cc-safe-setup 8.8.0 → 8.9.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 100 examples = **108 hooks**. 33 CLI commands. 457 tests. 4 languages. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Migration](https://yurukusa.github.io/cc-safe-setup/migration-guide.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 102 examples = **110 hooks**. 34 CLI commands. 457 tests. 4 languages. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Migration](https://yurukusa.github.io/cc-safe-setup/migration-guide.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup

package/docs/settings-reference.html

@@ -0,0 +1,317 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Claude Code settings.json Complete Reference</title>
+<meta name="description" content="Every settings.json field explained with examples. Hooks, permissions, env vars — the definitive reference.">
+<style>
+*{box-sizing:border-box;margin:0;padding:0}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#0d1117;color:#c9d1d9;padding:1.5rem;line-height:1.6}
+.c{max-width:820px;margin:0 auto}
+h1{color:#f0f6fc;font-size:1.4rem;margin-bottom:.3rem}
+h2{color:#f0f6fc;font-size:1.05rem;margin:1.3rem 0 .4rem;padding-bottom:.3rem;border-bottom:1px solid #21262d}
+h3{color:#c9d1d9;font-size:.88rem;margin:.7rem 0 .2rem}
+.sub{color:#8b949e;font-size:.83rem;margin-bottom:1rem}
+a{color:#58a6ff;text-decoration:none}
+code{background:#161b22;padding:.12rem .25rem;border-radius:3px;font-size:.82rem}
+pre{background:#161b22;border:1px solid #30363d;border-radius:6px;padding:.6rem;font-size:.78rem;color:#e6edf3;overflow-x:auto;margin:.3rem 0;position:relative}
+.copy{position:absolute;top:.3rem;right:.3rem;background:#21262d;border:1px solid #30363d;color:#8b949e;padding:.15rem .4rem;border-radius:3px;cursor:pointer;font-size:.65rem}
+.copy:hover{color:#f0f6fc}
+table{width:100%;border-collapse:collapse;margin:.4rem 0;font-size:.8rem}
+th,td{padding:.35rem .5rem;border:1px solid #21262d;text-align:left}
+th{background:#161b22;color:#f0f6fc}
+.note{background:#161b22;border-left:3px solid #58a6ff;padding:.4rem .7rem;margin:.4rem 0;font-size:.8rem;color:#8b949e}
+.warn{border-left-color:#d29922}
+.field{background:#161b22;border:1px solid #30363d;border-radius:6px;padding:.6rem;margin:.4rem 0}
+.field-name{font-weight:700;color:#f0f6fc;font-family:monospace;font-size:.85rem}
+.field-type{color:#d29922;font-size:.7rem;margin-left:.4rem}
+.field-desc{color:#8b949e;font-size:.8rem;margin:.2rem 0}
+.footer{text-align:center;color:#484f58;font-size:.7rem;margin-top:2rem;padding-top:1rem;border-top:1px solid #21262d}
+.toc{columns:2;font-size:.8rem;margin:.5rem 0}
+.toc a{display:block;padding:.15rem 0}
+</style>
+</head>
+<body>
+<div class="c">
+
+<h1>settings.json Reference</h1>
+<p class="sub">Every field, every option, with practical examples. <a href="https://docs.anthropic.com/en/docs/claude-code/settings">Official docs</a></p>
+
+<div class="toc">
+<a href="#locations">File Locations</a>
+<a href="#hooks">hooks</a>
+<a href="#permissions">permissions</a>
+<a href="#env">env</a>
+<a href="#model">model</a>
+<a href="#projects">projects</a>
+<a href="#examples">Full Examples</a>
+</div>
+
+<h2 id="locations">File Locations</h2>
+
+<table>
+<tr><th>File</th><th>Scope</th><th>Priority</th></tr>
+<tr><td><code>~/.claude/settings.json</code></td><td>Global (all projects)</td><td>Lowest</td></tr>
+<tr><td><code>.claude/settings.json</code></td><td>Project (in repo)</td><td>Medium</td></tr>
+<tr><td><code>.claude/settings.local.json</code></td><td>Project local (gitignored)</td><td>Highest</td></tr>
+</table>
+
+<div class="note">
+Project settings merge with global. Higher priority files override lower ones for the same key. For hooks, they are <strong>combined</strong>, not replaced.
+</div>
+
+<h2 id="hooks">hooks</h2>
+
+<div class="field">
+<span class="field-name">hooks</span> <span class="field-type">object</span>
+<div class="field-desc">Shell scripts that run at lifecycle points. The core of safety configuration.</div>
+</div>
+
+<h3>Structure</h3>
+<pre><code>{
+  "hooks": {
+    "EVENT": [
+      {
+        "matcher": "REGEX",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash path/to/hook.sh"
+          }
+        ]
+      }
+    ]
+  }
+}</code><button class="copy" onclick="cp(this)">Copy</button></pre>
+
+<h3>Events</h3>
+<table>
+<tr><th>Event</th><th>When</th><th>stdin JSON</th></tr>
+<tr><td><code>PreToolUse</code></td><td>Before tool executes</td><td><code>tool_name</code>, <code>tool_input</code></td></tr>
+<tr><td><code>PostToolUse</code></td><td>After tool completes</td><td><code>tool_name</code>, <code>tool_input</code>, <code>tool_result</code></td></tr>
+<tr><td><code>Stop</code></td><td>Claude finishes responding</td><td><code>stop_reason</code></td></tr>
+<tr><td><code>SubagentStop</code></td><td>Subagent finishes</td><td>Subagent context</td></tr>
+<tr><td><code>UserPromptSubmit</code></td><td>User sends a message</td><td>Prompt content</td></tr>
+</table>
+
+<h3>Matcher</h3>
+<table>
+<tr><th>Value</th><th>Matches</th></tr>
+<tr><td><code>""</code></td><td>All tools</td></tr>
+<tr><td><code>"Bash"</code></td><td>Shell commands only</td></tr>
+<tr><td><code>"Edit"</code></td><td>File edits only</td></tr>
+<tr><td><code>"Write"</code></td><td>File writes only</td></tr>
+<tr><td><code>"Read"</code></td><td>File reads only</td></tr>
+<tr><td><code>"Edit|Write"</code></td><td>Any file modification</td></tr>
+<tr><td><code>"Bash|Edit|Write"</code></td><td>Multiple tools (regex OR)</td></tr>
+</table>
+
+<h3>Exit Codes</h3>
+<table>
+<tr><th>Code</th><th>Effect</th></tr>
+<tr><td><code>0</code></td><td>Allow (default)</td></tr>
+<tr><td><code>2</code></td><td>Block the action</td></tr>
+<tr><td><code>1</code></td><td>Hook error (ignored, action proceeds)</td></tr>
+</table>
+
+<h3>stdout Override</h3>
+<pre><code>// Auto-approve
+echo '{"decision":"approve","reason":"Safe command"}'
+
+// Block with reason
+echo '{"decision":"block","reason":"Too dangerous"}'</code></pre>
+
+<h3>Practical Example</h3>
+<pre><code>{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {"type": "command", "command": "bash ~/.claude/hooks/destructive-guard.sh"},
+          {"type": "command", "command": "bash ~/.claude/hooks/branch-guard.sh"},
+          {"type": "command", "command": "bash ~/.claude/hooks/secret-guard.sh"}
+        ]
+      },
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {"type": "command", "command": "bash ~/.claude/hooks/scope-guard.sh"}
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {"type": "command", "command": "bash ~/.claude/hooks/syntax-check.sh"}
+        ]
+      },
+      {
+        "matcher": "",
+        "hooks": [
+          {"type": "command", "command": "bash ~/.claude/hooks/context-monitor.sh"}
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "matcher": "",
+        "hooks": [
+          {"type": "command", "command": "bash ~/.claude/hooks/api-error-alert.sh"}
+        ]
+      }
+    ]
+  }
+}</code><button class="copy" onclick="cp(this)">Copy</button></pre>
+
+<h2 id="permissions">permissions</h2>
+
+<div class="field">
+<span class="field-name">permissions</span> <span class="field-type">object</span>
+<div class="field-desc">Allow/deny rules for tool usage without prompting.</div>
+</div>
+
+<pre><code>{
+  "permissions": {
+    "allow": [
+      "Bash(npm test)",
+      "Bash(git status)",
+      "Bash(git log *)",
+      "Read(*)",
+      "Bash(ls *)"
+    ],
+    "deny": [
+      "Bash(rm -rf *)",
+      "Bash(sudo *)",
+      "Bash(git push * --force)"
+    ]
+  }
+}</code><button class="copy" onclick="cp(this)">Copy</button></pre>
+
+<div class="note warn">
+<strong>Gotcha:</strong> Permissions use glob patterns, not regex. <code>*</code> matches anything. Claude adds flags like <code>-C /path</code> that can break exact matches — use hooks for reliable blocking.
+</div>
+
+<h2 id="env">env</h2>
+
+<div class="field">
+<span class="field-name">env</span> <span class="field-type">object</span>
+<div class="field-desc">Environment variables passed to Claude Code and hooks.</div>
+</div>
+
+<pre><code>{
+  "env": {
+    "CC_TOKEN_BUDGET": "20",
+    "CC_MAX_LINE_LENGTH": "120",
+    "CC_DISK_WARN_PCT": "90",
+    "CC_ALLOWLIST_FILE": "~/.claude/allowlist.txt"
+  }
+}</code><button class="copy" onclick="cp(this)">Copy</button></pre>
+
+<h2 id="model">model</h2>
+
+<div class="field">
+<span class="field-name">model</span> <span class="field-type">string</span>
+<div class="field-desc">Default model for Claude Code sessions.</div>
+</div>
+
+<pre><code>{
+  "model": "claude-sonnet-4-6"
+}</code></pre>
+
+<table>
+<tr><th>Model</th><th>Best for</th></tr>
+<tr><td><code>claude-opus-4-6</code></td><td>Complex reasoning, architecture</td></tr>
+<tr><td><code>claude-sonnet-4-6</code></td><td>Fast daily coding (default)</td></tr>
+<tr><td><code>claude-haiku-4-5</code></td><td>Quick tasks, high volume</td></tr>
+</table>
+
+<h2 id="projects">Project-Level Settings</h2>
+
+<pre><code>// .claude/settings.json (commit to repo)
+{
+  "hooks": {
+    "PreToolUse": [{
+      "matcher": "Bash",
+      "hooks": [{
+        "type": "command",
+        "command": "bash .claude/hooks/guard.sh"
+      }]
+    }]
+  }
+}
+
+// .claude/settings.local.json (gitignored, personal)
+{
+  "permissions": {
+    "allow": ["Bash(npm test)"]
+  }
+}</code><button class="copy" onclick="cp(this)">Copy</button></pre>
+
+<div class="note">
+Use relative paths in project settings (<code>.claude/hooks/guard.sh</code>) so they work for all team members. Use <code>npx cc-safe-setup --team</code> to set this up automatically.
+</div>
+
+<h2 id="examples">Full Working Examples</h2>
+
+<h3>Minimal Safe Setup</h3>
+<pre><code>{
+  "hooks": {
+    "PreToolUse": [{
+      "matcher": "Bash",
+      "hooks": [
+        {"type": "command", "command": "bash ~/.claude/hooks/destructive-guard.sh"},
+        {"type": "command", "command": "bash ~/.claude/hooks/branch-guard.sh"},
+        {"type": "command", "command": "bash ~/.claude/hooks/secret-guard.sh"}
+      ]
+    }]
+  }
+}</code><button class="copy" onclick="cp(this)">Copy</button></pre>
+
+<h3>Node.js Project</h3>
+<pre><code>{
+  "hooks": {
+    "PreToolUse": [
+      {"matcher": "Bash", "hooks": [
+        {"type": "command", "command": "bash ~/.claude/hooks/destructive-guard.sh"},
+        {"type": "command", "command": "bash ~/.claude/hooks/branch-guard.sh"},
+        {"type": "command", "command": "bash ~/.claude/hooks/secret-guard.sh"},
+        {"type": "command", "command": "bash ~/.claude/hooks/auto-approve-build.sh"}
+      ]},
+      {"matcher": "Edit|Write", "hooks": [
+        {"type": "command", "command": "bash ~/.claude/hooks/syntax-check.sh"}
+      ]}
+    ]
+  },
+  "permissions": {
+    "allow": ["Bash(npm test)", "Bash(npm run lint)", "Read(*)"]
+  }
+}</code><button class="copy" onclick="cp(this)">Copy</button></pre>
+
+<h3>Maximum Safety (Autonomous)</h3>
+<pre><code>// Generated by: npx cc-safe-setup --profile strict
+// 33 hooks for autonomous/production use
+// Run: npx cc-safe-setup --shield</code></pre>
+
+<div class="footer">
+  <a href="hooks-cheatsheet.html">Cheat Sheet</a> ·
+  <a href="builder.html">Builder</a> ·
+  <a href="faq.html">FAQ</a> ·
+  <a href="by-example.html">Examples</a> ·
+  <a href="migration-guide.html">Migration</a> ·
+  <a href="https://github.com/yurukusa/cc-safe-setup">GitHub</a>
+</div>
+</div>
+
+<script>
+function cp(btn) {
+  const code = btn.parentElement.querySelector('code').textContent;
+  navigator.clipboard.writeText(code);
+  btn.textContent = 'Copied!';
+  setTimeout(() => btn.textContent = 'Copy', 1500);
+}
+</script>
+</body>
+</html>

package/examples/git-blame-context.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# ================================================================
+# git-blame-context.sh — Show file ownership before major edits
+# ================================================================
+# PURPOSE:
+#   Before Claude rewrites a file, show who wrote most of it.
+#   Helps prevent accidentally breaking code you don't understand
+#   the history of. Especially useful in team repositories.
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
+# ================================================================
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+[ ! -f "$FILE" ] && exit 0
+
+# Only warn on substantial edits (old_string > 10 lines)
+OLD=$(echo "$INPUT" | jq -r '.tool_input.old_string // empty' 2>/dev/null)
+[ -z "$OLD" ] && exit 0
+OLD_LINES=$(echo "$OLD" | wc -l)
+[ "$OLD_LINES" -lt 10 ] && exit 0
+
+# Get top contributors for this file
+CONTRIBUTORS=$(git log --format='%an' -- "$FILE" 2>/dev/null | sort | uniq -c | sort -rn | head -3)
+if [ -n "$CONTRIBUTORS" ]; then
+    TOTAL_COMMITS=$(git log --oneline -- "$FILE" 2>/dev/null | wc -l)
+    LAST_AUTHOR=$(git log -1 --format='%an' -- "$FILE" 2>/dev/null)
+    echo "NOTE: Editing $OLD_LINES+ lines in $FILE" >&2
+    echo "  Last edited by: $LAST_AUTHOR" >&2
+    echo "  Top contributors ($TOTAL_COMMITS commits):" >&2
+    echo "$CONTRIBUTORS" | head -3 | sed 's/^/    /' >&2
+fi
+
+exit 0

package/examples/import-cycle-warn.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# ================================================================
+# import-cycle-warn.sh — Detect potential circular imports
+# ================================================================
+# PURPOSE:
+#   Claude adds imports without considering dependency cycles.
+#   After an edit that adds an import/require, check if the
+#   target file imports back from the edited file.
+#
+# TRIGGER: PostToolUse  MATCHER: "Edit"
+# ================================================================
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+NEW=$(echo "$INPUT" | jq -r '.tool_input.new_string // empty' 2>/dev/null)
+[ -z "$NEW" ] && exit 0
+
+# Extract newly added imports
+BASENAME=$(basename "$FILE" | sed 's/\.[^.]*$//')
+
+# JS/TS: import ... from './target' or require('./target')
+IMPORTS=$(echo "$NEW" | grep -oE "(from\s+['\"]\.\/[^'\"]+|require\(['\"]\.\/[^'\"]+)" | grep -oE '\./[^"'"'"']+' | sed 's/^\.\///')
+
+# Python: from .target import or import target
+if [ -z "$IMPORTS" ]; then
+    IMPORTS=$(echo "$NEW" | grep -oE "from\s+\.\w+" | awk '{print $2}' | sed 's/^\.//')
+fi
+
+[ -z "$IMPORTS" ] && exit 0
+
+DIR=$(dirname "$FILE")
+for imp in $IMPORTS; do
+    # Check if target imports back
+    for ext in .js .ts .jsx .tsx .py .mjs; do
+        TARGET="$DIR/$imp$ext"
+        [ -f "$TARGET" ] || continue
+        if grep -qE "(from\s+['\"].*${BASENAME}|import\s+.*${BASENAME}|require.*${BASENAME})" "$TARGET" 2>/dev/null; then
+            echo "WARNING: Potential circular import detected." >&2
+            echo "  $FILE imports $imp" >&2
+            echo "  $TARGET imports back from $BASENAME" >&2
+            break
+        fi
+    done
+done
+
+exit 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "8.8.0",
+  "version": "8.9.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {