github kenryu42/cc-safety-net v1.0.0

7 hours ago

CC Safety Net v1.0.0

This project originally started as a Claude Code plugin and was previously known as "Claude Code Safety Net." With v1.0.0, it has been rebranded to CC Safety Net, where CC stands for Coding (agent) CLI, to reflect its expanded support for multiple coding agent platforms, including Codex, Copilot CLI, Gemini CLI, Kimi CLI, and Pi, with more to come.

Highlights

  • Rulebook-backed configuration — Custom rules now live under .cc-safety-net/rules/ with a declarative config, replacing the legacy verify-config workflow. New CLI subcommands (rule init, rule list, rule migrate, rule remove) manage the full lifecycle.
  • Pi coding agent extension — Added Pi as a supported integration with hook support and doctor detection via runtime probe.
  • Kimi CLI integration — Added as a supported coding agent with doctor detection, system info, and display.
  • Centralized integration registry — Hook integrations are now driven by a shared metadata module with flag-based lookup, replacing per-integration boilerplate.
  • Expanded destructive command detection — Better coverage for git long-option abbreviations, wrapper commands, find -exec nested analysis, awk escape decoding, ANSI-C quotes, time builtin prefixes, and shell variable targets in rm -rf.

Breaking Change: Custom Rules Migration

Warning

The custom rules system has moved from legacy inline config files to a rulebook-based layout. Legacy inline config files (.safety-net.json and ~/.cc-safety-net/config.json) are no longer loaded at runtime. If they contain rules, commands now fail closed (stay blocked) until you migrate. Please read more here.

Security & Reliability

  • Fail closed on invalid hook input, analysis errors, and config loading failures.
  • Expanded secret redaction (provider tokens, command substitution env assignments).
  • Block git SSH env overrides and shell/awk analyzer bypasses.
  • Resolve rm targets and TMPDIR symlinks before safety checks (TOCTOU hardening).
  • Rollback config and lock on --delete-source failure.
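
As an added example (not code from cc-safety-net), the following JavaScript shows why a containment check on an rm target has to resolve symlinks on both the target and the temp directory before comparing, and why it denies on any resolution error. The function names and the scratch directory layout are hypothetical.

```javascript
// Added example, not cc-safety-net source; all names here are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// True when `child` is strictly below `parent` (both absolute paths).
function isInside(parent, child) {
  const rel = path.relative(parent, child);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep);
  return rel !== "" && !escapes && !path.isAbsolute(rel);
}

// Weak form: normalizes ".." lexically and never consults the filesystem.
function lexicalCheck(tmpDir, target) {
  return isInside(path.resolve(tmpDir), path.resolve(target));
}

// Hardened form: resolve symlinks on both sides, then compare.
// Any resolution error (missing path, loop, EACCES) denies: fail closed.
function resolvedCheck(tmpDir, target) {
  try {
    return isInside(fs.realpathSync(tmpDir), fs.realpathSync(target));
  } catch {
    return false;
  }
}

// Constructed layout in a fresh scratch directory: tmp/cache (plain dir),
// tmp/escape -> outside (link leaving the temp root), tmplink -> tmp.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "rmcheck-"));
  const tmp = path.join(base, "tmp");
  const outside = path.join(base, "outside");
  const tmplink = path.join(base, "tmplink");
  fs.mkdirSync(path.join(tmp, "cache"), { recursive: true });
  fs.mkdirSync(path.join(outside, "data"), { recursive: true });
  fs.symlinkSync(outside, path.join(tmp, "escape"));
  fs.symlinkSync(tmp, tmplink);
  const escaping = path.join(tmp, "escape", "data");
  const result = {
    lexicalEscape: lexicalCheck(tmp, escaping), // true: escape missed
    resolvedEscape: resolvedCheck(tmp, escaping), // false: denied
    lexicalViaLink: lexicalCheck(tmplink, path.join(tmp, "cache")), // false
    resolvedViaLink: resolvedCheck(tmplink, path.join(tmp, "cache")), // true
    resolvedMissing: resolvedCheck(tmp, path.join(tmp, "nope")), // false
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}
```

Resolving before the check narrows the race window but does not remove it, since a path can still change between the check and the deletion.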

CLI & UX

  • Renamed builtin OpenCode plugin export to cc-safety-net.
  • Migrated env mode reading to CC_SAFETY_NET_* prefixed variables.
  • Removed legacy verify-config command flags.
  • Improved rule command help output and formatting.

Internal

  • Major refactor: modular shell/, analyze/, rules/, and git/ directory layout.
  • Declarative CLI command dispatch with const-asserted command registry.
  • Shared hook adapter, child-analyzer, and deny-output helpers to eliminate duplication.
  • Added jscpd duplicate detection to CI checks.
  • Comprehensive test coverage for all new features and edge cases.
