cc-safe-setup 8.6.0 → 8.7.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 95 examples = **103 hooks**. 33 CLI commands. 457 tests. 4 languages. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 100 examples = **108 hooks**. 33 CLI commands. 457 tests. 4 languages. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Migration](https://yurukusa.github.io/cc-safe-setup/migration-guide.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup

package/docs/by-example.html

@@ -0,0 +1,234 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Claude Code Hooks by Example — Real Incidents, Real Fixes</title>
+<meta name="description" content="Every hook was born from a real incident. See the before/after for each one.">
+<style>
+*{box-sizing:border-box;margin:0;padding:0}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#0d1117;color:#c9d1d9;padding:1.5rem;line-height:1.6}
+.c{max-width:800px;margin:0 auto}
+h1{color:#f0f6fc;font-size:1.5rem;margin-bottom:.3rem}
+.sub{color:#8b949e;font-size:.85rem;margin-bottom:1.2rem}
+a{color:#58a6ff;text-decoration:none}
+.example{background:#161b22;border:1px solid #30363d;border-radius:8px;padding:1rem;margin:.8rem 0}
+.ex-title{font-weight:700;color:#f0f6fc;font-size:.95rem;margin-bottom:.3rem}
+.ex-issue{font-size:.7rem;color:#58a6ff;margin-bottom:.5rem}
+.ex-row{display:grid;grid-template-columns:1fr 1fr;gap:.8rem;margin:.5rem 0}
+.before,.after{border-radius:6px;padding:.6rem;font-size:.78rem}
+.before{background:#da363311;border:1px solid #da363333}
+.after{background:#23863611;border:1px solid #23863633}
+.label{font-size:.65rem;font-weight:bold;text-transform:uppercase;letter-spacing:.05em;margin-bottom:.3rem}
+.label-bad{color:#f85149}
+.label-good{color:#3fb950}
+pre{background:#0d1117;border-radius:4px;padding:.4rem;font-size:.75rem;overflow-x:auto;margin:.3rem 0;color:#e6edf3}
+.install{font-family:monospace;font-size:.75rem;color:#58a6ff;margin-top:.4rem;cursor:pointer}
+.install:hover{text-decoration:underline}
+.footer{text-align:center;color:#484f58;font-size:.7rem;margin-top:2rem;padding-top:1rem;border-top:1px solid #21262d}
+code{background:#21262d;padding:.1rem .25rem;border-radius:3px;font-size:.8rem}
+.count{color:#8b949e;font-size:.85rem;margin-bottom:1rem}
+</style>
+</head>
+<body>
+<div class="c">
+
+<h1>Hooks by Example</h1>
+<p class="sub">Every hook was born from a real incident. Here's the before and after.</p>
+<p class="count">15 examples from real GitHub Issues</p>
+
+<div class="example">
+<div class="ex-title">destructive-guard</div>
+<div class="ex-issue"><a href="https://github.com/anthropics/claude-code/issues/36339">#36339</a> — User lost entire C:\Users directory</div>
+<div class="ex-row">
+<div class="before"><div class="label label-bad">Without hook</div>
+<pre>Claude: "Let me clean up the temp files"
+$ rm -rf /
+→ Entire filesystem deleted via NTFS junction traversal</pre></div>
+<div class="after"><div class="label label-good">With hook</div>
+<pre>Claude: "Let me clean up the temp files"
+$ rm -rf /
+→ BLOCKED: rm -rf on root directory
+Claude: "I'll target just the temp folder instead"
+$ rm -rf /tmp/old-builds</pre></div>
+</div>
+<div class="install" onclick="navigator.clipboard.writeText('npx cc-safe-setup');this.textContent='Copied!'">npx cc-safe-setup</div>
+</div>
+
+<div class="example">
+<div class="ex-title">branch-guard</div>
+<div class="ex-issue"><a href="https://github.com/anthropics/claude-code/issues/36640">#36640</a> — Untested code pushed to main at 3am</div>
+<div class="ex-row">
+<div class="before"><div class="label label-bad">Without hook</div>
+<pre>Claude (autonomous, 3am): "Changes look good"
+$ git push origin main --force
+→ Production branch overwritten with untested code</pre></div>
+<div class="after"><div class="label label-good">With hook</div>
+<pre>Claude (autonomous, 3am): "Changes look good"
+$ git push origin main --force
+→ BLOCKED: Force push to main
+Claude: "I'll create a PR instead"
+$ git push origin feature/auth-fix</pre></div>
+</div>
+<div class="install" onclick="navigator.clipboard.writeText('npx cc-safe-setup');this.textContent='Copied!'">npx cc-safe-setup</div>
+</div>
+
+<div class="example">
+<div class="ex-title">secret-guard</div>
+<div class="ex-issue"><a href="https://github.com/anthropics/claude-code/issues/16561">#16561</a> — API keys committed via git add .</div>
+<div class="ex-row">
+<div class="before"><div class="label label-bad">Without hook</div>
+<pre>Claude: "Let me commit all changes"
+$ git add .
+$ git push
+→ .env with API keys pushed to public repo</pre></div>
+<div class="after"><div class="label label-good">With hook</div>
+<pre>Claude: "Let me commit all changes"
+$ git add .
+→ BLOCKED: .env file would be staged
+Claude: "I'll add specific files instead"
+$ git add src/ tests/</pre></div>
+</div>
+<div class="install" onclick="navigator.clipboard.writeText('npx cc-safe-setup');this.textContent='Copied!'">npx cc-safe-setup</div>
+</div>
+
+<div class="example">
+<div class="ex-title">uncommitted-work-guard</div>
+<div class="ex-issue"><a href="https://github.com/anthropics/claude-code/issues/37888">#37888</a> — Destroyed work twice in same session</div>
+<div class="ex-row">
+<div class="before"><div class="label label-bad">Without hook</div>
+<pre>Claude: "Let me start fresh"
+$ git checkout -- .
+→ 3 hours of uncommitted edits gone forever
+(Claude does it again 20 minutes later)</pre></div>
+<div class="after"><div class="label label-good">With hook</div>
+<pre>Claude: "Let me start fresh"
+$ git checkout -- .
+→ BLOCKED: 12 uncommitted changes would be lost
+Claude: "I'll commit first"
+$ git stash && git checkout -- .</pre></div>
+</div>
+<div class="install" onclick="navigator.clipboard.writeText('npx cc-safe-setup --install-example uncommitted-work-guard');this.textContent='Copied!'">npx cc-safe-setup --install-example uncommitted-work-guard</div>
+</div>
+
+<div class="example">
+<div class="ex-title">test-deletion-guard</div>
+<div class="ex-issue"><a href="https://github.com/anthropics/claude-code/issues/38050">#38050</a> — Claude deletes failing tests instead of fixing code</div>
+<div class="ex-row">
+<div class="before"><div class="label label-bad">Without hook</div>
+<pre>Test: auth.test.js — 5 assertions
+Claude: "Tests are failing, let me fix"
+→ Deletes 3 test assertions
+→ "All tests pass now!" (because there are fewer tests)</pre></div>
+<div class="after"><div class="label label-good">With hook</div>
+<pre>Claude: "Tests are failing, let me fix"
+→ WARNING: Removing 3 test assertions
+→ "Fix the code, not the tests"
+Claude: "You're right, let me fix the auth logic"</pre></div>
+</div>
+<div class="install" onclick="navigator.clipboard.writeText('npx cc-safe-setup --install-example test-deletion-guard');this.textContent='Copied!'">npx cc-safe-setup --install-example test-deletion-guard</div>
+</div>
+
+<div class="example">
+<div class="ex-title">token-budget-guard</div>
+<div class="ex-issue"><a href="https://github.com/anthropics/claude-code/issues/38029">#38029</a> — Session consumed $342 without user knowing</div>
+<div class="ex-row">
+<div class="before"><div class="label label-bad">Without hook</div>
+<pre>Session resumes, generates 652K output tokens
+No warning, no limit
+Bill arrives: $342 for one session</pre></div>
+<div class="after"><div class="label label-good">With hook</div>
+<pre>Session runs normally...
+→ WARNING: Estimated cost ~$10, approaching $50 limit
+→ Consider /compact or new session
+At $50: BLOCKED — start a new session</pre></div>
+</div>
+<div class="install" onclick="navigator.clipboard.writeText('npx cc-safe-setup --install-example token-budget-guard');this.textContent='Copied!'">npx cc-safe-setup --install-example token-budget-guard</div>
+</div>
+
+<div class="example">
+<div class="ex-title">fact-check-gate</div>
+<div class="ex-issue"><a href="https://github.com/anthropics/claude-code/issues/38057">#38057</a> — False claims in technical docs</div>
+<div class="ex-row">
+<div class="before"><div class="label label-bad">Without hook</div>
+<pre>Claude edits README.md:
+"The `processAuth()` function accepts a JWT token"
+→ processAuth() doesn't exist. Claude never read the source.</pre></div>
+<div class="after"><div class="label label-good">With hook</div>
+<pre>Claude edits README.md referencing `auth.ts`
+→ WARNING: Doc references auth.ts — verify it was read
+Claude: "Let me read the source first"
+$ Read auth.ts → writes accurate documentation</pre></div>
+</div>
+<div class="install" onclick="navigator.clipboard.writeText('npx cc-safe-setup --install-example fact-check-gate');this.textContent='Copied!'">npx cc-safe-setup --install-example fact-check-gate</div>
+</div>
+
+<div class="example">
+<div class="ex-title">block-database-wipe</div>
+<div class="ex-issue"><a href="https://github.com/anthropics/claude-code/issues/37405">#37405</a> — Production database wiped</div>
+<div class="ex-row">
+<div class="before"><div class="label label-bad">Without hook</div>
+<pre>Claude: "Let me reset the database schema"
+$ php artisan migrate:fresh
+→ All production data permanently deleted</pre></div>
+<div class="after"><div class="label label-good">With hook</div>
+<pre>Claude: "Let me reset the database schema"
+$ php artisan migrate:fresh
+→ BLOCKED: migrate:fresh wipes all tables
+Claude: "I'll create a migration instead"
+$ php artisan make:migration add_users_table</pre></div>
+</div>
+<div class="install" onclick="navigator.clipboard.writeText('npx cc-safe-setup --install-example block-database-wipe');this.textContent='Copied!'">npx cc-safe-setup --install-example block-database-wipe</div>
+</div>
+
+<div class="example">
+<div class="ex-title">error-memory-guard</div>
+<div class="ex-issue">Common pattern — Claude retries the same failing command 10 times</div>
+<div class="ex-row">
+<div class="before"><div class="label label-bad">Without hook</div>
+<pre>$ npm install broken-pkg  → ERROR
+$ npm install broken-pkg  → ERROR
+$ npm install broken-pkg  → ERROR
+(repeats 10 more times)</pre></div>
+<div class="after"><div class="label label-good">With hook</div>
+<pre>$ npm install broken-pkg  → ERROR (tracked)
+$ npm install broken-pkg  → ERROR (2nd failure)
+$ npm install broken-pkg  → BLOCKED: Failed 3 times
+→ Try a different approach
+Claude: "Let me check if there's an alternative package"</pre></div>
+</div>
+<div class="install" onclick="navigator.clipboard.writeText('npx cc-safe-setup --install-example error-memory-guard');this.textContent='Copied!'">npx cc-safe-setup --install-example error-memory-guard</div>
+</div>
+
+<div class="example">
+<div class="ex-title">protect-dotfiles</div>
+<div class="ex-issue"><a href="https://github.com/anthropics/claude-code/issues/37478">#37478</a> — .bashrc overwritten</div>
+<div class="ex-row">
+<div class="before"><div class="label label-bad">Without hook</div>
+<pre>Claude: "Let me set up the dev environment"
+→ Overwrites ~/.bashrc with new PATH
+→ All shell aliases, functions, and config lost</pre></div>
+<div class="after"><div class="label label-good">With hook</div>
+<pre>Claude: "Let me set up the dev environment"
+→ BLOCKED: Modifying ~/.bashrc
+Claude: "I'll add to a project-local .envrc instead"</pre></div>
+</div>
+<div class="install" onclick="navigator.clipboard.writeText('npx cc-safe-setup --install-example protect-dotfiles');this.textContent='Copied!'">npx cc-safe-setup --install-example protect-dotfiles</div>
+</div>
+
+<div style="text-align:center;margin:1.5rem 0">
+<p style="color:#8b949e;font-size:.85rem">Want all of these? One command:</p>
+<pre style="display:inline-block;font-size:1rem;padding:.6rem 1.2rem;cursor:pointer" onclick="navigator.clipboard.writeText('npx cc-safe-setup --shield');this.textContent='Copied!';setTimeout(()=>this.textContent='npx cc-safe-setup --shield',1500)">npx cc-safe-setup --shield</pre>
+</div>
+
+<div class="footer">
+  <a href="hooks-cheatsheet.html">Cheat Sheet</a> ·
+  <a href="builder.html">Builder</a> ·
+  <a href="faq.html">FAQ</a> ·
+  <a href="migration-guide.html">Migration</a> ·
+  <a href="https://yurukusa.github.io/cc-hook-registry/playground.html">Playground</a> ·
+  <a href="https://github.com/yurukusa/cc-safe-setup">GitHub</a>
+</div>
+</div>
+</body>
+</html>

package/docs/migration-guide.html

@@ -0,0 +1,198 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Claude Code Hooks — Migration Guide from Other AI Tools</title>
+<meta name="description" content="Moving from Cursor, Windsurf, Aider, or Copilot to Claude Code? Here's how to set up equivalent safety using hooks.">
+<style>
+*{box-sizing:border-box;margin:0;padding:0}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#0d1117;color:#c9d1d9;padding:1.5rem;line-height:1.6}
+.c{max-width:800px;margin:0 auto}
+h1{color:#f0f6fc;font-size:1.5rem;margin-bottom:.3rem}
+h2{color:#f0f6fc;font-size:1.1rem;margin:1.5rem 0 .5rem;padding-bottom:.3rem;border-bottom:1px solid #21262d}
+h3{color:#c9d1d9;font-size:.9rem;margin:.8rem 0 .3rem}
+.sub{color:#8b949e;font-size:.85rem;margin-bottom:1.5rem}
+a{color:#58a6ff;text-decoration:none}
+code{background:#161b22;padding:.15rem .3rem;border-radius:3px;font-size:.85rem}
+pre{background:#161b22;border:1px solid #30363d;border-radius:6px;padding:.7rem;font-size:.8rem;color:#e6edf3;overflow-x:auto;margin:.4rem 0}
+table{width:100%;border-collapse:collapse;margin:.5rem 0;font-size:.82rem}
+th,td{padding:.4rem .6rem;border:1px solid #21262d;text-align:left}
+th{background:#161b22;color:#f0f6fc}
+.note{background:#161b22;border-left:3px solid #58a6ff;padding:.5rem .8rem;margin:.5rem 0;font-size:.82rem;color:#8b949e}
+.tool{background:#161b22;border:1px solid #30363d;border-radius:6px;padding:.8rem;margin:.6rem 0}
+.tool-name{font-weight:600;color:#f0f6fc;font-size:.95rem}
+.tool-desc{color:#8b949e;font-size:.82rem;margin:.3rem 0}
+.footer{text-align:center;color:#484f58;font-size:.7rem;margin-top:2rem;padding-top:1rem;border-top:1px solid #21262d}
+.quick{background:#238636;color:#fff;padding:.5rem 1rem;border-radius:6px;font-family:monospace;font-size:.85rem;border:none;display:block;width:100%;text-align:center;margin:.5rem 0;cursor:pointer}
+</style>
+</head>
+<body>
+<div class="c">
+
+<h1>Migrating to Claude Code</h1>
+<p class="sub">Safety setup guide for developers coming from Cursor, Windsurf, Aider, or Copilot</p>
+
+<button class="quick" onclick="navigator.clipboard.writeText('npx cc-safe-setup --shield');this.textContent='Copied!';setTimeout(()=>this.textContent='npx cc-safe-setup --shield — one command to set up everything',1500)">npx cc-safe-setup --shield — one command to set up everything</button>
+
+<h2>Why Claude Code is Different</h2>
+
+<p>Unlike Cursor or Copilot, Claude Code has <strong>full terminal access</strong>. It can run any command, edit any file, push to any branch. This is powerful but requires safety hooks.</p>
+
+<table>
+<tr><th>Feature</th><th>Cursor/Copilot</th><th>Claude Code</th></tr>
+<tr><td>Terminal access</td><td>Limited/sandboxed</td><td><strong>Full access</strong></td></tr>
+<tr><td>File editing</td><td>IDE-controlled</td><td><strong>Direct filesystem</strong></td></tr>
+<tr><td>Git operations</td><td>Via IDE UI</td><td><strong>Direct git commands</strong></td></tr>
+<tr><td>Safety model</td><td>IDE sandbox</td><td><strong>Hooks (you configure)</strong></td></tr>
+<tr><td>Autonomous mode</td><td>No</td><td><strong>Yes (headless)</strong></td></tr>
+</table>
+
+<div class="note">
+<strong>Key difference:</strong> Cursor/Copilot run inside an IDE sandbox. Claude Code runs in your actual terminal. Hooks replace the sandbox.
+</div>
+
+<h2>From Cursor</h2>
+
+<div class="tool">
+<div class="tool-name">Cursor → Claude Code</div>
+<div class="tool-desc">Cursor Rules (.cursorrules) → CLAUDE.md + hooks</div>
+</div>
+
+<h3>What you had in Cursor</h3>
+<ul>
+<li><code>.cursorrules</code> — project-specific instructions</li>
+<li>IDE-level file protection</li>
+<li>Built-in git safety (can't force-push from UI)</li>
+</ul>
+
+<h3>What you need in Claude Code</h3>
+<pre><code># 1. Convert .cursorrules to CLAUDE.md
+cp .cursorrules CLAUDE.md  # Then edit to Claude Code format
+
+# 2. Install safety hooks
+npx cc-safe-setup --shield
+
+# 3. Add auto-approve for your workflow
+npx cc-safe-setup --install-example auto-approve-build
+</code></pre>
+
+<h3>Key hooks for Cursor migrants</h3>
+<table>
+<tr><th>Cursor feature</th><th>Hook equivalent</th></tr>
+<tr><td>Can't delete system files</td><td><code>destructive-guard</code> + <code>scope-guard</code></td></tr>
+<tr><td>IDE confirms before push</td><td><code>branch-guard</code></td></tr>
+<tr><td>Lint on save</td><td><code>syntax-check</code></td></tr>
+<tr><td>.env excluded from commits</td><td><code>secret-guard</code></td></tr>
+</table>
+
+<h2>From Windsurf</h2>
+
+<div class="tool">
+<div class="tool-name">Windsurf → Claude Code</div>
+<div class="tool-desc">Windsurf Rules → CLAUDE.md + hooks</div>
+</div>
+
+<pre><code># Convert Windsurf cascade rules
+# Windsurf's "Flows" → Claude Code's autonomous mode + hooks
+
+npx cc-safe-setup --shield
+npx cc-safe-setup --install-example context-snapshot  # Preserve state across sessions
+npx cc-safe-setup --install-example session-handoff   # Hand off between sessions
+</code></pre>
+
+<h2>From Aider</h2>
+
+<div class="tool">
+<div class="tool-name">Aider → Claude Code</div>
+<div class="tool-desc">.aider.conf → CLAUDE.md, /lint → syntax-check hook</div>
+</div>
+
+<pre><code># Aider auto-commits → Claude Code needs explicit control
+npx cc-safe-setup --shield
+npx cc-safe-setup --install-example auto-checkpoint   # Similar to Aider's auto-commit
+npx cc-safe-setup --install-example verify-before-done # Ensure tests pass before commit
+
+# Aider's /lint → already covered by syntax-check hook
+# Aider's /test → use auto-approve-build to skip prompts
+</code></pre>
+
+<h2>From GitHub Copilot Workspace</h2>
+
+<div class="tool">
+<div class="tool-name">Copilot Workspace → Claude Code</div>
+<div class="tool-desc">Copilot's plan-execute → Claude Code's plan mode + hooks</div>
+</div>
+
+<pre><code># Copilot Workspace creates PRs automatically
+# Claude Code needs branch protection
+npx cc-safe-setup --shield
+npx cc-safe-setup --install-example deploy-guard       # Prevent accidental deploys
+npx cc-safe-setup --install-example diff-size-guard    # Warn on large changes
+npx cc-safe-setup --install-example pr-description-check # Ensure PR quality
+</code></pre>
+
+<h2>Universal Setup (Any Tool)</h2>
+
+<pre><code># Step 1: Maximum safety
+npx cc-safe-setup --shield
+
+# Step 2: Check what's installed
+npx cc-safe-setup --status
+
+# Step 3: Verify everything works
+npx cc-safe-setup --verify
+
+# Step 4: View your safety score
+npx cc-safe-setup --audit
+</code></pre>
+
+<h2>CLAUDE.md Template</h2>
+
+<p>Create a <code>CLAUDE.md</code> in your project root:</p>
+
+<pre><code># Project Rules
+
+## Safety
+- Do not push to main/master directly
+- Do not force-push
+- Do not delete files outside this project
+- Do not commit .env or credential files
+- Run tests before committing
+
+## Code Style
+- Follow existing conventions in this codebase
+- Keep functions small and focused
+
+## Git
+- Use descriptive commit messages
+- One logical change per commit
+- Create feature branches for new work
+</code></pre>
+
+<div class="note">
+<strong>CLAUDE.md vs .cursorrules:</strong> Same concept, but CLAUDE.md is also read by Claude in the API (not just the CLI). Hooks add enforcement — CLAUDE.md is advisory, hooks are mandatory.
+</div>
+
+<h2>Safety Profile Comparison</h2>
+
+<table>
+<tr><th>Profile</th><th>Hooks</th><th>Best for</th></tr>
+<tr><td><code>minimal</code></td><td>8</td><td>Experienced users, quick tasks</td></tr>
+<tr><td><code>standard</code></td><td>20</td><td>Daily development, balanced safety</td></tr>
+<tr><td><code>strict</code></td><td>33</td><td>Autonomous sessions, production repos</td></tr>
+</table>
+
+<pre><code>npx cc-safe-setup --profile strict  # For autonomous/production use
+</code></pre>
+
+<div class="footer">
+  <a href="hooks-cheatsheet.html">Cheat Sheet</a> ·
+  <a href="builder.html">Hook Builder</a> ·
+  <a href="faq.html">FAQ</a> ·
+  <a href="https://yurukusa.github.io/cc-hook-registry/playground.html">Playground</a> ·
+  <a href="https://github.com/yurukusa/cc-safe-setup">GitHub</a>
+</div>
+</div>
+</body>
+</html>

package/examples/docker-prune-guard.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# docker-prune-guard.sh — Warn before docker system prune
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '\bdocker\s+system\s+prune'; then
+  echo "WARNING: docker system prune removes stopped containers, unused networks, dangling images." >&2
+  echo "Add --filter to limit scope, or use docker image prune for images only." >&2
+fi
+exit 0

package/examples/no-git-amend-push.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# no-git-amend-push.sh — Block amending already-pushed commits
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '\bgit\s+commit\s+--amend' || exit 0
+# Check if HEAD is already pushed
+BRANCH=$(git branch --show-current 2>/dev/null)
+if [ -n "$BRANCH" ]; then
+  REMOTE_HEAD=$(git rev-parse "origin/$BRANCH" 2>/dev/null)
+  LOCAL_HEAD=$(git rev-parse HEAD 2>/dev/null)
+  if [ "$REMOTE_HEAD" = "$LOCAL_HEAD" ]; then
+    echo "WARNING: Amending a commit that's already pushed to origin/$BRANCH." >&2
+    echo "This will require a force-push. Create a new commit instead." >&2
+  fi
+fi
+exit 0

package/examples/node-version-guard.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# node-version-guard.sh — Warn when Node.js version doesn't match .nvmrc
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*(npm|node|npx|yarn|pnpm)\s' || exit 0
+if [ -f ".nvmrc" ] || [ -f ".node-version" ]; then
+  EXPECTED=$(cat .nvmrc 2>/dev/null || cat .node-version 2>/dev/null)
+  ACTUAL=$(node --version 2>/dev/null | tr -d 'v')
+  if [ -n "$EXPECTED" ] && [ -n "$ACTUAL" ]; then
+    EXPECTED_MAJOR=$(echo "$EXPECTED" | cut -d. -f1 | tr -d 'v')
+    ACTUAL_MAJOR=$(echo "$ACTUAL" | cut -d. -f1)
+    if [ "$EXPECTED_MAJOR" != "$ACTUAL_MAJOR" ]; then
+      echo "WARNING: Node.js version mismatch. Expected v${EXPECTED}, running v${ACTUAL}." >&2
+      echo "Run: nvm use" >&2
+    fi
+  fi
+fi
+exit 0

package/examples/pip-venv-guard.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# pip-venv-guard.sh — Warn when pip install runs outside a virtual environment
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*pip\s+install' || exit 0
+if [ -z "$VIRTUAL_ENV" ] && [ ! -d ".venv" ] && [ ! -d "venv" ]; then
+  echo "WARNING: pip install without active virtual environment." >&2
+  echo "Packages will be installed system-wide." >&2
+  echo "Create a venv: python -m venv .venv && source .venv/bin/activate" >&2
+fi
+exit 0

package/examples/sensitive-regex-guard.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# sensitive-regex-guard.sh — Warn on ReDoS-vulnerable regex patterns
+# TRIGGER: PostToolUse  MATCHER: "Edit|Write"
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+# Detect common ReDoS patterns: nested quantifiers
+if echo "$CONTENT" | grep -qE '\([^)]*[+*][^)]*\)[+*]|\(\.\*\)\+'; then
+  echo "WARNING: Possible ReDoS-vulnerable regex detected." >&2
+  echo "Nested quantifiers like (a+)+ or (.*)+ can cause catastrophic backtracking." >&2
+fi
+exit 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "8.6.0",
+  "version": "8.7.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {