cc-safe-setup 8.2.0 → 8.4.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 92 examples = **100 hooks**. 29 CLI commands. 433 tests. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 92 examples = **100 hooks**. 31 CLI commands. 433 tests. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup

package/index.mjs

@@ -92,6 +92,9 @@ const REPORT = process.argv.includes('--report');
 const QUICKFIX = process.argv.includes('--quickfix');
 const SHIELD = process.argv.includes('--shield');
 const ANALYZE = process.argv.includes('--analyze');
+const TEAM = process.argv.includes('--team');
+const PROFILE_IDX = process.argv.findIndex(a => a === '--profile');
+const PROFILE = PROFILE_IDX !== -1 ? process.argv[PROFILE_IDX + 1] : null;
 const COMPARE_IDX = process.argv.findIndex(a => a === '--compare');
 const COMPARE = COMPARE_IDX !== -1 ? { a: process.argv[COMPARE_IDX + 1], b: process.argv[COMPARE_IDX + 2] } : null;
 const CREATE_IDX = process.argv.findIndex(a => a === '--create');
@@ -127,6 +130,8 @@ if (HELP) {
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
+    npx cc-safe-setup --team         Set up project-level hooks (commit to repo for team)
+    npx cc-safe-setup --profile <level>  Switch safety profile (strict/standard/minimal)
     npx cc-safe-setup --analyze     Analyze what Claude did in your last session
     npx cc-safe-setup --shield     Maximum safety in one command (fix + scan + install + CLAUDE.md)
     npx cc-safe-setup --quickfix   Auto-detect and fix common Claude Code problems
@@ -835,6 +840,228 @@ async function fullSetup() {
   console.log();
 }
 
+async function team() {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --team' + c.reset);
+  console.log(c.dim + '  Set up project-level hooks (commit to repo for team sharing)' + c.reset);
+  console.log();
+
+  const cwd = process.cwd();
+  const projectHooksDir = join(cwd, '.claude', 'hooks');
+  const projectSettings = join(cwd, '.claude', 'settings.local.json');
+
+  // Create .claude/hooks/ in project
+  mkdirSync(projectHooksDir, { recursive: true });
+
+  // Copy core safety hooks to project
+  const coreHooks = ['destructive-guard', 'branch-guard', 'secret-guard', 'syntax-check',
+    'context-monitor', 'comment-strip', 'cd-git-allow', 'api-error-alert'];
+
+  let installed = 0;
+  for (const hookId of coreHooks) {
+    const destPath = join(projectHooksDir, `${hookId}.sh`);
+    if (existsSync(destPath)) {
+      console.log(c.dim + '  ✓' + c.reset + ` ${hookId}`);
+      continue;
+    }
+
+    if (SCRIPTS[hookId]) {
+      writeFileSync(destPath, SCRIPTS[hookId]);
+      chmodSync(destPath, 0o755);
+      installed++;
+      console.log(c.green + '  +' + c.reset + ` ${hookId}`);
+    }
+  }
+
+  // Detect stack and add relevant hooks
+  const extras = [];
+  if (existsSync(join(cwd, 'package.json'))) extras.push('auto-approve-build');
+  if (existsSync(join(cwd, 'requirements.txt')) || existsSync(join(cwd, 'pyproject.toml'))) extras.push('auto-approve-python');
+  if (existsSync(join(cwd, 'go.mod'))) extras.push('auto-approve-go');
+  if (existsSync(join(cwd, 'Cargo.toml'))) extras.push('auto-approve-cargo');
+  if (existsSync(join(cwd, 'Dockerfile'))) extras.push('auto-approve-docker');
+
+  for (const ex of extras) {
+    const destPath = join(projectHooksDir, `${ex}.sh`);
+    const srcPath = join(__dirname, 'examples', `${ex}.sh`);
+    if (existsSync(destPath)) continue;
+    if (existsSync(srcPath)) {
+      copyFileSync(srcPath, destPath);
+      chmodSync(destPath, 0o755);
+      installed++;
