cc-safe-setup 8.9.0 → 9.1.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 102 examples = **110 hooks**. 34 CLI commands. 457 tests. 4 languages. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Migration](https://yurukusa.github.io/cc-safe-setup/migration-guide.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 104 examples = **112 hooks**. 34 CLI commands. 457 tests. 4 languages. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Migration](https://yurukusa.github.io/cc-safe-setup/migration-guide.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup

package/examples/env-drift-guard.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# ================================================================
+# env-drift-guard.sh — Detect .env vs .env.example drift
+# ================================================================
+# PURPOSE:
+#   When Claude edits .env.example (adding new required vars),
+#   warn if .env is missing those variables. Prevents deploy
+#   failures from missing environment configuration.
+#
+# TRIGGER: PostToolUse  MATCHER: "Edit|Write"
+# ================================================================
+
+FILE=$(cat | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Only trigger when .env.example or .env is edited
+case "$FILE" in
+    *.env.example|*.env.sample|*.env.template) ;;
+    *) exit 0 ;;
+esac
+
+# Compare keys in .env.example vs .env
+EXAMPLE="$FILE"
+ENV_FILE="$(dirname "$FILE")/.env"
+[ -f "$EXAMPLE" ] || exit 0
+[ -f "$ENV_FILE" ] || { echo "WARNING: $ENV_FILE does not exist but $EXAMPLE was updated." >&2; exit 0; }
+
+# Extract variable names (KEY=... lines, skip comments)
+EXAMPLE_KEYS=$(grep -E '^[A-Z_]+=' "$EXAMPLE" 2>/dev/null | cut -d= -f1 | sort)
+ENV_KEYS=$(grep -E '^[A-Z_]+=' "$ENV_FILE" 2>/dev/null | cut -d= -f1 | sort)
+
+MISSING=$(comm -23 <(echo "$EXAMPLE_KEYS") <(echo "$ENV_KEYS"))
+if [ -n "$MISSING" ]; then
+    COUNT=$(echo "$MISSING" | wc -l)
+    echo "WARNING: $COUNT variable(s) in $EXAMPLE missing from .env:" >&2
+    echo "$MISSING" | head -5 | sed 's/^/  /' >&2
+    echo "Update .env to match $EXAMPLE." >&2
+fi
+
+exit 0

package/examples/package-script-guard.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# ================================================================
+# package-script-guard.sh — Warn when package.json scripts change
+# ================================================================
+# PURPOSE:
+#   package.json scripts are critical infrastructure — they're
+#   often wired into CI/CD. Claude sometimes modifies them without
+#   understanding the downstream impact. This hook warns on changes.
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit"
+# ================================================================
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+# Only check package.json
+case "$FILE" in
+    */package.json|package.json) ;;
+    *) exit 0 ;;
+esac
+
+OLD=$(echo "$INPUT" | jq -r '.tool_input.old_string // empty' 2>/dev/null)
+NEW=$(echo "$INPUT" | jq -r '.tool_input.new_string // empty' 2>/dev/null)
+[ -z "$OLD" ] && exit 0
+
+# Check if scripts section is being modified
+if echo "$OLD" | grep -q '"scripts"' || echo "$NEW" | grep -q '"scripts"'; then
+    echo "NOTE: Modifying package.json scripts section." >&2
+    echo "These are often wired into CI/CD pipelines." >&2
+    echo "Verify: npm test, npm run build still work after this change." >&2
+fi
+
+# Check if dependencies are being modified
+if echo "$OLD" | grep -qE '"(dependencies|devDependencies|peerDependencies)"' || \
+   echo "$NEW" | grep -qE '"(dependencies|devDependencies|peerDependencies)"'; then
+    echo "NOTE: Modifying package.json dependencies." >&2
+    echo "Run npm install after this change." >&2
+fi
+
+exit 0

package/index.mjs

@@ -1866,7 +1866,7 @@ function generateCI() {
 
   const workflow = `# Claude Code Safety Audit
 # Generated by: npx cc-safe-setup --generate-ci
-# Checks safety score on every PR and fails if below threshold
+# Runs safety checks on every PR and push to main
 
 name: Claude Code Safety
 on:
@@ -1880,24 +1880,55 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Run safety audit
-        uses: yurukusa/cc-safe-setup@main
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
         with:
-          threshold: 70
+          node-version: 20
 
-      - name: Comment PR with score
-        if: github.event_name == 'pull_request'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const score = '\${{ steps.audit.outputs.score }}' || '?';
-            const grade = '\${{ steps.audit.outputs.grade }}' || '?';
-            github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: \`## Claude Code Safety: \${score}/100 (Grade \${grade})\\n\\nRun \\\`npx cc-safe-setup --audit\\\` locally for details.\`
-            });
+      - name: Install jq
+        run: sudo apt-get install -y jq
+
+      - name: Run safety audit
+        id: audit
+        run: |
+          npx cc-safe-setup --audit --json > /tmp/audit.json 2>&1 || true
+          SCORE=\$(cat /tmp/audit.json | jq -r '.score // 0' 2>/dev/null || echo 0)
+          echo "score=\$SCORE" >> \$GITHUB_OUTPUT
+          echo "Safety score: \$SCORE/100"
+          if [ "\$SCORE" -lt 70 ]; then
+            echo "::error::Safety score \$SCORE is below threshold (70)"
+            exit 1
+          fi
+
+      - name: Verify hooks syntax
+        run: |
+          ERRORS=0
+          for f in .claude/hooks/*.sh 2>/dev/null; do
+            [ -f "\$f" ] || continue
+            if ! bash -n "\$f" 2>/dev/null; then
+              echo "::error file=\$f::Syntax error in hook"
+              ERRORS=\$((ERRORS+1))
+            fi
+          done
+          echo "Checked hooks: \$ERRORS error(s)"
+          [ "\$ERRORS" -gt 0 ] && exit 1 || true
+
+      - name: Check settings.json validity
+        run: |
+          if [ -f ".claude/settings.json" ]; then
+            python3 -c "import json; json.load(open('.claude/settings.json'))" || {
+              echo "::error::.claude/settings.json has invalid JSON"
+              exit 1
+            }
+            echo "settings.json: valid"
+          fi
+          if [ -f ".claude/settings.local.json" ]; then
+            python3 -c "import json; json.load(open('.claude/settings.local.json'))" || {
+              echo "::error::.claude/settings.local.json has invalid JSON"
+              exit 1
+            }
+            echo "settings.local.json: valid"
+          fi
 `;
 
   console.log();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "8.9.0",
+  "version": "9.1.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {