cc-safe-setup 8.0.0 → 8.2.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 77 examples = **85 hooks**. 28 CLI commands. 423 tests. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 92 examples = **100 hooks**. 29 CLI commands. 433 tests. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup
@@ -103,6 +103,8 @@ Each hook exists because a real incident happened without it.
 
 Safe to run multiple times. Existing settings are preserved. A backup is created if settings.json can't be parsed.
 
+**Maximum safety:** `npx cc-safe-setup --shield` — one command: fix environment, install hooks, detect stack, configure settings, generate CLAUDE.md.
+
 **Preview first:** `npx cc-safe-setup --dry-run`
 
 **Check status:** `npx cc-safe-setup --status` — see which hooks are installed (exit code 1 if missing).

package/examples/backup-before-refactor.sh

@@ -0,0 +1,10 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '\bgit\s+mv\b.*\b(src|lib|app)\b'; then
+  git stash push -m "pre-refactor-backup-$(date +%s)" 2>/dev/null
+  echo "NOTE: Stashed changes as pre-refactor backup." >&2
+fi
+exit 0

package/examples/branch-naming-convention.sh

@@ -0,0 +1,13 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '\bgit\s+(checkout|switch)\s+-b\s+'; then
+  BRANCH=$(echo "$COMMAND" | grep -oE '(-b|--create)\s+(\S+)' | awk '{print $2}')
+  if [ -n "$BRANCH" ] && ! echo "$BRANCH" | grep -qE '^(feat|fix|chore|docs|test|refactor)/'; then
+    echo "WARNING: Branch '$BRANCH' doesn't follow convention." >&2
+    echo "Use: feat/, fix/, chore/, docs/, test/, refactor/" >&2
+  fi
+fi
+exit 0

package/examples/changelog-reminder.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# ================================================================
+# changelog-reminder.sh — Remind to update CHANGELOG on version bump
+# ================================================================
+# PURPOSE:
+#   When Claude bumps a version number (npm version, cargo set-version,
+#   etc.), this hook reminds to update CHANGELOG.md with the changes.
+#
+# TRIGGER: PostToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Detect version bump commands
+if echo "$COMMAND" | grep -qE '(npm\s+version|cargo\s+set-version|bump2version|poetry\s+version)'; then
+    if [ -f "CHANGELOG.md" ]; then
+        echo "REMINDER: Update CHANGELOG.md with the new version's changes." >&2
+    fi
+fi
+
+exit 0

package/examples/file-size-limit.sh

@@ -0,0 +1,12 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+LEN=${#CONTENT}
+MAX="${CC_MAX_FILE_SIZE:-1048576}"
+if [ "$LEN" -gt "$MAX" ]; then
+  echo "BLOCKED: File content is ${LEN} bytes (limit: ${MAX})." >&2
+  exit 2
+fi
+exit 0

package/examples/hardcoded-secret-detector.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# ================================================================
+# hardcoded-secret-detector.sh — Detect hardcoded secrets in edits
+# ================================================================
+# PURPOSE:
+#   Claude sometimes hardcodes API keys, passwords, or tokens
+#   directly into source files instead of using environment
+#   variables. This hook checks edited content for secret patterns.
+#
+# TRIGGER: PostToolUse  MATCHER: "Edit|Write"
+# ================================================================
+
+INPUT=$(cat)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+# Skip config/env files (secrets are expected there)
+case "$FILE" in
+    *.env*|*credentials*|*secret*|*.key|*.pem) exit 0 ;;
+esac
+
+FOUND=0
+
+# AWS keys (AKIA...)
+if echo "$CONTENT" | grep -qE 'AKIA[0-9A-Z]{16}'; then
+    echo "WARNING: Possible AWS access key in $FILE" >&2
+    FOUND=1
+fi
+
+# Generic API key patterns
+if echo "$CONTENT" | grep -qE "(api_key|apikey|api-key|secret_key|access_token)\s*[=:]\s*['\"][a-zA-Z0-9]{20,}['\"]"; then
+    echo "WARNING: Possible hardcoded API key in $FILE" >&2
+    FOUND=1
+fi
+
+# Password patterns
+if echo "$CONTENT" | grep -qiE "(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{8,}['\"]"; then
+    echo "WARNING: Possible hardcoded password in $FILE" >&2
+    FOUND=1
+fi
+
+# JWT tokens
+if echo "$CONTENT" | grep -qE 'eyJ[a-zA-Z0-9_-]{20,}\.eyJ[a-zA-Z0-9_-]{20,}'; then
+    echo "WARNING: Possible JWT token in $FILE" >&2
+    FOUND=1
+fi
+
+# Private keys
+if echo "$CONTENT" | grep -qE 'BEGIN (RSA |EC |DSA )?PRIVATE KEY'; then
+    echo "WARNING: Private key detected in $FILE" >&2
+    FOUND=1
+fi
+
+if [ "$FOUND" -eq 1 ]; then
+    echo "Use environment variables instead of hardcoding secrets." >&2
+fi
+
+exit 0

