A community-driven registry for the Claude Code ecosystem. Not affiliated with Anthropic.
One command to install the essential safety hooks in ~10 seconds, with zero npm dependencies
Listed on Product Hunt since April 21, 2026.
One command to make Claude Code safe for autonomous operation. 746 example hooks · 73+ Anthropic Issues addressed by hook · 9,250+ tests · 30K+ total installs
npx cc-safe-setup
Installs 8 safety hooks in ~10 seconds. Blocks rm -rf /, prevents pushes to main, catches secret leaks, validates syntax after every edit. Zero npm dependencies. Hooks use jq at runtime (brew install jq / apt install jq).
What's a hook? A checkpoint that runs around a Claude tool call: before it executes (PreToolUse), after it returns (PostToolUse), or when a session starts (SessionStart). Like airport security, a PreToolUse hook inspects what's about to happen and blocks anything dangerous before it reaches the gate.
What problem are you solving today? Routing informed by the 6 readers who actually bought the books in the right-hand column:

| Your situation | Start here (free) | Go deeper (¥800–$19) |
|---|---|---|
| Stop destructive ops (rm -rf, force-push, prod commands) | Live Demo → npx cc-safe-setup | Incident Prevention Book (事故防止本, ¥800): the 6-buyer entry book |
| Token costs out of control (/cost shock) | Token Checkup | Token Book (¥2,500): the staged-upgrade destination |
| Max plan hitting usage limits too fast (rate-limited at low %) | Why Max hits limits so fast (the #16157 cluster + what you can measure) | Token Book (¥2,500): cut consumption |
| Sub-agents lying about "task complete" | Cluster Exposure Diagnostic | Sub-Agent Observability Handbook (preview) |
| Opus 4.8 reporting tool results that never ran (fabrication after a cancelled parallel batch) | Why Opus 4.8 fabricates tool results (the trigger, how to spot it, the /model claude-opus-4-7 mitigation + free detection hooks) | Claim-Verify Handbook ($19): 130 cases, 3-stage framework, 14 defenses |
| Legitimate work blocked as a "cyber" / Usage Policy violation, then the whole session dies | Blocked as a "cyber" policy violation? (why one block poisons the session, Sonnet + session-hygiene mitigations, the refund framing, 4 free advisory hooks) | Free hooks + Safety Lab (¥500/mo) to track the shifting classifier |
| Hand-syncing CLAUDE.md + AGENTS.md (Codex / Amp / Copilot read it natively; Cursor / Windsurf / Cline / Aider / Gemini CLI need a line) | Interop Scorecard (score how drift-proof your setup is, X/6, share the card) · Setup Generator (pick your tools, copy the exact setup) · explainer | AGENTS.md × Claude Code Interop Handbook (EN, $12): 9-tool matrix, templates, migration runbook · Japanese edition (¥1,500) |
| Considering switching tools (Cursor / Codex / Cline) | June 15 Readiness Audit | Migration Playbook ($19) |
| Hit a known bug, want a reference | Incident Tracker (90 cases) | Incident Prevention Book (事故防止本, ¥800) |
| Stay ahead of next month's failure clusters | Safety Lab: May issue free preview (~6,000 words; 6 issues previewed) | CC Safety Lab Founder (¥500/month) |
Or browse the diagnostic-tool index below ↓
Diagnostic-tool index:

- 🏅 Safety Scorecard (NEW 2026-06-02): check the protections you have and get an honest X/8 coverage card you can screenshot and share. Browser twin of npx cc-safe-setup --scorecard; the score is encoded in the URL so a shared link reproduces the exact card. No npm, nothing leaves your browser.
- 🔗 AGENTS.md Interop Scorecard (NEW 2026-06-03): you wrote one AGENTS.md, but does every tool actually read it? Score X/6 across Claude Code / Codex / Cursor / Aider / Amp and more, then screenshot and share the card. For the #6235 pain (5,200+ reactions).
- ▶ Live Demo: see hooks block rm -rf in your browser.
- Incident Tracker: 90 real incidents.
- Cluster Exposure Diagnostic (NEW 2026-05-29): 7 questions → which of the 12 tracked failure clusters you are exposed to.
- Cluster 12 Sub-Pattern Diagnostic (NEW 2026-05-29): 4 questions → which of the 4 Opus 4.7 tool-call parsing sub-patterns (12A/12B/12C/12D) is hitting your session, with sub-pattern-specific recovery so a misapplied /clear doesn't burn context.
- Cluster 13 Extended-Thinking Wedge Diagnostic (NEW 2026-05-30): 5 questions → which of the 13A/B/C/D sub-patterns is hitting you, plus detection of the /loop autonomous-run amplification reported by @LMS927369. Correct env var matrix per cnighswonger's 2.1.148 disassembly: DISABLE_INTERLEAVED_THINKING=1 does NOT actually prevent the failure.
- Opus 4.8 Dual Cluster Exposure (NEW 2026-06-01): 5 questions → are you exposed to Cluster 22 fabrication and/or Cluster 23 effort-budget regression on Opus 4.8? 11 filings 5/30–5/31; both clusters resolve via /model claude-opus-4-7 per the #64153 reporter's own comparison.
- Skills Audit Tool (NEW 2026-05-29): drop your session log, find which Skills never fire. Author's own audit: 111 installed, 0 invoked in 10 sessions.
- Safety Lab Fit Diagnostic (NEW 2026-05-29): 5 questions → should you subscribe to the ¥500/month CC Safety Lab membership, or are the free hooks here enough?
- Token Checkup: what type are you?
- All 8 Tools
- Defense Kit: 11 incidents → 11 hooks, narrative per incident.
- Drift Matrix: 14 May 2026 cases × 10 hooks, "if I saw X, install Y".
cc-safe-setup
Make Claude Code safe for autonomous operation
Prevents real incidents (from GitHub Issues):
✗ rm -rf permanently destroyed ~50 GB / 1,500 files (#49129) ← April 2026
✗ Auto mode approved ~/.ssh deletion, all SSH keys gone (#49554)
✗ ~/.git-credentials PATs deleted without confirmation (#49539)
✗ rm -rf deleted 3,467 files (~7 GB) without confirmation (#46058)
✗ rm -rf deleted entire user directory via NTFS junction (#36339)
✗ Remove-Item -Recurse -Force destroyed unpushed source (#37331)
✗ Entire Mac filesystem deleted during cleanup (#36233)
✗ Untested code pushed to main at 3am
✗ Force-push rewrote shared branch history
✗ API keys committed to public repos via git add .
✗ Syntax errors cascading through 30+ files
✗ Sessions losing all context with no warning
✗ CLAUDE.md rules silently ignored after context compaction
✗ Claude ran destructive DDL on production database (#46684)
✗ AI executed delete/kill operations on production environment (#46650)
✗ Subagents ignoring all CLAUDE.md rules since v2.1.84 (#40459)
Hooks to install:
● Destructive Command Blocker
● Branch Push Protector
● Post-Edit Syntax Validator
● Context Window Monitor
● Bash Comment Stripper
● cd+git Auto-Approver
● Secret Leak Prevention
Install all 8 safety hooks? [Y/n] Y
✓ Done. 8 safety hooks installed.
A user lost 3,467 files (~7 GB) when Claude ran rm -rf on their data directory without confirmation. Another lost their entire C:\Users directory when rm -rf followed NTFS junctions. Another lost all source code when Claude ran Remove-Item -Recurse -Force * on a repo. One user's Claude ran destructive DDL on a production database when asked only to investigate. Another had Claude execute delete and kill operations on production systems. Others had untested code pushed to main at 3am. API keys were committed by a blanket git add . command. Syntax errors cascaded through 30+ files before anyone noticed. And CLAUDE.md rules get silently dropped after context compaction, so your instructions vanish mid-session.
Already lost files to a destructive command? Start with the File Recovery Field Guide (NEW 2026-06-01) — recovery-first by file type and OS (git reflog / git fsck for code, PhotoRec / Time Machine / Volume Shadow Copy for media and binaries), then the one PreToolUse hook that prevents a repeat. The hooks below are that prevention layer.
One user analyzed 6,852 sessions and found that the Read:Edit ratio dropped from 6.6 to 2.0, and that the share of edits to files Claude had never read jumped from 6% to 34%. That issue has over 2,100 reactions. The read-before-edit example hook catches this pattern before damage happens.
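The read-before-edit gate described above, as an added Python example (not the catalog's own bash+jq read-before-edit hook). It assumes the documented Claude Code hook contract: the event arrives as JSON on stdin with session_id, cwd, tool_name and tool_input; exit 0 allows the call, exit 2 blocks it and returns stderr to the model. The per-session state file under the temp directory and the two tool-name sets are this example's choices.

```python
#!/usr/bin/env python3
"""PreToolUse hook: deny Edit/MultiEdit on files Claude has not Read this session.

Added illustration, not the catalog's read-before-edit hook. Assumes the
documented hook contract (JSON event on stdin; exit 0 allows, exit 2 blocks
with stderr fed back to the model). State-file location is this example's choice.
"""
import json
import os
import sys
import tempfile

# Tools that give the model the file's current content (or create it outright).
KNOWING_TOOLS = {"Read", "Write", "NotebookRead"}
# Tools that mutate an existing file and should be gated.
MUTATING_TOOLS = {"Edit", "MultiEdit", "NotebookEdit"}


def normalize(path: str, cwd: str) -> str:
    """Resolve relative paths and symlinks so 'app.py' and './app.py' match."""
    if not os.path.isabs(path):
        path = os.path.join(cwd, path)
    return os.path.realpath(path)


def apply_event(seen: set, event: dict) -> tuple:
    """Update the per-session set of files the model has seen and decide.

    Returns (allow, reason). Pure function so it can be tested without stdin.
    """
    tool = event.get("tool_name", "")
    inp = event.get("tool_input") or {}
    cwd = event.get("cwd") or os.getcwd()
    path = inp.get("file_path") or inp.get("notebook_path")
    if not path:
        return True, "no file path in tool_input"
    full = normalize(path, cwd)
    if tool in KNOWING_TOOLS:
        seen.add(full)
        return True, f"recorded {full}"
    if tool in MUTATING_TOOLS and full not in seen:
        return False, (f"Blocked {tool} on {full}: this session has not Read it. "
                       f"Read the file first, then retry the edit.")
    return True, "not gated"


def state_path(session_id: str) -> str:
    """One state file per session; sanitize the id so it cannot traverse directories."""
    safe = "".join(c for c in session_id if c.isalnum() or c in "-_") or "nosession"
    return os.path.join(tempfile.gettempdir(), f"read-before-edit-{safe}.txt")


def load(p: str) -> set:
    try:
        with open(p) as fh:
            return {line.rstrip("\n") for line in fh if line.strip()}
    except FileNotFoundError:
        return set()


def save(p: str, seen: set) -> None:
    with open(p, "w") as fh:
        fh.write("\n".join(sorted(seen)) + "\n")


def main() -> int:
    try:
        event = json.load(sys.stdin)
    except json.JSONDecodeError:
        return 0  # malformed input: fails open; flip to `return 2` for a hard gate
    p = state_path(event.get("session_id", ""))
    seen = load(p)
    allow, reason = apply_event(seen, event)
    save(p, seen)
    if not allow:
        print(reason, file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Register it under hooks.PreToolUse with a matcher that also covers Read and Write (for example Read|Write|Edit|MultiEdit), otherwise the Read calls never reach the script and every edit is denied. The script fails open on malformed input so a contract change cannot wedge a session; a stricter deployment would fail closed there.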
In April 2026, $1,446 was transferred without authorization when Claude moved funds between exchange accounts. A user lost $367 and got their account suspended from a Claude-generated script. Physical coordinates were uploaded to a public website despite 17 sessions of "no PII" in CLAUDE.md. And deny rules can be bypassed with 50+ subcommands.
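The deny-rule bypass problem above (a rule on the literal string "rm -rf" misses "rm -fr", "rm -r -f", "sudo rm -rf", "sh -c 'rm -rf /'", "find / -delete" and "echo / | xargs rm -rf"), demonstrated as an added Python classifier for a Bash tool_input.command. This is an illustration, not the catalog's Destructive Command Blocker: it splits the line into simple commands, peels wrappers, normalizes flags, and recurses into sh -c, xargs and find -exec. It also covers the incident shapes listed above: ~/.ssh and ~/.git-credentials as rm targets, PowerShell Remove-Item -Recurse -Force, and force-pushes to main. The wrapper, shell and sensitive-path lists are this example's choices.

```python
#!/usr/bin/env python3
"""Classify a Bash tool_input.command as destructive before it runs (added example)."""
import re
import shlex

WRAPPERS = {"sudo", "doas", "env", "nice", "time", "command", "exec", "nohup"}
SHELLS = {"sh", "bash", "zsh", "dash", "ksh"}
PWSH_RM = {"remove-item", "ri", "rd", "rmdir", "del", "erase", "rm"}  # pwsh aliases
SENSITIVE = {".ssh", ".git-credentials", ".aws", ".gnupg", ".git", ".claude"}  # example list
OPERATORS = {"&&", "||", ";", "|", "&", "|&"}
REDIRECTS = {">", ">>", "<", "&>", ">&"}


def _risky_path(p: str) -> bool:
    """Root, home, cwd, bare globs, unexpanded $VARs, top-level dirs, sensitive dirs."""
    q = p.rstrip("/") or "/"
    if q in {"/", "~", "*", ".", "..", "./*", "~/*"} or q.startswith(("/*", "$")):
        return True
    if re.fullmatch(r"/[^/]+", q):            # e.g. /etc, /Users, /home
        return True
    return any(part in SENSITIVE for part in q.split("/"))


def _flags(args):
    """Expand '-rf' into {'r','f'}, keep long options; return (flags, positional)."""
    flags, pos = set(), []
    for i, a in enumerate(args):
        if a == "--":
            pos.extend(args[i + 1:])
            break
        if a.startswith("--"):
            flags.add(a[2:].split("=", 1)[0])
        elif a.startswith("-") and len(a) > 1:
            flags.update(a[1:])
        else:
            pos.append(a)
    return flags, pos


def _rm(args, piped):
    flags, targets = _flags(args)
    if not (flags & {"r", "R", "recursive"} and flags & {"f", "force"}):
        return []
    if piped:                                 # targets come from xargs/find: unbounded
        return ["rm -rf over targets supplied by xargs/find (unbounded scope)"]
    return [f"rm -rf on {t}" for t in targets if _risky_path(t)]


def _find(args):
    start = args[0] if args and not args[0].startswith("-") else "."
    out = []
    if "-delete" in args and start not in {".", "./"} and _risky_path(start):
        out.append(f"find {start} -delete")
    for key in ("-exec", "-execdir"):         # analyze the command find would run
        if key in args:
            sub = args[args.index(key) + 1:]
            sub = sub[: next((i for i, t in enumerate(sub) if t in {";", "+"}), len(sub))]
            out.extend(_check(sub, piped=True))
    return out


def _git(args):
    if not args or args[0] != "push":
        return []
    forced = any(a in {"-f", "--force"} or a.startswith(("--force-with-lease", "+")) for a in args)
    protected = any(re.fullmatch(r"(.*[:/])?(main|master)", a.lstrip("+")) for a in args)
    return ["force-push to main/master"] if forced and protected else []


def _check(seg, piped=False):
    """Classify one simple command (a list of tokens)."""
    while seg and seg[0] in WRAPPERS:         # sudo -u root rm -rf /  ->  rm -rf /
        seg = seg[1:]
        while seg and seg[0].startswith("-"):
            seg = seg[2:] if seg[0] in {"-u", "-g"} else seg[1:]
    if not seg:
        return []
    head, args = seg[0].rsplit("/", 1)[-1], seg[1:]   # /bin/rm -> rm
    if head in SHELLS and "-c" in args[:-1]:
        return analyze(args[args.index("-c") + 1])    # recurse into the quoted script
    if head == "xargs":
        while args and args[0].startswith("-"):
            args = args[2:] if args[0] in {"-I", "-n", "-P", "-d", "-L"} else args[1:]
        return _check(args, piped=True)
    if head == "find":
        return _find(args)
    if head == "git":
        return _git(args)
    if head.lower() in PWSH_RM and any(a.lower().startswith("-rec") for a in args) \
            and any(a.lower().startswith("-for") for a in args):
        return [f"{head} -Recurse -Force (PowerShell)"]
    if head == "rm":
        return _rm(args, piped)
    return []


def analyze(cmd: str) -> list:
    """Return the reasons to block `cmd`; an empty list means allow."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        toks = list(lex)
    except ValueError:                        # unbalanced quotes: fail closed
        return ["unbalanced quoting; refusing to classify"]
    reasons, seg, skip = [], [], False
    for t in toks + ["&&"]:                   # sentinel flushes the last segment
        if skip:
            skip = False
        elif t in REDIRECTS:
            skip = True                       # drop the redirect target, not a command arg
        elif t in OPERATORS:
            reasons.extend(_check(seg))
            seg = []
        else:
            seg.append(t)
    return reasons
```

Wired as a PreToolUse hook on the Bash tool, a non-empty result becomes the exit-2 stderr message; the reasons are specific enough for the model to rewrite the command (narrower target, no force flag) instead of retrying the same line. The classifier is deliberately conservative on unexpanded $VAR targets and top-level directories, since the empty-variable rm -rf "$DIR"/ footgun is the classic way a scoped delete becomes a root delete.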
Claude Code ships with no safety hooks by default. This tool fixes that. (Standalone guard script for quick setup | Database protection hooks | Credential protection hooks | Fabrication detection hook | Security vulnerability hooks)
Production case study (healthcare, 2026-05-25): Effective Therapy — a trauma therapy platform serving clinical waitlist populations in Israel — installed dispatch-receipt.sh, closure-word-verify-gate.sh, and route-handler-emptiness-gate.sh after a production audit found 39 OpenClaw agents deployed, only 5 ever used, and 80+ hollow-code findings across the codebase (correct auth checks, correct routes, correct success messages, missing the line that saves data). Patient-safety context: hollow storeResearchReflection meant trauma patient input received a "Reflection saved" success message for data that was thrown away. Full case study with the 4 hollow-code patterns and the 4.7-vs-4.6 behavioral comparison: ianymu/recognition-without-arrest PR #2 (@nvst18, 2026-05-26).
Works with Auto Mode. Claude Code's Auto Mode sandboxing provides container-level isolation. cc-safe-setup adds process-level hooks as defense-in-depth, catching destructive commands even outside sandboxed environments.
Works with subagents. Since v2.1.84, subagents and teammates don't receive CLAUDE.md, so your project rules are silently skipped. Hooks operate at the process level, but subagent tool calls may bypass PreToolUse hooks in some configurations. As defense-in-depth, cc-safe-setup installs hooks at the user level (~/.claude/settings.json). The subagent-claudemd-inject example hook re-injects critical rules into subagent prompts.
Opus 4.7 broke Auto Mode's safety classifier, which was hardcoded to Opus 4.6. If you use Auto Mode with Opus 4.7, dangerous commands run without the built-in safety check. In 3 days: 50 GB permanently deleted, ~/.ssh wiped, git credentials destroyed, shell configs truncated to 0 bytes. Users also report 4x token consumption from silent model switches.
One command to fix it:
npx cc-safe-setup --opus47
Installs 4 hooks targeting known Opus 4.7 regressions. Full details → · Emergency Defense Kit (Gist) · Safety Scanner
Anthropic splits programmatic billing on 2026-06-15 — claude -p and SDK invocations route to a separate credit bucket. In May 2026, financial-harm reports started landing on the tracker: €84.68 over the spending limit from confident-but-false billing claims (#61704), $80 in tokens burned on buggy code presented as working (#61728), tokens wasted on malformed tool calls after assurances they were fixed (#61086), production deployment session with sustained deception (#61699). The model cannot verify Anthropic's own billing logic from its training data. After June 15, the gap between what the model says about billing and how Anthropic actually bills widens. → Plain-English explainer (who's affected, the two pools, the two actions): Claude Code's June 15, 2026 billing change. → 20-second exposure check with a shareable card and live countdown: Are you exposed to the June 15 cliff?
Operator-side defenses available today:
NEW Starter pack (recommended starting point): The 5 cc-safe-setup hooks to install today (and why) — curated entry path through this catalog's ~800 hooks. Picks the five with the highest "value per setup minute" for new operators: nested-spawn-inflight-guard (runaway subagent prevention), bash-fanout-bounded-rewriter (fan-out inside a single Bash call), cache-creation-drift-detector (token spike early warning), compact-dispatch-watchdog (silent compaction failure detection), claim-verify-audit (one-shot diagnostic of 8 known patterns). Each entry gives What it stops / Why I picked it / Install / Wire-up / Override. Covers macOS, Linux, Windows under WSL2 / Git Bash. ~1,297 words, MIT, 14 verified cited links. Names the five clusters this starter pack does NOT cover and where to read the matching field guides.
Free 90-second diagnostic (interactive): Did Claude Code charge you wrong? — 5 questions, matches your case to filed reports, produces a refund argument template you can paste into support.anthropic.com. No signup, no telemetry, single HTML.
Free billing-axis writeup (no install): The Model Can't Verify Its Own Billing — 4 filed cases, 9-row recognition-without-arrest cluster catalog, 4 operator-side defenses, the refund argument that lands (Japanese edition available)
NEW SessionStart hook — catch the "subscription at 0% but my balance is draining" misroute (2026-06-02): examples/subscription-api-billing-warner.sh — Claude Code's credential precedence puts API-key auth above an OAuth subscription, so if ANTHROPIC_API_KEY / ANTHROPIC_AUTH_TOKEN is set, or an apiKeyHelper is configured in settings.json, every request silently bills API / purchased credits even while your Pro/Max subscription quota sits unused. This hook warns at session start when any of those three precedence sources is present, names which one, and points to /status (to confirm the active auth) plus the unset / /config / support-refund fix. The recurring money-losing pain on the tracker: #64613, #53638, #53728. Advisory only — never blocks, never reads the key value; auto-skips when ANTHROPIC_ACCOUNT_LABEL marks deliberate multi-account API use, and silences via CC_SUB_BILLING_DISABLE=1. 16 tests passing.
Free Pro Max quota anomaly field guide (no install): Pro Max Quota Anomaly — Operator Field Guide — ten-issue cluster snapshot (#16157 / #38335 / #46917 / #45756 / #29579 / #41788 / #13585 / #23706 / #16856 / #19673, ~2,200 cumulative reactions, four version-boundary inflection points), five operator-side measurement paths (ccusage, raw JSONL inspection, claude-code-logger proxy, cc-safe-setup hook integration, Anthropic Console cross-reference) with a pattern-to-path mapping that picks the right tool per symptom. Three-axis defense hooks now shipped: cache-creation-drift-detector (PR #340), quota-anomaly-detector (PR #348), session-rate-monitor (PR #349).
Free Safety Lab 2026-08 preview (no install): When Your Pro Max Quota Empties Faster Than It Should — symptom-to-diagnosis-to-defense walkthrough for the three independent mechanisms behind one surface, with the per-mechanism diagnostic flow and the three-hook installation recipe. Free preview of the 2026-08 chapter; full chapter ships to Safety Lab subscribers on 2026-08-01.
Free permission matching cluster field report (no install): A 9-Month Enforcement Gap with 30+ Issues and Zero Staff Engagement — articulation of the 6th cluster tracked in this repo: seven independent failure axes (wildcard compound mismatch, dead-rule accumulation, scope hierarchy break, quote-tracking bypass, deny-rule bypass, syntax contradiction, partial bypass-mode), 25+ issues / ~804 cumulative reactions, meta-issue #30519 articulating the seven axes with 13 referenced sub-issues. 2 of 4 axis-specific hooks shipped 2026-05-27 (always-allow-pattern-suggester.sh PR #359 for Axis 2; bypass-mode-effective-verifier.sh PR #360 for Axis 7). Shipped-status update with install paths and operator checklists: Cluster 6 Defense Status Update. Also serves as the working preview for the 2026-09 Safety Lab chapter.
Free Safety Lab 2026-05 preview (English) (no install): When cache_control Locks Up Your Claude Code Session — and How to Recover the Context — symptom-to-diagnosis-to-recovery walkthrough for the 12+ issue cluster (#55369 / #55156 / #55302 / #55283 / #55118 / #54988 / #54421 / #54314 / #53632 / #50738 / #50681 / #50010, etc.) where an empty text block with a cache_control marker permanently jams a session. Includes the field-recovery Python script (preserves context), four scenarios where the corruption surfaces, and four prevention practices. English companion to the original Japanese-language 2026-05 preview Gist. This is the 2026-05 chapter of the Safety Lab series; 2026-08 and 2026-09 previews above complete the English-side preview set.
Free 2026-05 cluster field report (no install, comprehensive): Six Architectural Failure Modes in One Month — original (May 2026) single-Gist entry point articulating six of the seven clusters tracked here (SOH, multi-account, AGENTS.md, Pro Max quota, TUI/Terminal UX, permission matching). The narrative companion to the Cluster Tracker HTML page. Updated synthesis below covers the 7th cluster (Skills metadata).
Free 9-Cluster Framework synthesis (no install, comprehensive): The 9-Cluster Framework: Mapping the Structural Failure Surface of Claude Code Operator Defense — updated (2026-05-28) synthesis covering all nine clusters with the ~11,590 cumulative reactions / 145+ issues snapshot, the mechanism / symptom family / defense path per cluster, three deep structural patterns (documentation-runtime divergence, validation absence, observability absence at the runtime boundary), and how-to-use guidance for four operator scenarios (incident debugging, June 15 billing-split audit, team/production setting, Opus sensitive-workload AUP cluster). 3,300 words. 2026-05-28 update: Cluster 9 (Usage Policy classifier over-trigger, 25+ open issues filed 2026-05-18 to 2026-05-27, Opus-specific, multilingual false positives) added with corresponding hook shipped same-day.
NEW Free Cluster 8 (v2.1.150 server-side prompt injection) defense triple (no install / three shipped hooks, 2026-05-29): The v2.1.150 release added a function (named nAA in the minified source) that reads strings from the bootstrap API client_data field and the tengu_heron_brook GrowthBook feature flag and registers them as peer-level system prompt sections alongside the documented anti_verbosity / thinking_guidance / action_caution sections. Anthropic confirms this is intentional ("we run experiments on our system prompt"); the documented opt-out is CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 and DISABLE_GROWTHBOOK=1. Reference: #62061 (46+ reactions, bytecode-level evidence by @vladkens) and the v2.1.150 server-side prompt injection audit paths writeup (1,133 words, four audit paths). Defense triple shipped (3 of 4): server-side-prompt-injection-detector.sh (PR #383) — SessionStart advisory when either opt-out env var is missing; cache-residue-detector.sh (PR #453, 28 tests) — closes the gap that opt-out alone does not perform by detecting cached injection values that persist after opt-out env vars are set; and proxy-capture-suggester.sh (2026-05-29, 19 tests) — opt-in SessionStart advisory that surfaces the HTTPS proxy capture path for operators in regulated industries (SOX, HIPAA, FedRAMP, PCI-DSS, EU AI Act Article 12) who need a reconstructible audit trail of the exact system prompt sent at the time of any logged action. When enabled via CC_PROXY_CAPTURE_SUGGESTER_ENABLE=1, names four audit tools (mitmproxy with --save-stream-file, Burp Suite Community, Charles Proxy, Anthropic SDK ANTHROPIC_LOG=debug) with concrete HTTPS_PROXY bridge and SSL_CERT_FILE setup, or — when a proxy is active but ANTHROPIC_LOG_DIR is unset — a shorter audit-sink advisory. Privacy: reads only the env var names, never their values. One more audit hook in design: system-prompt-baseline-checker.sh (diffs baseline against runtime, requires proxy capture). 
Also serves as the working preview for the 2026-11 Safety Lab chapter.
Free Cluster 9 (Usage Policy classifier over-trigger) field guide (no install): Claude Code's AUP False-Positive Cluster: 4 Operator-Side Paths Through It — 1,462-word writeup of the 25+ open-issue cluster (filed 2026-05-18 to 2026-05-27), with the Opus-specific signature, the multilingual / domain-independent evidence, and the four operator-side mitigation paths (Sonnet swap, session warmup, CVP application, retry-on-identical-input). First defense hook shipped 2026-05-28: aup-false-positive-helper.sh (PRs #388 and #389, 16 tests, opt-in SessionStart advisory only, never blocks).

Second defense hook shipped 2026-05-29: aup-block-pattern-logger.sh, a PostToolUse advisory-only hook that pairs with the helper by closing the evidence-and-trend gap. Detects five distinct AUP block patterns (cyber-safeguards, safety-guardrails, rephrase-rewind, usage-policy, usage-policy-api fallback) in tool output and appends a five-field pipe-delimited line to ~/.claude/aup-block-history.log (timestamp / model / tool / pattern kind / 120-char excerpt). Default mode shows the cumulative count for the current model on stderr so operators can build CVP evidence and notice classifier shift over time. 23 tests covering all five patterns, pattern priority, log rotation, schema preservation, jq fallback, and the never-blocks invariant. Environment toggles: CC_AUP_BLOCK_LOGGER_DISABLE, CC_AUP_BLOCK_LOGGER_QUIET, CC_AUP_BLOCK_LOG_PATH, CC_AUP_BLOCK_LOGGER_MAX_LINES.

Third defense hook shipped 2026-05-30: model-swap-suggester.sh, an evidence-driven SessionStart advisory that closes the loop between the helper (generic awareness) and the logger (evidence collection) by reading ~/.claude/aup-block-history.log on session start, counting Opus blocks in a configurable lookback window (default 60 minutes, threshold 3), and emitting a concrete export ANTHROPIC_MODEL=claude-sonnet-4-7 swap recommendation only when the threshold is crossed. Silent in every other path (model unset, non-Opus pinned, log missing/empty, below threshold, outside window) so it never adds noise for users who have not actually been blocked. Counts all Opus variants in the log (opus-4-7, opus-4-6, opus-4-7[1m]) toward the threshold because the cluster signature is Opus-family-wide. 25 tests covering: env toggle paths (DISABLE / QUIET), model gating (unset / Sonnet / Haiku / Opus), log states (missing / empty / Sonnet-only / mixed), threshold and window semantics (below / at / above / outside), custom env vars (THRESHOLD / WINDOW_MIN / TARGET / garbage fallback), schema robustness (unparseable timestamps skipped without crash), and the never-blocks invariant across 8 paths. Environment toggles: CC_MODEL_SWAP_SUGGESTER_DISABLE, CC_MODEL_SWAP_SUGGESTER_QUIET, CC_MODEL_SWAP_SUGGESTER_THRESHOLD, CC_MODEL_SWAP_SUGGESTER_WINDOW_MIN, CC_MODEL_SWAP_SUGGESTER_TARGET; shares CC_AUP_BLOCK_LOG_PATH with the logger. Cluster 9 primary-symptom defense complete (3 of 3 hooks for the block-and-swap path).

Fourth defense hook shipped 2026-05-30 (secondary-pain coverage): aup-retry-loop-guard.sh, a PostToolUse hook that addresses the retry-loop context-burn pain documented in #61664 (Japanese paid user, 2026-05-23, translated: "context/credit is consumed even when a block occurs", "block → rewind → re-run the same step wastes context"). The first three hooks address awareness / evidence / session-start swap but do not break a retry cycle in progress within a single session. The retry-loop guard reads ~/.claude/aup-block-history.log after each tool call and checks whether 3+ blocks (configurable) within a 5-minute window (configurable) all targeted the same tool; the single-tool restriction is the diagnostic signature that distinguishes a retry loop from general session sensitivity. When the pattern fires, it emits a one-shot per-session advisory recommending either Option A (/exit and restart fresh with Sonnet pinned, safest for quota) or Option B (in-place swap, continues the current session). The one-shot lock uses a session identifier resolved in order: CC_AUP_RETRY_LOOP_GUARD_SESSION_ID (explicit override), CLAUDECODE_SESSION_ID, controlling tty, PPID fallback. 26 tests covering env toggle paths, log states, threshold and window semantics, multi-tool burst rejection, custom target model, one-shot per session with different sessions firing independently, garbage env var fallback, unparseable timestamp skipping, and the never-blocks invariant across 7 paths. Environment toggles: CC_AUP_RETRY_LOOP_GUARD_DISABLE, CC_AUP_RETRY_LOOP_GUARD_QUIET, CC_AUP_RETRY_LOOP_GUARD_THRESHOLD, CC_AUP_RETRY_LOOP_GUARD_WINDOW_MIN, CC_AUP_RETRY_LOOP_GUARD_TARGET, CC_AUP_RETRY_LOOP_GUARD_STATE_DIR, CC_AUP_RETRY_LOOP_GUARD_SESSION_ID; shares CC_AUP_BLOCK_LOG_PATH with the logger. Internal customer-pain research at ~/ops/customer-pain-cluster-9-secondary-pains-2026-05-30.md (7 secondary pains beyond the primary block symptom; this hook addresses axis 1).

Fifth defense hook shipped 2026-05-30 (secondary-pain coverage continued): aup-large-tool-output-warner.sh, a PreToolUse hook that addresses the large-security-output trigger surface documented in #61185 (filipghoulin, 2026-05-23: "A lab-review skill dispatched a sub-agent that ran cat /etc/banip/banip.blocklist on an OpenWRT router. The blocklist has ~17,000 entries. That volume of content in a single tool result, combined with the security shape of the content, appears to have flipped the classifier into a permanent block state for the whole session"). The first four hooks act on the block aftermath (awareness, evidence, swap, retry-loop break); none of them act before the offending tool call. Once the classifier fires on a large security-shaped output, the session is already wedged and /compact and /clear may themselves block, so the only place to address this trigger surface is the PreToolUse boundary. The hook detects five command shapes that commonly produce large outputs (cat on security-shaped system paths, find recursing under security paths, journalctl/dmesg without size caps, grep -r on security paths) plus a sentinel wordlist (blocklist, denylist, banlist, iplist, iptables-save, ipset save, /etc/banip/, /etc/fail2ban/, /var/log/auth*, /var/log/secure*, firewall.conf) for content that would look security-shaped to the classifier regardless of how it is read. It emits a one-shot per-(session, pattern_hash) stderr advisory recommending narrower variants (head -N, tail -N, wc -l, grep -c, journalctl --since, find ... | head) and skips automatically when the command already has a size cap (head/tail/wc/-n/-quit/--since). 32 tests covering env toggle paths, non-Bash tool skip, empty/malformed input, every category and sentinel, every size-cap skip path, one-shot per-(session, pattern) semantics with different patterns and different sessions firing independently, the sentinel-only path (e.g. iptables-save > /tmp/rules.txt), advisory content references (#61185, #60366, the head -200 recommendation), state directory auto-create, and the never-blocks invariant. Environment toggles: CC_AUP_LARGE_OUTPUT_WARNER_DISABLE, CC_AUP_LARGE_OUTPUT_WARNER_QUIET, CC_AUP_LARGE_OUTPUT_WARNER_STATE_DIR, CC_AUP_LARGE_OUTPUT_WARNER_SESSION_ID. Internal customer-pain research at ~/ops/customer-pain-cluster-9-secondary-pains-2026-05-30.md (axis 4: single tool call returning large sensitive-content volume).

The Cluster 9 five-hook defense surface now covers: helper (axis 0 awareness) + logger (axis 0 evidence) + suggester (axis 0 session-start swap) + retry-loop guard (axis 1 intra-session retry cycle break) + large-tool-output warner (axis 4 pre-call large-output prevention). A companion interactive 4-question diagnostic at cluster-9-aup-diagnostic.html outputs the highest-leverage path tailored to your model / frequency / domain / CVP status. Also serves as the working preview for the 2026-12 Safety Lab chapter.
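The two decisions the suggester and the retry-loop guard make over the block-history log (Opus blocks in a lookback window crossing a threshold, and N+ blocks in a short window all hitting one tool), as an added Python example that is not the catalog's model-swap-suggester.sh or aup-retry-loop-guard.sh. It assumes the five-field pipe-delimited log format named above (timestamp|model|tool|kind|excerpt) and ISO-8601 UTC timestamps; the sample log lines are constructed, and the default target model mirrors the recommendation quoted above.

```python
#!/usr/bin/env python3
"""Decide on a model swap or a retry-loop warning from an AUP block-history log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Block:
    at: datetime
    model: str
    tool: str
    kind: str


def parse_log(text: str) -> List[Block]:
    """Parse timestamp|model|tool|kind|excerpt rows; skip malformed rows and bad timestamps."""
    out = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) < 4:
            continue
        try:
            at = datetime.fromisoformat(parts[0].strip().replace("Z", "+00:00"))
        except ValueError:
            continue                       # unparseable timestamp: skip, never crash
        if at.tzinfo is None:
            at = at.replace(tzinfo=timezone.utc)
        out.append(Block(at, parts[1].strip(), parts[2].strip(), parts[3].strip()))
    return out


def in_window(blocks: List[Block], now: datetime, minutes: int) -> List[Block]:
    cutoff = now - timedelta(minutes=minutes)
    return [b for b in blocks if cutoff <= b.at <= now]


def swap_recommendation(blocks: List[Block], now: datetime, current_model: str,
                        window_min: int = 60, threshold: int = 3,
                        target: str = "claude-sonnet-4-7") -> Optional[str]:
    """Recommend a swap only when the session is on Opus and Opus-family blocks hit the threshold."""
    if "opus" not in current_model.lower():
        return None                        # model unset or Sonnet/Haiku pinned: stay silent
    recent = [b for b in in_window(blocks, now, window_min) if "opus" in b.model.lower()]
    if len(recent) < threshold:
        return None
    return f"export ANTHROPIC_MODEL={target}"


def retry_loop_tool(blocks: List[Block], now: datetime,
                    window_min: int = 5, threshold: int = 3) -> Optional[str]:
    """Name the tool when >= threshold blocks in the window all hit the same tool.

    A multi-tool burst is general session sensitivity, not a retry loop, so it returns None.
    """
    recent = in_window(blocks, now, window_min)
    if len(recent) < threshold:
        return None
    tools = {b.tool for b in recent}
    return tools.pop() if len(tools) == 1 else None


# Constructed sample log: three Opus blocks on Bash within three minutes, one garbage row,
# and one older Sonnet block on Read that falls outside every window used below.
SAMPLE_LOG = """\
2026-05-30T10:00:00Z|claude-opus-4-7|Bash|cyber-safeguards|cat /etc/fail2ban/jail.conf ...
2026-05-30T10:01:10Z|claude-opus-4-7|Bash|rephrase-rewind|same command re-run after rewind
2026-05-30T10:02:30Z|claude-opus-4-7[1m]|Bash|usage-policy|same command, third attempt
not-a-timestamp|claude-opus-4-7|Bash|usage-policy|garbage row, skipped by the parser
2026-05-30T08:00:00Z|claude-sonnet-4-7|Read|safety-guardrails|outside the lookback window
"""
NOW = datetime(2026, 5, 30, 10, 3, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    blocks = parse_log(SAMPLE_LOG)
    print("swap:", swap_recommendation(blocks, NOW, "claude-opus-4-7"))
    print("retry loop on tool:", retry_loop_tool(blocks, NOW))
```

The window arithmetic is done on timezone-aware datetimes so a log written by a machine in JST and read under UTC still counts correctly; naive timestamps are assumed UTC rather than rejected, which keeps the "skip, never crash" behaviour the hooks advertise without silently dropping data.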
NEW Free 13 cost-spike patterns reference (no install, 2026-05-28): 13 Claude Code Cost-Spike Patterns: 8 from the English market + 5 from 800 hours of operations — 2,077-word integration of the 8 cost-spike patterns documented in the English-language guides (Finout's 8-pattern enumeration, ClaudeFast usage optimization, EasyClaw tokens guide) with 5 additional patterns I have not seen written up elsewhere as of 2026-05-28: CLAUDE.md hooks stderr re-injection (5K–15K tokens/turn), AGENTS.md duplicate context overlap (2K–4K/turn), Pool 2 cliff (12×–175× ratio shift on 2026-06-15), Cowork FUSE-mount context pollution (Cluster 11, Issue #62932 P1), GrowthBook A/B flag override (Cluster 10, Issue #62205). Each of the 13 patterns has symptom / mechanism / defense / citation, with the defense pinned to a specific cc-safe-setup hook where one exists. Three-tier integration (Tier 1: prevention for $8K+ single events; Tier 2: automation for 100K+ sessions; Tier 3: observation for background bloat). Free field reference; the 800-hour operational dataset and per-pattern before/after numbers are in the Japanese Token Book (¥2,500). Companion interactive 5-question diagnostic at cost-spike-pattern-diagnostic.html maps you to the 3 most-relevant patterns from the 13 with the cc-safe-setup hook install command for each. No signup, no telemetry, single HTML.
NEW Cluster 18 candidate (/ultrareview crash burns credit on large PRs — 6-filing accumulation, hook shipped) (advisory hook shipped, 2026-05-29): Six independent filings within a 72-hour window where /ultrareview (cloud-side review feature, 3 free credits / day on Pro) crashes server-side with zero findings returned, yet the operator's daily credit counter is still decremented. Shared error: Review crashed before producing findings. See session logs for details. The six filings: #62696 (3rd crash burns credit, v2.1.150, anchor), #62709 (PR #7 review crashed, 0 findings), #62787 (2 consecutive crashes, 2/3 credits burned, 21 files / 84KB diff), #62876 (Find phase crash, Setup phase complete), #63117 (1 crash decrements credit, 6 files / 2,185 insertions), #63522 (same-branch 2 consecutive crashes, 2/3 credits burned). Three common structural traits: (1) Large PRs crash at a noticeably higher rate (16+ files or 1,500+ insertions over-represented); (2) Find phase is the failure point — Setup phase completes; (3) Retrying on the same branch burns a second credit for the same crash. Three operator-side defenses (the crash is server-side, no hook can prevent it): split the PR before invoking /ultrareview; do not retry on the same branch; fall back to /code-review (local, no cloud crash exposure). SessionStart advisory shipped (this PR): examples/ultrareview-large-diff-advisor.sh (22/22 tests passing) — measures current branch diff vs base and surfaces caution / elevated advisories above 6 files or 500 insertions (caution) and 16 files or 1,500 insertions (elevated). All thresholds env-overridable; opt-in QUIET/DISABLE. 
Token consumption impact quantified in the Token Book Ch18, "Candidate cluster: /ultrareview crashes that consume the usage quota, and the user-side token impact" (¥2,500, freshly added 2026-05-29): the failed cloud run plus the local re-review doubles token consumption; the June 15 traffic-pool split routes the failed cloud run through Pool 2 quietly, then double-charges across Pool 1 and Pool 2 when the operator falls back to local. English field guide (1,481 words, MIT): The /ultrareview crash that burns credit: six issues in three days and three user-side defenses. Filings count crossed the 4-filing promotion threshold; reactions count (0) has not crossed the 15-reaction threshold yet, so it is tracked as a candidate at cluster-tracker.html. Internal research document: ~/ops/customer-pain-research-ultrareview-crash-credit-2026-05-29.md. 2027-06 Safety Lab issue targeted as lead chapter once promotion criteria are fully met.
NEW Cluster 17 candidate (documented setting fields silently ignored, 4-filing accumulation, sister pattern to Cluster 7) (no install, 2026-05-29): Four independent filings within a 48-hour window where documented settings.json paths or environment variables are silently ignored at runtime: no validation error, no warning, and the operator continues believing the setting is applied. Paired with Cluster 7, which articulates the same validation-pipeline-absence root cause from the opposite direction (fabricated fields silently accepted). The four filings: #63178 --model flag silently ignored in interactive mode (works in --print, v2.1.153), #63186 CLAUDE_AUTOCOMPACT_PCT_OVERRIDE in the settings.json env block silently ignored at app level (propagates to subprocess only), #63479 CLAUDE_CODE_DISABLE_1M_CONTEXT=1 env var ignored, #63560 ~/.claude/settings.json top-level model field silently ignored for interactive sessions (--model flag and ANTHROPIC_MODEL env var both work). The common workaround for all four: switch to the env var path via a ~/.bashrc / ~/.zshrc export; the env-var path is honored where the settings.json path silently fails. Token consumption impact quantified in the Token Book Ch17, "The cluster of silently ignored settings and the user-side token impact" (¥2,500, freshly added 2026-05-29, 14,267 chars): autocompact misfire produces context bloat (+15-30% cache_creation rate), 1M-context continuation produces 1.8-2.4× token consumption vs the intended 200K mode, model misroute produces an 8-15% retry rate. June 15 cliff impact: with Pool 2 overage pricing post-2026-06-15, the same silently ignored settings produce 1.5-5.5× cost amplification vs the pre-cliff baseline (Token Book Ch17 §17.8). Filings count crossed the 4-filing promotion threshold; reactions count (0) has not crossed the 15-reaction threshold yet, so it is tracked as a candidate at cluster-tracker.html.
Internal research document: ~/ops/customer-pain-research-settings-silently-ignored-2026-05-29.md (four product hypotheses including the cc-safe-setup settings-effective-state-checker.sh hook in design for June 2026). 2027-05 Safety Lab issue targeted as lead chapter once promotion criteria fully met.
NEW Free Cluster 16 (v2.1.154+ system role serialized into messages array — promoted same-day) field guide (no install, 2026-05-29): v2.1.154+ Serializes system Role into messages[] — A Field Guide to Cluster 16 with Operator Workaround — ~2,786-word English-language writeup. Promoted from candidate to full cluster status at 17:30 JST after the filing count crossed the threshold within 48 hours of v2.1.154 release. Claude Code v2.1.154 onward serializes system-role entries (from SessionStart hook context, plugin context, Skill metadata, or compaction summaries) as peer entries inside the messages[] array instead of the top-level system field, producing API Error: 400 messages[1].role must be either 'user' or 'assistant', but got 'system'. Four sub-patterns: 16A custom agents via /agents (#63457, 2026-05-29, clean rollback to v2.1.153 fully resolves), 16B strict Anthropic-compatible providers (#63366 + #63469 5 reactions, has-repro, raw API body captured via OTEL_LOG_RAW_API_BODIES), 16C VS Code extension (#63473 + #63510, same defect propagates through the shared request-assembly path), 16D long-lived session context operations (#63396 Variant 1, compact/clear/model-switch produces invalid messages[0] with role system). Cross-language confirmation via #63395 (Chinese-language macOS VS Code report). Operator-side workaround (the only path until upstream fix): pin to v2.1.153 — npm install -g @anthropic-ai/claude-code@2.1.153 plus export CLAUDE_CODE_DISABLE_AUTO_UPDATE=1 to prevent auto-update from overwriting the pin. No cc-safe-setup hook can prevent the 400 at request-assembly time — the defect lives in code paths the hook layer cannot reach. A version-pin advisory hook is in design (SessionStart hook detecting v2.1.154+ and emitting the pin command). 
Sub-pattern 16B is structurally similar to #52893's class of provider-side schema-strictness regressions — operators routing through ANTHROPIC_BASE_URL to non-Anthropic providers experience a sharper failure mode (request never lands) than operators on the official API endpoint. Tracking #63469 as the anchor case for upstream resolution signal; expected fix in v2.1.157 or later. 2027-04 Safety Lab issue may be re-scoped to dual-feature Cluster 14 and Cluster 16 given recency and operator urgency.
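To make the Cluster 16 failure shape concrete, here is an added diagnostic in Python (not the project's hook and not Claude Code's code): it scans a captured request body (the kind OTEL_LOG_RAW_API_BODIES exposes) for messages[] entries whose role the API rejects, hoists any system-role entries into the top-level system field for offline inspection, and implements the version check a SessionStart pin advisory would need. Assumptions are labelled in the code: the Messages API body shape (top-level system plus a messages list of {role, content}), and the SAMPLE_BODY, which is constructed rather than captured.

```python
"""Diagnostic for the Cluster 16 shape: a ``system`` role entry inside
``messages[]`` instead of the top-level ``system`` field.

Added example, not the project's own hook. Assumes the Anthropic Messages
API request body shape (top-level ``system``, ``messages`` list of
{role, content}); SAMPLE_BODY below is constructed, not a captured body.
"""
import json
import re

VALID_MESSAGE_ROLES = {"user", "assistant"}
FIRST_BAD_VERSION = (2, 1, 154)  # first release showing the defect, per the field guide
PIN_VERSION = "2.1.153"          # last known-good release, per the field guide


def find_misplaced_roles(body):
    """Return (index, role) for every messages[] entry whose role the API
    would reject with a 400, i.e. anything other than user/assistant."""
    return [(i, m.get("role")) for i, m in enumerate(body.get("messages", []))
            if m.get("role") not in VALID_MESSAGE_ROLES]


def hoist_system_entries(body):
    """Return a copy of the body with system-role entries moved out of
    messages[] and appended to the top-level system field. This repairs a
    captured body for offline inspection; it does not fix the client."""
    fixed = {k: v for k, v in body.items() if k != "messages"}
    system_parts = []
    if isinstance(body.get("system"), str) and body["system"]:
        system_parts.append(body["system"])
    kept = []
    for m in body.get("messages", []):
        if m.get("role") == "system":
            content = m.get("content")
            if isinstance(content, list):  # list-of-blocks form: keep text blocks only
                content = "\n".join(b.get("text", "") for b in content if b.get("type") == "text")
            system_parts.append(str(content))
        else:
            kept.append(m)
    fixed["messages"] = kept
    if system_parts:
        fixed["system"] = "\n\n".join(system_parts)
    return fixed


def parse_version(text):
    """Extract a (major, minor, patch) tuple from e.g. 'claude --version' output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def pin_advice(version_text):
    """SessionStart advisory: if the running CLI is in the affected range,
    return the pin command from the field guide; otherwise None."""
    v = parse_version(version_text)
    if v is None or v < FIRST_BAD_VERSION:
        return None
    return (f"claude {'.'.join(map(str, v))} is in the Cluster 16 range; pin with: "
            f"npm install -g @anthropic-ai/claude-code@{PIN_VERSION} && "
            f"export CLAUDE_CODE_DISABLE_AUTO_UPDATE=1")


# Constructed sample: the shape a v2.1.154+ client would assemble after a
# SessionStart hook injected context (inferred from the 400 message text).
SAMPLE_BODY = {
    "model": "claude-opus-4-7",
    "system": "You are a coding assistant.",
    "messages": [
        {"role": "user", "content": "Run the tests."},
        {"role": "system", "content": [{"type": "text", "text": "SessionStart hook context: branch main"}]},
        {"role": "assistant", "content": "Running them now."},
    ],
}

if __name__ == "__main__":
    print(find_misplaced_roles(SAMPLE_BODY))          # [(1, 'system')] matches messages[1].role in the 400
    print(json.dumps(hoist_system_entries(SAMPLE_BODY), indent=2))
    print(pin_advice("2.1.156 (Claude Code)"))
```

The index the scanner reports (messages[1]) is the same index the 400 error names, which is the quickest way to confirm from a raw body that a session is hitting this cluster rather than one of the thinking-block 400s in Cluster 13.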
NEW Free Cluster 15 (Non-English Language Quality Regression) field guide (no install, 2026-05-29): Non-English Language Quality Regression in Claude Code (Opus 4.7 / 2.1.121+) — A Field Guide to Cluster 15 — ~3,126-word English-language writeup articulating the four sub-patterns, the rigorous Kiwi-based methodology that anchors #62961, the structural reason hooks cannot reach this failure mode (the defect lives in the model's training-data distribution, upstream of every client-side surface), the three operator-side mitigations (model downgrade, system-prompt register enforcement, post-hoc frequency analysis via Kiwi or equivalent per language), the comparison to other recovery-surface-narrow clusters (especially Cluster 13's session-killing analog), and the practical sequence for English-speaking operators managing teams with non-English-speaking members. Also tracked at cluster-tracker.html#cluster-nonenglish-quality — four sub-patterns across two languages on Opus 4.7 / Claude Code 2.1.121+: 15A Korean register drift (#62961, 7 reactions, has-repro, area:model — Kiwi morpheme analysis across 4,666 sessions / 114.9M output tokens documents the verb 박다 (informal "hammer in" used where formal verbs 명시하다 / 기록하다 / 삽입하다 would be expected) at 18× baseline frequency after v2.1.132, persisting through v2.1.143), 15B Korean lexical fixation (영역 repeatedly inserted into unrelated output, #54339, v2.1.121 + Opus 4.7), 15C Korean in-vivo self-diagnosis limit (#57748, the model cannot reliably self-diagnose the regression from inside the affected mode), 15D Turkish English-templated structure (#57233, six error categories — calque, word order, register, grammatical particles, idiom literalism, context-inappropriate vocabulary — traced to "English-templated reasoning lexically translated rather than native Turkish generation"). 
The unifying root cause, articulated by reporters in both languages from the model's own self-explanation: "training data is heavily English-weighted; internal patterns follow English structures; non-English output is generated by lexically substituting target-language words onto English skeletons." 1 shipped advisory hook (updated 2026-05-30): non-english-quality-warner.sh (PR #487, 20 tests passing). SessionStart advisory, fully opt-in via CC_NON_ENGLISH_QUALITY_WARNER_REMIND=1 (silent by default to avoid noise for English-language operators). When opted in, emits a non-blocking stderr advisory naming the three operator-side workarounds (model downgrade with concrete export ANTHROPIC_MODEL=claude-sonnet-4-7 command, system-prompt register enforcement with Korean and Japanese rule-shape examples, post-hoc Kiwi-equivalent frequency analysis). Acknowledges the server-side nature of the defect (no client fix), cites #62961 and the 18× signal, references the field guide gist, and explains how to disable once the operator has chosen a workaround or verified the regression is patched for their workflow. The hook does not invent a new mitigation — it surfaces the existing operator-side paths at session start so the operator notices the situation before shipping documents containing slang verbs in formal contexts. The cluster is upstream-only and the defect remains in the model's training-data distribution; the hook's value is detection latency reduction, not defect repair. Recovery surface is still the narrowest of all 15 clusters. Two more hooks remain in design (model-downgrade advisory for sessions detected as non-English-heavy, Stop-time per-language frequency analysis runner). 2027-03 Safety Lab issue targeted as lead chapter.
NEW Free Cluster 11 (Cowork) field guide (no install, 2026-05-30): Cluster 11: Cowork (Desktop Sandbox + Remote Control) — Claude Code field guide — 1,902-word English writeup articulating the seven sub-cluster axes of the largest aggregate cluster in May 2026 (237 open Cowork-related issues in 17 days, intake at 14/day with 21% of those filed in the last 48 hours). The four original sub-clusters (11A filesystem/mount, 11B platform/binary, 11C subscription/access, 11D infrastructure incident) plus three new axes that emerged in the 48-hour expansion since the 2026-05-28 articulation: 11E hooks do not run in Cowork (#63360, #63047) — the operator's CLI-side hook defenses do not protect them inside the Cowork sandbox, 11F handoff silent failure (#63307, #63809) — long-running spawned sessions and inter-session handoffs lose their results (the SOH pattern at the Cowork boundary), 11G silent authentication expiry (#63185) — 3P Bedrock SSO credentials silently expire without triggering re-auth on day 2+. Three shipped CLI-side defense hooks (cowork-claude-md-load-checker PR #409, cowork-fuse-staleness-watcher PR #410, cowork-model-picker-advisor PR #411). The fundamental limit: CLI-side hooks run outside the Cowork sandbox while the failures happen inside it, so the hooks can warn before the operator switches into Cowork but cannot intercept failures originating entirely inside the sandbox. Three operator-side filters for the adoption decision: (1) if you rely on CLI hooks for cost/safety control, defer Cowork until #63360 ships; (2) if your sessions span multiple days with SSO auth, build a daily re-auth checkpoint; (3) if you depend on the FUSE mount for git ops, install cowork-fuse-staleness-watcher before you start and prefer ref-walking ops over working-tree ops.
NEW Free Cluster 14 (Silent Data Loss) field guide (no install, 2026-05-29): Silent Data Loss in Claude Code — A May 2026 Cluster Across Three Axes — ~1,617-word writeup of 18+ open-issue cluster filed 2026-05-23 through 2026-05-28, all labeled data-loss or matching the failure shape, splitting cleanly into three structural sub-axes: 14A silent transcript garbage collection (#62041, #62272, #62959, #61852, #61952 — "~20 sessions lost, 2 months of paid work gone", #62997, #63082, #63187); 14B consent-boundary collapse on destructive commands (rm -rf / git clean -fd / git reset --hard against paths the user did not explicitly allowlist); 14C Edit/Write file corruption (silent truncation, encoding corruption — the CJK U+FFFD case #43746 is the closed canonical example). Shipped defense for sub-axis 14B: consent-boundary-defender.sh (PR #344) — PreToolUse hook on Bash rm / git clean / git reset --hard / git checkout -- . commands that refuses the call when the target path is outside the explicitly allowlisted CC_CONSENT_PATHS environment variable. Two more advisory hooks in design (14A sidecar copy Stop hook, 14C size-mismatch advisory). Sub-axis 14A is structurally hook-difficult because the deletion is performed by client-internal scheduling, not via a tool call any hook can see — backup hygiene (Time Machine, rsync.net, periodic tar to a separate disk) is the durable operator-side mitigation for that sub-axis. 2027-04 Safety Lab issue targeted as lead chapter.
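The refusal logic described for sub-axis 14B, written out as an added Python example (not the repo's consent-boundary-defender.sh): it splits a Bash command line into simple commands, extracts the paths that rm / git clean / git reset --hard / git checkout -- would destroy, resolves them against the working directory, and denies the call when any target falls outside the CC_CONSENT_PATHS allowlist. Assumptions: the PreToolUse hook receives Claude Code's JSON on stdin with tool_input.command, CC_CONSENT_PATHS is colon-separated, and exit status 2 with a stderr message blocks the tool call (the hook protocol as I understand it; check against the current docs before relying on it).

```python
"""Consent-boundary check for a PreToolUse hook on Bash (Cluster 14B shape).

Added example illustrating the refusal logic, not the repo's hook.
Assumptions: PreToolUse JSON on stdin with tool_input.command; CC_CONSENT_PATHS
is a colon-separated allowlist of directories; exit 2 + stderr blocks the call.
"""
import json
import os
import shlex
import sys

SEPARATORS = {"&&", "||", ";", "|"}


def split_commands(command):
    """Split a shell line into simple-command argv lists on &&, ||, ; and |."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    segments, current = [], []
    for tok in lex:
        if tok in SEPARATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def destructive_targets(argv, cwd):
    """Return the absolute paths a simple command would destroy, or [] if the
    command is not one of the watched destructive operations."""
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if not argv:
        return []
    if argv[0] == "rm":
        paths = [a for a in argv[1:] if not a.startswith("-")]
        return [os.path.abspath(os.path.join(cwd, p)) for p in paths]
    if argv[0] == "git" and len(argv) >= 2:
        rest = argv[1:]
        if rest[:2] == ["reset", "--hard"]:
            return [os.path.abspath(cwd)]           # rewrites the whole working tree
        for sig in (["clean"], ["checkout", "--"]):
            if rest[:len(sig)] == sig:
                # explicit pathspecs narrow the target; none means the whole tree
                paths = [a for a in rest[len(sig):] if not a.startswith("-")]
                return [os.path.abspath(os.path.join(cwd, p)) for p in paths] or [os.path.abspath(cwd)]
    return []


def is_allowed(path, allowlist):
    """True when `path` is inside one of the allowlisted roots."""
    for root in allowlist:
        root = os.path.abspath(root)
        if os.path.commonpath([root, path]) == root:
            return True
    return False


def check_command(command, allowlist, cwd="/"):
    """Return ("allow", "") or ("deny", reason) for one Bash command line.
    With an empty allowlist every destructive operation is denied."""
    for argv in split_commands(command):
        for target in destructive_targets(argv, cwd):
            if not is_allowed(target, allowlist):
                return ("deny", f"{' '.join(argv)} targets {target}, outside CC_CONSENT_PATHS")
    return ("allow", "")


def main():
    payload = json.load(sys.stdin)
    if payload.get("tool_name") != "Bash":
        return 0
    allowlist = [p for p in os.environ.get("CC_CONSENT_PATHS", "").split(":") if p]
    command = (payload.get("tool_input") or {}).get("command", "")
    decision, reason = check_command(command, allowlist, os.getcwd())
    if decision == "deny":
        print(f"consent-boundary: {reason}", file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The check is deliberately conservative: a path that cannot be proven inside the allowlist (a sibling reached through `..`, a working-tree operation run from an unlisted directory) is denied, because the cost of a false positive is one re-prompt while the cost of a false negative is the data loss the cluster documents.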
NEW 2026-05-31 Cluster 22 + 23 candidates — Opus 4.8 dual cluster (correctness + cost) (5 hooks shipped across both clusters, both English field guides + Japanese book chapters published): Same model (claude-opus-4-8), same version window (v2.1.156–v2.1.158), two structurally distinct surface failures emerging on the same day. Cluster 22 candidate (Pre-execution tool-output fabrication, 6 independent filings in 48 hours: #64048 / #64055 / #64065 (anchor) / #64076 / #64095 / #64103) — the model confidently asserts specific tool-output values (prices, URLs, file contents, SHAs) BEFORE the tool calls that would produce those values have returned, then self-corrects 1–2 messages later. The self-recognition-without-prevention mechanic is load-bearing: the model explicitly tells the user "I just did the exact thing I promised not to do" — degeneration mode below the prompt layer, model-side prompting cannot fix it. Two operator-side hooks shipped: tool-result-correlation-checker.sh (PR #519, PostToolUse, Axis 22B parallel-batch fabrication compounding via tool_use_id ↔ tool_result pairing mismatch detection) and pre-execution-claim-detector.sh (PR #537, PreToolUse on Bash, 21 tests, opt-in via CC_OPUS48_PRE_CLAIM_DETECT=1, scans the last assistant text block for 5 claim signatures with 3 hedge-suppression rules — addresses Axis 22A sequential pre-execution claim via the #64065 anchor signature). Cluster 23 candidate (Effort-budget regression, 5 independent filings: #64153 (anchor) / #64152 / #64143 / #64102 / #63455) — effort=medium produces 40-50k output tokens on routine coding turns where the same prompt on Opus 4.6/4.7 produces 2-3k. Anchor case: 46,433 output tokens / 22m 43s thinking on a routine rename-impact scan, stop_reason: end_turn. 
Three operator-side hooks shipped: output-token-spike-detector.sh (PR #529, 21 tests, rolling-window comparison, Axis 23A absolute magnitude vs personal baseline), opus48-routine-task-warning.sh (PR #529, SessionStart opt-in advisory), thinking-budget-effort-mismatch-detector.sh (PR #535, 21 tests, per-tier threshold — low>10k, medium>30k, high>80k, addresses Axis 23B effort-tier perception mismatch without needing baseline accumulation). Both clusters resolve via Path 1: /model claude-opus-4-7 — the reporter's own comparison (#64153) shows Opus 4.6/4.7 do not exhibit either surge. Five hooks total watch the Opus 4.8 surface end-to-end; three are opt-in so non-Opus-4.8 operators pay zero noise cost. Japanese long-form articulation in Token Book Ch24 (¥2,500, technical depth) and the Incident Prevention book (事故防止本) Ch12 + Ch13 (¥800, operator-experience framing). Tracked at cluster-tracker.html. The June 15 billing cliff context makes the Cluster 23 candidate's Opus 4.7 switch the highest-leverage pre-cliff action — the 5-10× quota burn becomes a 5-10× dollar burn after June 15.
NEW 2026-05-31 Cluster 21 candidate — Plugin lifecycle integrity gap (2 hooks shipped, 4 axes upstream-only): Five independent filings on 2026-05-30 across v2.1.156 / v2.1.157 / v2.1.158 articulating six sub-axes of one structural cluster — the plugin extension surface has missing lifecycle events, gaps in cleanup paths, and silent state corruption that compounds across multi-agent sessions. 21A additive hook-registration growth (#64022, observed 1× → 122× per hook in multi-agent sessions, plugin's own scripts audited — no additive writer, the harness re-runs the plugin-hook load/merge and appends instead of replacing); 21B variable expansion gap (#64074, ${CLAUDE_PLUGIN_ROOT} expands in hooks but not in the statusLine execution context); 21C cleanup gap (#64074, /plugin uninstall leaves the statusLine entry in settings.json — zombie bar after uninstall); 21D signal gap (#64017, SIGTERM termination including timeout wrapper kills the CLI without firing the Stop hook, external supervisor reads prior-run hook output as if it were current); 21E environment gap (#64064, Stop hooks fail with node: command not found and missing plugin directories — hook execution shell does not inherit interactive PATH); 21F startup gap (#64018, no Startup / SessionInit hook event fires before a conversation exists — statusLine plugins cannot pre-initialize, visible empty status bar at initial prompt). Two operator-side hooks shipped 2026-05-31: plugin-hooks-json-bloat-detector.sh (PR #511, SessionStart, 15 tests including the exact 122× growth case from #64022) covers 21A — walks every ~/.claude/plugins/cache/**/hooks/hooks.json at session start, counts duplicate command strings per event bucket (PreToolUse / PostToolUse / Stop / etc are counted separately so legitimate cross-event registrations don't trip the detector), warns when any single command exceeds CC_PLUGIN_HOOKS_BLOAT_THRESHOLD (default 5) per event, with plugin path / event / command / count in the warning. 
Fail-soft on JSON errors, hourly debounce, advisory only. stop-hook-sigterm-wrapper.sh (PR #513, 16 tests) covers 21D — wraps the claude invocation, traps SIGTERM/SIGINT, writes a JSON state file at every transition (running / completed / killed-sigterm / killed-sigint / killed-timeout / killed-sigkill / error) with atomic-write semantics so an external supervisor can decisively distinguish "completed cleanly" from "killed mid-work" — addresses the case where a timeout wrapper's exit 124 left the Stop hook's marker file stale, surfacing a prior run's completion summary on what was actually a killed run. Configurable via CC_STOP_SIGTERM_MARKER_DIR, CC_STOP_SIGTERM_WRAPPER_CMD, CC_STOP_SIGTERM_DISABLE. Hooks 21B / 21C / 21E / 21F remain upstream-only — the harness needs to provide the missing lifecycle events, variable expansion, cleanup cascade, and PATH-restored environment for hook execution. Recommended complementary tool: cozempic (319 stars, 50k+ downloads, Python guard daemon by junaidtitan) — context cleaning across 18 pruning strategies, addresses the cumulative-bloat side that detection-only hooks cannot intervene in. Surfaces in the #63015 discussion thread as the intervention layer paired with cc-safe-setup's detection layer. Tracked at cluster-tracker.html. Same structural-cluster shape as Cluster 7 / Cluster 17: validation pipeline and lifecycle pipeline both have unmonitored silent-divergence paths.
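The per-event duplicate counting that 21A detection relies on, as an added Python example (not the repo's plugin-hooks-json-bloat-detector.sh): it walks every hooks/hooks.json under the plugin cache, counts each command string separately per event bucket so a command legitimately registered on both PreToolUse and Stop is not flagged, warns when a single command exceeds the threshold for one event, and fails soft on unreadable or malformed files. Assumptions: hooks.json uses the Claude Code hooks layout (event name → list of matcher groups → hooks list with command entries, with or without a top-level "hooks" wrapper), the threshold comes from CC_PLUGIN_HOOKS_BLOAT_THRESHOLD (default 5), and make_sample() builds a constructed file reproducing the additive-growth shape rather than a real plugin's file.

```python
"""Duplicate-registration detector for plugin hooks.json files (Cluster 21A).

Added example of the detection logic, not the repo's own hook. Assumptions:
hooks.json has the Claude Code hooks layout, either
{"hooks": {"PreToolUse": [{"matcher": ..., "hooks": [{"type": "command", "command": ...}]}]}}
or the bare event map at top level; threshold from CC_PLUGIN_HOOKS_BLOAT_THRESHOLD.
"""
import glob
import json
import os
from collections import Counter

DEFAULT_THRESHOLD = 5


def event_map(doc):
    """Return {event: [matcher groups]}, accepting both the wrapped and bare layouts."""
    if isinstance(doc, dict) and isinstance(doc.get("hooks"), dict):
        return doc["hooks"]
    return doc if isinstance(doc, dict) else {}


def count_commands(doc):
    """Count registrations of each (event, command) pair. Events are bucketed
    separately: the same command on PreToolUse and on Stop is two pairs, not a
    duplicate, so legitimate cross-event registrations do not trip the detector."""
    counts = Counter()
    for event, groups in event_map(doc).items():
        if not isinstance(groups, list):
            continue
        for group in groups:
            if not isinstance(group, dict):
                continue
            for hook in group.get("hooks") or []:
                cmd = hook.get("command") if isinstance(hook, dict) else None
                if cmd:
                    counts[(event, cmd)] += 1
    return counts


def bloat_warnings(doc, path="<inline>", threshold=DEFAULT_THRESHOLD):
    """One warning dict per (event, command) whose count exceeds the threshold."""
    return [
        {"plugin": path, "event": event, "command": cmd, "count": n}
        for (event, cmd), n in sorted(count_commands(doc).items())
        if n > threshold
    ]


def scan_plugin_cache(cache_root=os.path.expanduser("~/.claude/plugins/cache"), threshold=None):
    """Walk every hooks/hooks.json under the plugin cache. Fail soft on I/O or
    JSON errors: an advisory hook must never break session start on a bad file."""
    if threshold is None:
        threshold = int(os.environ.get("CC_PLUGIN_HOOKS_BLOAT_THRESHOLD", DEFAULT_THRESHOLD))
    warnings = []
    for path in glob.glob(os.path.join(cache_root, "**", "hooks", "hooks.json"), recursive=True):
        try:
            with open(path, encoding="utf-8") as f:
                doc = json.load(f)
        except (OSError, ValueError):
            continue
        warnings.extend(bloat_warnings(doc, path, threshold))
    return warnings


def make_sample(repeats):
    """Constructed hooks.json reproducing the additive-growth shape: one command
    appended `repeats` times under PreToolUse, plus one legitimate Stop registration."""
    cmd = "${CLAUDE_PLUGIN_ROOT}/hooks/guard.sh"
    return {"hooks": {
        "PreToolUse": [{"matcher": "Bash", "hooks": [{"type": "command", "command": cmd}]}] * repeats,
        "Stop": [{"hooks": [{"type": "command", "command": cmd}]}],
    }}


if __name__ == "__main__":
    for w in bloat_warnings(make_sample(122), "sample-plugin/hooks/hooks.json"):
        print(f"WARN {w['plugin']}: {w['event']} registers {w['command']} {w['count']}x")
    for w in scan_plugin_cache():
        print(w)
```

Because the count is keyed on the exact command string, a plugin that registers the same script under two different paths (say, with and without the ${CLAUDE_PLUGIN_ROOT} expansion from 21B) shows up as two separate rows rather than one inflated one; that is the desired behaviour for a detector whose job is to surface the harness re-appending identical entries.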
NEW 2026-05-31 Cluster 13 extension (no install): Cluster 13 — 2026-05-31 Extension: Two New Trigger Surfaces, One Candidate Sub-Pattern, and the Fleet-Onset Confirmation — ~2,700-word delta document folding in three new data points from the past 72 hours: (a) Benjamin-Sterrett's confirmation of sub-pattern 13C on Opus 4.8 with two new trigger surfaces (mixed-tool-type cancellation Bash + TaskCreate, blocking-poll cancellation Bash(sleep 120; …)) — the mixed-tool result places the corruption on the parallel-batch cancellation path itself, killing the "Bash-streaming-specific" hypothesis; (b) MMoMM-org's post-/clear 400 that doesn't fit cleanly into 13A–13D, tracked as candidate sub-pattern 13H pending disambiguation; (c) fleet-onset 2026-05-28 confirmation on claude-opus-4-8 tying the cluster surge directly to the 4.8 rollout (consistent with #63412). Updates the operator-side mitigation framework to six tiers, articulates three token-consumption cost surfaces, revises the operator-advisory-hook coverage matrix. Companion to the original Cluster 13 field guide below.
NEW Free Cluster 13 (Extended-Thinking Session Wedging) field guide (no install, 2026-05-29): Extended-Thinking Session Wedging — A 36-Hour Surge with 4 Sub-Patterns and Operator-Side Recovery Paths — ~2,800-word writeup of the 15+ open-issue cluster filed 2026-05-28 onward, ~140 combined reactions on the central cases, reproduced across Claude Code v2.1.143, v2.1.150, v2.1.153, v2.1.154 — version-independent. Four sub-patterns sharing one root failure mode (thinking-block serialization not surviving the round-trip): 13A resume serialization corruption (#63147, 33 reactions, canonical root-cause analysis by @jdrolls), 13B cancel-during-AskUserQuestion poisoning (#63143), 13C parallel-tool-batch cancellation corruption (#63192), 13D intermittent signed-thinking-block replay (#63335 + 10+ duplicate-flagged reports). Once triggered, the corrupted assistant message lands in transcript history; every subsequent turn re-sends and re-fails identically. /exit or /clear are the only escapes — both at the cost of the session's working context. Two defense hooks shipped (2026-05-29 and 2026-05-30): extended-thinking-resume-warning.sh (PR #445, 54 tests) — SessionStart hook that detects the 13A precursor shape (thinking blocks with empty text but non-empty signature) in the transcript and emits a non-blocking advisory before resume actually fires the 400. Plus extended-thinking-loop-guard.sh (49 tests, shipped 2026-05-30) — opt-in BLOCKING SessionStart complement that addresses the LMS927369 amplification reported in the #63147 thread on 2026-05-29: under /loop or other autonomous-resume harnesses, the one-time 13A failure becomes an unrecoverable infinite loop because nobody is watching stderr in the moment and the non-blocking advisory cannot break the retry cycle. 
The loop-guard hook is a silent no-op by default (safe to drop into broadly-applied settings.json); it arms only when the operator declares autonomous-run intent via CC_LOOP_GUARD_ENABLED=1, then exits 2 with a decision block when the precursor is detected so the blocking exit propagates into the loop layer. Three more advisory hooks in design for 13B/13C/13D, targeting June 2026. The cluster's recovery surface is structurally narrower than earlier clusters because the serialization (13A) and cancellation paths (13B, 13C) happen inside Claude Code's transcript writer and streaming-response handler, where hooks cannot reach. Complementary post-hoc transcript repair tool: miteshashar/claude-code-thinking-blocks-fix — for operators currently in a wedged session, this is the recommended entry point. Also serves as the working preview for the 2027-02 Safety Lab chapter.
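The 13A precursor scan and the advisory/blocking split between the two shipped hooks, as an added Python example (not the repo's extended-thinking-resume-warning.sh or extended-thinking-loop-guard.sh): it reads a transcript line by line, flags assistant thinking blocks whose text is empty while their signature is non-empty, and exits 0 (advisory) unless CC_LOOP_GUARD_ENABLED=1 arms it, in which case it exits 2 so the blocking status reaches the loop layer. Assumptions: the transcript is JSONL with one record per line, assistant records carry message.content as a list of blocks, and thinking blocks have the Messages API shape {"type": "thinking", "thinking": ..., "signature": ...}; SAMPLE_TRANSCRIPT is constructed.

```python
"""Precursor scan for sub-pattern 13A: a thinking block with empty text but a
non-empty signature, found in the transcript before resume re-sends it.

Added example of the detection logic, not the repo's hooks. Assumptions:
JSONL transcript, assistant records with message.content as a block list,
thinking blocks shaped {"type": "thinking", "thinking": ..., "signature": ...};
CC_LOOP_GUARD_ENABLED=1 switches the exit status from 0 (advisory) to 2 (block).
"""
import json
import os
import sys


def is_precursor_block(block):
    """The 13A shape: a signed thinking block whose text did not survive the round-trip."""
    return (isinstance(block, dict)
            and block.get("type") == "thinking"
            and not (block.get("thinking") or "").strip()
            and bool(block.get("signature")))


def find_precursors(jsonl_lines):
    """Return (line_number, block_index) for every precursor-shaped block.
    Malformed lines are skipped: a SessionStart scanner must never crash the session."""
    hits = []
    for lineno, raw in enumerate(jsonl_lines, start=1):
        try:
            rec = json.loads(raw)
        except ValueError:
            continue
        if not isinstance(rec, dict) or rec.get("type") != "assistant":
            continue
        content = (rec.get("message") or {}).get("content")
        if not isinstance(content, list):
            continue
        for idx, block in enumerate(content):
            if is_precursor_block(block):
                hits.append((lineno, idx))
    return hits


def decide(hits, loop_guard_enabled):
    """Exit status for the hook: 0 = clean or advisory only, 2 = block (armed guard)."""
    if not hits:
        return 0
    return 2 if loop_guard_enabled else 0


# Constructed transcript: one healthy thinking block, one 13A-shaped block, one junk line.
SAMPLE_TRANSCRIPT = [
    json.dumps({"type": "user", "message": {"role": "user", "content": "resume"}}),
    json.dumps({"type": "assistant", "message": {"role": "assistant", "content": [
        {"type": "thinking", "thinking": "Plan: read the file first.", "signature": "sig-ok"},
        {"type": "text", "text": "Reading."}]}}),
    json.dumps({"type": "assistant", "message": {"role": "assistant", "content": [
        {"type": "thinking", "thinking": "", "signature": "sig-orphan"},
        {"type": "text", "text": "Done."}]}}),
    "{not json",
]


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            lines = f.readlines()
    else:
        lines = SAMPLE_TRANSCRIPT
    hits = find_precursors(lines)
    armed = os.environ.get("CC_LOOP_GUARD_ENABLED") == "1"
    if hits:
        where = ", ".join(f"line {ln} block {bi}" for ln, bi in hits)
        mode = "BLOCKING" if armed else "advisory"
        print(f"[13A {mode}] {len(hits)} empty-text signed thinking block(s): {where}; "
              f"resuming will likely 400 until the transcript is repaired", file=sys.stderr)
    return decide(hits, armed)


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python scan.py ~/.claude/projects/<project>/<session>.jsonl` to check a session before resuming it; with no argument it scans the constructed sample. The default exit 0 is what makes the same script safe in a broadly applied settings.json: it only becomes a gate once an operator has explicitly declared autonomous-run intent.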
NEW 2026-05-30 morning: Cluster 13 extension — three new sub-patterns and 13G defense hook shipped: 48 hours after the original Cluster 13 field guide above, the open-issue count crossed 180+ with 50+ new filings in the 5/28–5/29 window. Three new sub-patterns emerged that don't fit cleanly under 13A–13D: 13E Dynamic tool loading (ToolSearch) re-modifies signed thinking blocks every turn (#63792) — not a session wedge but a per-turn strip-and-retry cascade burning latency and tokens. 13F v2.1.154 context-ops (/compact, /clear, model-switch) emit system role at messages[0] plus modified signed thinking blocks (#63396) — overlaps with Cluster 16 but distinct via the simultaneous thinking-block corruption. 13G Opus 4.7→4.8 mid-conversation model-swap incompatibility (#63607, #63606, #63612, #63412) — the error text differs ("must remain as original response" rather than "cannot be modified"), strip-on-retry does NOT recover, and stay-on-4.7 + pin-2.1.152 is the only known full fix. Third defense hook shipped 2026-05-30: opus48-thinking-wedge-advisor.sh (PR #471, 34 tests) — Notification hook that detects the 13G transition shape (Opus 4.7 → Opus 4.8 model swap with prior signed thinking blocks in the transcript) and emits a stay-on-4.7 advisory with the four central issues referenced. Complements model-version-change-alert.sh (which fires on any model change) by articulating the 13G-specific failure mode and workaround. The deep synthesis comment on #63147 consolidates all seven sub-patterns (13A–13G) with the three escalating operator-side workaround tiers. Three more advisory hooks remain in design for 13B/13C/13E, targeting June 2026.
UPDATED 2026-05-29: Free Cluster 12 (Tool Call Parsing failures in Opus 4.7) field guide with four shipped defensive hooks: Tool Call Parsing Failures in Opus 4.7 — A Five-Issue Cluster with Four Shipped Defenses — 2,860-word writeup of a five-issue cluster filed 2026-04-17 to 2026-05-27 where Opus 4.7 emits tool calls the harness cannot parse, and the failure recurs deterministically across retries. Central case #62123 (21 reactions). Four independent root-cause hypotheses pinned by separate filings, each now with a shipped advisory hook in this repo: in-context few-shot poisoning (#62344, defense PR #406: long-session-malformed-tool-call-detector.sh, 40 tests), extended-thinking serialization defect (#62467, defense PR #419: extended-thinking-tool-use-mismatch-detector.sh, 43 tests), spurious malformed notice (#62700, defense PR #423: spurious-malformed-notice-detector.sh, 53 tests), and the legacy XML format mix precursor (#49747, defense PR #424: xml-format-leak-detector.sh, 58 tests). The four hooks together cover all four sub-patterns at the advisory level — the recovery surface is structurally narrow because hooks cannot reach the model attention / harness parser / serialization layers where failures originate, but the hooks tell operators which sub-pattern they are seeing so the right recovery is applied (misapplied /clear on 12B or 12C burns context for no benefit). The gist's section 5 documents copy-paste install for all four hooks. Also serves as the working preview for the 2027-01 Safety Lab chapter.
Free design philosophy articulation (no install, comprehensive): Operator-Side Defense as a Wrapper Layer: A Pattern for Cooperating With Broken Upstream Subsystems Without Replacing Them — articulates the principle behind all 790+ hooks in this repo: wrap broken upstream subsystems rather than replace them in user-space. Three wrapper sub-patterns (advisory-only / receipt-emitting / validation-gating), two case studies (Cluster 6 axis-defense suite — 5 of 5 axis-specific hooks now shipped as of 2026-05-29 — vs Cluster 1 receipt-emitting hooks), three failure shapes where wrapping is not enough, and a four-check evaluation framework for third-party hooks before installing. Especially useful when choosing between installing a hook from this repo and writing your own. 2,791 words.
NEW Free Claude Code book selector (5-question interactive, browser-only, 2026-05-29): Five Zenn books ship under similar-sounding titles (incident prevention, token savings, AGENTS.md interop, Skills, June 15 cliff survival). This 5-question tool maps your specific pain × usage stage × monthly cost × incident history × budget to one specific book recommendation (or a bundle, or "no purchase, free preview is enough"), with the per-book score shown so you can override the recommendation if you disagree. JP-language, no signup, no telemetry, single HTML → Which Book Is For Me?. Background: the five Zenn books (¥500–¥2,500) collectively accumulated ¥11,373 in sales over 3 months (March–May 2026); the highest-volume seller is the Incident Prevention book (¥800, 6 copies sold, 21 chapters including 4 cluster additions in the last week of May). The tool surfaces which book actually fits your situation rather than leaving readers to guess from titles. Includes optional Safety Lab (¥500/month) cross-sell logic for high-monthly-cost or June-15-affected operators.
NEW Free Hook Recommender (5-question interactive, browser-only): narrow the 790+ hooks in this repo to a 3-5 hook starter pack matched to your cluster (1-7 + session-loss + general hardening) × operator setup (solo / consultant / production) × risk concern × existing install × defense style. Each recommendation includes the install command, the settings.json wire-up location, and a wrapper-layer pattern badge (advisory / receipt / validation / enforcement) so you know what shape each hook is before installing. Output never installs anything → cc-safe-setup Hook Recommender.
NEW Free Cluster 10 field report (no install, 2026-05-29): Server-Pushed Feature Flags Are Rewriting Your Claude Code State — A field guide to Cluster 10: GrowthBook A/B overrides — 2,487-word articulation of the 58-issue 2-week surge. Three converging axes (periodic ~9-minute re-sync, no release boundary, five documented override paths). Two anchor cases: #62205 traces tengu_quill_harbor + tengu_permission_friction silently overriding defaultMode: bypassPermissions; #63015 traces tengu_compact_cache_prefix gating a compaction dispatch path that fails silently while the statusline reports 100% context used. Three shipped operator-side hooks: growthbook-flag-monitor.sh (PR #402), compact-dispatch-watchdog.sh (PR #413), permission-mode-drift-guard.sh. Names the structural limit: the server-pushed dispatch path itself is unreachable from any operator hook surface. Monthly operator checklist. Also serves as the working preview for the 2026-10 Safety Lab chapter.
Free Skills metadata cluster field report (no install): The Claude Code Skills Cluster: Operator's Field Guide (May 2026) — articulation of the 7th cluster: four failure modes (settings fabrication including the canonical disabledSkills no-op #62421, frontmatter not honored, discovery mismatch, partial loading and hook integration gaps), nine representative issues from the 14-day window, three detection paths, and four operator-side defenses. Also serves as the working preview for the 2026-10 Safety Lab chapter. First defense hook shipped: skills-settings-validator.sh (PR #357) detects fabricated Skills-related settings fields at SessionStart.
Free TUI / Terminal UX cluster field guide (no install): Cluster 5: TUI / Terminal UX — Operator's Field Guide (May 2026) — survey of the four sub-clusters within Claude Code's terminal UI failure surface (terminal rendering, input handling, display/visibility, missing TUI features), drawn from the 1,229+ open area:tui issues. Documents why this cluster has no hook-level intervention (the surface belongs to Anthropic's React-for-CLI implementation) and the workflow-level workarounds operators can apply today.
Free June 15 calculator (browser-only, no signup): paste your last 30 days of usage, get your projected post-June-15 spend → Pool 2 estimator
Free June 15 readiness audit (10-question): get a readiness score (0-100) with each gap mapped to a Migration Playbook chapter → June 15 Readiness Audit
NEW Free June 15 cost-of-inaction calculator (5-question, browser-only): quantify what doing nothing about the June 15 billing split will cost over 14, 30, and 90 days, versus the cost of preparing → Cost-of-Inaction Calculator. Uses industry-analyzed workload multipliers (12× light → 18× autonomous-Sonnet point estimates within the 12-175× public range) plus an overage-frequency adjustment to project doing-nothing cost, then maps the result to the appropriate next-step companion tool (Pool 2 Estimator if not yet quantified / Readiness Audit if quantified but no plan / Migration Plan Generator if ready to pick a path). Direct API users are flagged as exempt with no action required.
NEW 2026-05-30 afternoon: Free Cliff Audit Comparison tool (5-input, browser-only, no telemetry, MIT): Cliff Audit Comparison — paste your past 7-day ccusage numbers (notional cost, cache read tokens, total tokens, output tokens) plus your plan and claude -p mix, get per-axis verdicts vs my published benchmark ($3,128/week notional, 99.06% cache read ratio, ~0% Pool 2 exposure). Outputs: cost-ratio classification, cache-ratio band (excellent/good/moderate/low), subscription leverage ratio (with break-even threshold), Pool 1 vs Pool 2 split with cliff-impact verdict, and personalized recommendations linking to cc-safe-setup hooks, Migration Playbook chapters, and the pre-cliff baseline logging checklist. Companion to the audit Gist below — use the Gist for context, the tool for your own number.
NEW 2026-05-30: Free Public Operator Audit — what 4 weeks of 24/7 autonomous Claude Code actually looks like in numbers (no install, 2,126 words): 16 Days to the June 15 Cliff: My Own Claude Code Audit — actual ccusage numbers from my own Pro Max account on 2026-05-30 (16 days before the cliff). Past 7 days: $3,128 notional cost (covered by $200 Pro Max subscription = 15.6× leverage ratio), 99.06% cache read ratio across 4 weeks, ~0% Pool 2 exposure (almost all interactive sessions, no claude -p automation). Documents the four hooks I activated specifically for cliff prep (cache-creation-drift-detector, quota-anomaly-detector, session-rate-monitor, claim-verify-audit) with the rationale for each. Includes a 5-command audit you can run on your own account in 5 minutes to compare. Public benchmark / sanity check / "what does heavy autonomous use actually cost" reference. MIT, no telemetry.
NEW 2026-05-31: Free Cliff Prep for Hobby Claude Code Users — for the readers whose spend isn't producing revenue (no install, 2,093 words, MIT): Cliff Prep for Hobby Claude Code Users — honest counterpart to the public operator audit above. Most cliff guides (mine included) assume the reader is a working operator optimizing setup before June 15. This one is for the camp who pays for Claude Code as a hobby and hasn't tied it to revenue. Three concrete cases (Pro Max + interactive only / Pro Max + a few cron jobs / elaborate automation that doesn't make money) with a minimal cliff-prep checklist per case. Explicit "don't buy my paid products" framing for hobby users — the Migration Playbook ($19) and Safety Lab (¥500/mo) are operator-fit, not hobby-fit. Companion read for the r/ClaudeAI cost/billing pain survey Gist which identified the hobby-vs-operator split in this week's community discussion.
NEW Free post-cliff operator's calendar (no install, comprehensive): week-by-week navigation guide for the 30 days AFTER June 15 lands — Week 1 (immediate verification of pre-cliff projection vs actual), Week 2 (plan validation with real post-cliff data), Week 3 (execute Plan B/C/D migration if validation says so), Week 4 (measure trend, verify correction held), Week 5 (lock in steady state, document the cycle) → Post-Cliff Operator's Calendar. Each week names the specific data to collect, the cluster signals to watch on the tracker, and which hooks become more valuable post-cliff. 2,390 words. Companion to the pre-cliff Pool 2 Estimator and Cost-of-Inaction Calculator above.
Free May 22-24 cost catastrophe analysis (no install): Three Cost Catastrophes from May 22-24 — structural analysis of $47K/3-day subagent runaway, 887K-tokens/min parallel-49 burn, and $6K-overnight cache-TTL surprise, mapped to three operator-side preventions (cc-safe-setup PR #298, #286, #283)
Free deep-dive on the 887K-tokens/min event: How Parallel Sub-Agents Multiply Context Beyond Linear Scaling — the structural reason 49 agents cost 4x linear estimate, and three stacked defense patterns (velocity guard, parallel cap, wall-clock bound)
Decision framework: Claude Code Migration Playbook ($19, Edition 2 included) — 14 dated triggers, 3 migration paths, decision tree from your daily burn rate to one of stay/switch/hybridize
Operator-side defense for sub-agent silent failures (DSSC framework): Sub-Agent Observability Handbook — free chapter previews (paid PDF release date TBD) — Dispatch fabrication, Silent stall, Scope expansion drift, Claim-verify gap. Four sub-patterns articulated from a 7-issue 72-hour cluster filed 2026-05-20 to 05-22 (#60987, #61102, #61107, #61167, #61315, #61405, #61547), with one follow-on report on 05-25 (#62161). Each sub-pattern maps to a cc-safe-setup defense hook (PR #283, #286, #298, #282). Average fleet savings $40-150/month per the Sub-Agent Failure Cost Calculator. Free diagnostics: 5-question persona-based self-audit (5 min — classifies your operator persona as Solo Casual / Solo Pro / Consultant / Production Fleet, estimates monthly cost of inaction, recommends chapter + hook combination), NEW 5-question chapter selector (3 min — recommends which of the 7 chapters to read first based on the symptom you're seeing, your operator setup, experience, and what you want from the read; links directly to the relevant free preview Gist), 12-symptom comprehensive checklist (slower, every symptom in the cluster), field report (~2,750 words), hook map (this repo)
Operator-side defense for multi-account workflows (work + personal, consultants, enterprise multi-org): Multi-Account Operator Field Guide (Japanese edition) — five patterns for the 1,178-cumulative-reaction GitHub cluster (#18435 + #27302 + #36151). Free 7-question interactive self-audit classifies your persona (work+personal / consultant / enterprise multi-org) and recommends the pattern combination in five minutes. Two new hooks shipping in this repo: account-routing-preflight.sh (SessionStart preflight refusal on mismatch) and account-billing-log.sh (Stop hook per-session billing log for consultants invoicing clients)
AGENTS.md interop for multi-tool teams (Claude Code + Codex/Cursor/Amp/Aider): AGENTS.md Operator Field Guide (Japanese edition) — five operator-side patterns for the 5,185-reaction interop gap (#6235, the single largest open feature request on the tracker). Symlink, pre-commit sync, SessionStart hook merge, direnv-based routing, CI drift detection. Free 6-question interactive self-audit classifies your persona (solo / mixed-tool team / OSS maintainer) and recommends the pattern combination factoring in drift severity, scale, platform constraints, and tooling appetite. No new tooling beyond Bash, git, and optionally direnv. NEW (2026-06-02): scripts/agents-md-sync-setup.sh does the symlink setup in one safe command — dry-run by default, backs up any file before replacing it, and refuses to touch the files when their contents differ, so no instructions are ever lost. This complements the two detection hooks (agents-md-sync-checker, agents-md-edit-drift-warner), which only warn about drift; this script fixes it at the source. NEW (2026-06-02): AGENTS.md Setup Generator — goes one step past the self-audit. Tick the exact tools you run (Claude Code, Codex, Cursor, Windsurf, Cline, Amp, Aider) plus your platform and solo/team, and it prints the precise copy-paste setup: the @AGENTS.md import or a symlink for Claude Code (whichever fits your case — import when you need Claude-only lines or you're on Windows), a one-line symlink for each tool that reads its own file, "no setup" for the ones that read AGENTS.md natively, and a pre-commit drift guard for teams. Browser-only, no upload, no telemetry, MIT. The self-audit tells you which pattern; this gives you the exact commands.
Operator-side defense for running several AI CLIs at once (Claude Code + Codex / Gemini / Cursor / Aider / Amp pointed at the same repo): Multi-Vendor Fleet Field Guide (Japanese edition) — written as a direct response to #64080, where an operator running four tools in parallel asked someone to flag the pattern. 10+ independent operators run this workflow (Qiita's nogataka, note's ゆうや, the 693-star parallel-code). Two failure modes neither tool can see on its own: conflicting edits to the same file, and combined cost that no single vendor's meter shows (parallel runs multiply it 3-5x). NEW (2026-06-02): examples/multi-vendor-concurrent-warner.sh — a SessionStart advisory that checks the process table for other AI CLIs and, if one is live, prints a one-time note to coordinate scope and watch combined cost. Advisory only: it never blocks and never inspects the other tool. All process names env-overridable via CC_MULTI_VENDOR_PROCS. Free 5-question fleet-fit diagnostic (English · Japanese) (browser-only, no upload) scores whether you are running a multi-vendor fleet and which cost shape (write-amplification / claim-race / reasoning cost) is hitting you hardest, then points to the matching resource.
Stay ahead of failure clusters before they hit your sessions: CC Safety Lab Founder Membership (¥500/month, Founder pricing locked) — monthly delivery of 4-8 new clusters with fixes + 1-2 copy-paste defense hooks within 14 days of each cluster's emergence. One avoided Max-plan incident covers a year of membership. June 2026 centers on the 17-day cliff playbook; July centers on the AGENTS.md interop cluster.
| Hook | Prevents | Related Issues |
|---|---|---|
| Destructive Guard | rm -rf /, git reset --hard, git clean -fd, git checkout --force, sudo + destructive, PowerShell Remove-Item -Recurse -Force, rd /s /q, NFS mount detection | #46058 #36339 #36640 #37331 |
| Branch Guard | Pushes to main/master + force-push (--force) on all branches | |
| Secret Guard | git add .env, credential files, git add . with .env present | #6527 |
| Syntax Check | Python, Shell, JSON, YAML, JS errors after edits | |
| Context Monitor | Session state loss from context window overflow (40%→25%→20%→15% warnings) | |
| Comment Stripper | Bash comments breaking permission allowlists | #29582 |
| cd+git Auto-Approver | Permission prompt spam for cd /path && git log | #32985 #16561 |
| API Error Alert | Silent session death from rate limits or API errors, desktop notification + log | |
Each hook exists because a real incident happened without it.
| Tool | What it does |
|---|---|
| Token Checkup | 5 questions → find where your tokens are going (30 seconds) |
| Security Checkup | 6 questions based on real incidents ($1,800+ in losses) |
| Version Check | Is your CC version affected by cache inflation? |
| Failure-Mode Cluster Tracker | Public registry of structural failure clusters in Claude Code (SOH, multi-account, AGENTS.md, Pro Max quota, TUI/UX, permission matching, Skills metadata, v2.1.150 server-side prompt injection, AUP false-positive — combined ~11,590 user reactions across 145+ open issues), with shipped defense hooks and upstream status. Updated as clusters evolve. |
| NEW Multi-Vendor Fleet Diagnostic (2026-06-02) | 5 questions → are you running a multi-vendor agentic fleet (Claude Code + Codex / Gemini / Cursor / Aider), and which cost shape (write-amplification / claim-race / reasoning cost) is hitting you hardest? Routes to the matching resource. Browser-only, no upload. Pairs with the multi-vendor-concurrent-warner.sh hook. Japanese edition included. |
| NEW Skills Audit Tool (2026-05-29) | Drop your Claude Code session log (~/.claude/projects/*.jsonl), see which of your installed Skills actually fire vs sit idle. The r/ClaudeAI audit (2026-05) found half of installed skills never activate, burning ~23K context tokens per session; this tool quantifies that waste for your specific setup. Browser-only, no upload, no telemetry. The author's own audit: 111 installed skills, 0 invocations across 10 recent sessions, ≈ 5K context tokens wasted per session. |
| Guide | What it covers |
|---|---|
| NEW Billing surprises: why your subscription/credits drain unexpectedly (2026-06-02) | Five common causes of unexpected Claude Code quota/credit consumption, each with a read-only check and the fix: ANTHROPIC_API_KEY auth precedence overriding your subscription, the June 15 Agent SDK credit split (claude -p/SDK move to a separate pool), cache-creation inflation, parallel-agent cache re-creation, and trial-and-error quota loops. Browser-only reference. |
| 6-hook fortification for the 2026-04 regression cluster | The April 2026 postmortem recap + which 6 cc-safe-setup hooks would have caught each issue. No signup. |
| Find which CC versions ran your cache regression sessions | One-line grep + jq diagnostic over ~/.claude/ logs. Shows per-day per-version count of sessions affected by #46829/#46917. |
| /usage --json: 5 fields, one ratio that decides whether you migrate | cache_creation_ratio cheat sheet for the v2.1.118 /usage --json output. Five fields and one ratio with HEALTHY / WATCH / TRIGGER bands so you can decide migration timing from your own logs, no third-party dashboard. |
| PocketOS 9-second wipe, 3-prevention audit script | Read-only audit script (Railway / AWS / GCP / GitHub examples) for the three preventions surfaced by the 2026-04-25 PocketOS production-database wipe (HN 817pt). No destructive commands; prints questions and read-only checks you run yourself. |
| Postmortems incident #1 free preview, cache TTL regression Signal + Diagnosis | Verbatim chapter excerpt from the Postmortems book (live on Gumroad since 2026-05-05). Three read-only checks (one minute total) to tell whether the March 2026 cache TTL regression hit your sessions, no purchase required. |
| Copilot 2026-06-01 transition pre-flight checklist | Five read-only audit steps to run today before GitHub's "Preview my bill" tool launches in early May. Identifies your tier, inventories your past 30-day usage by surface, and stages the stay/switch/hybridize decision tree against your own numbers. No purchase required. |
| Five primary-source-verified Claude Code signals (2026-04-26 to 2026-04-28) | 48-hour roundup with audit one-liners. #52921 (Max 20× weekly limits resetting on a ~24-hour cycle, Anthropic in-app support acknowledged), #53489 (Web MCP connectors lost + v2.1.120 force-rolled-back within 24h), #53262 (HERMES.md substring routing), plugin hook path drift cluster, and the 2026-04-25 Anthropic Rate Limits API release. Two issues independently primary-source-verified. |
| claim-verify-audit.sh — 8 diagnostic checks for the May 2026 failure-mode cluster | One-shot read-only audit (single bash file, MIT). Eight checks against documented patterns: 8.3 short-name allow-rule bypass (#58614), skill bloat token tax (Reddit 1tbbove), session backup absence (#58608), .env subagent inheritance (#57068), auto-compact drift (#57490 + #58373), bypassPermissions remote override (#57810), settings.json JSON validity (#57491), cache-trail forensic (#58608). Each finding cites the source issue + the prevention chapter. Run with bash scripts/claim-verify-audit.sh from any working directory. Also published as a standalone Gist. |
| Claude Code Changelog History Viewer | Single-page HTML tool that fetches the live CHANGELOG.md from anthropics/claude-code and compares against a previous snapshot you paste in. Highlights lines silently removed (documented case: 2026-05-21 commit 65d44eb134e6 silently removed the /workflows feature entries — see companion Qiita post for the audit). Includes a cron-friendly shell script for daily local snapshots. No telemetry. CC0. |
| Claude Code June 15 2026 Billing Cliff Calculator | Single-page interactive estimator for the 2026-06-15 claude -p programmatic-usage credit-pool separation. Input your plan tier (Pro $20 / Max 5× $100 / Max 20× $200), estimated monthly API-equivalent spend, and programmatic share — get the projected overage and a severity rating with five defense-path links. No telemetry. CC0. |
| Why Claude Code Hits Limits Instantly — 3 causes, 5 defense paths | English long-form (~2,200 words). The structural distinction between server-side rate limiting (Server is temporarily limiting requests (not your usage limit)) and per-call quota burn (e.g. 2% of monthly usage in a single call, as reported on r/ClaudeCode 2026-05-23). Covers v2.1.149 /usage per-category breakdown and the June 15 cliff context. Five concrete defense paths with hook references. CC0. |
| Margin Lab confirms Claude Code Opus 4.7 degradation since 2026-05-22 — four operator paths before the June 15 cliff | English long-form (~1,700 words). Independent third-party (Margin Lab) statistical confirmation that Opus 4.7 7-day pass rate fell from 65% baseline to 57% (delta -8 points, exceeds the 4.3% threshold at 95% CI on SWE-Bench-Pro daily evals). Cross-source verification with five r/ClaudeCode posts, the parallel Sonnet 4.5 deprecation, and the HN "Codex dethroned" narrative. Pairs the degradation signal with the four operator paths (interactive collapse / claude -p optimization / API migration / mixed routing) and a seven-day audit sequence so operators can translate the aggregate signal into a workload-specific decision before 2026-06-15. CC0. |
| Margin Lab's evidence of Opus 4.7 degradation since May 22, and four response paths with 18 days left until June 15 | Japanese long-form (~5,800 characters). Companion to the English Margin Lab Gist above for Japanese operators. Same Margin Lab statistical evidence (65% baseline → 57% 7-day pass rate, -8 points at 95% CI significance) plus cross-source verification, the four operator paths (Migration Playbook v2 framework), and the seven-day workload audit sequence. Cross-links to the opus-degradation-tracker hook (PR #394) for personal eval-log monitoring. CC0. |
| The 4-path decision tree for Anthropic's June 15 Claude Code cliff | English long-form (~2,043 words, 2026-05-28). Single-piece walkthrough of the four operator-side response paths to the June 15 Pool 2 split. Articulates each path's fit/doesn't-fit, the M metric (monthly programmatic cost at standard API rates) and three measurement sources, the 15-minute pre-flight audit, and the embedded operator-side flow through the credit cliff calculator and the new 4-path picker (5 inputs → recommended path with reasoning). CC0. |
| Interactive 4-path picker (Japanese, 2026-05-28) | Browser-side decision tool. Five inputs (plan / M value / automation frequency / API-rate budget tolerance / technical capacity) → one of four operator response paths (consolidation / claude -p optimization / API migration / mixed routing) with reasoning. Complements the credit cliff calculator (which answers how much will you overage) by answering which path you should pick. Self-contained HTML, no signup, no tracking. CC0. |
| June 15 cliff 14-day preparation plan (2026-05-31) | Japanese day-by-day plan for the 14 days preceding the June 15 cliff (2026-06-01 through 2026-06-14). Covers baseline capture procedure, the four operator response paths, Pool 2 minimization steps, cc-safe-setup hook installation timing, and post-cliff diff capture procedure (2026-06-16 onward). Built from the author's own 800-hour autonomous-run operating context (¥36,000/month subscription, ¥11,373 lifetime book revenue, sustained net loss). Free, MIT. |
| June 15 cliff 14-day preparation plan — English (2026-05-31) | English long-form (~1,900 words, MIT) companion to the Japanese plan above. Day-by-day actions for 2026-06-01 through 2026-06-14 plus post-cliff diff capture (2026-06-16 onward). Same author-honesty signal (¥36,000/month subscription, ¥11,373 lifetime book revenue, sustained net loss). Includes the four-path decision rule based on the post-cliff Pool 2 multiplier (path 1 consolidation if ≤3×, path 2/4 if 3-10×, path 3 API migration if ≥10×). |
| Three layers of operator-side control in Claude Code: prose, permissions, hooks | English long-form (~2,500 words). Reference for which surface fits which failure shape: Layer 1 (CLAUDE.md prose — drifts under context pressure), Layer 2 (settings.json permissions — reliable but tool-class granularity), Layer 3 (hooks — out-of-band, can inspect tool args or transcript). Anchored in #61929 (inverted-judgment cluster: field-catalog example + AUQ case-3) and the authorized-reconfirmation-detector.sh Stop hook (PR #374) as a worked example. Includes a posture matrix and a PreToolUse sketch for the field-catalog failure shape. CC0. |
| When Claude Code's API breaks your session: 7 failure shapes and the limits of operator-side recovery | English long-form (~2,200 words). 30-day model-API + guardrail-rejection cluster in anthropics/claude-code: #62123 tool-call parse, #60366 "hi" triggers Usage Policy, #62190 guardrail over-firing, #61412 System role 400, #60133 socket close, #59520 429 cascade (the only non-recoverable shape), #55254 opaque termination. 9 issues / 103 reactions / no overlap with the named operator-side clusters. Stop-hook sketch that classifies failure shape, writes structured audit log, advises retry-vs-restart per signature. Names the limit clearly: operator-side surface is post-hoc here, the durable fix is upstream. CC0. |
These are unaffiliated projects that pair well with the cc-safe-setup hooks: they read your ~/.claude/projects/ JSONL logs from a post-hoc analysis angle, whereas the hooks here intervene at pre-execution time. Use them together if you want both prevention (hooks) and observation (viewers).
| Tool | What it does | License |
|---|---|---|
| delexw/claude-code-trace (251★) | Real-time viewer for Claude Code session logs, desktop app (Tauri), web UI, and TUI. Browse projects, conversations, tool calls, token usage. Rust + TypeScript + React. | MIT |
| Learning from Claude Code logs (slides, JP) | DS perspective on parsing CC logs to learn from agent behavior. JSONL format walkthrough, subagent delegation patterns, EDA examples. By @rmizuta3, GO/DeNA AI Community 2026-03-26. | Public slides |
| Resource | What you get | Price |
|---|---|---|
| Token Book | Cut token consumption in half. CLAUDE.md templates, hook configs, context management, 32 failure patterns with fixes. 44,000+ words from 800+ hours of real operation data. | ¥2,500 (~$17). Ch.1 free |
| Migration Playbook | Stay, switch, or hybridize? Six-week timeline of the April 2026 quota wars + 5 measurable migration triggers + Path A/B/C frameworks + cost forecasting worksheet + decision tree + 48-hour rollback checklist. Edition 1, 105 pages, English. Live since 2026-04-25; free verified-update sweep on 2026-05-08. Edition 2 live since 2026-05-22 with 4 new triggers, 3 new migration paths (A'/B'/D), and a 9-layer expansion of the claim-vs-reality cluster. Free update for Edition 1 buyers via the Gumroad library. | $19. Free preview Gist |
| Claim-Verify Handbook | Forensic record of 130 cases (15 main + 115 Appendix D continuing evidence, 233 hours from 2026-05-09 to 2026-05-17 morning, 32-fold acceleration over the 30-day baseline) where Claude Code or its sub-agents claimed success while the underlying runtime did not match. 3-stage framework + 14 operator defenses + 5 detection tools (all 5 implemented and tested, 165+ test cases passing). Anchored by Anthropic's own v2.1.144 release (6 fix items in the silent-failure / silent-override category, articulated by Anthropic itself in the release notes) and the structural-parent Issue #60226 (recognition-without-arrest) with 9 connected cases. Sister product to Migration Playbook Edition 2. Live now — $19, PDF delivered immediately on purchase. | $19. Free preview Gist · Free 5-question pain-type self-audit (classifies your dominant pain across settings drift / sub-agent fabrication / version regression / trust-boundary collapse, estimates urgency, routes to matching chapter) |
| Sub-Agent Observability Handbook (preview) | The 4 silent-failure modes when Claude Code subagents say "task completed" but the session log shows no tool was called. 7-issue cluster timeline (#60987, #61102, #61107, #61167, #61315, #61405, #61547) and 4 distinct sub-pattern articulations: dispatch fabrication, silent stall, absence of observation and control, scope expansion. Each sub-pattern paired with an operator-side defense hook in cc-safe-setup (PRs #282, #283, #286, #298, #299). 73-page PDF, ~180,000 chars, 7 chapters. Paid PDF release date TBD; the title link goes to the English Chapter 1 preview Gist meanwhile. | All seven chapter previews remain free and complete: Ch.1 (EN) · Ch.1 (JP) · Ch.2 · Ch.3 · Ch.4 · Ch.5 · meta-analysis |
| Incident Postmortems | Forensic archaeology of 10 production-level Claude Code incidents (cache TTL, Opus 4.7 silent downgrade, tokenizer inflation, MCP regression, weekly quota reset, /doctor settings corruption, and more), each with reproduction steps, official response analysis, and a detection hook. 100 pages, English. Edition 2 live since 2026-05-22. | ¥4,350. Free preview |
| Safety Guide | End-to-end Claude Code safety setup. From first install to overnight autonomous runs. | ¥800 (~$5). Ch.3 free |
| AGENTS.md × Claude Code Interop Handbook (English) | The English edition for the #6235 gap (5,200+ reactions). A verified 9-tool setup matrix (which file each tool reads and whether it needs setup — Claude Code / Codex / Amp / GitHub Copilot / Cursor / Windsurf / Cline / Aider / Gemini CLI, checked against each tool's docs 2026-06-02), six interop paths with trade-offs, copy-paste templates per tool, a rollback-safe CLAUDE.md→AGENTS.md migration runbook, and a team drift guard. 21 pages. Live since 2026-06-02. | $12. Free first: the Setup Generator, the field-guide Gist, and the English Chapter preview. |
| AGENTS.md × Claude Code Interop Handbook (Japanese) | The single largest open feature request in anthropics/claude-code (#6235, 5,200+ reactions, 1+ year unaddressed) is the AGENTS.md gap: Codex, Cursor, Amp, Aider have converged on the AGENTS.md standard; Claude Code still only reads CLAUDE.md. Five operator-side workarounds (symlink, pre-commit, SessionStart hook, direnv, CI detection), three user-mode articulations (individual multi-tool, team mixed-tool, parallel use), three sub-cluster analyses, migration playbook, and copy-paste config templates. ~67,000 chars, 8 chapters. Live since 2026-05-27. | ¥1,500 (~$10). Intro + Ch.1 + Ch.2 + Ch.3 free on Zenn. Free English Chapter 1 preview Gist (1,093 words). |
| CLAUDE.md Audit (service) | Written audit of your CLAUDE.md + top-3 fixes, delivered within 48h via this repo's Issue tracker. | $29 (~¥3,980) |
| Token Burn Audit (service) | Diagnosis of your actual /cost output, top 3 waste patterns tied to Token Book Ch.8 symptoms, with per-pattern fixes. 48h delivery. | $29 (~¥3,980) |
| CC Safety Lab Founder | Stay ahead of Claude Code's monthly failure clusters before they hit your sessions. Each issue ships 4-8 new clusters with fixes + 1-2 copy-paste defense hooks within 14 days of each cluster's emergence, plus a deep-dive failure case and an updated safety checklist. One avoided Max-plan incident covers a year of membership. The recurring companion to the one-time books. | ¥500/month, Founder pricing locked. Free Part 1 previews: May 2026 (9 incident clusters) · June 2026 (June 15 cliff: 7 prep steps + 3 warnings) · July 2026 (overengineering: 16-month corpus + 3 self-checks) · August 2026 (Pro Max quota anomaly cluster: 10 issues / ~2,200 reactions) · September 2026 (permission matching 7 failure modes / ~804 reactions) · December 2026 (AUP false-positive cluster: 25 issues / 5 shipped defense hooks) |
Why pay? A Max plan costs $200/month. One token waste incident burns 50–80% of your weekly quota in hours (#46727). One rm -rf incident costs days of recovery. The Token Book costs less than 2 hours of Max subscription time, and the CLAUDE.md templates alone can reduce consumption by 40%. For the recurring track, one Safety Lab month covers what would otherwise mean reading 50–100 GitHub Issues yourself; one avoided Max-plan incident pays for a year of membership.
Pick one path. Cost out of control? → Token Book. Considering a switch (Cursor / Codex / Cline)? → Migration Playbook. Tools say "verified" but didn't run? → Claim-Verify Handbook. Subagent silent failure? → Sub-Agent Observability Handbook. Need to know what's already broken in production? → Incident Postmortems. Need to keep up with what's breaking now? → Safety Lab. Not sure which fits your specific pain? → Free 5-question selector (browser-only, no signup).
if Field Support

Hooks now support an if field for conditional execution. The hook process only spawns when the command matches the pattern, so ls won't trigger a git-only hook.

```json
{
  "type": "command",
  "if": "Bash(git push *)",
  "command": "~/.claude/hooks/test-before-push.sh"
}
```
All example hooks include if field documentation in their headers.
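To show what a hook behind that if field actually does, here is an added example (not one of the cc-safe-setup example hooks, and not the test-before-push.sh the snippet refers to): a PreToolUse hook that refuses force-pushes and pushes to main/master, the same failure shape the Branch Guard covers. It reads the PreToolUse JSON payload on stdin, pulls tool_input.command out of it, and exits 2 to block (Claude Code feeds the stderr message back to the model) or 0 to allow. The file name branch-guard-example.sh and the trailing hook argument are assumptions for this example; you would register it as "command": "~/.claude/hooks/branch-guard-example.sh hook" next to "if": "Bash(git push *)".

```shell
#!/usr/bin/env bash
# Added example, not a cc-safe-setup hook: a PreToolUse hook for the Bash tool
# that refuses force-pushes and pushes to main/master. Register it in
# settings.json with "if": "Bash(git push *)" and
# "command": "~/.claude/hooks/branch-guard-example.sh hook" (both names are
# assumptions for this example) so the process only spawns for git push.
set -eu

# classify_push COMMAND
# Prints "allow" or "block: <reason>" for one shell command string.
# It cannot see the current branch, so a bare "git push" while on main is not
# caught here; the remote's own branch protection remains the backstop.
classify_push() {
  local cmd="$1" norm word
  # Collapse runs of whitespace and pad with spaces so " -f " matches as a word.
  norm=$(printf ' %s ' "$cmd" | tr -s '[:space:]' ' ')
  case "$norm" in
    *" --force "*|*" -f "*|*" --force-with-lease"*)
      echo "block: force-push is not allowed"
      return 0 ;;
  esac
  # Protected refs: "git push origin main", "git push -u origin master",
  # "git push origin HEAD:main", "git push origin feature:master".
  set -f   # no glob expansion while splitting the command into words
  for word in $norm; do
    case "$word" in
      main|master|*:main|*:master|refs/heads/main|refs/heads/master)
        set +f
        echo "block: push to protected branch ($word)"
        return 0 ;;
    esac
  done
  set +f
  echo "allow"
}

# extract_command PAYLOAD
# Pulls tool_input.command out of the PreToolUse JSON. Uses jq when installed
# (as the cc-safe-setup hooks do); the sed fallback handles the common case
# but not commands containing escaped quotes.
extract_command() {
  local payload="$1"
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$payload" | jq -r '.tool_input.command // empty'
  else
    printf '%s' "$payload" \
      | sed -n 's/.*"command"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
  fi
}

# hook_main: Claude Code passes the PreToolUse payload on stdin.
# Exit 0 allows the call; exit 2 blocks it and feeds stderr back to Claude.
hook_main() {
  local payload cmd verdict
  payload=$(cat)
  cmd=$(extract_command "$payload")
  [ -n "$cmd" ] || return 0            # nothing to inspect: allow
  verdict=$(classify_push "$cmd")
  if [ "$verdict" = "allow" ]; then
    return 0
  fi
  echo "branch-guard-example: $verdict" >&2
  exit 2
}

# Only act as a hook when invoked with the "hook" argument, so the functions
# above can also be sourced and exercised directly.
if [ "${1:-}" = "hook" ]; then
  hook_main
fi
```

Because the if field filters on the command pattern before the process spawns, the script itself only needs to decide between the git push variants it sees; everything that is not a push never reaches it. Keeping the decision in a function (classify_push) rather than inline in the stdin handler is what makes npx cc-safe-setup --test-hook style testing possible: you can feed it command strings directly without constructing a full payload.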
Override Claude Code's built-in confirmation prompts. These run after the built-in safety checks, so they can auto-approve prompts that permissions.allow cannot suppress.
| Hook | What It Solves | Issue |
|---|---|---|
| quoted-flag-approver | "Quoted characters in flag names" prompt on git commit -m "msg" | #27957 |
| bash-heuristic-approver | Safety heuristic prompts for $(), backticks, ANSI-C quoting | #30435 |
| edit-always-allow | Edit prompts in .claude/skills/ despite bypassPermissions | #36192 |
| allow-git-hooks-dir | Edit prompts in .git/hooks/ for pre-commit/pre-push setup | |
| allow-protected-dirs | All protected directory prompts (CI/Docker environments) | #36168 |
| git-show-flag-sanitizer | Strips invalid --no-stat from git show (wastes context on error) | #13071 |
| compact-blocker | Blocks auto-compaction via PreCompact (preserves full context) | #6689 |
| webfetch-domain-allow | Auto-approves WebFetch by domain (fixes broken domain:* wildcard) | #9329 |
Install any of these: npx cc-safe-setup --install-example <name>
Guards against issues that corrupt sessions or waste tokens silently.
| Hook | What It Solves | Issue |
|---|---|---|
| cch-cache-guard | Blocks reads of Claude session/billing files that poison prompt cache via cch= substitution | #40652 |
| image-file-validator | Blocks Read of fake image files (text in .png) that permanently corrupt sessions | #24387 |
| terminal-state-restore | Restores Kitty keyboard protocol, cursor, bracketed paste on exit | #39096 #39272 |
| large-read-guard | Warns before reading large files via cat/less that waste context tokens | #41617 |
| prompt-usage-logger | Logs every prompt with timestamps to track token consumption patterns | #41249 |
| compact-alert-notification | Alerts when auto-compaction fires (tracks compact-rebuild cycles that burn tokens) | #41788 |
| token-budget-guard | Blocks tool calls when estimated session cost exceeds a configurable threshold | #38335 |
| session-index-repair | Rebuilds sessions-index.json on exit so claude --resume finds all sessions | #25032 |
| session-backup-on-start | Backs up session JSONL files on start (protects against silent deletion) | #41874 |
| working-directory-fence | Blocks Read/Edit/Write outside CWD (prevents operating on wrong project copy) | #41850 |
| mcp-warmup-wait | Waits for MCP servers to initialize on session start (fixes first-turn tool errors) | #41778 |
| pre-compact-transcript-backup | Full JSONL backup before compaction (protects against rate-limit data loss) | #40352 |
| conversation-history-guard | Blocks access to session JSONL files (prevents 20x cache poisoning) | #40524 |
| read-before-edit | Warns when Edit targets a file not recently Read (Read:Edit ratio dropped 70%, #42796) | #42796 |
| replace-all-guard | Warns/blocks Edit replace_all:true (prevents bulk data corruption) | #41681 |
| ripgrep-permission-fix | Auto-fixes vendored ripgrep +x permission on start (fixes broken commands/skills) | #41933 |
| Command | What It Does |
|---|---|
| npx cc-safe-setup | Install 8 safety hooks |
| --create "desc" | Generate hook from plain English |
| --audit [--fix|--json|--badge] | Safety score 0-100 |
| --lint | Static analysis of config |
| --diff <file> | Compare settings |
| --compare <a> <b> | Side-by-side hook comparison |
| --migrate | Detect hooks from other projects |
| --generate-ci | Create GitHub Actions workflow |
| --share | Generate shareable URL |
| --benchmark | Measure hook speed |
| --dashboard | Real-time terminal UI |
| --issues | GitHub Issues each hook addresses |
| --doctor | Diagnose hook problems |
| --watch | Live blocked command feed |
| --stats | Block history analytics |
| --learn [--apply] | Pattern learning |
| --scan [--apply] | Tech stack detection |
| --export / --import | Team config sharing |
| --verify | Test each hook |
| --install-example <name> | Install from 727 examples |
| --examples [filter] | Browse examples by keyword |
| --full | All-in-one setup |
| --status | Check installed hooks |
| --dry-run | Preview changes |
| --uninstall | Remove all hooks |
| --shield | Maximum safety in one command |
| --guard "rule" | Instantly enforce a rule from English |
| --suggest | Predict risks from project analysis |
| --from-claudemd | Convert CLAUDE.md rules to hooks |
| --team | Project-level hooks for git sharing |
| --profile [level] | Switch safety profiles |
| --save-profile <name> | Save current hooks as profile |
| --analyze | Session analysis dashboard |
| --health | Hook health table |
| --quickfix | Auto-fix common problems |
| --replay | Visual blocked commands timeline |
| --why <hook> | Show real incident behind hook |
| --migrate-from <tool> | Migrate from other hook tools |
| --diff-hooks [path] | Compare hook configurations |
| --init-project | Full project setup (hooks + CLAUDE.md + CI) |
| --score | CI-friendly safety score (exit 1 if below threshold) |
| --test-hook <name> | Test a specific hook with sample input |
| --simulate "cmd" | Preview how all hooks react to a command |
| --protect <path> | Block edits to a file or directory |
| --rules [file] | Compile YAML rules into hooks |
| --validate | Validate all hook scripts (syntax + structure) |
| --safe-mode | Maximum protection: all safety hooks + strict config |
| --changelog | Show what changed in each version |
| --report | Generate safety report |
| --help | Show help |
| I want to... | Command |
|---|---|
| Make Claude Code safe right now | npx cc-safe-setup --shield |
| Stop permission prompt spam | npx cc-safe-setup --install-example auto-approve-readonly |
| Enforce a rule instantly | npx cc-safe-setup --guard "never delete production data" |
| See what risks my project has | npx cc-safe-setup --suggest |
| Convert CLAUDE.md rules to hooks | npx cc-safe-setup --from-claudemd |
| Share hooks with my team | npx cc-safe-setup --team && git add .claude/ |
| Choose a safety level | npx cc-safe-setup --profile strict |
| See what Claude blocked today | npx cc-safe-setup --replay |
| Know why a hook exists | npx cc-safe-setup --why destructive-guard |
| See (or approve) silent memory file edits | npx cc-safe-setup --install-example memory-write-guard |
| Stop built-in skills editing opaquely | npx cc-safe-setup --install-example skill-gate |
| Diagnose why hooks aren't working | npx cc-safe-setup --doctor |
| Preview how hooks react to a command | npx cc-safe-setup --simulate "git push origin main" |
| Protect a specific file from edits | npx cc-safe-setup --protect .env |
| Stop .git/ write prompts | npx cc-safe-setup --install-example allow-git-hooks-dir |
| Auto-approve compound git commands | npx cc-safe-setup --install-example auto-approve-compound-git |
| Detect prompt injection patterns | npx cc-safe-setup --install-example prompt-injection-detector |
| Define rules in YAML, compile to hooks | npx cc-safe-setup --rules rules.yaml |
| Validate all hook scripts are correct | npx cc-safe-setup --validate |
| Maximum protection mode | npx cc-safe-setup --safe-mode |
| Migrate from Cursor/Windsurf | Migration Guide |
Install safety hooks as Claude Code plugins, no npm required:
/plugin marketplace add yurukusa/cc-safe-setup
/plugin install safety-essentials@cc-safe-setup
| Plugin | What it blocks |
|---|---|
| safety-essentials | rm -rf, force-push, hard-reset, .env overwrite, npm publish |
| git-protection | Force-push, main/master push, git clean, branch -D |
| credential-guard | .env write/edit, API keys in commands, service account files |
Also listed on claudemarketplaces.com.
| Problem | Issue | Fix |
|---|---|---|
| Claude uses cat/grep/sed instead of built-in Read/Edit/Grep | #19649 (48👍) | npx cc-safe-setup --install-example prefer-builtin-tools |
| cd /path && cmd bypasses permission allowlist | #28240 (88👍) | npx cc-safe-setup --install-example compound-command-approver |
| Multiline commands skip pattern matching | #11932 (47👍) | Use hooks instead of allowlist patterns for complex commands |
| No notification when Claude asks a question | #13024 (52👍) | npx cc-safe-setup --install-example notify-waiting |
| allow overrides ask in permissions | #6527 (17👍) | Use hooks to block dangerous commands instead of ask rules |
| Plans stored in ~/.claude/ with random names | #12619 (163👍) | npx cc-safe-setup --install-example plan-repo-sync |
Installation copies the hook scripts to ~/.claude/hooks/ and updates ~/.claude/settings.json to register the hooks. Safe to run multiple times. Existing settings are preserved. A backup is created if settings.json can't be parsed.
Maximum safety: npx cc-safe-setup --shield. One command that fixes the environment, installs the hooks, detects your stack, configures settings and generates CLAUDE.md.
Instant rule: npx cc-safe-setup --guard "never touch the database". Generates, installs and activates a hook from a plain-English rule.
Team setup: npx cc-safe-setup --team. Copies the hooks to .claude/hooks/ with relative paths; commit that directory to share them with your team.
Preview first: npx cc-safe-setup --dry-run
Check status: npx cc-safe-setup --status. Shows which hooks are installed (exit code 1 if any are missing).
Verify hooks work: npx cc-safe-setup --verify. Sends test inputs to each hook and confirms they block/allow correctly.
Troubleshoot: npx cc-safe-setup --doctor. Diagnoses why hooks aren't working (jq, permissions, paths, shebang).
Live monitor: npx cc-safe-setup --watch. Real-time dashboard of blocked commands during autonomous sessions.
Uninstall: npx cc-safe-setup --uninstall. Removes all hooks and cleans settings.json.
Requires: jq for JSON parsing (brew install jq / apt install jq).
Note: Hooks are skipped when Claude Code runs with --bare or --dangerously-skip-permissions. These modes bypass all safety hooks by design.
Known limitations:
- In non-interactive print mode (-p / --print), hook exit code 2 may not block tool execution (#36071). For CI pipelines, run hooks in interactive mode rather than -p mode.
- FileChanged notifications inject file contents into model context before hooks can intervene. If a sensitive file (.env, credentials.json) is modified externally during a session, its contents may appear in the conversation transcript regardless of hooks (#44909). Mitigation: use dotenv-watch to get alerted, and avoid editing sensitive files while Claude Code is running.
Run npx cc-health-check to see the difference:
| Check | Before | After |
|---|---|---|
| Safety Guards | 25% | 75% |
| Overall Score | 50/100 | 95/100 |
| Destructive commands | Unprotected | Blocked |
| Force push | Allowed | Blocked |
| .env in git | Possible | Blocked |
| Context warnings | None | 4-stage alerts |
| Variable | Hook | Default |
|---|---|---|
| CC_ALLOW_DESTRUCTIVE=1 | destructive-guard | 0 (protection on) |
| CC_SAFE_DELETE_DIRS | destructive-guard | node_modules:dist:build:.cache:__pycache__:coverage |
| CC_PROTECT_BRANCHES | branch-guard | main:master |
| CC_ALLOW_FORCE_PUSH=1 | branch-guard | 0 (protection on) |
| CC_SECRET_PATTERNS | secret-guard | .env:.env.local:credentials:*.pem:*.key |
| CC_CONTEXT_MISSION_FILE | context-monitor | $HOME/mission.md |
Verify your setup:
npx cc-health-check
The hooks in this repo defend against failure patterns that have already been articulated. New ones surface every week. As of 2026-05-29, the cluster tracker follows 12 structural failure clusters across 11,820+ cumulative GitHub Issue reactions on anthropics/claude-code. Most recent example: Cluster 12 (Tool Call Parsing failures in Opus 4.7) was articulated 2026-05-28 from five filings, and the four sub-pattern advisory hooks shipped within 24 hours (PRs #406 / #419 / #423 / #424, 194 tests). The free Cluster 12 field guide (2,860 words) walks the install path for all four hooks.
If you want this kind of cluster-to-defense walkthrough delivered monthly — 4-8 newly-found incidents with fixes, one deep-dive failure case, 1-2 copy-paste safety hooks, an updated safety checklist, all archived month-by-month — that's the CC Safety Lab Founder Membership (¥500/month, Founder pricing locked). One avoided Max-plan incident covers a year of membership. Three full Part 1 previews are free to read so you can judge writing depth before subscribing: May 2026 — 9 incident clusters from the 2026-04-25 → 2026-05-02 window with issue numbers and remediation steps (~6,000 words), June 2026 — June 15 billing cliff preparation with 7 ordered steps and 3 warnings (~6,500 words), and July 2026 — overengineering complexity trap from thecatfix's 16-month corpus (62 issues, 968M tokens, 19% implementation rate) with 3 self-checks and 3 warnings (~6,500 words). Parts 2–6 of each issue (cache_control deep-dive with Python recovery script, monthly safety checklist, two copy-paste hooks, related-product updates) ship to subscribers.
cc-safe-setup gives you 8 essential hooks. Want to know what else your setup needs?
Run npx cc-health-check (free, 20 checks) to see your current score. If it's below 80, the Claude Code Ops Kit fills the gaps, 6 hooks + 5 templates + 9 scripts + install.sh. Pay What You Want ($0+).
Starter Kit: Want hooks + settings + templates in one download? The Claude Code Safety Kit bundles 5 safety hooks, a pre-configured settings.json, CLAUDE.md templates, and 800-hour operation tips. Name your price ($0+).
Or browse the free hooks: claude-code-hooks
Try it in your browser: paste your settings.json, get a score instantly. Nothing leaves your browser.
Or from the CLI:
npx cc-safe-setup --audit
Analyzes 9 safety dimensions and gives you a score (0-100) with one-command fixes for each risk.
```yaml
# .github/workflows/safety.yml
- uses: yurukusa/cc-safe-setup@main
  with:
    threshold: 70 # CI fails if score drops below this
```
npx cc-safe-setup --scan # detect tech stack, recommend hooks
npx cc-safe-setup --scan --apply # auto-create CLAUDE.md with project rules
npx cc-safe-setup --create "block npm publish without tests"
npx cc-safe-setup --create "auto approve test commands"
npx cc-safe-setup --create "block curl pipe to bash"
npx cc-safe-setup --create "block DROP TABLE and TRUNCATE"
9 built-in templates + generic fallback. Creates the script, registers it, and runs a smoke test.
npx cc-safe-setup --learn # analyze your block history for patterns
npx cc-safe-setup --learn --apply # auto-generate custom hooks from patterns
Need custom hooks beyond the 8 built-in ones? Install any example with one command:
npx cc-safe-setup --install-example block-database-wipe
Or browse all available examples in examples/:
- claude update when a new release exists or the registry is unreachable.
- git status, git log, even with -C flags
- uptime, whoami, etc.
- migrate:fresh, Django flush, Rails db:drop, raw DROP DATABASE (#46684 #46650 #37405 #37439)
- psql -c invocations missing an explicit transaction. Strict mode via CC_SQL_BULK_DELETE_BLOCK=1 (#56738)
- ~/.bashrc, ~/.aws/, ~/.ssh/ and chezmoi without diff (#37478)
- git config --global modifications without consent (#37201)
- git push when tests haven't been run (#36970)
- ../../ path traversal and system directories
- Compound commands (cd && git log, cd && npm test) that the permission system can't match (#30519 #16561)
- /tmp/claude-*-cwd files on session end (#8856)
- ~/.claude/hook-debug.log
- Advisory hook for when AskUserQuestion fires on an action the operator's prior turn already authorized (case 3 in the three-way split articulated in #61929). Detects: AUQ called this turn + an option marked (Recommended) / 推奨 (Japanese for "Recommended") + the operator's last message contains a content word that also appears in the AUQ question text. Emits a structured JSON log line per match to ~/.claude/audit/authorized-reconfirmation.log and never blocks. The log file becomes the empirical foundation for the eventual UserPromptSubmit-side intent classifier (related: mhernz's #61337 /goal-authorization-equivalence, and #61983 preamble visibility for case 2).
- Hook on Read that detects when the model is about to re-read a file already read in the same session (with the same mtime). Operationalizes #60283 ("excessive token consumption — task halted mid-execution with zero output") and the broader quota-leakage cluster (analysis, audit tool). Default mode warns; strict mode refuses the call.
- ~/.claude/session-handoff.md on session end
- python3 stub on Windows Git Bash, where which python3 succeeds but subprocess exits 49 with no output, silently no-op-ing every Python-based hook. Matches four failure modes (exit 49 / Store-redirect stderr / exit 127 / silent stub) and warns via hookSpecificOutput (#57946)
SAFETY_CHECKLIST.md: Copy-paste checklist for before/during/after autonomous sessions.
Works on Windows via WSL or Git Bash. Native PowerShell is not supported (hooks are bash scripts).
Common issue: If you see Permission denied or No such file errors after install, run:
npx cc-safe-setup --doctor
This detects Windows backslash paths (C:\Users\... → C:/Users/...) and missing execute permissions.
See Issue #1 for details.
Free Windows safety guide: Claude Code on Windows — Safety Guide for the Issues That Don't Exist on macOS/Linux (~1,735 words, MIT) — five Windows-specific failure modes from the May 2026 tracker (BSOD with HVCI, runaway PowerShell spawn cascade, empty Bash output, PowerShell unavailable under MINGW64, OAuth paste freeze) with operator-side mitigations and a "WSL2 vs native Windows" decision tree. Written in response to the volume of Windows-specific issues that surfaced during May 2026, including #62193 (nested PowerShell spawn → cross-window crash on Windows 11).
TROUBLESHOOTING.md: "Hook doesn't work" → step-by-step diagnosis. Covers every common failure pattern.
SETTINGS_REFERENCE.md: Complete reference for permissions, hooks, modes, and common configurations. Includes known limitations and workarounds.
MIGRATION.md: Step-by-step guide for moving from permissions-only to permissions + hooks. Keep your existing config, add safety layers on top.
Related tools and reading:
- npx cc-safe-setup --opus47
- The task_budget beta nobody mentions. Covers why the thinking-stall-detector and claude-md-reinjector hooks exist
- Hook if field guide (Qiita): reduce hook overhead with conditional execution
- npx cc-hook-test <hook.sh> to auto-test any hook
- npx cc-hook-registry search database (browse online)
Need help configuring Claude Code safely? Safety Setup Service: audit, token optimization, and custom hooks by the cc-safe-setup team.
Q: I installed hooks but Claude says "Unknown skill: claude-code-hooks:setup"
cc-safe-setup installs hooks, not skills or plugins. Hooks run automatically in the background, you don't invoke them manually. After install + restart, try running a dangerous command; the hook will block it silently.
Q: cc-health-check says to run cc-safe-setup but I already did
cc-safe-setup covers Safety Guards (75-100%) and Monitoring (context-monitor). The other health check dimensions (Code Quality, Recovery, Coordination) require additional CLAUDE.md configuration or manual hook installation from claude-code-hooks.
Q: Will hooks slow down Claude Code?
No. Each hook runs in ~10ms. They only fire on specific events (before tool use, after edits, on stop). No polling, no background processes.
Q: My permission patterns don't match compound commands like cd /path && git status
This is a known limitation of Claude Code's permission system (#16561, #28240). Permission matching evaluates only the first token (cd), not the command that actually runs (git status). Use a PreToolUse hook instead: hooks receive the full command string and can split and inspect compound commands segment by segment. See compound-command-allow.sh in examples.
Q: --dangerously-skip-permissions still prompts for .claude/ and .git/ writes
Since v2.1.78, protected directories always prompt regardless of permission mode (#35668). Use a PermissionRequest hook to auto-approve specific protected directory operations. See allow-protected-dirs.sh in examples.
Q: allow: ["Bash(*)"] overrides my ask rules
allow takes precedence over ask. If you allow all Bash, ask rules are ignored (#6527). Use PreToolUse hooks to block dangerous commands instead of relying on the ask/allow priority system.
Q: Hooks silently fail on macOS (Homebrew jq not found)
Claude Code runs hooks with a restricted PATH that excludes /opt/homebrew/bin (#46954). If jq is installed via Homebrew, hooks silently exit 0. Fix: add export PATH="/opt/homebrew/bin:$PATH" at the top of your hook script, or call jq by its absolute path (/opt/homebrew/bin/jq). Inline hooks in settings.json may also be affected; prefix them with the same export: export PATH="/opt/homebrew/bin:$PATH"; INPUT=$(cat); ... To confirm the fix took, run npx cc-safe-setup --doctor, which checks whether jq is reachable from the hook's PATH.
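The two answers above (compound commands the allowlist cannot match, and the Homebrew PATH problem) come together in one PreToolUse hook. The script below is an added example written for this page; it is not one of cc-safe-setup's hooks, and the file name compound-command-guard.sh, the deny patterns and the separator-splitting heuristic are this example's own choices. It relies only on the hook contract the page describes: a JSON object on stdin, jq to pull out tool_input.command, exit 2 with the reason on stderr to block. The sample JSON in the comment is constructed.

```shell
#!/usr/bin/env bash
# compound-command-guard.sh: PreToolUse hook for the Bash tool (example, not a
# cc-safe-setup hook). Claude Code pipes a JSON object to stdin; exit 0 allows
# the tool call, exit 2 blocks it and returns stderr to the model as the reason.

# Hooks run with a restricted PATH that omits Homebrew (#46954): fix it before
# anything calls jq, otherwise "jq: command not found" and a silent exit 0.
export PATH="/opt/homebrew/bin:/usr/local/bin:$PATH"

# Turn one command line into one simple command per output line. Splits on
# &&, ||, ; and |, and awk already splits on newlines, so multi-line and
# compound commands are both inspected segment by segment. Regex-based, so
# a separator inside quotes is still treated as a boundary (errs toward blocking).
split_segments() {
    printf '%s' "$1" | awk '{ gsub(/\|\||&&|;|\|/, "\n"); print }' \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//'
}

# check_command "<command line>": prints the offending text to stdout and
# returns 2 if the line must be blocked; returns 0 and prints nothing otherwise.
check_command() {
    cmd=$1

    # Pipelines into a shell must be judged on the whole line, because splitting
    # on "|" would separate "curl ..." from "bash" and hide the pattern.
    if printf '%s' "$cmd" | grep -Eq '(^|[;&| ])(curl|wget) .*\| *(sudo +)?(ba|z|da)?sh( |$)'; then
        printf '%s\n' "$cmd"
        return 2
    fi

    # Deny patterns, each anchored to the start of a trimmed segment, so a
    # leading "cd /path &&" no longer masks what actually runs. Deliberately
    # small: destructive-guard and branch-guard cover far more cases.
    set -- \
        '^rm +(-[a-zA-Z]+ +)*(/|~)/?( |$)' \
        '^git +push( +[^ ]+)* +(-f|--force)( |$)' \
        '^git +reset +--hard' \
        '^git +clean +-[a-zA-Z]*f'

    while IFS= read -r seg; do
        if [ -z "$seg" ]; then continue; fi
        for pat in "$@"; do
            if printf '%s' "$seg" | grep -Eq -- "$pat"; then
                printf '%s\n' "$seg"
                return 2
            fi
        done
    done <<EOF
$(split_segments "$cmd")
EOF
    return 0
}

main() {
    # Constructed example of what arrives on stdin for a Bash tool call:
    # {"tool_name":"Bash","tool_input":{"command":"cd /repo && git push --force origin main"}}
    input=$(cat)
    cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // empty')
    # Only Bash calls carry tool_input.command; anything else passes through.
    if [ -z "$cmd" ]; then exit 0; fi
    if reason=$(check_command "$cmd"); then
        exit 0
    fi
    printf 'compound-command-guard: blocked "%s"\n' "$reason" >&2
    exit 2
}

# Act as a hook only when invoked under this file name, so the functions can
# be sourced by a test harness without consuming stdin.
case "${0##*/}" in compound-command-guard.sh) main ;; esac
```

Save it as ~/.claude/hooks/compound-command-guard.sh, mark it executable, and register it under hooks.PreToolUse in ~/.claude/settings.json with a Bash matcher (or drop it into .claude/hooks/ and use --team so the path is relative). Then npx cc-safe-setup --simulate "cd /repo && git push --force origin main" shows the block without running anything. Because the hook decides on the segment that actually executes, cd /repo && git status still passes, which is exactly the case the first-token allowlist gets wrong.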
Q: How is this different from claude-token-efficient?
Different goals. claude-token-efficient optimizes CLAUDE.md to make Claude's responses shorter and cheaper. cc-safe-setup prevents dangerous operations (file deletion, credential leaks, force-push). They work well together: use claude-token-efficient for cost reduction, cc-safe-setup for safety. For comprehensive token optimization beyond CLAUDE.md (hooks, context management, workflow design), see the Token Book.
Still stuck? See the full Permission Troubleshooting Flowchart for step-by-step diagnosis.
Report a problem: Found a false positive or a bypass? Open an issue. Include the command that was incorrectly blocked/allowed and your OS.
Request a hook: Describe the problem you're trying to prevent (not the solution). We'll figure out the hook together.
Write a hook: Fork, add your .sh file to examples/, add tests to test.sh, and open a PR. Every hook needs:
- bash -n syntax validation passing
Share your experience: Used cc-safe-setup and have feedback? Open a discussion or comment on any issue. We read everything.
If cc-safe-setup saved you from a disaster (or just saved you time), a ⭐ helps others find it too.
I'm a non-engineer running Claude Code autonomously for 800+ hours. In that span I lost files twice, watched a session burn through 887K tokens per minute, and ate a $569 surprise charge from a misread setting.
Every time, I built a small defensive hook for myself and put it here — free, MIT, no signup. That's roughly 800 hooks across three months.
I expected giving away the hooks would cannibalize my paid books. The opposite happened: a steady trickle of users who tried the hooks ended up buying one of the 5 Zenn books (¥11,373 total over 3 months across 12 purchases, including two readers from outside Japan).
The hooks stay free because the same failure happening to a stranger is the same failure happening to me — just on a different machine. The paid books exist for the parts hooks can't solve: the judgment calls, the timing questions, the trade-offs that no shell script can answer.
— yurukusa, full story (2026-05-30)
If you write or teach about Claude Code, you can earn 30% commission promoting our paid books and kits. Apply with any Gumroad account, no application form, 30-day cookie window, automatic Gumroad payouts:
Eligible products include the Migration Playbook, Incident Postmortems (live since 2026-05-05), Token Book EN (pay what you want), Complete Survival Kit, CLAUDE.md Templates, and other Claude Code titles. See each product page for the current price.
MIT
Give Claude Code memory that evolves with your codebase via hooks and LLM-compiled knowledge
Security hooks with SSRF protection, MCP compression, and OpenTelemetry tracing
Context management with hooks for state via ledgers, MCP without context pollution
An LLM council that reviews your coding agent's every move for quality assurance
@yurukusa on GitHub