cc-safety-net 0.8.1 → 0.9.0

package/README.md

@@ -7,6 +7,7 @@
 [![OpenCode](https://img.shields.io/badge/OpenCode-black)](#opencode-installation)
 [![Gemini CLI](https://img.shields.io/badge/Gemini%20CLI-678AE3)](#gemini-cli-installation)
 [![Copilot CLI](https://img.shields.io/badge/Copilot%20CLI-4EA5C9)](#github-copilot-cli-installation)
+[![Codex](https://img.shields.io/badge/Codex-white)](#codex-installation)
 [![License: MIT](https://img.shields.io/badge/License-MIT-red.svg)](https://opensource.org/licenses/MIT)
 
 <div align="center">
@@ -28,6 +29,7 @@ A Claude Code plugin that acts as a safety net, catching destructive git and fil
   - [OpenCode Installation](#opencode-installation)
   - [Gemini CLI Installation](#gemini-cli-installation)
   - [GitHub Copilot CLI Installation](#github-copilot-cli-installation)
+  - [Codex Installation](#codex-installation)
 - [Status Line Integration](#status-line-integration)
   - [Setup via Slash Command](#setup-via-slash-command)
   - [Manual Setup](#manual-setup)
@@ -48,6 +50,7 @@ A Claude Code plugin that acts as a safety net, catching destructive git and fil
 - [Advanced Features](#advanced-features)
   - [Strict Mode](#strict-mode)
   - [Paranoid Mode](#paranoid-mode)
+  - [Worktree Mode](#worktree-mode)
   - [Shell Wrapper Detection](#shell-wrapper-detection)
   - [Interpreter One-Liner Detection](#interpreter-one-liner-detection)
   - [Secret Redaction](#secret-redaction)
@@ -214,25 +217,31 @@ gemini extensions install https://github.com/kenryu42/gemini-safety-net
 
 ---
 
-## Status Line Integration
+### Codex Installation
 
-Safety Net can display its status in Claude Code's status line, showing whether protection is active and which modes are enabled.
+1. Enable Codex plugin hooks in `~/.codex/config.toml`:
 
-### Setup via Slash Command
+  ```toml
+  [features]
+  plugin_hooks = true
+  ```
 
-The easiest way to configure the status line is using the built-in slash command:
+2. Add the marketplace:
 
-```
-/set-statusline
-```
+  ```bash
+  codex plugin marketplace add kenryu42/cc-marketplace
+  ```
+
+3. Start Codex.
+4. In the TUI, run `/plugins`.
+5. Use arrow keys to select `[cc-marketplace]`.
+6. Press Enter to install the plugin.
 
-This interactive command will:
-1. Ask whether you prefer `bunx` or `npx`
-2. Check for existing status line configuration
-3. Offer to replace or pipe with existing commands
-4. Write the configuration to `~/.claude/settings.json`
+---
 
-### Manual Setup
+## Status Line Integration
+
+Safety Net can display its status in Claude Code's status line, showing whether protection is active and which modes are enabled.
 
 Add the following to your `~/.claude/settings.json`:
 
@@ -300,6 +309,7 @@ The status line displays different emojis based on the current configuration:
 | Paranoid mode | `🛡️ Safety Net 👁️` | `SAFETY_NET_PARANOID=1` — all paranoid checks enabled |
 | Paranoid RM only | `🛡️ Safety Net 🗑️` | `SAFETY_NET_PARANOID_RM=1` — blocks `rm -rf` even within cwd |
 | Paranoid interpreters only | `🛡️ Safety Net 🐚` | `SAFETY_NET_PARANOID_INTERPRETERS=1` — blocks interpreter one-liners |
+| Worktree mode | `🛡️ Safety Net 🌳` | `SAFETY_NET_WORKTREE=1` — relax local git discards inside linked worktrees |
 | Strict + Paranoid | `🛡️ Safety Net 🔒👁️` | Both strict and paranoid modes enabled |
 
 Multiple mode emojis are combined when multiple environment variables are set.
@@ -398,6 +408,7 @@ npx cc-safety-net explain --cwd /tmp "git status"
 | rm -rf /var/tmp/... | System temp directory |
 | rm -rf $TMPDIR/... | User's temp directory |
 | rm -rf ./... (within cwd) | Limited to current working directory |
+| git restore / checkout -- / reset --hard / clean -f (in linked worktree) | Relaxed only when `SAFETY_NET_WORKTREE=1` and cwd is a linked worktree |
 
 ## What Happens When Blocked
 
@@ -435,9 +446,9 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for details on how to contribute to this
 Beyond the built-in protections, you can define your own blocking rules to enforce team conventions or project-specific safety policies.
 
 > [!TIP]
-> Use `/set-custom-rules` to create custom rules interactively with natural language.
+> Use the `set-custom-rules` skill to create custom rules interactively with natural language.
 >
-> **GitHub Copilot CLI users**: Since Copilot CLI doesn't support custom slash commands, prompt your agent with:
+> If your agent does not support skills, prompt it with:
 > ```text
 > run npx cc-safety-net --custom-rules-doc and help me set up custom rules
 > ```
@@ -585,7 +596,7 @@ Custom rules use **silent fallback** error handling. If your config file is inva
 
 
 > [!IMPORTANT]  
-> If you add or modify custom rules manually, always validate them with `npx -y cc-safety-net --verify-config` or `/verify-custom-rules` slash command in your coding agent.
+> If you add or modify custom rules manually, always validate them with `npx -y cc-safety-net --verify-config` or the `verify-custom-rules` skill in your coding agent.
 
 ### Block Output Format
 
@@ -631,6 +642,48 @@ Paranoid behavior:
 - **interpreters**: blocks interpreter one-liners like `python -c`, `node -e`, `ruby -e`,
   and `perl -e` (these can hide destructive commands).
 
+### Worktree Mode
+
+Linked git worktrees are designed as disposable, isolated workspaces — discarding
+changes inside one doesn't risk the main working tree. Worktree mode relaxes
+local-discard rules when (and only when) the command is proven to run inside a
+linked worktree:
+
+```bash
+export SAFETY_NET_WORKTREE=1
+```
+
+When enabled, these commands are allowed inside a linked worktree:
+
+- `git restore <file>` and `git restore --worktree <file>`
+- `git checkout -- <file>`, `git checkout <ref> -- <file>`, `git checkout --force`,
+  and ambiguous multi-positional checkout forms
+- `git switch --discard-changes` and `git switch -f / --force`
+- `git reset --hard` and `git reset --merge`
+- `git clean -f` (and combined short flags like `-fd`)
+
+These remain blocked even in linked worktrees because they reach beyond the
+local working tree:
+
+- `git push --force` (affects remote)
+- `git branch -D` (affects shared refs)
+- `git stash drop` / `git stash clear` (stash is shared across worktrees)
+- `git worktree remove --force` (could delete another worktree)
+
+Detection is fail-closed and mostly filesystem-based:
+
+- A linked worktree is identified by a `.git` *file* containing `gitdir:` whose
+  resolved git directory contains a `commondir` file. Main worktrees and
+  submodules don't satisfy this and are not relaxed.
+- The cwd walk uses `realpath` so symlinked paths resolve correctly.
+- `git -C <path>` (including chained `-C` and attached `-Cpath`) is honored;
+  unresolved targets keep the command blocked.
+- Relaxation is disabled if cwd becomes unknown (e.g., after `cd`/`pushd`),
+  if `--git-dir` / `--work-tree` is passed, or if `GIT_DIR` / `GIT_WORK_TREE`
+  / `GIT_COMMON_DIR` is set in the environment.
+- Git may be invoked from a trusted system path to inspect effective config that
+  could make submodule operations recursive.
+
 ### Shell Wrapper Detection
 
 The guard recursively analyzes commands wrapped in shells: