cc-safe-setup 8.4.0 → 8.6.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 92 examples = **100 hooks**. 31 CLI commands. 433 tests. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 95 examples = **103 hooks**. 33 CLI commands. 457 tests. 4 languages. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup
@@ -105,6 +105,8 @@ Safe to run multiple times. Existing settings are preserved. A backup is created
 
 **Maximum safety:** `npx cc-safe-setup --shield` — one command: fix environment, install hooks, detect stack, configure settings, generate CLAUDE.md.
 
+**Team setup:** `npx cc-safe-setup --team` — copy hooks to `.claude/hooks/` with relative paths, commit to repo for team sharing.
+
 **Preview first:** `npx cc-safe-setup --dry-run`
 
 **Check status:** `npx cc-safe-setup --status` — see which hooks are installed (exit code 1 if missing).

package/examples/context-snapshot.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+# ================================================================
+# context-snapshot.sh — Save session state before context loss
+# ================================================================
+# PURPOSE:
+#   After /compact or when context is low, Claude loses track of
+#   what files were being edited, which branch it's on, and what
+#   the current task was. This hook saves a snapshot of the session
+#   state after every Stop event, so the next message can recover.
+#
+# TRIGGER: Stop  MATCHER: ""
+#
+# Creates: .claude/session-snapshot.md (overwritten each time)
+# ================================================================
+
+SNAPSHOT=".claude/session-snapshot.md"
+mkdir -p .claude 2>/dev/null
+
+{
+  echo "# Session Snapshot (auto-generated)"
+  echo "Updated: $(date -Iseconds)"
+  echo ""
+
+  # Git state
+  BRANCH=$(git branch --show-current 2>/dev/null)
+  if [ -n "$BRANCH" ]; then
+    echo "## Git"
+    echo "- Branch: \`$BRANCH\`"
+    DIRTY=$(git status --porcelain 2>/dev/null | wc -l)
+    echo "- Uncommitted changes: $DIRTY file(s)"
+    if [ "$DIRTY" -gt 0 ]; then
+      echo '```'
+      git status --short 2>/dev/null | head -15
+      echo '```'
+    fi
+    echo "- Last commit: $(git log --oneline -1 2>/dev/null)"
+    echo ""
+  fi
+
+  # Recently modified files
+  echo "## Recent Files"
+  echo '```'
+  find . -name '*.js' -o -name '*.ts' -o -name '*.py' -o -name '*.go' -o -name '*.rs' \
+    -o -name '*.java' -o -name '*.sh' -o -name '*.md' 2>/dev/null \
+    | xargs ls -lt 2>/dev/null | head -10 | awk '{print $NF}'
+  echo '```'
+  echo ""
+
+  # Active TODO/FIXME
+  TODOS=$(grep -rl 'TODO\|FIXME' --include='*.js' --include='*.ts' --include='*.py' . 2>/dev/null | wc -l)
+  if [ "$TODOS" -gt 0 ]; then
+    echo "## Active TODOs: $TODOS file(s)"
+    echo ""
+  fi
+
+} > "$SNAPSHOT" 2>/dev/null
+
+exit 0

package/examples/git-lfs-guard.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# ================================================================
+# git-lfs-guard.sh — Suggest Git LFS for large binary files
+# ================================================================
+# PURPOSE:
+#   Claude sometimes git-adds large binary files (images, videos,
+#   compiled binaries) that bloat the repository. This hook warns
+#   when staging files larger than a threshold and suggests LFS.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+#
+# CONFIG:
+#   CC_LFS_THRESHOLD_KB=500  (warn above 500KB)
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+echo "$COMMAND" | grep -qE '^\s*git\s+add' || exit 0
+
+THRESHOLD="${CC_LFS_THRESHOLD_KB:-500}"
+
+# Extract files being added
+FILES=$(echo "$COMMAND" | sed 's/git add//' | tr ' ' '\n' | grep -v '^-' | grep -v '^$')
+
+for f in $FILES; do
+    [ -f "$f" ] || continue
+    SIZE_KB=$(du -k "$f" 2>/dev/null | cut -f1)
+    [ -z "$SIZE_KB" ] && continue
+
+    if [ "$SIZE_KB" -gt "$THRESHOLD" ]; then
+        echo "WARNING: $f is ${SIZE_KB}KB — consider Git LFS." >&2
+        echo "  git lfs track '$f' && git add .gitattributes $f" >&2
+    fi
+done
+
+exit 0

package/examples/go/destructive_guard.go

@@ -0,0 +1,69 @@
+// destructive_guard.go — Claude Code PreToolUse hook in Go
+//
+// Blocks rm -rf /, git reset --hard, git clean -fd, and similar
+// destructive commands. Exit code 2 = block, 0 = allow.
+//
+// Build: go build -o destructive-guard destructive_guard.go
+// Usage in settings.json:
+//   {"type": "command", "command": "/path/to/destructive-guard"}
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"regexp"
+	"strings"
+)
+
+type HookInput struct {
+	ToolInput struct {
+		Command string `json:"command"`
+	} `json:"tool_input"`
+}
+
+var dangerousPatterns = []*regexp.Regexp{
+	regexp.MustCompile(`\brm\s+.*-rf\s+(/|~/?\s*$|\.\./)`),
+	regexp.MustCompile(`\bgit\s+reset\s+--hard`),
+	regexp.MustCompile(`\bgit\s+clean\s+-[a-zA-Z]*f`),
+	regexp.MustCompile(`\bgit\s+checkout\s+--force`),
+	regexp.MustCompile(`\bchmod\s+(-R\s+)?777\s+/`),
+	regexp.MustCompile(`\bfind\s+/\s+-delete`),
+	regexp.MustCompile(`Remove-Item.*-Recurse.*-Force`),
+	regexp.MustCompile(`--no-preserve-root`),
+	regexp.MustCompile(`\bsudo\s+mkfs\b`),
+}
+
+func main() {
+	data, err := io.ReadAll(os.Stdin)
+	if err != nil {
+		os.Exit(0) // Don't block on read error
+	}
+
+	var input HookInput
+	if err := json.Unmarshal(data, &input); err != nil {
+		os.Exit(0) // Don't block on parse error
+	}
+
+	cmd := input.ToolInput.Command
+	if cmd == "" {
+		os.Exit(0)
+	}
+
+	// Skip if command is in an echo/printf context
+	lower := strings.ToLower(cmd)
+	if strings.HasPrefix(strings.TrimSpace(lower), "echo ") ||
+		strings.HasPrefix(strings.TrimSpace(lower), "printf ") {
+		os.Exit(0)
+	}
+
+	for _, pattern := range dangerousPatterns {
+		if pattern.MatchString(cmd) {
+			fmt.Fprintf(os.Stderr, "BLOCKED: Dangerous command detected\nCommand: %s\n", cmd)
+			os.Exit(2)
+		}
+	}
+
+	os.Exit(0)
+}

package/examples/lockfile-guard.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# ================================================================
+# lockfile-guard.sh — Warn when lockfiles are modified unexpectedly
+# ================================================================
+# PURPOSE:
+#   Claude sometimes runs npm install or pip install that modifies
+#   lockfiles (package-lock.json, yarn.lock, Cargo.lock, etc.)
+#   without the user intending a dependency change. This hook warns
+#   when a lockfile appears in staged changes.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check git commit
+echo "$COMMAND" | grep -qE '^\s*git\s+(commit|add)' || exit 0
+
+# Check for lockfile changes
+LOCKFILES=$(git diff --cached --name-only 2>/dev/null | grep -E '(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|Cargo\.lock|Gemfile\.lock|poetry\.lock|composer\.lock|go\.sum)' 2>/dev/null)
+
+if [ -n "$LOCKFILES" ]; then
+    COUNT=$(echo "$LOCKFILES" | wc -l)
+    echo "WARNING: $COUNT lockfile(s) modified:" >&2
+    echo "$LOCKFILES" | sed 's/^/  /' >&2
+    echo "Verify the dependency change was intentional." >&2
+fi
+
+exit 0

package/examples/typescript/destructive-guard.ts

@@ -0,0 +1,64 @@
+#!/usr/bin/env -S npx tsx
+/**
+ * destructive-guard.ts — Claude Code PreToolUse hook in TypeScript
+ *
+ * Blocks rm -rf /, git reset --hard, git clean -fd, and similar
+ * destructive commands. Exit code 2 = block, 0 = allow.
+ *
+ * Run with: npx tsx destructive-guard.ts
+ * Or compile: npx tsc destructive-guard.ts && node destructive-guard.js
+ */
+
+interface HookInput {
+  tool_input: {
+    command?: string;
+  };
+}
+
+const DANGEROUS_PATTERNS: RegExp[] = [
+  /\brm\s+.*-rf\s+(\/|~\/?\s*$|\.\.\/)/,
+  /\bgit\s+reset\s+--hard/,
+  /\bgit\s+clean\s+-[a-zA-Z]*f/,
+  /\bgit\s+checkout\s+--force/,
+  /\bchmod\s+(-R\s+)?777\s+\//,
+  /\bfind\s+\/\s+-delete/,
+  /Remove-Item.*-Recurse.*-Force/,
+  /--no-preserve-root/,
+  /\bsudo\s+mkfs\b/,
+];
+
+async function main(): Promise<void> {
+  let data = '';
+  for await (const chunk of process.stdin) {
+    data += chunk;
+  }
+
+  let input: HookInput;
+  try {
+    input = JSON.parse(data);
+  } catch {
+    process.exit(0); // Don't block on parse error
+  }
+
+  const cmd = input.tool_input?.command;
+  if (!cmd) {
+    process.exit(0);
+  }
+
+  // Skip echo/printf context
+  const trimmed = cmd.trimStart().toLowerCase();
+  if (trimmed.startsWith('echo ') || trimmed.startsWith('printf ')) {
+    process.exit(0);
+  }
+
+  for (const pattern of DANGEROUS_PATTERNS) {
+    if (pattern.test(cmd)) {
+      process.stderr.write(`BLOCKED: Dangerous command detected\nCommand: ${cmd}\n`);
+      process.exit(2);
+    }
+  }
+
+  process.exit(0);
+}
+
+main();

package/index.mjs

@@ -93,6 +93,8 @@ const QUICKFIX = process.argv.includes('--quickfix');
 const SHIELD = process.argv.includes('--shield');
 const ANALYZE = process.argv.includes('--analyze');
 const TEAM = process.argv.includes('--team');
+const MIGRATE_FROM_IDX = process.argv.findIndex(a => a === '--migrate-from');
+const MIGRATE_FROM = MIGRATE_FROM_IDX !== -1 ? process.argv[MIGRATE_FROM_IDX + 1] : null;
 const PROFILE_IDX = process.argv.findIndex(a => a === '--profile');
 const PROFILE = PROFILE_IDX !== -1 ? process.argv[PROFILE_IDX + 1] : null;
 const COMPARE_IDX = process.argv.findIndex(a => a === '--compare');
@@ -130,6 +132,7 @@ if (HELP) {
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
+    npx cc-safe-setup --migrate-from <tool>  Migrate from safety-net/hooks-mastery/etc.
     npx cc-safe-setup --team         Set up project-level hooks (commit to repo for team)
     npx cc-safe-setup --profile <level>  Switch safety profile (strict/standard/minimal)
     npx cc-safe-setup --analyze     Analyze what Claude did in your last session
@@ -840,6 +843,141 @@ async function fullSetup() {
   console.log();
 }
 
+async function migrateFrom(tool) {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --migrate-from ' + (tool || '?') + c.reset);
+  console.log();
+
+  const KNOWN_TOOLS = {
+    'safety-net': {
+      name: 'Claude Code Safety Net',
+      npm: '@anthropic-ai/claude-code-safety-net',
+      detect: () => {
+        if (!existsSync(SETTINGS_PATH)) return false;
+        const s = readFileSync(SETTINGS_PATH, 'utf-8');
+        return s.includes('safety-net') || s.includes('claude-code-safety-net');
+      },
+      mapping: {
+        'destructive-commands': 'destructive-guard',
+        'secret-files': 'secret-guard',
+        'branch-protection': 'branch-guard',
+        'git-operations': 'branch-guard',
+      },
+      desc: 'TypeScript hooks with configurable severity levels'
+    },
+    'hooks-mastery': {
+      name: 'Claude Code Hooks Mastery',
+      npm: null,
+      detect: () => {
+        if (!existsSync(SETTINGS_PATH)) return false;
+        const s = readFileSync(SETTINGS_PATH, 'utf-8');
+        return s.includes('hooks_mastery') || s.includes('hooks-mastery');
+      },
+      mapping: {
+        'safety': 'destructive-guard',
+        'git-safety': 'branch-guard',
+      },
+      desc: 'Python hooks for all events + LLM integration'
+    },
+    'manual': {
+      name: 'Custom/Manual Hooks',
+      npm: null,
+      detect: () => {
+        if (!existsSync(SETTINGS_PATH)) return false;
+        const s = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8'));
+        return Object.keys(s.hooks || {}).length > 0;
+      },
+      mapping: {},
+      desc: 'Hand-written hooks in settings.json'
+    }
+  };
+
+  if (!tool) {
+    console.log(c.bold + '  Supported migration sources:' + c.reset);
+    console.log();
+    for (const [id, info] of Object.entries(KNOWN_TOOLS)) {
+      const detected = info.detect();
+      const icon = detected ? c.green + '●' + c.reset : c.dim + '○' + c.reset;
+      console.log(`  ${icon} ${c.bold}${id}${c.reset} — ${info.desc}`);
+      if (detected) console.log(`    ${c.green}Detected in your settings${c.reset}`);
+      console.log(`    ${c.dim}npx cc-safe-setup --migrate-from ${id}${c.reset}`);
+      console.log();
+    }
+    return;
+  }
+
+  const source = KNOWN_TOOLS[tool];
+  if (!source) {
+    console.log(c.red + `  Unknown tool: ${tool}` + c.reset);
+    console.log(c.dim + '  Supported: ' + Object.keys(KNOWN_TOOLS).join(', ') + c.reset);
+    return;
+  }
+
+  console.log(c.dim + `  Migrating from: ${source.name}` + c.reset);
+  console.log();
+
+  // Read current settings
+  let settings = {};
+  if (existsSync(SETTINGS_PATH)) {
+    try { settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8')); } catch {}
+  }
+
+  // Analyze existing hooks
+  let existingHooks = [];
+  for (const [trigger, groups] of Object.entries(settings.hooks || {})) {
+    for (const group of groups) {
+      for (const hook of (group.hooks || [])) {
+        existingHooks.push({ trigger, matcher: group.matcher, command: hook.command || '' });
+      }
+    }
+  }
+
+  console.log(`  Found ${existingHooks.length} existing hook(s) in settings.json`);
+  console.log();
+
+  // Identify what cc-safe-setup equivalents exist
+  const replacements = [];
+  for (const h of existingHooks) {
+    const cmd = h.command.toLowerCase();
+    let replacement = null;
+
+    // Try source-specific mapping
+    for (const [pattern, ccHook] of Object.entries(source.mapping)) {
+      if (cmd.includes(pattern)) {
+        replacement = ccHook;
+        break;
+      }
+    }
+
+    // Generic detection
+    if (!replacement) {
+      if (cmd.includes('rm') || cmd.includes('destruct')) replacement = 'destructive-guard';
+      else if (cmd.includes('branch') || cmd.includes('push')) replacement = 'branch-guard';
+      else if (cmd.includes('secret') || cmd.includes('env')) replacement = 'secret-guard';
+      else if (cmd.includes('syntax') || cmd.includes('lint')) replacement = 'syntax-check';
+      else if (cmd.includes('context') || cmd.includes('monitor')) replacement = 'context-monitor';
+    }
+
+    if (replacement) {
+      replacements.push({ old: h.command, new: replacement });
+      console.log(`  ${c.yellow}→${c.reset} ${h.command.substring(0, 50)}`);
+      console.log(`    ${c.green}→${c.reset} cc-safe-setup: ${replacement}`);
+    } else {
+      console.log(`  ${c.dim}?${c.reset} ${h.command.substring(0, 50)} (no equivalent, keeping)`);
+    }
+  }
+
+  console.log();
+  console.log(c.bold + '  Migration plan:' + c.reset);
+  console.log(`  ${c.green}${replacements.length}${c.reset} hooks can be replaced with cc-safe-setup equivalents`);
+  console.log(`  ${c.dim}${existingHooks.length - replacements.length}${c.reset} hooks will be kept as-is`);
+  console.log();
+  console.log(c.dim + '  To apply: npx cc-safe-setup --shield' + c.reset);
+  console.log(c.dim + '  This installs cc-safe-setup hooks alongside existing ones.' + c.reset);
+  console.log(c.dim + '  Remove old hooks manually after verifying the new ones work.' + c.reset);
+  console.log();
+}
+
 async function team() {
   console.log();
   console.log(c.bold + '  cc-safe-setup --team' + c.reset);
@@ -3381,6 +3519,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (MIGRATE_FROM_IDX !== -1) return migrateFrom(MIGRATE_FROM);
   if (TEAM) return team();
   if (PROFILE_IDX !== -1) return profile(PROFILE);
   if (ANALYZE) return analyze();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "8.4.0",
+  "version": "8.6.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {