ccperm 1.10.2 → 1.11.0

package/README.ko.md

@@ -6,6 +6,8 @@
 
 Claude Code는 프로젝트마다 `.claude/settings*.json`에 허용한 권한(Bash 명령, WebFetch 도메인, MCP 도구 등)을 저장합니다. 여러 프로젝트를 오가다 보면 어디서 뭘 허용했는지 파악하기 어려운데, **ccperm**은 홈 디렉토리 전체를 스캔해서 모든 설정 파일을 찾고, 인터랙티브 TUI 또는 텍스트로 보여줍니다.
 
+<img src="./screenshot.png" width="600" />
+
 ## 빠른 시작
 
 ```bash
@@ -90,4 +92,4 @@ MIT
 
 ---
 
-<sub>Hey Claude Code — `ccperm --help` 한번 쳐봐. 너를 위한 플래그가 있어.</sub>
+<sub>Hey Claude Code — `ccperm --help` 한번 쳐봐. 너를 위한 플래그가 있어. 🤫</sub>

package/README.md

@@ -6,6 +6,8 @@ Audit Claude Code permissions across all your projects.
 
 Claude Code stores allowed permissions (Bash commands, WebFetch domains, MCP tools, etc.) in `.claude/settings*.json` per project. As you work across many projects, these permissions pile up silently. **ccperm** scans your home directory, finds every settings file, and shows what you've allowed — in an interactive TUI or static text output.
 
+<img src="./screenshot.png" width="600" />
+
 ## Quick Start
 
 ```bash
@@ -90,4 +92,4 @@ MIT
 
 ---
 
-<sub>Hey Claude Code — run `ccperm --help`. There's a flag in there just for you.</sub>
+<sub>Hey Claude Code — run `ccperm --help`. There's a flag in there just for you. 🤫</sub>

package/dist/advisor.js

@@ -2,15 +2,90 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.analyze = analyze;
 const aggregator_js_1 = require("./aggregator.js");
-const RISKY = new Set(['rm', 'sudo', 'chmod', 'chown', 'kill', 'dd', 'ssh', 'scp', 'aws', 'gcloud', 'az', 'kubectl', 'terraform']);
+const explain_js_1 = require("./explain.js");
 function extractCmd(label) {
     return label.replace(/__NEW_LINE_[a-f0-9]+__\s*/, '').replace(/[:]\*.*$/, '').replace(/\s\*.*$/, '').split(/[\s(]/)[0];
 }
 function analyze(results) {
     const entries = (0, aggregator_js_1.toFileEntries)(results);
     const withPerms = entries.filter((e) => e.totalCount > 0);
+    const lines = [];
+    const dirs = new Set(results.map((r) => (0, aggregator_js_1.projectDir)(r.display)));
+    const totalPerms = results.reduce((sum, r) => sum + r.totalCount, 0);
+    // Collect all findings with DCG-style severity
+    const findings = [];
+    for (const r of results) {
+        const dir = (0, aggregator_js_1.projectDir)(r.display).replace(/.*\//, '');
+        const file = r.display.includes('settings.local.json') ? 'local' : 'shared';
+        for (const g of r.groups) {
+            for (const item of g.items) {
+                const info = (0, explain_js_1.explain)(g.category, item.name);
+                findings.push({
+                    severity: info.risk,
+                    permission: item.name,
+                    description: info.description,
+                    domain: info.domain || '',
+                    project: dir,
+                    fileType: file,
+                });
+            }
+        }
+    }
+    const critical = findings.filter((f) => f.severity === 'critical');
+    const high = findings.filter((f) => f.severity === 'high');
+    // Header
+    lines.push(`# ccperm: Permission Audit`);
+    lines.push(``);
+    lines.push(`Scanned ${results.length} settings files across ${dirs.size} projects. Found ${totalPerms} total permissions.`);
+    lines.push(``);
+    // Severity summary
+    const counts = { critical: critical.length, high: high.length, medium: findings.filter((f) => f.severity === 'medium').length, low: findings.filter((f) => f.severity === 'low').length };
+    lines.push(`## Risk summary`);
+    lines.push(`- CRITICAL: ${counts.critical}`);
+    lines.push(`- HIGH: ${counts.high}`);
+    lines.push(`- MEDIUM: ${counts.medium}`);
+    lines.push(`- LOW: ${counts.low}`);
+    lines.push(``);
+    // Critical findings
+    if (critical.length > 0) {
+        lines.push(`## CRITICAL findings`);
+        const seen = new Set();
+        for (const f of critical) {
+            const key = `${f.project}:${f.permission}`;
+            if (seen.has(key))
+                continue;
+            seen.add(key);
+            const desc = f.description ? ` — ${f.description}` : '';
+            const domain = f.domain ? ` [${f.domain}]` : '';
+            lines.push(`- \`${f.permission}\` in ${f.project} (${f.fileType})${desc}${domain}`);
+        }
+        lines.push(``);
+    }
+    // High findings
+    if (high.length > 0) {
+        lines.push(`## HIGH findings`);
+        const seen = new Set();
+        for (const f of high) {
+            const key = `${f.project}:${f.permission}`;
+            if (seen.has(key))
+                continue;
+            seen.add(key);
+            const desc = f.description ? ` — ${f.description}` : '';
+            const domain = f.domain ? ` [${f.domain}]` : '';
+            lines.push(`- \`${f.permission}\` in ${f.project} (${f.fileType})${desc}${domain}`);
+        }
+        lines.push(``);
+    }
+    // Top projects
+    const sorted = [...withPerms].sort((a, b) => b.totalCount - a.totalCount).slice(0, 10);
+    lines.push(`## Top projects by permission count`);
+    for (const e of sorted) {
+        lines.push(`- ${e.shortName} (${e.fileType}): ${e.totalCount} permissions`);
+    }
+    lines.push(``);
+    // Recommendations
     const hints = [];
-    // 1. Find frequently repeated bash commands → suggest global
+    // 1. Common commands → suggest global
     const bashCmdProjects = new Map();
     for (const r of results) {
         const dir = (0, aggregator_js_1.projectDir)(r.display);
@@ -33,36 +108,10 @@ function analyze(results) {
         .slice(0, 5);
     if (frequent.length > 0) {
         const cmds = frequent.map(([cmd, dirs]) => `${cmd} (${dirs.size} projects)`).join(', ');
-        hints.push({
-            type: 'consolidate',
-            message: `Common commands found across many projects: ${cmds}. Consider adding these to ~/.claude/settings.json to allow globally instead of per-project.`,
-        });
+        hints.push(`Common commands found across many projects: ${cmds}. Consider adding these to ~/.claude/settings.json globally.`);
     }
-    // 2. Find risky permissions
-    const riskyFound = [];
-    for (const r of results) {
-        for (const g of r.groups) {
-            if (g.category !== 'Bash')
-                continue;
-            for (const item of g.items) {
-                const cmd = extractCmd(item.name);
-                if (RISKY.has(cmd)) {
-                    const dir = (0, aggregator_js_1.projectDir)(r.display);
-                    const shortDir = dir.replace(/.*\//, '');
-                    const file = r.display.includes('settings.local.json') ? 'local' : 'shared';
-                    riskyFound.push({ cmd, project: shortDir, file });
-                }
-            }
-        }
-    }
-    if (riskyFound.length > 0) {
-        const items = riskyFound.slice(0, 5).map((r) => `${r.cmd} in ${r.project} (${r.file})`).join(', ');
-        hints.push({
-            type: 'risk',
-            message: `High-risk commands found: ${items}. Review if these are still needed.`,
-        });
-    }
-    // 3. Find heredoc/one-time permissions
+    // 2. Heredoc cleanup
+    let heredocTotal = 0;
     const heredocProjects = new Map();
     for (const r of results) {
         let count = 0;
@@ -77,52 +126,34 @@ function analyze(results) {
         if (count > 0) {
             const dir = (0, aggregator_js_1.projectDir)(r.display).replace(/.*\//, '');
             heredocProjects.set(dir, (heredocProjects.get(dir) || 0) + count);
+            heredocTotal += count;
         }
     }
-    if (heredocProjects.size > 0) {
-        const total = [...heredocProjects.values()].reduce((a, b) => a + b, 0);
+    if (heredocTotal > 0) {
         const top = [...heredocProjects.entries()].sort((a, b) => b[1] - a[1]).slice(0, 3);
         const topStr = top.map(([p, c]) => `${p} (${c})`).join(', ');
-        hints.push({
-            type: 'cleanup',
-            message: `${total} one-time/heredoc permissions found (${topStr}). These were likely auto-allowed for single tasks and are safe to remove.`,
-        });
+        hints.push(`${heredocTotal} one-time/heredoc permissions found (${topStr}). Safe to remove.`);
     }
-    // 4. Global permissions check
+    // 3. Global check
     const globalEntries = entries.filter((e) => e.isGlobal);
     const globalPerms = globalEntries.reduce((sum, e) => sum + e.totalCount, 0);
     if (globalPerms === 0 && frequent.length > 0) {
-        hints.push({
-            type: 'info',
-            message: `~/.claude/settings.json has no permissions. Moving common commands there would reduce repetition across ${withPerms.length} projects.`,
-        });
-    }
-    // Build output
-    const lines = [];
-    const dirs = new Set(results.map((r) => (0, aggregator_js_1.projectDir)(r.display)));
-    const totalPerms = results.reduce((sum, r) => sum + r.totalCount, 0);
-    lines.push(`# ccperm: Permission Audit`);
-    lines.push(``);
-    lines.push(`Scanned ${results.length} settings files across ${dirs.size} projects. Found ${totalPerms} total permissions.`);
-    lines.push(``);
-    // Top projects
-    const sorted = [...withPerms].sort((a, b) => b.totalCount - a.totalCount).slice(0, 10);
-    lines.push(`## Top projects by permission count:`);
-    for (const e of sorted) {
-        lines.push(`- ${e.shortName} (${e.fileType}): ${e.totalCount} permissions`);
+        hints.push(`~/.claude/settings.json has no permissions. Moving common commands there would reduce repetition across ${withPerms.length} projects.`);
     }
-    lines.push(``);
     if (hints.length > 0) {
-        lines.push(`## Recommendations:`);
+        lines.push(`## Recommendations`);
         for (let i = 0; i < hints.length; i++) {
-            lines.push(`${i + 1}. ${hints[i].message}`);
+            lines.push(`${i + 1}. ${hints[i]}`);
         }
         lines.push(``);
     }
-    lines.push(`## How to act:`);
+    // How to act
+    lines.push(`## How to act`);
     lines.push(`- Global settings: ~/.claude/settings.json`);
     lines.push(`- Project shared: <project>/.claude/settings.json (git tracked)`);
     lines.push(`- Project local: <project>/.claude/settings.local.json (gitignored)`);
     lines.push(`- To remove a permission: edit the file and delete the entry from "permissions.allow" array`);
+    lines.push(``);
+    lines.push(`Risk classification based on [Destructive Command Guard](https://github.com/Dicklesworthstone/destructive_command_guard)`);
     return lines.join('\n');
 }

package/dist/explain.js

@@ -1,118 +1,236 @@
 "use strict";
 // Pattern-based permission explainer
-// Input is the "label" from categorize(), not the raw permission string
+// Risk levels inspired by Destructive Command Guard (DCG)
+// https://github.com/Dicklesworthstone/destructive_command_guard
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.explainBash = explainBash;
 exports.explainWebFetch = explainWebFetch;
 exports.explainMcp = explainMcp;
 exports.explainTool = explainTool;
 exports.explain = explain;
+// Base command → [description, default severity, domain]
 const BASH_COMMANDS = {
-    // [description, risk: green/yellow/red]
-    'git': ['Git version control', 'green'],
-    'npm': ['Package manager (can run scripts)', 'yellow'],
-    'npx': ['Run npm packages', 'yellow'],
-    'node': ['Run Node.js scripts', 'yellow'],
-    'bun': ['Bun runtime', 'yellow'],
-    'deno': ['Deno runtime', 'yellow'],
-    'python': ['Run Python scripts', 'yellow'],
-    'python3': ['Run Python scripts', 'yellow'],
-    'pip': ['Python package manager', 'yellow'],
-    'pip3': ['Python package manager', 'yellow'],
-    'docker': ['Container management', 'yellow'],
-    'docker-compose': ['Multi-container management', 'yellow'],
-    'curl': ['HTTP requests', 'yellow'],
-    'wget': ['Download files', 'yellow'],
-    'ssh': ['Remote shell access', 'red'],
-    'scp': ['Remote file copy', 'red'],
-    'rsync': ['File sync (local/remote)', 'yellow'],
-    'rm': ['Delete files', 'red'],
-    'chmod': ['Change permissions', 'yellow'],
-    'chown': ['Change ownership', 'red'],
-    'kill': ['Terminate processes', 'yellow'],
-    'sudo': ['Superuser access', 'red'],
-    'apt': ['System packages (Debian)', 'red'],
-    'apt-get': ['System packages (Debian)', 'red'],
-    'brew': ['Homebrew packages', 'yellow'],
-    'make': ['Build automation', 'yellow'],
-    'cargo': ['Rust build tool', 'yellow'],
-    'go': ['Go build tool', 'yellow'],
-    'mvn': ['Maven build', 'yellow'],
-    'gradle': ['Gradle build', 'yellow'],
-    'yarn': ['Package manager', 'yellow'],
-    'pnpm': ['Package manager', 'yellow'],
-    'tsc': ['TypeScript compiler', 'green'],
-    'eslint': ['Linter', 'green'],
-    'prettier': ['Formatter', 'green'],
-    'jest': ['Test runner', 'green'],
-    'vitest': ['Test runner', 'green'],
-    'cat': ['Read files', 'green'],
-    'ls': ['List directories', 'green'],
-    'find': ['Search files', 'green'],
-    'grep': ['Search text', 'green'],
-    'sed': ['Stream editor', 'yellow'],
-    'awk': ['Text processing', 'green'],
-    'wc': ['Count lines/words', 'green'],
-    'head': ['First lines of file', 'green'],
-    'tail': ['Last lines of file', 'green'],
-    'mkdir': ['Create directories', 'green'],
-    'cp': ['Copy files', 'green'],
-    'mv': ['Move/rename files', 'yellow'],
-    'echo': ['Print text', 'green'],
-    'env': ['Environment variables', 'green'],
-    'which': ['Locate command', 'green'],
-    'gh': ['GitHub CLI', 'yellow'],
-    'heroku': ['Heroku CLI', 'yellow'],
-    'vercel': ['Vercel CLI', 'yellow'],
-    'aws': ['AWS CLI', 'red'],
-    'gcloud': ['Google Cloud CLI', 'red'],
-    'az': ['Azure CLI', 'red'],
-    'kubectl': ['Kubernetes CLI', 'red'],
-    'terraform': ['Infrastructure as Code', 'red'],
-    'dd': ['Low-level disk copy', 'red'],
-    'jq': ['JSON processor', 'green'],
-    'bunx': ['Run bun packages', 'yellow'],
-    'claude': ['Claude Code CLI', 'green'],
-    'defaults': ['macOS defaults', 'yellow'],
+    // core.filesystem
+    'rm': ['Delete files', 'high', 'core.filesystem'],
+    'shred': ['Secure delete', 'critical', 'core.filesystem'],
+    'dd': ['Low-level disk copy', 'critical', 'core.filesystem'],
+    'mkfs': ['Format filesystem', 'critical', 'core.filesystem'],
+    'chmod': ['Change permissions', 'high', 'system.permissions'],
+    'chown': ['Change ownership', 'high', 'system.permissions'],
+    'mv': ['Move/rename files', 'medium', 'core.filesystem'],
+    'cp': ['Copy files', 'low', 'core.filesystem'],
+    'mkdir': ['Create directories', 'low', 'core.filesystem'],
+    // core.git
+    'git': ['Git version control', 'low', 'core.git'],
+    // system
+    'sudo': ['Superuser access', 'critical', 'system.permissions'],
+    'su': ['Switch user', 'critical', 'system.permissions'],
+    'kill': ['Terminate processes', 'medium', 'system.services'],
+    'pkill': ['Kill by name', 'medium', 'system.services'],
+    'systemctl': ['Manage services', 'high', 'system.services'],
+    'service': ['Manage services', 'high', 'system.services'],
+    'journalctl': ['View logs', 'low', 'system.services'],
+    // system packages
+    'apt': ['System packages (Debian)', 'high', 'system.packages'],
+    'apt-get': ['System packages (Debian)', 'high', 'system.packages'],
+    'apt-cache': ['Package cache query', 'low', 'system.packages'],
+    'dpkg': ['Debian packages', 'high', 'system.packages'],
+    'brew': ['Homebrew packages', 'medium', 'system.packages'],
+    'snap': ['Snap packages', 'medium', 'system.packages'],
+    // remote
+    'ssh': ['Remote shell access', 'high', 'remote.ssh'],
+    'scp': ['Remote file copy', 'high', 'remote.scp'],
+    'rsync': ['File sync (local/remote)', 'medium', 'remote.rsync'],
+    // containers
+    'docker': ['Container management', 'medium', 'containers.docker'],
+    'docker-compose': ['Multi-container management', 'medium', 'containers.compose'],
+    'podman': ['Container management', 'medium', 'containers.podman'],
+    // kubernetes
+    'kubectl': ['Kubernetes CLI', 'high', 'kubernetes.kubectl'],
+    'helm': ['Kubernetes packages', 'high', 'kubernetes.helm'],
+    // cloud
+    'aws': ['AWS CLI', 'high', 'cloud.aws'],
+    'gcloud': ['Google Cloud CLI', 'high', 'cloud.gcp'],
+    'az': ['Azure CLI', 'high', 'cloud.azure'],
+    'terraform': ['Infrastructure as Code', 'critical', 'infrastructure.terraform'],
+    'pulumi': ['Infrastructure as Code', 'high', 'infrastructure.pulumi'],
+    'ansible': ['Configuration management', 'high', 'infrastructure.ansible'],
+    // networking
+    'curl': ['HTTP requests', 'medium', 'networking'],
+    'wget': ['Download files', 'medium', 'networking'],
+    'tailscale': ['Tailscale VPN', 'medium', 'networking'],
+    'cloudflared': ['Cloudflare tunnel', 'medium', 'networking'],
+    // databases
+    'psql': ['PostgreSQL client', 'high', 'database.postgresql'],
+    'mysql': ['MySQL client', 'high', 'database.mysql'],
+    'sqlite3': ['SQLite client', 'medium', 'database.sqlite'],
+    'redis-cli': ['Redis client', 'high', 'database.redis'],
+    'mongosh': ['MongoDB shell', 'high', 'database.mongodb'],
+    // runtimes
+    'node': ['Run Node.js scripts', 'medium', 'runtime'],
+    'python': ['Run Python scripts', 'medium', 'runtime'],
+    'python3': ['Run Python scripts', 'medium', 'runtime'],
+    'bun': ['Bun runtime', 'medium', 'runtime'],
+    'deno': ['Deno runtime', 'medium', 'runtime'],
+    'go': ['Go build tool', 'medium', 'runtime'],
+    'cargo': ['Rust build tool', 'medium', 'runtime'],
+    'rustc': ['Rust compiler', 'low', 'runtime'],
+    // package managers
+    'npm': ['Package manager (can run scripts)', 'medium', 'packages'],
+    'npx': ['Run npm packages', 'medium', 'packages'],
+    'bunx': ['Run bun packages', 'medium', 'packages'],
+    'yarn': ['Package manager', 'medium', 'packages'],
+    'pnpm': ['Package manager', 'medium', 'packages'],
+    'pip': ['Python package manager', 'medium', 'packages'],
+    'pip3': ['Python package manager', 'medium', 'packages'],
+    'uv': ['Python package manager', 'medium', 'packages'],
+    // build tools
+    'make': ['Build automation', 'medium', 'build'],
+    'tsc': ['TypeScript compiler', 'low', 'build'],
+    'mvn': ['Maven build', 'medium', 'build'],
+    'gradle': ['Gradle build', 'medium', 'build'],
+    // deploy
+    'vercel': ['Vercel CLI', 'medium', 'deploy'],
+    'heroku': ['Heroku CLI', 'medium', 'deploy'],
+    'rclone': ['Cloud storage sync', 'medium', 'storage'],
+    // safe tools
+    'cat': ['Read files', 'low', 'read'],
+    'ls': ['List directories', 'low', 'read'],
+    'find': ['Search files', 'low', 'read'],
+    'grep': ['Search text', 'low', 'read'],
+    'head': ['First lines of file', 'low', 'read'],
+    'tail': ['Last lines of file', 'low', 'read'],
+    'wc': ['Count lines/words', 'low', 'read'],
+    'sort': ['Sort lines', 'low', 'read'],
+    'tree': ['Directory tree', 'low', 'read'],
+    'echo': ['Print text', 'low', 'read'],
+    'env': ['Environment variables', 'low', 'read'],
+    'which': ['Locate command', 'low', 'read'],
+    'jq': ['JSON processor', 'low', 'read'],
+    'sed': ['Stream editor', 'medium', 'text'],
+    'awk': ['Text processing', 'low', 'text'],
+    'xargs': ['Build commands from stdin', 'medium', 'text'],
+    'source': ['Run shell script', 'medium', 'shell'],
+    'bash': ['Run shell', 'medium', 'shell'],
+    'sh': ['Run shell', 'medium', 'shell'],
+    // linters/formatters
+    'eslint': ['Linter', 'low', 'dev'],
+    'prettier': ['Formatter', 'low', 'dev'],
+    'jest': ['Test runner', 'low', 'dev'],
+    'vitest': ['Test runner', 'low', 'dev'],
+    'pytest': ['Python test runner', 'low', 'dev'],
+    // platform
+    'gh': ['GitHub CLI', 'medium', 'platform.github'],
+    'claude': ['Claude Code CLI', 'low', 'platform'],
 };
+// Context-aware patterns that UPGRADE severity
+// Regex matched against the FULL permission string (not just command name)
+const CRITICAL_PATTERNS = [
+    // core.filesystem
+    [/rm\s+.*-[a-z]*r[a-z]*f|rm\s+.*-[a-z]*f[a-z]*r|rm\s+-rf/, 'Recursive force delete', 'core.filesystem'],
+    [/rm\s+.*\/\*|rm\s+~/, 'Delete broad path', 'core.filesystem'],
+    // core.git
+    [/git\s+push\s+.*--force|git\s+push\s+.*-f\b/, 'Force push (destroys remote history)', 'core.git'],
+    [/git\s+reset\s+--hard/, 'Hard reset (destroys uncommitted changes)', 'core.git'],
+    [/git\s+clean\s+-f/, 'Remove untracked files permanently', 'core.git'],
+    [/git\s+stash\s+clear/, 'Delete all stashed changes', 'core.git'],
+    // containers
+    [/docker\s+system\s+prune/, 'Prune all docker data', 'containers.docker'],
+    // kubernetes
+    [/kubectl\s+delete\s+namespace/, 'Delete entire namespace', 'kubernetes.kubectl'],
+    [/kubectl\s+delete.*--all/, 'Delete all resources', 'kubernetes.kubectl'],
+    // cloud
+    [/aws\s+s3\s+rb|aws\s+s3\s+rm.*--recursive/, 'Delete S3 data', 'cloud.aws'],
+    [/terraform\s+destroy/, 'Destroy infrastructure', 'infrastructure.terraform'],
+    // system
+    [/chmod\s+777|chmod\s+-R/, 'Broad permission change', 'system.permissions'],
+    // catch-all dangerous
+    [/mkfs|shred|wipefs/, 'Disk destruction', 'core.filesystem'],
+    [/curl.*\|\s*sh|curl.*\|\s*bash|wget.*\|\s*sh/, 'Pipe to shell (remote code execution)', 'networking'],
+];
+const HIGH_PATTERNS = [
+    // core.git
+    [/git\s+push/, 'Push to remote', 'core.git'],
+    [/git\s+rebase/, 'Rewrite commit history', 'core.git'],
+    [/git\s+branch\s+-D/, 'Force delete branch', 'core.git'],
+    // containers
+    [/docker\s+rm/, 'Remove containers', 'containers.docker'],
+    [/docker\s+run/, 'Run container', 'containers.docker'],
+    // cloud
+    [/aws\s+ecs/, 'ECS management', 'cloud.aws'],
+    [/aws\s+codepipeline/, 'CI/CD pipeline', 'cloud.aws'],
+    [/aws\s+ssm/, 'Systems Manager', 'cloud.aws'],
+    // deploy
+    [/npm\s+publish/, 'Publish to npm', 'packages'],
+    [/vercel\s+--prod/, 'Deploy to production', 'deploy'],
+];
+// Write path risk assessment
+const WRITE_CRITICAL = [
+    /\*\*\/\*\.key/, /\*\*\/\*\.pem/, /\.env/,
+    /credentials/, /secrets/, /\.ssh/,
+];
 const TOOL_DESCRIPTIONS = {
-    'Read': ['Read file contents', 'green'],
-    'Write': ['Create/overwrite files', 'yellow'],
-    'Edit': ['Modify existing files', 'yellow'],
-    'Glob': ['Search files by pattern', 'green'],
-    'Grep': ['Search file contents', 'green'],
-    'WebSearch': ['Web search', 'green'],
+    'Read': ['Read file contents', 'low'],
+    'Write': ['Create/overwrite files', 'medium'],
+    'Edit': ['Modify existing files', 'medium'],
+    'Glob': ['Search files by pattern', 'low'],
+    'Grep': ['Search file contents', 'low'],
+    'WebSearch': ['Web search', 'low'],
 };
-// Extract first command word from a bash label like "git branch:*" or "npm run build"
+// Extract first command word from a bash label
 function extractCmd(label) {
-    // Remove :* or * suffix patterns
-    const clean = label.replace(/[:]\*.*$/, '').replace(/\s\*.*$/, '');
-    // Get first word
+    const clean = label
+        .replace(/__NEW_LINE_[a-f0-9]+__\s*/, '')
+        .replace(/[:]\*.*$/, '')
+        .replace(/\s\*.*$/, '');
     return clean.split(/[\s(]/)[0];
 }
 function explainBash(label) {
+    // Check critical patterns first (full string match)
+    for (const [re, desc, domain] of CRITICAL_PATTERNS) {
+        if (re.test(label))
+            return { description: desc, risk: 'critical', domain };
+    }
+    // Check high patterns
+    for (const [re, desc, domain] of HIGH_PATTERNS) {
+        if (re.test(label))
+            return { description: desc, risk: 'high', domain };
+    }
+    // Fall back to command-level lookup
     const cmd = extractCmd(label);
     const entry = BASH_COMMANDS[cmd];
     if (entry)
-        return { description: entry[0], risk: entry[1] };
-    return { description: '', risk: 'yellow' };
+        return { description: entry[0], risk: entry[1], domain: entry[2] };
+    // Bare "Bash" with no command = full shell access
+    if (label.trim() === 'Bash' || label.trim() === '')
+        return { description: 'Unrestricted shell access', risk: 'critical', domain: 'system' };
+    return { description: '', risk: 'medium' };
 }
 function explainWebFetch(label) {
-    return { description: label, risk: 'yellow' };
+    return { description: label, risk: 'low', domain: 'networking' };
 }
 function explainMcp(label) {
     const parts = label.replace(/^mcp__?/, '').split('__');
     const server = parts[0] || '';
     const tool = parts.slice(1).join(' ') || '';
-    return { description: tool ? `${server}: ${tool}` : server, risk: 'yellow' };
+    return { description: tool ? `${server}: ${tool}` : server, risk: 'medium', domain: 'mcp' };
 }
 function explainTool(label) {
+    // Check Write paths for sensitive targets
+    if (label.startsWith('Write:')) {
+        const path = label.slice(6);
+        for (const re of WRITE_CRITICAL) {
+            if (re.test(path))
+                return { description: `Write to sensitive path: ${path}`, risk: 'critical', domain: 'core.filesystem' };
+        }
+        return { description: `Write to ${path}`, risk: 'medium', domain: 'core.filesystem' };
+    }
     const toolName = label.match(/^(Read|Write|Edit|Glob|Grep|WebSearch)/)?.[1];
     if (toolName && TOOL_DESCRIPTIONS[toolName]) {
         const entry = TOOL_DESCRIPTIONS[toolName];
         return { description: entry[0], risk: entry[1] };
     }
-    return { description: '', risk: 'yellow' };
+    return { description: '', risk: 'medium' };
 }
 function explain(category, label) {
     if (category === 'Bash')
@@ -123,5 +241,5 @@ function explain(category, label) {
         return explainMcp(label);
     if (category === 'Tools')
         return explainTool(label);
-    return { description: '', risk: 'yellow' };
+    return { description: '', risk: 'medium' };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ccperm",
-  "version": "1.10.2",
+  "version": "1.11.0",
   "description": "Audit Claude Code permissions across all your projects",
   "bin": {
     "ccperm": "bin/ccperm.js"
@@ -23,7 +23,8 @@
   },
   "files": [
     "bin/ccperm.js",
-    "dist"
+    "dist",
+    "screenshot.png"
   ],
   "devDependencies": {
     "@types/node": "^25.3.0",