+      console.log(c.green + '  +' + c.reset + ` ${ex} (project-specific)`);
+    }
+  }
+
+  // Generate settings.local.json
+  const allHooks = [...coreHooks, ...extras].filter(h => existsSync(join(projectHooksDir, `${h}.sh`)));
+
+  const bashHooks = allHooks.map(h => ({
+    type: 'command',
+    command: `bash .claude/hooks/${h}.sh`
+  }));
+
+  const settings = {
+    hooks: {
+      PreToolUse: [
+        { matcher: 'Bash', hooks: bashHooks.filter((_, i) => {
+          const name = allHooks[i];
+          return !['syntax-check', 'context-monitor', 'api-error-alert'].includes(name);
+        })},
+        { matcher: 'Edit|Write', hooks: [
+          { type: 'command', command: 'bash .claude/hooks/syntax-check.sh' }
+        ]}
+      ],
+      PostToolUse: [
+        { matcher: '', hooks: [
+          { type: 'command', command: 'bash .claude/hooks/context-monitor.sh' }
+        ]}
+      ],
+      Stop: [
+        { matcher: '', hooks: [
+          { type: 'command', command: 'bash .claude/hooks/api-error-alert.sh' }
+        ]}
+      ]
+    }
+  };
+
+  writeFileSync(projectSettings, JSON.stringify(settings, null, 2));
+  console.log();
+  console.log(c.green + '  ✓' + c.reset + ' Created .claude/settings.local.json');
+
+  // Add .claude/hooks to .gitignore if not there
+  const gitignorePath = join(cwd, '.gitignore');
+  if (existsSync(gitignorePath)) {
+    const gi = readFileSync(gitignorePath, 'utf-8');
+    if (!gi.includes('.claude/')) {
+      // Don't add — hooks should be committed for team sharing
+    }
+  }
+
+  console.log();
+  console.log(c.bold + '  Next steps:' + c.reset);
+  console.log(c.dim + '  1. git add .claude/' + c.reset);
+  console.log(c.dim + '  2. git commit -m "chore: add Claude Code safety hooks"' + c.reset);
+  console.log(c.dim + '  3. Team members get hooks automatically on git pull' + c.reset);
+  console.log();
+  console.log(c.dim + `  ${installed} hooks installed, ${allHooks.length} total configured.` + c.reset);
+  console.log(c.dim + '  Hooks use relative paths (.claude/hooks/) — portable across machines.' + c.reset);
+  console.log();
+}
+
+async function profile(level) {
+  const { readdirSync } = await import('fs');
+  console.log();
+
+  const PROFILES = {
+    strict: {
+      desc: 'Maximum safety — blocks everything dangerous, requires verification',
+      hooks: ['destructive-guard', 'branch-guard', 'secret-guard', 'syntax-check',
+        'context-monitor', 'comment-strip', 'cd-git-allow', 'api-error-alert',
+        'scope-guard', 'no-sudo-guard', 'protect-claudemd', 'env-source-guard',
+        'no-install-global', 'deploy-guard', 'protect-dotfiles', 'symlink-guard',
+        'strict-allowlist', 'uncommitted-work-guard', 'test-deletion-guard',
+        'overwrite-guard', 'error-memory-guard', 'hardcoded-secret-detector',
+        'conflict-marker-guard', 'token-budget-guard', 'fact-check-gate',
+        'block-database-wipe', 'no-eval', 'file-size-limit', 'large-read-guard',
+        'loop-detector', 'verify-before-done', 'diff-size-guard', 'commit-scope-guard']
+    },
+    standard: {
+      desc: 'Balanced — blocks dangerous commands, auto-approves safe ones',
+      hooks: ['destructive-guard', 'branch-guard', 'secret-guard', 'syntax-check',
+        'context-monitor', 'comment-strip', 'cd-git-allow', 'api-error-alert',
+        'scope-guard', 'no-sudo-guard', 'protect-claudemd',
+        'auto-approve-build', 'auto-approve-python', 'auto-approve-docker',
+        'loop-detector', 'deploy-guard', 'block-database-wipe',
+        'compound-command-approver', 'session-handoff', 'cost-tracker']
+    },
+    minimal: {
+      desc: 'Essential only — just the 8 core safety hooks',
+      hooks: ['destructive-guard', 'branch-guard', 'secret-guard', 'syntax-check',
+        'context-monitor', 'comment-strip', 'cd-git-allow', 'api-error-alert']
+    },
+  };
+
+  if (!level || !PROFILES[level]) {
+    console.log(c.bold + '  Safety Profiles' + c.reset);
+    console.log();
+    for (const [name, prof] of Object.entries(PROFILES)) {
+      console.log(`  ${c.bold}${name}${c.reset} (${prof.hooks.length} hooks)`);
+      console.log(`  ${c.dim}${prof.desc}${c.reset}`);
+      console.log(`  ${c.dim}npx cc-safe-setup --profile ${name}${c.reset}`);
+      console.log();
+    }
+    return;
+  }
+
+  const prof = PROFILES[level];
+  console.log(c.bold + `  Applying "${level}" profile` + c.reset);
+  console.log(c.dim + `  ${prof.desc}` + c.reset);
+  console.log();
+
+  mkdirSync(HOOKS_DIR, { recursive: true });
+  let installed = 0;
+
+  for (const hookId of prof.hooks) {
+    const hookPath = join(HOOKS_DIR, `${hookId}.sh`);
+    if (existsSync(hookPath)) {
+      console.log(c.dim + '  ✓' + c.reset + ` ${hookId}`);
+      continue;
+    }
+
+    // Try built-in first
+    if (SCRIPTS[hookId]) {
+      writeFileSync(hookPath, SCRIPTS[hookId]);
+      chmodSync(hookPath, 0o755);
+      installed++;
+      console.log(c.green + '  +' + c.reset + ` ${hookId}`);
+      continue;
+    }
+
+    // Try examples
+    const exPath = join(__dirname, 'examples', `${hookId}.sh`);
+    if (existsSync(exPath)) {
+      copyFileSync(exPath, hookPath);
+      chmodSync(hookPath, 0o755);
+      installed++;
+      console.log(c.green + '  +' + c.reset + ` ${hookId}`);
+      continue;
+    }
+
+    console.log(c.yellow + '  ?' + c.reset + ` ${hookId} (not found)`);
+  }
+
+  // Update settings.json
+  let settings = {};
+  if (existsSync(SETTINGS_PATH)) {
+    try { settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8')); } catch {}
+  }
+  if (!settings.hooks) settings.hooks = {};
+
+  // Register all hooks in settings
+  const hookFiles = prof.hooks.filter(h => existsSync(join(HOOKS_DIR, `${h}.sh`)));
+  const bashHooks = hookFiles.map(h => ({ type: 'command', command: `bash ${join(HOOKS_DIR, h + '.sh')}` }));
+
+  // Simplified: put all under PreToolUse Bash for now
+  if (!settings.hooks.PreToolUse) settings.hooks.PreToolUse = [];
+  const existing = settings.hooks.PreToolUse.find(e => e.matcher === 'Bash');
+  if (existing) {
+    const existingCmds = new Set(existing.hooks.map(h => h.command));
+    for (const h of bashHooks) {
+      if (!existingCmds.has(h.command)) existing.hooks.push(h);
+    }
+  } else {
+    settings.hooks.PreToolUse.push({ matcher: 'Bash', hooks: bashHooks });
+  }
+
+  writeFileSync(SETTINGS_PATH, JSON.stringify(settings, null, 2));
+
+  console.log();
+  console.log(c.green + `  ✓ "${level}" profile applied (${installed} new hooks installed)` + c.reset);
+  console.log(c.dim + `  ${prof.hooks.length} hooks total in profile` + c.reset);
+  console.log();
+}
+
 async function analyze() {
   const { execSync } = await import('child_process');
   const { readdirSync, statSync } = await import('fs');
@@ -3154,6 +3381,8 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (TEAM) return team();
+  if (PROFILE_IDX !== -1) return profile(PROFILE);
   if (ANALYZE) return analyze();
   if (SHIELD) return shield();
   if (QUICKFIX) return quickfix();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "8.2.0",
+  "version": "8.4.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {