cc-safe-setup 9.2.0 → 9.4.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 104 examples = **112 hooks**. 34 CLI commands. 457 tests. 4 languages. [Web Tool](https://yurukusa.github.io/cc-safe-setup/) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Migration](https://yurukusa.github.io/cc-safe-setup/migration-guide.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 104 examples = **112 hooks**. 35 CLI commands. 457 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup

package/examples/ci-skip-guard.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# ci-skip-guard.sh — Warn when commit message skips CI
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
+if echo "$COMMAND" | grep -qiE '\[skip ci\]|\[ci skip\]|\[no ci\]|--no-verify'; then
+  echo "WARNING: Commit will skip CI checks." >&2
+  echo "Remove [skip ci] or --no-verify unless you have a good reason." >&2
+fi
+exit 0

package/examples/debug-leftover-guard.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# debug-leftover-guard.sh — Detect debug code in commits
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
+LEFTOVERS=$(git diff --cached 2>/dev/null | grep -cE '^\+.*(debugger|console\.debug|pdb\.set_trace|binding\.pry|pp\s|var_dump|print_r)' || echo 0)
+if [ "$LEFTOVERS" -gt 0 ]; then
+  echo "WARNING: $LEFTOVERS debug statement(s) in staged changes." >&2
+  echo "Remove debugger/pdb/binding.pry before committing." >&2
+fi
+exit 0

package/examples/rust/destructive_guard.rs

@@ -0,0 +1,72 @@
+// destructive_guard.rs — Claude Code PreToolUse hook in Rust
+//
+// Blocks rm -rf /, git reset --hard, git clean -fd, and similar
+// destructive commands. Exit code 2 = block, 0 = allow.
+//
+// Build: rustc destructive_guard.rs -o destructive-guard
+// Usage: {"type": "command", "command": "/path/to/destructive-guard"}
+
+use std::io::{self, Read};
+use std::process;
+
+fn main() {
+    let mut input = String::new();
+    if io::stdin().read_to_string(&mut input).is_err() {
+        process::exit(0);
+    }
+
+    // Simple JSON parsing without serde (zero dependencies)
+    let cmd = extract_command(&input);
+    if cmd.is_empty() {
+        process::exit(0);
+    }
+
+    // Skip echo/printf context
+    let trimmed = cmd.trim_start().to_lowercase();
+    if trimmed.starts_with("echo ") || trimmed.starts_with("printf ") {
+        process::exit(0);
+    }
+
+    let patterns: &[&str] = &[
+        "rm -rf /",
+        "rm -rf ~/",
+        "rm -rf ../",
+        "rm -rf .",
+        "git reset --hard",
+        "git clean -f",
+        "git checkout --force",
+        "chmod 777 /",
+        "find / -delete",
+        "--no-preserve-root",
+        "sudo mkfs",
+    ];
+
+    for pattern in patterns {
+        if cmd.to_lowercase().contains(&pattern.to_lowercase()) {
+            eprintln!("BLOCKED: Dangerous command detected");
+            eprintln!("Command: {}", cmd);
+            process::exit(2);
+        }
+    }
+
+    process::exit(0);
+}
+
+fn extract_command(json: &str) -> String {
+    // Extract .tool_input.command from JSON without a parser
+    if let Some(pos) = json.find("\"command\"") {
+        let rest = &json[pos + 9..];
+        if let Some(start) = rest.find('"') {
+            let value_start = start + 1;
+            let mut end = value_start;
+            let bytes = rest.as_bytes();
+            while end < bytes.len() {
+                if bytes[end] == b'"' && (end == 0 || bytes[end - 1] != b'\\') {
+                    return rest[value_start..end].replace("\\\"", "\"").replace("\\\\", "\\");
+                }
+                end += 1;
+            }
+        }
+    }
+    String::new()
+}

package/index.mjs

@@ -96,6 +96,7 @@ const TEAM = process.argv.includes('--team');
 const MIGRATE_FROM_IDX = process.argv.findIndex(a => a === '--migrate-from');
 const MIGRATE_FROM = MIGRATE_FROM_IDX !== -1 ? process.argv[MIGRATE_FROM_IDX + 1] : null;
 const HEALTH = process.argv.includes('--health');
+const FROM_CLAUDEMD = process.argv.includes('--from-claudemd');
 const PROFILE_IDX = process.argv.findIndex(a => a === '--profile');
 const PROFILE = PROFILE_IDX !== -1 ? process.argv[PROFILE_IDX + 1] : null;
 const COMPARE_IDX = process.argv.findIndex(a => a === '--compare');
@@ -133,6 +134,7 @@ if (HELP) {
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
+    npx cc-safe-setup --from-claudemd  Convert CLAUDE.md rules into hooks
     npx cc-safe-setup --health        Hook health dashboard (size, permissions, age)
     npx cc-safe-setup --migrate-from <tool>  Migrate from safety-net/hooks-mastery/etc.
     npx cc-safe-setup --team         Set up project-level hooks (commit to repo for team)
@@ -845,6 +847,89 @@ async function fullSetup() {
   console.log();
 }
 
+async function fromClaudeMd() {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --from-claudemd' + c.reset);
+  console.log(c.dim + '  Convert CLAUDE.md rules into enforceable hooks' + c.reset);
+  console.log();
+
+  // Find CLAUDE.md
+  const cwd = process.cwd();
+  let claudeMdPath = null;
+  for (const p of [join(cwd, 'CLAUDE.md'), join(cwd, '.claude', 'CLAUDE.md')]) {
+    if (existsSync(p)) { claudeMdPath = p; break; }
+  }
+
+  if (!claudeMdPath) {
+    console.log(c.yellow + '  No CLAUDE.md found in project.' + c.reset);
+    console.log(c.dim + '  Run: npx cc-safe-setup --shield (creates one)' + c.reset);
+    return;
+  }
+
+  const content = readFileSync(claudeMdPath, 'utf-8').toLowerCase();
+  console.log(c.dim + '  Reading: ' + claudeMdPath + c.reset);
+  console.log();
+
+  // Pattern matching: CLAUDE.md rules → hooks
+  const RULE_MAP = [
+    { patterns: ['do not push to main', 'don\'t push to main', 'no push main', 'never push to main'], hook: 'branch-guard', desc: '"Do not push to main" → branch-guard' },
+    { patterns: ['do not force', 'no force push', 'don\'t force push'], hook: 'branch-guard', desc: '"No force push" → branch-guard' },
+    { patterns: ['do not delete', 'don\'t delete', 'no rm -rf', 'never delete'], hook: 'destructive-guard', desc: '"Do not delete files" → destructive-guard' },
+    { patterns: ['do not commit .env', 'don\'t commit secret', 'no credentials', 'never commit .env'], hook: 'secret-guard', desc: '"No .env commits" → secret-guard' },
+    { patterns: ['run tests before', 'test before commit', 'tests must pass'], hook: 'verify-before-done', desc: '"Run tests first" → verify-before-done' },
+    { patterns: ['do not use sudo', 'no sudo', 'don\'t use sudo'], hook: 'no-sudo-guard', desc: '"No sudo" → no-sudo-guard' },
+    { patterns: ['stay in project', 'only this project', 'don\'t modify outside', 'do not edit files outside'], hook: 'scope-guard', desc: '"Stay in project" → scope-guard' },
+    { patterns: ['don\'t modify .bashrc', 'do not edit dotfile', 'protect home'], hook: 'protect-dotfiles', desc: '"Protect dotfiles" → protect-dotfiles' },
+    { patterns: ['do not deploy on friday', 'no friday deploy'], hook: 'no-deploy-friday', desc: '"No Friday deploy" → no-deploy-friday' },
+    { patterns: ['do not install global', 'no npm -g', 'don\'t install globally'], hook: 'no-install-global', desc: '"No global installs" → no-install-global' },
+    { patterns: ['descriptive commit', 'meaningful commit', 'good commit message'], hook: 'commit-quality-gate', desc: '"Good commit messages" → commit-quality-gate' },
+    { patterns: ['one logical change', 'small commit', 'focused commit', 'don\'t commit too many'], hook: 'commit-scope-guard', desc: '"Small commits" → commit-scope-guard' },
+    { patterns: ['feature branch', 'create branch', 'feat/ fix/ chore/'], hook: 'branch-naming-convention', desc: '"Feature branches" → branch-naming-convention' },
+    { patterns: ['do not drop database', 'no migrate:fresh', 'protect database'], hook: 'block-database-wipe', desc: '"Protect database" → block-database-wipe' },
+    { patterns: ['read before edit', 'understand before changing'], hook: 'read-before-edit', desc: '"Read first" → read-before-edit' },
+    { patterns: ['do not overwrite', 'use edit not write'], hook: 'overwrite-guard', desc: '"Use Edit, not Write" → overwrite-guard' },
+  ];
+
+  const matched = [];
+  for (const rule of RULE_MAP) {
+    if (rule.patterns.some(p => content.includes(p))) {
+      matched.push(rule);
+    }
+  }
+
+  if (matched.length === 0) {
+    console.log(c.yellow + '  No enforceable rules detected in CLAUDE.md.' + c.reset);
+    console.log(c.dim + '  CLAUDE.md may contain guidelines that can\'t be converted to hooks.' + c.reset);
+    console.log(c.dim + '  For custom hooks: npx cc-safe-setup --create "your rule"' + c.reset);
+    return;
+  }
+
+  console.log(c.bold + `  Found ${matched.length} rules that can be enforced with hooks:` + c.reset);
+  console.log();
+
+  for (const m of matched) {
+    const hookPath = join(HOOKS_DIR, `${m.hook}.sh`);
+    const installed = existsSync(hookPath);
+    const icon = installed ? c.green + '✓' + c.reset : c.yellow + '○' + c.reset;
+    const status = installed ? c.dim + '(installed)' + c.reset : '';
+    console.log(`  ${icon} ${m.desc} ${status}`);
+    if (!installed) {
+      console.log(c.dim + `    npx cc-safe-setup --install-example ${m.hook}` + c.reset);
+    }
+  }
+
+  const notInstalled = matched.filter(m => !existsSync(join(HOOKS_DIR, `${m.hook}.sh`)));
+  if (notInstalled.length > 0) {
+    console.log();
+    console.log(c.bold + `  Install all ${notInstalled.length} missing hooks:` + c.reset);
+    console.log(c.dim + '  npx cc-safe-setup --shield' + c.reset);
+  } else {
+    console.log();
+    console.log(c.green + '  All detected rules are already enforced by hooks!' + c.reset);
+  }
+  console.log();
+}
+
 async function health() {
   const { readdirSync, statSync } = await import('fs');
   console.log();
@@ -3638,6 +3723,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (FROM_CLAUDEMD) return fromClaudeMd();
   if (HEALTH) return health();
   if (MIGRATE_FROM_IDX !== -1) return migrateFrom(MIGRATE_FROM);
   if (TEAM) return team();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "9.2.0",
+  "version": "9.4.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {