Reorganize: Move all skills to skills/ folder

- Created skills/ directory - Moved 272 skills to skills/ subfolder - Kept agents/ at root level - Kept installation scripts and docs at root level Repository structure: - skills/ - All 272 skills from skills.sh - agents/ - Agent definitions - *.sh, *.ps1 - Installation scripts - README.md, etc. - Documentation Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-23 18:05:17 +00:00
parent 2b4e974878
commit b723e2bd7d
4083 changed files with 1056 additions and 1098063 deletions
--- a/skills/plugins/claude-code-safety-net/dist/core/analyze.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/analyze.d.ts
@@ -0,0 +1,21 @@
+import type { AnalyzeOptions, AnalyzeResult } from '../types.ts';
+import { findHasDelete } from './analyze/find.ts';
+import { extractParallelChildCommand } from './analyze/parallel.ts';
+import { hasRecursiveForceFlags } from './analyze/rm-flags.ts';
+import { segmentChangesCwd } from './analyze/segment.ts';
+import { extractXargsChildCommand, extractXargsChildCommandWithInfo } from './analyze/xargs.ts';
+import { loadConfig } from './config.ts';
+export declare function analyzeCommand(command: string, options?: AnalyzeOptions): AnalyzeResult | null;
+export { loadConfig };
+/** @internal Exported for testing */
+export { findHasDelete as _findHasDelete };
+/** @internal Exported for testing */
+export { extractParallelChildCommand as _extractParallelChildCommand };
+/** @internal Exported for testing */
+export { hasRecursiveForceFlags as _hasRecursiveForceFlags };
+/** @internal Exported for testing */
+export { segmentChangesCwd as _segmentChangesCwd };
+/** @internal Exported for testing */
+export { extractXargsChildCommand as _extractXargsChildCommand };
+/** @internal Exported for testing */
+export { extractXargsChildCommandWithInfo as _extractXargsChildCommandWithInfo };
--- a/skills/plugins/claude-code-safety-net/dist/core/analyze/analyze-command.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/analyze/analyze-command.d.ts
@@ -0,0 +1,5 @@
+import { type AnalyzeOptions, type AnalyzeResult, type Config } from '../../types.ts';
+export type InternalOptions = AnalyzeOptions & {
+    config: Config;
+};
+export declare function analyzeCommandInternal(command: string, depth: number, options: InternalOptions): AnalyzeResult | null;
--- a/skills/plugins/claude-code-safety-net/dist/core/analyze/constants.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/analyze/constants.d.ts
@@ -0,0 +1 @@
+export declare const DISPLAY_COMMANDS: ReadonlySet<string>;
--- a/skills/plugins/claude-code-safety-net/dist/core/analyze/dangerous-text.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/analyze/dangerous-text.d.ts
@@ -0,0 +1 @@
+export declare function dangerousInText(text: string): string | null;
--- a/skills/plugins/claude-code-safety-net/dist/core/analyze/find.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/analyze/find.d.ts
@@ -0,0 +1,6 @@
+export declare function analyzeFind(tokens: readonly string[]): string | null;
+/**
+ * Check if find command has -delete action (not as argument to another option).
+ * Handles cases like "find -name -delete" where -delete is a filename pattern.
+ */
+export declare function findHasDelete(tokens: readonly string[]): boolean;
--- a/skills/plugins/claude-code-safety-net/dist/core/analyze/interpreters.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/analyze/interpreters.d.ts
@@ -0,0 +1,2 @@
+export declare function extractInterpreterCodeArg(tokens: readonly string[]): string | null;
+export declare function containsDangerousCode(code: string): boolean;
--- a/skills/plugins/claude-code-safety-net/dist/core/analyze/parallel.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/analyze/parallel.d.ts
@@ -0,0 +1,9 @@
+export interface ParallelAnalyzeContext {
+    cwd: string | undefined;
+    originalCwd: string | undefined;
+    paranoidRm: boolean | undefined;
+    allowTmpdirVar: boolean;
+    analyzeNested: (command: string) => string | null;
+}
+export declare function analyzeParallel(tokens: readonly string[], context: ParallelAnalyzeContext): string | null;
+export declare function extractParallelChildCommand(tokens: readonly string[]): string[];
--- a/skills/plugins/claude-code-safety-net/dist/core/analyze/rm-flags.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/analyze/rm-flags.d.ts
@@ -0,0 +1 @@
+export declare function hasRecursiveForceFlags(tokens: readonly string[]): boolean;
--- a/skills/plugins/claude-code-safety-net/dist/core/analyze/segment.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/analyze/segment.d.ts
@@ -0,0 +1,8 @@
+import { type AnalyzeOptions, type Config } from '../../types.ts';
+export type InternalOptions = AnalyzeOptions & {
+    config: Config;
+    effectiveCwd: string | null | undefined;
+    analyzeNested: (command: string) => string | null;
+};
+export declare function analyzeSegment(tokens: string[], depth: number, options: InternalOptions): string | null;
+export declare function segmentChangesCwd(segment: readonly string[]): boolean;
--- a/skills/plugins/claude-code-safety-net/dist/core/analyze/shell-wrappers.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/analyze/shell-wrappers.d.ts
@@ -0,0 +1 @@
+export declare function extractDashCArg(tokens: readonly string[]): string | null;
--- a/skills/plugins/claude-code-safety-net/dist/core/analyze/tmpdir.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/analyze/tmpdir.d.ts
@@ -0,0 +1 @@
+export declare function isTmpdirOverriddenToNonTemp(envAssignments: Map<string, string>): boolean;
--- a/skills/plugins/claude-code-safety-net/dist/core/analyze/xargs.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/analyze/xargs.d.ts
@@ -0,0 +1,14 @@
+export interface XargsAnalyzeContext {
+    cwd: string | undefined;
+    originalCwd: string | undefined;
+    paranoidRm: boolean | undefined;
+    allowTmpdirVar: boolean;
+}
+export declare function analyzeXargs(tokens: readonly string[], context: XargsAnalyzeContext): string | null;
+interface XargsParseResult {
+    childTokens: string[];
+    replacementToken: string | null;
+}
+export declare function extractXargsChildCommandWithInfo(tokens: readonly string[]): XargsParseResult;
+export declare function extractXargsChildCommand(tokens: readonly string[]): string[];
+export {};
--- a/skills/plugins/claude-code-safety-net/dist/core/audit.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/audit.d.ts
@@ -0,0 +1,17 @@
+/**
+ * Sanitize session ID to prevent path traversal attacks.
+ * Returns null if the session ID is invalid.
+ * @internal Exported for testing
+ */
+export declare function sanitizeSessionIdForFilename(sessionId: string): string | null;
+/**
+ * Write an audit log entry for a denied command.
+ * Logs are written to ~/.cc-safety-net/logs/<session_id>.jsonl
+ */
+export declare function writeAuditLog(sessionId: string, command: string, segment: string, reason: string, cwd: string | null, options?: {
+    homeDir?: string;
+}): void;
+/**
+ * Redact secrets from text to avoid leaking sensitive information in logs.
+ */
+export declare function redactSecrets(text: string): string;
--- a/skills/plugins/claude-code-safety-net/dist/core/config.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/config.d.ts
@@ -0,0 +1,12 @@
+import { type Config, type ValidationResult } from '../types.ts';
+export interface LoadConfigOptions {
+    /** Override user config directory (for testing) */
+    userConfigDir?: string;
+}
+export declare function loadConfig(cwd?: string, options?: LoadConfigOptions): Config;
+/** @internal Exported for testing */
+export declare function validateConfig(config: unknown): ValidationResult;
+export declare function validateConfigFile(path: string): ValidationResult;
+export declare function getUserConfigPath(): string;
+export declare function getProjectConfigPath(cwd?: string): string;
+export type { ValidationResult };
--- a/skills/plugins/claude-code-safety-net/dist/core/custom-rules-doc.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/custom-rules-doc.d.ts
@@ -0,0 +1 @@
+export declare const CUSTOM_RULES_DOC = "# Custom Rules Reference\n\nAgent reference for generating `.safety-net.json` config files.\n\n## Config Locations\n\n| Scope | Path | Priority |\n|-------|------|----------|\n| User | `~/.cc-safety-net/config.json` | Lower |\n| Project | `.safety-net.json` (cwd) | Higher (overrides user) |\n\nDuplicate rule names (case-insensitive) \u2192 project wins.\n\n## Schema\n\n```json\n{\n  \"$schema\": \"https://raw.githubusercontent.com/kenryu42/claude-code-safety-net/main/assets/cc-safety-net.schema.json\",\n  \"version\": 1,\n  \"rules\": [...]\n}\n```\n\n- `$schema`: Optional. Enables IDE autocomplete and inline validation.\n- `version`: Required. Must be `1`.\n- `rules`: Optional. Defaults to `[]`.\n\n**Always include `$schema`** when generating config files for IDE support.\n\n## Rule Fields\n\n| Field | Required | Constraints |\n|-------|----------|-------------|\n| `name` | Yes | `^[a-zA-Z][a-zA-Z0-9_-]{0,63}$` \u2014 unique (case-insensitive) |\n| `command` | Yes | `^[a-zA-Z][a-zA-Z0-9_-]*$` \u2014 basename only, not path |\n| `subcommand` | No | Same pattern as command. Omit to match any. |\n| `block_args` | Yes | Non-empty array of non-empty strings |\n| `reason` | Yes | Non-empty string, max 256 chars |\n\n## Guidelines:\n\n- `name`: kebab-case, descriptive (e.g., `block-git-add-all`)\n- `command`: binary name only, lowercase\n- `subcommand`: omit if rule applies to any subcommand\n- `block_args`: include all variants (e.g., both `-g` and `--global`)\n- `reason`: explain why blocked AND suggest alternative\n\n## Matching Behavior\n\n- **Command**: Normalized to basename (`/usr/bin/git` \u2192 `git`)\n- **Subcommand**: First non-option argument after command\n- **Arguments**: Matched literally. Command blocked if **any** `block_args` item present.\n- **Short options**: Expanded (`-Ap` matches `-A`)\n- **Long options**: Exact match (`--all-files` does NOT match `--all`)\n- **Execution order**: Built-in rules first, then custom rules (additive only)\n\n## Examples\n\n### Block `git add -A`\n\n```json\n{\n  \"$schema\": \"https://raw.githubusercontent.com/kenryu42/claude-code-safety-net/main/assets/cc-safety-net.schema.json\",\n  \"version\": 1,\n  \"rules\": [\n    {\n      \"name\": \"block-git-add-all\",\n      \"command\": \"git\",\n      \"subcommand\": \"add\",\n      \"block_args\": [\"-A\", \"--all\", \".\"],\n      \"reason\": \"Use 'git add <specific-files>' instead.\"\n    }\n  ]\n}\n```\n\n### Block global npm install\n\n```json\n{\n  \"$schema\": \"https://raw.githubusercontent.com/kenryu42/claude-code-safety-net/main/assets/cc-safety-net.schema.json\",\n  \"version\": 1,\n  \"rules\": [\n    {\n      \"name\": \"block-npm-global\",\n      \"command\": \"npm\",\n      \"subcommand\": \"install\",\n      \"block_args\": [\"-g\", \"--global\"],\n      \"reason\": \"Use npx or local install.\"\n    }\n  ]\n}\n```\n\n### Block docker system prune\n\n```json\n{\n  \"$schema\": \"https://raw.githubusercontent.com/kenryu42/claude-code-safety-net/main/assets/cc-safety-net.schema.json\",\n  \"version\": 1,\n  \"rules\": [\n    {\n      \"name\": \"block-docker-prune\",\n      \"command\": \"docker\",\n      \"subcommand\": \"system\",\n      \"block_args\": [\"prune\"],\n      \"reason\": \"Use targeted cleanup instead.\"\n    }\n  ]\n}\n```\n\n## Error Handling\n\nInvalid config \u2192 silent fallback to built-in rules only. No custom rules applied.\n";
--- a/skills/plugins/claude-code-safety-net/dist/core/env.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/env.d.ts
@@ -0,0 +1 @@
+export declare function envTruthy(name: string): boolean;
--- a/skills/plugins/claude-code-safety-net/dist/core/format.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/format.d.ts
@@ -0,0 +1,10 @@
+type RedactFn = (text: string) => string;
+export interface FormatBlockedMessageInput {
+    reason: string;
+    command?: string;
+    segment?: string;
+    maxLen?: number;
+    redact?: RedactFn;
+}
+export declare function formatBlockedMessage(input: FormatBlockedMessageInput): string;
+export {};
--- a/skills/plugins/claude-code-safety-net/dist/core/rules-custom.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/rules-custom.d.ts
@@ -0,0 +1,2 @@
+import type { CustomRule } from '../types.ts';
+export declare function checkCustomRules(tokens: string[], rules: CustomRule[]): string | null;
--- a/skills/plugins/claude-code-safety-net/dist/core/rules-git.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/rules-git.d.ts
@@ -0,0 +1,8 @@
+export declare function analyzeGit(tokens: readonly string[]): string | null;
+declare function extractGitSubcommandAndRest(tokens: readonly string[]): {
+    subcommand: string | null;
+    rest: string[];
+};
+declare function getCheckoutPositionalArgs(tokens: readonly string[]): string[];
+/** @internal Exported for testing */
+export { extractGitSubcommandAndRest as _extractGitSubcommandAndRest, getCheckoutPositionalArgs as _getCheckoutPositionalArgs, };
--- a/skills/plugins/claude-code-safety-net/dist/core/rules-rm.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/rules-rm.d.ts
@@ -0,0 +1,9 @@
+export interface AnalyzeRmOptions {
+    cwd?: string;
+    originalCwd?: string;
+    paranoid?: boolean;
+    allowTmpdirVar?: boolean;
+    tmpdirOverridden?: boolean;
+}
+export declare function analyzeRm(tokens: string[], options?: AnalyzeRmOptions): string | null;
+export declare function isHomeDirectory(cwd: string): boolean;
--- a/skills/plugins/claude-code-safety-net/dist/core/shell.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/shell.d.ts
@@ -0,0 +1,15 @@
+export declare function splitShellCommands(command: string): string[][];
+export interface EnvStrippingResult {
+    tokens: string[];
+    envAssignments: Map<string, string>;
+}
+export declare function stripEnvAssignmentsWithInfo(tokens: string[]): EnvStrippingResult;
+export interface WrapperStrippingResult {
+    tokens: string[];
+    envAssignments: Map<string, string>;
+}
+export declare function stripWrappers(tokens: string[]): string[];
+export declare function stripWrappersWithInfo(tokens: string[]): WrapperStrippingResult;
+export declare function extractShortOpts(tokens: string[]): Set<string>;
+export declare function normalizeCommandToken(token: string): string;
+export declare function getBasename(token: string): string;
--- a/skills/plugins/claude-code-safety-net/dist/core/verify-config.d.ts
+++ b/skills/plugins/claude-code-safety-net/dist/core/verify-config.d.ts
@@ -0,0 +1,12 @@
+/**
+ * Verify user and project scope config files for safety-net.
+ */
+export interface VerifyConfigOptions {
+    userConfigPath?: string;
+    projectConfigPath?: string;
+}
+/**
+ * Verify config files and print results.
+ * @returns Exit code (0 = success, 1 = errors found)
+ */
+export declare function verifyConfig(options?: VerifyConfigOptions): number;
				`@@ -0,0 +1 @@`
				`export declare const DISPLAY_COMMANDS: ReadonlySet<string>;`
				`@@ -0,0 +1 @@`
				`export declare function dangerousInText(text: string): string \| null;`
				`@@ -0,0 +1 @@`
				`export declare function hasRecursiveForceFlags(tokens: readonly string[]): boolean;`
				`@@ -0,0 +1 @@`
				`export declare function extractDashCArg(tokens: readonly string[]): string \| null;`
				`@@ -0,0 +1 @@`
				`export declare function isTmpdirOverriddenToNonTemp(envAssignments: Map<string, string>): boolean;`
				`@@ -0,0 +1 @@`
				export declare const CUSTOM_RULES_DOC = "# Custom Rules Reference\n\nAgent reference for generating `.safety-net.json` config files.\n\n## Config Locations\n\n\| Scope \| Path \| Priority \|\n\|-------\|------\|----------\|\n\| User \| `~/.cc-safety-net/config.json` \| Lower \|\n\| Project \| `.safety-net.json` (cwd) \| Higher (overrides user) \|\n\nDuplicate rule names (case-insensitive) \u2192 project wins.\n\n## Schema\n\n```json\n{\n \"$schema\": \"https://raw.githubusercontent.com/kenryu42/claude-code-safety-net/main/assets/cc-safety-net.schema.json\",\n \"version\": 1,\n \"rules\": [...]\n}\n```\n\n- `$schema`: Optional. Enables IDE autocomplete and inline validation.\n- `version`: Required. Must be `1`.\n- `rules`: Optional. Defaults to `[]`.\n\nAlways include `$schema` when generating config files for IDE support.\n\n## Rule Fields\n\n\| Field \| Required \| Constraints \|\n\|-------\|----------\|-------------\|\n\| `name` \| Yes \| `^[a-zA-Z][a-zA-Z0-9_-]{0,63}$` \u2014 unique (case-insensitive) \|\n\| `command` \| Yes \| `^[a-zA-Z][a-zA-Z0-9_-]$` \u2014 basename only, not path \|\n\| `subcommand` \| No \| Same pattern as command. Omit to match any. \|\n\| `block_args` \| Yes \| Non-empty array of non-empty strings \|\n\| `reason` \| Yes \| Non-empty string, max 256 chars \|\n\n## Guidelines:\n\n- `name`: kebab-case, descriptive (e.g., `block-git-add-all`)\n- `command`: binary name only, lowercase\n- `subcommand`: omit if rule applies to any subcommand\n- `block_args`: include all variants (e.g., both `-g` and `--global`)\n- `reason`: explain why blocked AND suggest alternative\n\n## Matching Behavior\n\n- Command: Normalized to basename (`/usr/bin/git` \u2192 `git`)\n- Subcommand: First non-option argument after command\n- Arguments: Matched literally. Command blocked if any* `block_args` item present.\n- Short options: Expanded (`-Ap` matches `-A`)\n- Long options: Exact match (`--all-files` does NOT match `--all`)\n- Execution order: Built-in rules first, then custom rules (additive only)\n\n## Examples\n\n### Block `git add -A`\n\n```json\n{\n \"$schema\": \"https://raw.githubusercontent.com/kenryu42/claude-code-safety-net/main/assets/cc-safety-net.schema.json\",\n \"version\": 1,\n \"rules\": [\n {\n \"name\": \"block-git-add-all\",\n \"command\": \"git\",\n \"subcommand\": \"add\",\n \"block_args\": [\"-A\", \"--all\", \".\"],\n \"reason\": \"Use 'git add <specific-files>' instead.\"\n }\n ]\n}\n```\n\n### Block global npm install\n\n```json\n{\n \"$schema\": \"https://raw.githubusercontent.com/kenryu42/claude-code-safety-net/main/assets/cc-safety-net.schema.json\",\n \"version\": 1,\n \"rules\": [\n {\n \"name\": \"block-npm-global\",\n \"command\": \"npm\",\n \"subcommand\": \"install\",\n \"block_args\": [\"-g\", \"--global\"],\n \"reason\": \"Use npx or local install.\"\n }\n ]\n}\n```\n\n### Block docker system prune\n\n```json\n{\n \"$schema\": \"https://raw.githubusercontent.com/kenryu42/claude-code-safety-net/main/assets/cc-safety-net.schema.json\",\n \"version\": 1,\n \"rules\": [\n {\n \"name\": \"block-docker-prune\",\n \"command\": \"docker\",\n \"subcommand\": \"system\",\n \"block_args\": [\"prune\"],\n \"reason\": \"Use targeted cleanup instead.\"\n }\n ]\n}\n```\n\n## Error Handling\n\nInvalid config \u2192 silent fallback to built-in rules only. No custom rules applied.\n";
				`@@ -0,0 +1 @@`
				`export declare function envTruthy(name: string): boolean;`