

@@ -0,0 +1,15 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+STATE="/tmp/cc-rate-limit-$(echo "$PWD" | md5sum | cut -c1-8)"
+NOW=$(date +%s)
+if [ -f "$STATE" ]; then
+  LAST=$(cat "$STATE")
+  DIFF=$((NOW - LAST))
+  if [ "$DIFF" -lt 1 ]; then
+    echo "WARNING: Rapid tool calls (${DIFF}s apart). Slow down." >&2
+  fi
+fi
+echo "$NOW" > "$STATE"
+exit 0

package/examples/worktree-guard.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# ================================================================
+# worktree-guard.sh — Warn when operating in a git worktree
+# ================================================================
+# PURPOSE:
+#   Git worktrees share the same .git directory. Destructive operations
+#   in one worktree (git clean, reset) can affect the main working tree.
+#   This hook warns when Claude is operating inside a worktree.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check destructive git commands
+echo "$COMMAND" | grep -qE '\bgit\s+(clean|reset|checkout\s+--|stash\s+drop)' || exit 0
+
+# Check if we're in a worktree
+GITDIR=$(git rev-parse --git-dir 2>/dev/null)
+if echo "$GITDIR" | grep -q "worktrees"; then
+    MAIN_DIR=$(git rev-parse --path-format=absolute --git-common-dir 2>/dev/null | sed 's|/.git$||')
+    echo "WARNING: You are in a git worktree." >&2
+    echo "Main working tree: $MAIN_DIR" >&2
+    echo "Destructive git operations may affect the main tree." >&2
+fi
+
+exit 0

package/index.mjs

@@ -90,6 +90,7 @@ const MIGRATE = process.argv.includes('--migrate');
 const GENERATE_CI = process.argv.includes('--generate-ci');
 const REPORT = process.argv.includes('--report');
 const QUICKFIX = process.argv.includes('--quickfix');
+const SHIELD = process.argv.includes('--shield');
 const COMPARE_IDX = process.argv.findIndex(a => a === '--compare');
 const COMPARE = COMPARE_IDX !== -1 ? { a: process.argv[COMPARE_IDX + 1], b: process.argv[COMPARE_IDX + 2] } : null;
 const CREATE_IDX = process.argv.findIndex(a => a === '--create');
@@ -125,6 +126,7 @@ if (HELP) {
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
+    npx cc-safe-setup --shield     Maximum safety in one command (fix + scan + install + CLAUDE.md)
     npx cc-safe-setup --quickfix   Auto-detect and fix common Claude Code problems
     npx cc-safe-setup --stats      Block statistics and patterns report
     npx cc-safe-setup --export     Export hooks config for team sharing
@@ -831,6 +833,210 @@ async function fullSetup() {
   console.log();
 }
 
+async function shield() {
+  const { execSync } = await import('child_process');
+  const { readdirSync } = await import('fs');
+  console.log();
+  console.log(c.bold + '  🛡️  cc-safe-setup --shield' + c.reset);
+  console.log(c.dim + '  Maximum safety in one command' + c.reset);
+  console.log();
+
+  // Step 1: Fix environment issues
+  console.log(c.bold + '  Step 1: Fix environment' + c.reset);
+  await quickfix();
+
+  // Step 2: Install core safety hooks
+  console.log();
+  console.log(c.bold + '  Step 2: Install safety hooks' + c.reset);
+  // Run the default install
+  mkdirSync(HOOKS_DIR, { recursive: true });
+  let installed = 0;
+  for (const [hookId, hookMeta] of Object.entries(HOOKS)) {
+    const hookPath = join(HOOKS_DIR, `${hookId}.sh`);
+    if (!existsSync(hookPath)) {
+      writeFileSync(hookPath, SCRIPTS[hookId]);
+      chmodSync(hookPath, 0o755);
+      installed++;
+      console.log(c.green + '  +' + c.reset + ` ${hookMeta.name}`);
+    } else {
+      console.log(c.dim + '  ✓' + c.reset + ` ${hookMeta.name} (already installed)`);
+    }
+  }
+
+  // Step 3: Detect project stack and install recommended examples
+  console.log();
+  console.log(c.bold + '  Step 3: Project-aware hooks' + c.reset);
+  const cwd = process.cwd();
+  const extras = [];
+  if (existsSync(join(cwd, 'package.json'))) {
+    extras.push('auto-approve-build');
+    try {
+      const pkg = JSON.parse(readFileSync(join(cwd, 'package.json'), 'utf-8'));
+      if (pkg.dependencies?.prisma || pkg.devDependencies?.prisma) extras.push('block-database-wipe');
+      if (pkg.scripts?.deploy) extras.push('deploy-guard');
+    } catch {}
+  }
+  if (existsSync(join(cwd, 'requirements.txt')) || existsSync(join(cwd, 'pyproject.toml'))) extras.push('auto-approve-python');
+  if (existsSync(join(cwd, 'Dockerfile'))) extras.push('auto-approve-docker');
+  if (existsSync(join(cwd, 'go.mod'))) extras.push('auto-approve-go');
+  if (existsSync(join(cwd, 'Cargo.toml'))) extras.push('auto-approve-cargo');
+  if (existsSync(join(cwd, 'Makefile'))) extras.push('auto-approve-make');
+  if (existsSync(join(cwd, '.env'))) extras.push('env-source-guard');
+
+  // Always include these for maximum safety
+  extras.push('scope-guard', 'no-sudo-guard', 'protect-claudemd');
+
+  for (const ex of extras) {
+    const exPath = join(__dirname, 'examples', `${ex}.sh`);
+    const hookPath = join(HOOKS_DIR, `${ex}.sh`);
+    if (existsSync(exPath) && !existsSync(hookPath)) {
+      copyFileSync(exPath, hookPath);
+      chmodSync(hookPath, 0o755);
+      console.log(c.green + '  +' + c.reset + ` ${ex}`);
+      installed++;
+    } else if (existsSync(hookPath)) {
+      console.log(c.dim + '  ✓' + c.reset + ` ${ex} (already installed)`);
+    }
+  }
+
+  // Step 4: Update settings.json
+  console.log();
+  console.log(c.bold + '  Step 4: Configure settings.json' + c.reset);
+  let settings = {};
+  if (existsSync(SETTINGS_PATH)) {
+    try { settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8')); } catch {}
+  }
+  if (!settings.hooks) settings.hooks = {};
+
+  // Collect all installed hooks
+  const hookFiles = existsSync(HOOKS_DIR)
+    ? readdirSync(HOOKS_DIR).filter(f => f.endsWith('.sh'))
+    : [];
+
+  // Build hook entries by trigger type
+  const preToolHooks = [];
+  const postToolHooks = [];
+  const stopHooks = [];
+
+  for (const f of hookFiles) {
+    const content = readFileSync(join(HOOKS_DIR, f), 'utf-8');
+    const cmd = `bash ${join(HOOKS_DIR, f)}`;
+
+    // Check if already in settings
+    const alreadyConfigured = JSON.stringify(settings.hooks).includes(f);
+    if (alreadyConfigured) continue;
+
+    // Determine trigger from file content
+    if (content.includes('TRIGGER: Stop') || f.includes('api-error') || f.includes('revert-helper') || f.includes('session-handoff') || f.includes('compact-reminder') || f.includes('notify') || f.includes('tmp-cleanup')) {
+      stopHooks.push({ type: 'command', command: cmd });
+    } else if (content.includes('TRIGGER: PostToolUse') || f.includes('syntax-check') || f.includes('context-monitor') || f.includes('output-length') || f.includes('error-memory') || f.includes('cost-tracker')) {
+      postToolHooks.push({ type: 'command', command: cmd });
+    } else {
+      // Default: PreToolUse
+      const matcher = (f.includes('edit-guard') || f.includes('protect-dotfiles') || f.includes('overwrite-guard') || f.includes('binary-file') || f.includes('parallel-edit') || f.includes('test-deletion') || f.includes('memory-write'))
+        ? 'Edit|Write'
+        : 'Bash';
+      preToolHooks.push({ type: 'command', command: cmd, _matcher: matcher });
+    }
+  }
+
+  // Group PreToolUse hooks by matcher
+  if (preToolHooks.length > 0) {
+    if (!settings.hooks.PreToolUse) settings.hooks.PreToolUse = [];
+    const bashHooks = preToolHooks.filter(h => h._matcher === 'Bash').map(({ _matcher, ...h }) => h);
+    const editHooks = preToolHooks.filter(h => h._matcher === 'Edit|Write').map(({ _matcher, ...h }) => h);
+    if (bashHooks.length > 0) {
+      const existing = settings.hooks.PreToolUse.find(e => e.matcher === 'Bash');
+      if (existing) {
+        const existingCmds = new Set(existing.hooks.map(h => h.command));
+        for (const h of bashHooks) {
+          if (!existingCmds.has(h.command)) existing.hooks.push(h);
+        }
+      } else {
+        settings.hooks.PreToolUse.push({ matcher: 'Bash', hooks: bashHooks });
+      }
+    }
+    if (editHooks.length > 0) {
+      const existing = settings.hooks.PreToolUse.find(e => e.matcher === 'Edit|Write');
+      if (existing) {
+        const existingCmds = new Set(existing.hooks.map(h => h.command));
+        for (const h of editHooks) {
+          if (!existingCmds.has(h.command)) existing.hooks.push(h);
+        }
+      } else {
+        settings.hooks.PreToolUse.push({ matcher: 'Edit|Write', hooks: editHooks });
+      }
+    }
+  }
+  if (postToolHooks.length > 0) {
+    if (!settings.hooks.PostToolUse) settings.hooks.PostToolUse = [];
+    const existing = settings.hooks.PostToolUse.find(e => e.matcher === '');
+    if (existing) {
+      const existingCmds = new Set(existing.hooks.map(h => h.command));
+      for (const h of postToolHooks) {
+        if (!existingCmds.has(h.command)) existing.hooks.push(h);
+      }
+    } else {
+      settings.hooks.PostToolUse.push({ matcher: '', hooks: postToolHooks });
+    }
+  }
+  if (stopHooks.length > 0) {
+    if (!settings.hooks.Stop) settings.hooks.Stop = [];
+    const existing = settings.hooks.Stop.find(e => e.matcher === '');
+    if (existing) {
+      const existingCmds = new Set(existing.hooks.map(h => h.command));
+      for (const h of stopHooks) {
+        if (!existingCmds.has(h.command)) existing.hooks.push(h);
+      }
+    } else {
+      settings.hooks.Stop.push({ matcher: '', hooks: stopHooks });
+    }
+  }
+
+  writeFileSync(SETTINGS_PATH, JSON.stringify(settings, null, 2));
+  console.log(c.green + '  ✓' + c.reset + ' settings.json updated');
+
+  // Step 5: Generate CLAUDE.md template if none exists
+  console.log();
+  console.log(c.bold + '  Step 5: CLAUDE.md' + c.reset);
+  if (!existsSync(join(cwd, 'CLAUDE.md'))) {
+    const template = `# Project Rules
+
+## Safety
+- Do not push to main/master directly
+- Do not force-push
+- Do not delete files outside this project
+- Do not commit .env or credential files
+- Run tests before committing
+
+## Code Style
+- Follow existing conventions
+- Keep functions small and focused
+- Add comments only when the logic isn't obvious
+
+## Git
+- Use descriptive commit messages
+- One logical change per commit
+- Create feature branches for new work
+`;
+    writeFileSync(join(cwd, 'CLAUDE.md'), template);
+    console.log(c.green + '  +' + c.reset + ' Created CLAUDE.md with safety rules template');
+  } else {
+    console.log(c.dim + '  ✓' + c.reset + ' CLAUDE.md already exists');
+  }
+
+  // Summary
+  console.log();
+  const totalHooks = hookFiles.length;
+  console.log(c.bold + c.green + '  🛡️  Shield activated!' + c.reset);
+  console.log(c.dim + `  ${totalHooks} hooks installed and configured.` + c.reset);
+  console.log(c.dim + '  Your Claude Code sessions are now protected.' + c.reset);
+  console.log();
+  console.log(c.dim + '  Verify: npx cc-safe-setup --verify' + c.reset);
+  console.log(c.dim + '  Status: npx cc-safe-setup --status' + c.reset);
+  console.log();
+}
+
 async function quickfix() {
   const { execSync } = await import('child_process');
   console.log();
@@ -2836,6 +3042,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (SHIELD) return shield();
   if (QUICKFIX) return quickfix();
   if (REPORT) return report();
   if (GENERATE_CI) return generateCI();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "7.9.0",
+  "version": "8.1.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {