cc-safe-setup 8.3.0 → 8.5.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 92 examples = **100 hooks**. 29 CLI commands. 433 tests. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 92 examples = **100 hooks**. 32 CLI commands. 457 tests. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup
@@ -105,6 +105,8 @@ Safe to run multiple times. Existing settings are preserved. A backup is created
 
 **Maximum safety:** `npx cc-safe-setup --shield` — one command: fix environment, install hooks, detect stack, configure settings, generate CLAUDE.md.
 
+**Team setup:** `npx cc-safe-setup --team` — copy hooks to `.claude/hooks/` with relative paths, commit to repo for team sharing.
+
 **Preview first:** `npx cc-safe-setup --dry-run`
 
 **Check status:** `npx cc-safe-setup --status` — see which hooks are installed (exit code 1 if missing).

package/examples/go/destructive_guard.go

@@ -0,0 +1,69 @@
+// destructive_guard.go — Claude Code PreToolUse hook in Go
+//
+// Blocks rm -rf /, git reset --hard, git clean -fd, and similar
+// destructive commands. Exit code 2 = block, 0 = allow.
+//
+// Build: go build -o destructive-guard destructive_guard.go
+// Usage in settings.json:
+//   {"type": "command", "command": "/path/to/destructive-guard"}
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"regexp"
+	"strings"
+)
+
+type HookInput struct {
+	ToolInput struct {
+		Command string `json:"command"`
+	} `json:"tool_input"`
+}
+
+var dangerousPatterns = []*regexp.Regexp{
+	regexp.MustCompile(`\brm\s+.*-rf\s+(/|~/?\s*$|\.\./)`),
+	regexp.MustCompile(`\bgit\s+reset\s+--hard`),
+	regexp.MustCompile(`\bgit\s+clean\s+-[a-zA-Z]*f`),
+	regexp.MustCompile(`\bgit\s+checkout\s+--force`),
+	regexp.MustCompile(`\bchmod\s+(-R\s+)?777\s+/`),
+	regexp.MustCompile(`\bfind\s+/\s+-delete`),
+	regexp.MustCompile(`Remove-Item.*-Recurse.*-Force`),
+	regexp.MustCompile(`--no-preserve-root`),
+	regexp.MustCompile(`\bsudo\s+mkfs\b`),
+}
+
+func main() {
+	data, err := io.ReadAll(os.Stdin)
+	if err != nil {
+		os.Exit(0) // Don't block on read error
+	}
+
+	var input HookInput
+	if err := json.Unmarshal(data, &input); err != nil {
+		os.Exit(0) // Don't block on parse error
+	}
+
+	cmd := input.ToolInput.Command
+	if cmd == "" {
+		os.Exit(0)
+	}
+
+	// Skip if command is in an echo/printf context
+	lower := strings.ToLower(cmd)
+	if strings.HasPrefix(strings.TrimSpace(lower), "echo ") ||
+		strings.HasPrefix(strings.TrimSpace(lower), "printf ") {
+		os.Exit(0)
+	}
+
+	for _, pattern := range dangerousPatterns {
+		if pattern.MatchString(cmd) {
+			fmt.Fprintf(os.Stderr, "BLOCKED: Dangerous command detected\nCommand: %s\n", cmd)
+			os.Exit(2)
+		}
+	}
+
+	os.Exit(0)
+}

package/examples/typescript/destructive-guard.ts

@@ -0,0 +1,64 @@
+#!/usr/bin/env -S npx tsx
+/**
+ * destructive-guard.ts — Claude Code PreToolUse hook in TypeScript
+ *
+ * Blocks rm -rf /, git reset --hard, git clean -fd, and similar
+ * destructive commands. Exit code 2 = block, 0 = allow.
+ *
+ * Run with: npx tsx destructive-guard.ts
+ * Or compile: npx tsc destructive-guard.ts && node destructive-guard.js
+ */
+
+interface HookInput {
+  tool_input: {
+    command?: string;
+  };
+}
+
+const DANGEROUS_PATTERNS: RegExp[] = [
+  /\brm\s+.*-rf\s+(\/|~\/?\s*$|\.\.\/)/,
+  /\bgit\s+reset\s+--hard/,
+  /\bgit\s+clean\s+-[a-zA-Z]*f/,
+  /\bgit\s+checkout\s+--force/,
+  /\bchmod\s+(-R\s+)?777\s+\//,
+  /\bfind\s+\/\s+-delete/,
+  /Remove-Item.*-Recurse.*-Force/,
+  /--no-preserve-root/,
+  /\bsudo\s+mkfs\b/,
+];
+
+async function main(): Promise<void> {
+  let data = '';
+  for await (const chunk of process.stdin) {
+    data += chunk;
+  }
+
+  let input: HookInput;
+  try {
+    input = JSON.parse(data);
+  } catch {
+    process.exit(0); // Don't block on parse error
+  }
+
+  const cmd = input.tool_input?.command;
+  if (!cmd) {
+    process.exit(0);
+  }
+
+  // Skip echo/printf context
+  const trimmed = cmd.trimStart().toLowerCase();
+  if (trimmed.startsWith('echo ') || trimmed.startsWith('printf ')) {
+    process.exit(0);
+  }
+
+  for (const pattern of DANGEROUS_PATTERNS) {
+    if (pattern.test(cmd)) {
+      process.stderr.write(`BLOCKED: Dangerous command detected\nCommand: ${cmd}\n`);
+      process.exit(2);
+    }
+  }
+
+  process.exit(0);
+}
+
+main();

package/index.mjs

@@ -92,6 +92,9 @@ const REPORT = process.argv.includes('--report');
 const QUICKFIX = process.argv.includes('--quickfix');
 const SHIELD = process.argv.includes('--shield');
 const ANALYZE = process.argv.includes('--analyze');
+const TEAM = process.argv.includes('--team');
+const MIGRATE_FROM_IDX = process.argv.findIndex(a => a === '--migrate-from');
+const MIGRATE_FROM = MIGRATE_FROM_IDX !== -1 ? process.argv[MIGRATE_FROM_IDX + 1] : null;
 const PROFILE_IDX = process.argv.findIndex(a => a === '--profile');
 const PROFILE = PROFILE_IDX !== -1 ? process.argv[PROFILE_IDX + 1] : null;
 const COMPARE_IDX = process.argv.findIndex(a => a === '--compare');
@@ -129,6 +132,8 @@ if (HELP) {
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
+    npx cc-safe-setup --migrate-from <tool>  Migrate from safety-net/hooks-mastery/etc.
+    npx cc-safe-setup --team         Set up project-level hooks (commit to repo for team)
     npx cc-safe-setup --profile <level>  Switch safety profile (strict/standard/minimal)
     npx cc-safe-setup --analyze     Analyze what Claude did in your last session
     npx cc-safe-setup --shield     Maximum safety in one command (fix + scan + install + CLAUDE.md)
@@ -838,6 +843,250 @@ async function fullSetup() {
   console.log();
 }
 
+async function migrateFrom(tool) {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --migrate-from ' + (tool || '?') + c.reset);
+  console.log();
+
+  const KNOWN_TOOLS = {
+    'safety-net': {
+      name: 'Claude Code Safety Net',
+      npm: '@anthropic-ai/claude-code-safety-net',
+      detect: () => {
+        if (!existsSync(SETTINGS_PATH)) return false;
+        const s = readFileSync(SETTINGS_PATH, 'utf-8');
+        return s.includes('safety-net') || s.includes('claude-code-safety-net');
+      },
+      mapping: {
+        'destructive-commands': 'destructive-guard',
+        'secret-files': 'secret-guard',
+        'branch-protection': 'branch-guard',
+        'git-operations': 'branch-guard',
+      },
+      desc: 'TypeScript hooks with configurable severity levels'
+    },
+    'hooks-mastery': {
+      name: 'Claude Code Hooks Mastery',
+      npm: null,
+      detect: () => {
+        if (!existsSync(SETTINGS_PATH)) return false;
+        const s = readFileSync(SETTINGS_PATH, 'utf-8');
+        return s.includes('hooks_mastery') || s.includes('hooks-mastery');
+      },
+      mapping: {
+        'safety': 'destructive-guard',
+        'git-safety': 'branch-guard',
+      },
+      desc: 'Python hooks for all events + LLM integration'
+    },
+    'manual': {
+      name: 'Custom/Manual Hooks',
+      npm: null,
+      detect: () => {
+        if (!existsSync(SETTINGS_PATH)) return false;
+        const s = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8'));
+        return Object.keys(s.hooks || {}).length > 0;
+      },
+      mapping: {},
+      desc: 'Hand-written hooks in settings.json'
+    }
+  };
+
+  if (!tool) {
+    console.log(c.bold + '  Supported migration sources:' + c.reset);
+    console.log();
+    for (const [id, info] of Object.entries(KNOWN_TOOLS)) {
+      const detected = info.detect();
+      const icon = detected ? c.green + '●' + c.reset : c.dim + '○' + c.reset;
+      console.log(`  ${icon} ${c.bold}${id}${c.reset} — ${info.desc}`);
+      if (detected) console.log(`    ${c.green}Detected in your settings${c.reset}`);
+      console.log(`    ${c.dim}npx cc-safe-setup --migrate-from ${id}${c.reset}`);
+      console.log();
+    }
+    return;
+  }
+
+  const source = KNOWN_TOOLS[tool];
+  if (!source) {
+    console.log(c.red + `  Unknown tool: ${tool}` + c.reset);
+    console.log(c.dim + '  Supported: ' + Object.keys(KNOWN_TOOLS).join(', ') + c.reset);
+    return;
+  }
+
+  console.log(c.dim + `  Migrating from: ${source.name}` + c.reset);
+  console.log();
+
+  // Read current settings
+  let settings = {};
+  if (existsSync(SETTINGS_PATH)) {
+    try { settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8')); } catch {}
+  }
+
+  // Analyze existing hooks
+  let existingHooks = [];
+  for (const [trigger, groups] of Object.entries(settings.hooks || {})) {
+    for (const group of groups) {
+      for (const hook of (group.hooks || [])) {
+        existingHooks.push({ trigger, matcher: group.matcher, command: hook.command || '' });
+      }
+    }
+  }
+
+  console.log(`  Found ${existingHooks.length} existing hook(s) in settings.json`);
+  console.log();
+
+  // Identify what cc-safe-setup equivalents exist
+  const replacements = [];
+  for (const h of existingHooks) {
+    const cmd = h.command.toLowerCase();
+    let replacement = null;
+
+    // Try source-specific mapping
+    for (const [pattern, ccHook] of Object.entries(source.mapping)) {
+      if (cmd.includes(pattern)) {
+        replacement = ccHook;
+        break;
+      }
+    }
+
+    // Generic detection
+    if (!replacement) {
+      if (cmd.includes('rm') || cmd.includes('destruct')) replacement = 'destructive-guard';
+      else if (cmd.includes('branch') || cmd.includes('push')) replacement = 'branch-guard';
+      else if (cmd.includes('secret') || cmd.includes('env')) replacement = 'secret-guard';
+      else if (cmd.includes('syntax') || cmd.includes('lint')) replacement = 'syntax-check';
+      else if (cmd.includes('context') || cmd.includes('monitor')) replacement = 'context-monitor';
+    }
+
+    if (replacement) {
+      replacements.push({ old: h.command, new: replacement });
+      console.log(`  ${c.yellow}→${c.reset} ${h.command.substring(0, 50)}`);
+      console.log(`    ${c.green}→${c.reset} cc-safe-setup: ${replacement}`);
+    } else {
+      console.log(`  ${c.dim}?${c.reset} ${h.command.substring(0, 50)} (no equivalent, keeping)`);
+    }
+  }
+
+  console.log();
+  console.log(c.bold + '  Migration plan:' + c.reset);
+  console.log(`  ${c.green}${replacements.length}${c.reset} hooks can be replaced with cc-safe-setup equivalents`);
+  console.log(`  ${c.dim}${existingHooks.length - replacements.length}${c.reset} hooks will be kept as-is`);
+  console.log();
+  console.log(c.dim + '  To apply: npx cc-safe-setup --shield' + c.reset);
+  console.log(c.dim + '  This installs cc-safe-setup hooks alongside existing ones.' + c.reset);
+  console.log(c.dim + '  Remove old hooks manually after verifying the new ones work.' + c.reset);
+  console.log();
+}
+
+async function team() {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --team' + c.reset);
+  console.log(c.dim + '  Set up project-level hooks (commit to repo for team sharing)' + c.reset);
+  console.log();
+
+  const cwd = process.cwd();
+  const projectHooksDir = join(cwd, '.claude', 'hooks');
+  const projectSettings = join(cwd, '.claude', 'settings.local.json');
+
+  // Create .claude/hooks/ in project
+  mkdirSync(projectHooksDir, { recursive: true });
+
+  // Copy core safety hooks to project
+  const coreHooks = ['destructive-guard', 'branch-guard', 'secret-guard', 'syntax-check',
+    'context-monitor', 'comment-strip', 'cd-git-allow', 'api-error-alert'];
+
+  let installed = 0;
+  for (const hookId of coreHooks) {
+    const destPath = join(projectHooksDir, `${hookId}.sh`);
+    if (existsSync(destPath)) {
+      console.log(c.dim + '  ✓' + c.reset + ` ${hookId}`);
+      continue;
+    }
+
+    if (SCRIPTS[hookId]) {
+      writeFileSync(destPath, SCRIPTS[hookId]);
+      chmodSync(destPath, 0o755);
+      installed++;
+      console.log(c.green + '  +' + c.reset + ` ${hookId}`);
+    }
+  }
+
+  // Detect stack and add relevant hooks
+  const extras = [];
+  if (existsSync(join(cwd, 'package.json'))) extras.push('auto-approve-build');
+  if (existsSync(join(cwd, 'requirements.txt')) || existsSync(join(cwd, 'pyproject.toml'))) extras.push('auto-approve-python');
+  if (existsSync(join(cwd, 'go.mod'))) extras.push('auto-approve-go');
+  if (existsSync(join(cwd, 'Cargo.toml'))) extras.push('auto-approve-cargo');
+  if (existsSync(join(cwd, 'Dockerfile'))) extras.push('auto-approve-docker');
+
+  for (const ex of extras) {
+    const destPath = join(projectHooksDir, `${ex}.sh`);
+    const srcPath = join(__dirname, 'examples', `${ex}.sh`);
+    if (existsSync(destPath)) continue;
+    if (existsSync(srcPath)) {
+      copyFileSync(srcPath, destPath);
+      chmodSync(destPath, 0o755);
+      installed++;
+      console.log(c.green + '  +' + c.reset + ` ${ex} (project-specific)`);
+    }
+  }
+
+  // Generate settings.local.json
+  const allHooks = [...coreHooks, ...extras].filter(h => existsSync(join(projectHooksDir, `${h}.sh`)));
+
+  const bashHooks = allHooks.map(h => ({
+    type: 'command',
+    command: `bash .claude/hooks/${h}.sh`
+  }));
+
+  const settings = {
+    hooks: {
+      PreToolUse: [
+        { matcher: 'Bash', hooks: bashHooks.filter((_, i) => {
+          const name = allHooks[i];
+          return !['syntax-check', 'context-monitor', 'api-error-alert'].includes(name);
+        })},
+        { matcher: 'Edit|Write', hooks: [
+          { type: 'command', command: 'bash .claude/hooks/syntax-check.sh' }
+        ]}
+      ],
+      PostToolUse: [
+        { matcher: '', hooks: [
+          { type: 'command', command: 'bash .claude/hooks/context-monitor.sh' }
+        ]}
+      ],
+      Stop: [
+        { matcher: '', hooks: [
+          { type: 'command', command: 'bash .claude/hooks/api-error-alert.sh' }
+        ]}
+      ]
+    }
+  };
+
+  writeFileSync(projectSettings, JSON.stringify(settings, null, 2));
+  console.log();
+  console.log(c.green + '  ✓' + c.reset + ' Created .claude/settings.local.json');
+
+  // Add .claude/hooks to .gitignore if not there
+  const gitignorePath = join(cwd, '.gitignore');
+  if (existsSync(gitignorePath)) {
+    const gi = readFileSync(gitignorePath, 'utf-8');
+    if (!gi.includes('.claude/')) {
+      // Don't add — hooks should be committed for team sharing
+    }
+  }
+
+  console.log();
+  console.log(c.bold + '  Next steps:' + c.reset);
+  console.log(c.dim + '  1. git add .claude/' + c.reset);
+  console.log(c.dim + '  2. git commit -m "chore: add Claude Code safety hooks"' + c.reset);
+  console.log(c.dim + '  3. Team members get hooks automatically on git pull' + c.reset);
+  console.log();
+  console.log(c.dim + `  ${installed} hooks installed, ${allHooks.length} total configured.` + c.reset);
+  console.log(c.dim + '  Hooks use relative paths (.claude/hooks/) — portable across machines.' + c.reset);
+  console.log();
+}
+
 async function profile(level) {
   const { readdirSync } = await import('fs');
   console.log();
@@ -3270,6 +3519,8 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (MIGRATE_FROM_IDX !== -1) return migrateFrom(MIGRATE_FROM);
+  if (TEAM) return team();
   if (PROFILE_IDX !== -1) return profile(PROFILE);
   if (ANALYZE) return analyze();
   if (SHIELD) return shield();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "8.3.0",
+  "version": "8.5.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {