cc-safe-setup 8.0.0 → 8.1.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 77 examples = **85 hooks**. 28 CLI commands. 423 tests. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 92 examples = **100 hooks**. 29 CLI commands. 433 tests. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup
@@ -103,6 +103,8 @@ Each hook exists because a real incident happened without it.
 
 Safe to run multiple times. Existing settings are preserved. A backup is created if settings.json can't be parsed.
 
+**Maximum safety:** `npx cc-safe-setup --shield` — one command: fix environment, install hooks, detect stack, configure settings, generate CLAUDE.md.
+
 **Preview first:** `npx cc-safe-setup --dry-run`
 
 **Check status:** `npx cc-safe-setup --status` — see which hooks are installed (exit code 1 if missing).

package/examples/backup-before-refactor.sh

@@ -0,0 +1,10 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '\bgit\s+mv\b.*\b(src|lib|app)\b'; then
+  git stash push -m "pre-refactor-backup-$(date +%s)" 2>/dev/null
+  echo "NOTE: Stashed changes as pre-refactor backup." >&2
+fi
+exit 0

package/examples/branch-naming-convention.sh

@@ -0,0 +1,13 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '\bgit\s+(checkout|switch)\s+-b\s+'; then
+  BRANCH=$(echo "$COMMAND" | grep -oE '(-b|--create)\s+(\S+)' | awk '{print $2}')
+  if [ -n "$BRANCH" ] && ! echo "$BRANCH" | grep -qE '^(feat|fix|chore|docs|test|refactor)/'; then
+    echo "WARNING: Branch '$BRANCH' doesn't follow convention." >&2
+    echo "Use: feat/, fix/, chore/, docs/, test/, refactor/" >&2
+  fi
+fi
+exit 0

package/examples/changelog-reminder.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# ================================================================
+# changelog-reminder.sh — Remind to update CHANGELOG on version bump
+# ================================================================
+# PURPOSE:
+#   When Claude bumps a version number (npm version, cargo set-version,
+#   etc.), this hook reminds to update CHANGELOG.md with the changes.
+#
+# TRIGGER: PostToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Detect version bump commands
+if echo "$COMMAND" | grep -qE '(npm\s+version|cargo\s+set-version|bump2version|poetry\s+version)'; then
+    if [ -f "CHANGELOG.md" ]; then
+        echo "REMINDER: Update CHANGELOG.md with the new version's changes." >&2
+    fi
+fi
+
+exit 0

package/examples/file-size-limit.sh

@@ -0,0 +1,12 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+LEN=${#CONTENT}
+MAX="${CC_MAX_FILE_SIZE:-1048576}"
+if [ "$LEN" -gt "$MAX" ]; then
+  echo "BLOCKED: File content is ${LEN} bytes (limit: ${MAX})." >&2
+  exit 2
+fi
+exit 0

package/examples/hardcoded-secret-detector.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# ================================================================
+# hardcoded-secret-detector.sh — Detect hardcoded secrets in edits
+# ================================================================
+# PURPOSE:
+#   Claude sometimes hardcodes API keys, passwords, or tokens
+#   directly into source files instead of using environment
+#   variables. This hook checks edited content for secret patterns.
+#
+# TRIGGER: PostToolUse  MATCHER: "Edit|Write"
+# ================================================================
+
+INPUT=$(cat)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+# Skip config/env files (secrets are expected there)
+case "$FILE" in
+    *.env*|*credentials*|*secret*|*.key|*.pem) exit 0 ;;
+esac
+
+FOUND=0
+
+# AWS keys (AKIA...)
+if echo "$CONTENT" | grep -qE 'AKIA[0-9A-Z]{16}'; then
+    echo "WARNING: Possible AWS access key in $FILE" >&2
+    FOUND=1
+fi
+
+# Generic API key patterns
+if echo "$CONTENT" | grep -qE "(api_key|apikey|api-key|secret_key|access_token)\s*[=:]\s*['\"][a-zA-Z0-9]{20,}['\"]"; then
+    echo "WARNING: Possible hardcoded API key in $FILE" >&2
+    FOUND=1
+fi
+
+# Password patterns
+if echo "$CONTENT" | grep -qiE "(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{8,}['\"]"; then
+    echo "WARNING: Possible hardcoded password in $FILE" >&2
+    FOUND=1
+fi
+
+# JWT tokens
+if echo "$CONTENT" | grep -qE 'eyJ[a-zA-Z0-9_-]{20,}\.eyJ[a-zA-Z0-9_-]{20,}'; then
+    echo "WARNING: Possible JWT token in $FILE" >&2
+    FOUND=1
+fi
+
+# Private keys
+if echo "$CONTENT" | grep -qE 'BEGIN (RSA |EC |DSA )?PRIVATE KEY'; then
+    echo "WARNING: Private key detected in $FILE" >&2
+    FOUND=1
+fi
+
+if [ "$FOUND" -eq 1 ]; then
+    echo "Use environment variables instead of hardcoding secrets." >&2
+fi
+
+exit 0

package/examples/license-check.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# license-check.sh — Warn when creating files without a license header
+# TRIGGER: PostToolUse  MATCHER: "Write"
+FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+case "$FILE" in *.js|*.ts|*.py|*.go|*.rs|*.java|*.rb|*.sh) ;; *) exit 0 ;; esac
+[ ! -f "$FILE" ] && exit 0
+if ! head -5 "$FILE" | grep -qiE '(license|copyright|MIT|Apache|GPL)'; then
+  if [ -f "LICENSE" ] || [ -f "LICENSE.md" ]; then
+    echo "NOTE: New source file $FILE has no license header." >&2
+  fi
+fi
+exit 0

package/examples/no-console-log.sh

@@ -0,0 +1,10 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+case "$FILE" in *.test.*|*.spec.*|*debug*) exit 0 ;; esac
+if echo "$CONTENT" | grep -qE '\bconsole\.(log|debug)\b'; then
+  echo "WARNING: console.log detected in $FILE. Use proper logging." >&2
+fi
+exit 0

package/examples/no-eval.sh

@@ -0,0 +1,9 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+if echo "$CONTENT" | grep -qE '\beval\s*\('; then
+  echo "WARNING: eval() detected in $FILE. Avoid eval for security." >&2
+fi
+exit 0

package/examples/no-todo-ship.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# no-todo-ship.sh — Block commits with TODO/FIXME/HACK markers
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
+TODOS=$(git diff --cached 2>/dev/null | grep -cE '^\+.*\b(TODO|FIXME|HACK|XXX)\b' || echo 0)
+if [ "$TODOS" -gt 0 ]; then
+  echo "WARNING: $TODOS TODO/FIXME/HACK markers in staged changes." >&2
+  echo "Resolve them before shipping, or document why they're needed." >&2
+fi
+exit 0

package/examples/no-wildcard-import.sh

@@ -0,0 +1,9 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+if echo "$CONTENT" | grep -qE '(from\s+\S+\s+import\s+\*|import\s+\*\s+from)'; then
+  echo "WARNING: Wildcard import detected. Import specific names." >&2
+fi
+exit 0

package/examples/pr-description-check.sh

@@ -0,0 +1,11 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '\bgh\s+pr\s+create\b'; then
+  if ! echo "$COMMAND" | grep -qE '\-\-body|\-b\s'; then
+    echo "WARNING: PR created without --body description." >&2
+  fi
+fi
+exit 0

package/examples/rate-limit-guard.sh

@@ -0,0 +1,15 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+STATE="/tmp/cc-rate-limit-$(echo "$PWD" | md5sum | cut -c1-8)"
+NOW=$(date +%s)
+if [ -f "$STATE" ]; then
+  LAST=$(cat "$STATE")
+  DIFF=$((NOW - LAST))
+  if [ "$DIFF" -lt 1 ]; then
+    echo "WARNING: Rapid tool calls (${DIFF}s apart). Slow down." >&2
+  fi
+fi
+echo "$NOW" > "$STATE"
+exit 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "8.0.0",
+  "version": "8.1.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {