v1.0.6

Changes

• fix: avoid duplicate home rule scope (#62) — When the user config path and the project config path resolve to the same file (e.g. running inside $HOME), the rules config was loaded twice, producing duplicate rule entries. The policy loader now detects this via resolve() and realpathSync() and skips the redundant read.

Tests

• test: isolate home scope regression — Added dedicated tests to verify that rules are not duplicated when the home and project scopes overlap.

---

Thanks to @sQVe for reporting the issue in #61 .

v1.0.5

Changes

• kimi-code: resolve config from correct directory — Config path now resolves from KIMI_CODE_HOME / .kimi-code instead of the legacy KIMI_SHARE_DIR / .kimi.
• kimi-code: match PreToolUse hook to Bash tool — The hook matcher was targeting Shell but Kimi Code exposes the tool as Bash. Updated to match the correct tool name.

Docs

• readme: note optional cc-safety-net skill for Kimi Code — Added a note about the /cc-safety-net skill for configuring custom rules.

v1.0.4

Bug Fixes

• opencode: write audit logs for blocked commands — When a command is blocked and a sessionID is present, the plugin now correctly writes an audit log entry. Previously, blocked commands in OpenCode sessions were not being logged.
• opencode: inject audit log home directory — The plugin now accepts and forwards a homeDir parameter to the audit logger, ensuring logs are written to the correct location.

---

Thanks to @johnatas-henrique for reporting the issue in #58 .

v1.0.3

Security Fix

• Bumped shell-quote to v1.8.4 — addresses a parsing vulnerability in the upstream dependency (#56)

---

Thanks to @joerawr for reporting the shell-quote vulnerability in #55.

v1.0.2

Bug fix: Preserve effective cwd when cd targets the current directory.

Previously, commands like cd . or cd /current/path would reset the effective cwd to unknown, potentially causing false-positive blocks on subsequent segments. The analyzer now resolves cd targets and recognizes when the directory hasn't actually changed, keeping the cwd intact.

Changes

• fix(analyze): Preserve effective cwd when cd targets the current directory
• fix(explain): Align cwd trace with resolved cd-to-same-directory behavior
• test(rm): Assert rm -rf stays allowed after cd to current cwd

v1.0.1

Features

• Expanded Pi shell tool safety analysis — Added support for custom working directories and additional tool adapters, broadening the scope of shell command interception.

Refactors

• Renamed tool_use → tool_call — Aligned internal event handling naming with upstream API terminology.
• Pruned unused exports — Removed dead exports, marked test-only helpers with @internal, and updated AGENTS.md with new knip standards.

Docs

• Added plugin troubleshooting steps to README.

v1.0.0

CC Safety Net v1.0.0

This project originally started as a Claude Code plugin and was previously known as "Claude Code Safety Net." With v1.0.0, it has been rebranded to CC Safety Net — where CC stands for Coding (agent) CLI — to reflect its expanded support for multiple coding agent platforms including Codex, Copilot CLI, Gemini CLI, Kimi CLI, Pi and more to come.

Highlights

• Rulebook-backed configuration — Custom rules now live under .cc-safety-net/rules/ with a declarative config, replacing the legacy verify-config workflow. New CLI subcommands (rule init, rule list, rule migrate, rule remove) manage the full lifecycle.
• Pi coding agent extension — Added Pi as a supported integration with hook support and doctor detection via runtime probe.
• Kimi CLI integration — Added as a supported coding agent with doctor detection, system info, and display.
• Centralized integration registry — Hook integrations are now driven by a shared metadata module with flag-based lookup, replacing per-integration boilerplate.
• Expanded destructive command detection — Better coverage for git long-option abbreviations, wrapper commands, find -exec nested analysis, awk escape decoding, ANSI-C quotes, time builtin prefixes, and shell variable targets in rm -rf.

Breaking Change: Custom Rules Migration

Warning

The custom rules system has moved from legacy inline config files to a rulebook-based layout. Legacy inline config files (.safety-net.json and ~/.cc-safety-net/config.json) are no longer loaded at runtime. If they contain rules, commands now fail closed (stay blocked) until you migrate. Please read more at here.

Security & Reliability

• Fail closed on invalid hook input, analysis errors, and config loading failures.
• Expanded secret redaction (provider tokens, command substitution env assignments).
• Block git SSH env overrides and shell/awk analyzer bypasses.
• Resolve rm targets and TMPDIR symlinks before safety checks (TOCTOU hardening).
• Rollback config and lock on --delete-source failure.

CLI & UX

• Renamed builtin OpenCode plugin export to cc-safety-net.
• Migrated env mode reading to CC_SAFETY_NET_* prefixed variables.
• Removed legacy verify-config command flags.
• Improved rule command help output and formatting.

Internal

• Major refactor: modular shell/, analyze/, rules/, and git/ directory layout.
• Declarative CLI command dispatch with const-asserted command registry.
• Shared hook adapter, child-analyzer, and deny-output helpers to eliminate duplication.
• Added jscpd duplicate detection to CI checks.
• Comprehensive test coverage for all new features and edge cases.

v0.9.0

New Features

• Add Codex Plugin
• Add WorkTreeMode

Changed

• Add worktreeMode option to AnalyzeOptions and TraceStep
• Add linked worktree detection module
• Relax local git discards in linked worktrees
• Add SAFETY_NET_WORKTREE to CLI surfaces and explain
• Add AnalyzeNestedOverrides type and envAssignments to AnalyzeOptions
• Track cwd changes from env -C/--chdir in wrapper stripping
• Propagate env/cwd/worktree overrides through analyzeNested
• Propagate wrapper env/cwd to nested analysis in segment
• Handle remote parallel execution and wrapper info propagation
• Propagate wrapper env/cwd through xargs child analysis
• Track sudo/env chdir and split-string in wrapper stripping
• Track exported git context env vars across shell segments
• Propagate wrapper env/cwd through interpreters, BusyBox, parallel, and xargs
• Verify linked worktree config matches root before relaxing
• Tighten worktree relaxation for recursive submodules and double-force clean
• Support sudo --chdir and git context append env assignments
• Handle typeset, declare, and shell git context env assignments
• Track GIT_INDEX_FILE as git context override and verify gitdir backlink
• Fail-closed on dynamic git arguments and sudo chdir/login in worktree mode
• Track allexport mode and append assignments for shell git context
• Track keyword export and readonly in shell env context, improve builtin resolution
• Treat dynamic stdin and replacement tokens in parallel and xargs as non-worktree-safe
• Fail-closed on dynamic arguments, recursive submodules, and forced branch resets in worktree mode
• Physical path resolution and symlink hardening
• Track git config envs, keyword exports, readonly, and builtin
• Improve parallel placeholder detection and dynamic args handling
• Worktree hardening with PATH bypass and config env detection
• Seed exported names from process env and git config-affecting env vars
• Read local git config for recursive submodule check before invoking git binary
• Expand trusted git binaries and export for testing
• Add Windows Git binary paths to trusted binaries list
• Add Codex platform hook detection
• Color error messages red in hooks section

Breaking Changes

• Migrate slash commands to skills format

Fixed

• Keep ref-moving resets blocked, relax only local discards
• Use wrapper-resolved cwd in explain segment and disable fallback worktree relaxation
• Propagate env assignments and wrapper cwd into nested analysis
• Use platform-aware path separators for Windows compatibility
• Use wrapper cwd in xargs and parallel rm analysis
• Compare paths by inode identity with normalized realpath fallback
• Handle Windows native realpath prefixes in path comparison
• Handle double-quoted escapes in git config value parsing
• Treat missing trusted git binary as recursive submodule config enabled
• Parse commented JSON in Copilot CLI config files
• Handle Claude Code plugin list without blank separators
• Parse Codex config section headers with inline comments
• Use effective enabled state for Gemini CLI extension detection
• Exclude metadata email lines from Claude Code plugin block detection

Related Issues

• Issue #44: Relax destructive-change rules when running inside a git worktree
• Issue #47: [Feature]: Allow to bypass some rules
• Issue #46: [Feature]: Support for Codex (closed by PR #49)

Related PRs

• PR #48: Worktree mode (closes issue #123)
• PR #49: Codex hooks compatibility (closes issue #46)

v0.8.2

Fixed

• Allow rm -rf for explicit temp-directory targets such as /tmp/..., /var/tmp/...,
  and $TMPDIR/... even when the current working directory is $HOME
• Move home-directory rm classification into the shared rules-rm analyzer so blocking
  decisions and explain output follow the same target-aware path

Related Issues

• Issue #41: False positives block legitimate cleanup operations and string literals in gh commands

Related PRs

• PR #42: fix(rules-rm): allow temp targets when cwd is home directory

v0.8.1

New Features

• Detect copilot-safety-net plugin installs in doctor via copilot plugin list

Fixed

• Populate configPath consistently when Copilot CLI is detected through the plugin flow
• Report copilot-plugin as the config path for plugin-based Copilot CLI detection

Related PRs

• PR #40: feat: add copilot cli plugin detection to doctor command