package/examples/license-check.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# license-check.sh — Warn when creating files without a license header
+# TRIGGER: PostToolUse  MATCHER: "Write"
+FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+case "$FILE" in *.js|*.ts|*.py|*.go|*.rs|*.java|*.rb|*.sh) ;; *) exit 0 ;; esac
+[ ! -f "$FILE" ] && exit 0
+if ! head -5 "$FILE" | grep -qiE '(license|copyright|MIT|Apache|GPL)'; then
+  if [ -f "LICENSE" ] || [ -f "LICENSE.md" ]; then
+    echo "NOTE: New source file $FILE has no license header." >&2
+  fi
+fi
+exit 0

package/examples/no-console-log.sh

@@ -0,0 +1,10 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+case "$FILE" in *.test.*|*.spec.*|*debug*) exit 0 ;; esac
+if echo "$CONTENT" | grep -qE '\bconsole\.(log|debug)\b'; then
+  echo "WARNING: console.log detected in $FILE. Use proper logging." >&2
+fi
+exit 0

package/examples/no-eval.sh

@@ -0,0 +1,9 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+if echo "$CONTENT" | grep -qE '\beval\s*\('; then
+  echo "WARNING: eval() detected in $FILE. Avoid eval for security." >&2
+fi
+exit 0

package/examples/no-todo-ship.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# no-todo-ship.sh — Block commits with TODO/FIXME/HACK markers
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
+TODOS=$(git diff --cached 2>/dev/null | grep -cE '^\+.*\b(TODO|FIXME|HACK|XXX)\b' || echo 0)
+if [ "$TODOS" -gt 0 ]; then
+  echo "WARNING: $TODOS TODO/FIXME/HACK markers in staged changes." >&2
+  echo "Resolve them before shipping, or document why they're needed." >&2
+fi
+exit 0

package/examples/no-wildcard-import.sh

@@ -0,0 +1,9 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+if echo "$CONTENT" | grep -qE '(from\s+\S+\s+import\s+\*|import\s+\*\s+from)'; then
+  echo "WARNING: Wildcard import detected. Import specific names." >&2
+fi
+exit 0

package/examples/pr-description-check.sh

@@ -0,0 +1,11 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '\bgh\s+pr\s+create\b'; then
+  if ! echo "$COMMAND" | grep -qE '\-\-body|\-b\s'; then
+    echo "WARNING: PR created without --body description." >&2
+  fi
+fi
+exit 0

package/examples/rate-limit-guard.sh

@@ -0,0 +1,15 @@
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+CONTENT=$(echo "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+STATE="/tmp/cc-rate-limit-$(echo "$PWD" | md5sum | cut -c1-8)"
+NOW=$(date +%s)
+if [ -f "$STATE" ]; then
+  LAST=$(cat "$STATE")
+  DIFF=$((NOW - LAST))
+  if [ "$DIFF" -lt 1 ]; then
+    echo "WARNING: Rapid tool calls (${DIFF}s apart). Slow down." >&2
+  fi
+fi
+echo "$NOW" > "$STATE"
+exit 0

package/index.mjs

@@ -91,6 +91,7 @@ const GENERATE_CI = process.argv.includes('--generate-ci');
 const REPORT = process.argv.includes('--report');
 const QUICKFIX = process.argv.includes('--quickfix');
 const SHIELD = process.argv.includes('--shield');
+const ANALYZE = process.argv.includes('--analyze');
 const COMPARE_IDX = process.argv.findIndex(a => a === '--compare');
 const COMPARE = COMPARE_IDX !== -1 ? { a: process.argv[COMPARE_IDX + 1], b: process.argv[COMPARE_IDX + 2] } : null;
 const CREATE_IDX = process.argv.findIndex(a => a === '--create');
@@ -126,6 +127,7 @@ if (HELP) {
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
+    npx cc-safe-setup --analyze     Analyze what Claude did in your last session
     npx cc-safe-setup --shield     Maximum safety in one command (fix + scan + install + CLAUDE.md)
     npx cc-safe-setup --quickfix   Auto-detect and fix common Claude Code problems
     npx cc-safe-setup --stats      Block statistics and patterns report
@@ -833,6 +835,116 @@ async function fullSetup() {
   console.log();
 }
 
+async function analyze() {
+  const { execSync } = await import('child_process');
+  const { readdirSync, statSync } = await import('fs');
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --analyze' + c.reset);
+  console.log(c.dim + '  What Claude did in your sessions' + c.reset);
+  console.log();
+
+  // 1. Blocked commands log
+  const blockLog = join(HOME, '.claude', 'blocked-commands.log');
+  let blocks = [];
+  if (existsSync(blockLog)) {
+    const content = readFileSync(blockLog, 'utf-8');
+    blocks = content.split('\n').filter(l => l.trim());
+    const recent = blocks.slice(-20);
+    console.log(c.bold + '  Blocked Commands' + c.reset + c.dim + ` (${blocks.length} total)` + c.reset);
+    if (recent.length > 0) {
+      // Count by type
+      const types = {};
+      for (const line of blocks) {
+        const match = line.match(/BLOCKED:\s*(.+?)(?:\s*—|\s*\(|$)/);
+        if (match) {
+          const type = match[1].trim().substring(0, 40);
+          types[type] = (types[type] || 0) + 1;
+        }
+      }
+      const sorted = Object.entries(types).sort((a, b) => b[1] - a[1]);
+      for (const [type, count] of sorted.slice(0, 8)) {
+        const bar = '█'.repeat(Math.min(count, 20));
+        console.log(`    ${c.red}${bar}${c.reset} ${count}× ${type}`);
+      }
+    } else {
+      console.log(c.green + '    No blocked commands recorded.' + c.reset);
+    }
+    console.log();
+  }
+
+  // 2. Git activity (last 24h)
+  console.log(c.bold + '  Git Activity (last 24h)' + c.reset);
+  try {
+    const log = execSync('git log --oneline --since="24 hours ago" 2>/dev/null', { encoding: 'utf-8' }).trim();
+    if (log) {
+      const commits = log.split('\n');
+      console.log(c.dim + `    ${commits.length} commits` + c.reset);
+      for (const commit of commits.slice(0, 10)) {
+        console.log(`    ${c.blue}•${c.reset} ${commit}`);
+      }
+      if (commits.length > 10) console.log(c.dim + `    ... and ${commits.length - 10} more` + c.reset);
+    } else {
+      console.log(c.dim + '    No commits in last 24h' + c.reset);
+    }
+  } catch {
+    console.log(c.dim + '    Not in a git repository' + c.reset);
+  }
+  console.log();
+
+  // 3. Files changed (last 24h)
+  console.log(c.bold + '  Files Changed (last 24h)' + c.reset);
+  try {
+    const diff = execSync('git diff --stat HEAD~10 2>/dev/null || git diff --stat 2>/dev/null', { encoding: 'utf-8' }).trim();
+    if (diff) {
+      const lines = diff.split('\n');
+      const summary = lines[lines.length - 1];
+      console.log(c.dim + `    ${summary.trim()}` + c.reset);
+    }
+  } catch {}
+  console.log();
+
+  // 4. Hook health
+  console.log(c.bold + '  Hook Health' + c.reset);
+  const hookDir = join(HOME, '.claude', 'hooks');
+  if (existsSync(hookDir)) {
+    const hooks = readdirSync(hookDir).filter(f => f.endsWith('.sh') || f.endsWith('.py'));
+    let execCount = 0, nonExec = 0;
+    for (const h of hooks) {
+      const st = statSync(join(hookDir, h));
+      if (st.mode & 0o111) execCount++; else nonExec++;
+    }
+    console.log(`    ${c.green}${execCount}${c.reset} hooks executable${nonExec > 0 ? `, ${c.red}${nonExec}${c.reset} missing permissions` : ''}`);
+  }
+
+  // 5. Context usage estimate
+  console.log();
+  console.log(c.bold + '  Session Estimates' + c.reset);
+  // Check tool call log if exists
+  const toolLog = join(HOME, '.claude', 'tool-calls.log');
+  if (existsSync(toolLog)) {
+    const logContent = readFileSync(toolLog, 'utf-8');
+    const calls = logContent.split('\n').filter(l => l.trim());
+    const today = new Date().toISOString().split('T')[0];
+    const todayCalls = calls.filter(l => l.includes(today));
+    console.log(`    Tool calls today: ${todayCalls.length}`);
+  }
+
+  // Token budget state
+  const budgetFiles = existsSync('/tmp') ? readdirSync('/tmp').filter(f => f.startsWith('cc-token-budget-')) : [];
+  if (budgetFiles.length > 0) {
+    for (const bf of budgetFiles.slice(0, 3)) {
+      const tokens = parseInt(readFileSync(join('/tmp', bf), 'utf-8').trim()) || 0;
+      const costCents = Math.round(tokens * 75 / 10000);
+      console.log(`    Estimated cost: ~$${(costCents / 100).toFixed(2)} (${tokens.toLocaleString()} tokens)`);
+    }
+  }
+
+  console.log();
+  console.log(c.dim + '  Tip: Use --stats for block history analytics' + c.reset);
+  console.log(c.dim + '  Tip: Use --dashboard for real-time monitoring' + c.reset);
+  console.log();
+}
+
 async function shield() {
   const { execSync } = await import('child_process');
   const { readdirSync } = await import('fs');
@@ -3042,6 +3154,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (ANALYZE) return analyze();
   if (SHIELD) return shield();
   if (QUICKFIX) return quickfix();
   if (REPORT) return report();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "8.0.0",
+  "version": "8.2.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {