Release

Changes

• kimi-code: resolve config from correct directory — Config path now resolves from KIMI_CODE_HOME / .kimi-code instead of the legacy KIMI_SHARE_DIR / .kimi.
• kimi-code: match PreToolUse hook to `Bash` tool — The hook matcher was targeting Shell but Kimi Code exposes the tool as Bash. Updated to match the correct tool name.

Docs

• readme: note optional cc-safety-net skill for Kimi Code — Added a note about the /cc-safety-net skill for configuring custom rules.

Bug Fixes

• opencode: write audit logs for blocked commands — When a command is blocked and a sessionID is present, the plugin now correctly writes an audit log entry. Previously, blocked commands in OpenCode sessions were not being logged.
• opencode: inject audit log home directory — The plugin now accepts and forwards a homeDir parameter to the audit logger, ensuring logs are written to the correct location.

Thanks to @johnatas-henrique for reporting the issue in #58 .

Security Fix

• Bumped `shell-quote` to v1.8.4 — addresses a parsing vulnerability in the upstream dependency (#56)

Thanks to @joerawr for reporting the shell-quote vulnerability in #55.

Bug fix: Preserve effective cwd when cd targets the current directory.

Previously, commands like cd . or cd /current/path would reset the effective cwd to unknown, potentially causing false-positive blocks on subsequent segments. The analyzer now resolves cd targets and recognizes when the directory hasn't actually changed, keeping the cwd intact.

Changes

• fix(analyze): Preserve effective cwd when cd targets the current directory
• fix(explain): Align cwd trace with resolved cd-to-same-directory behavior
• test(rm): Assert rm -rf stays allowed after cd to current cwd

Features

• Expanded Pi shell tool safety analysis — Added support for custom working directories and additional tool adapters, broadening the scope of shell command interception.

Refactors

• Renamed `tool_use` → `tool_call` — Aligned internal event handling naming with upstream API terminology.
• Pruned unused exports — Removed dead exports, marked test-only helpers with @internal, and updated AGENTS.md with new knip standards.

Docs

• Added plugin troubleshooting steps to README.

CC Safety Net v1.0.0

This project originally started as a Claude Code plugin and was previously known as "Claude Code Safety Net." With v1.0.0, it has been rebranded to CC Safety Net — where CC stands for Coding (agent) CLI — to reflect its expanded support for multiple coding agent platforms including Codex, Copilot CLI, Gemini CLI, Kimi CLI, Pi and more to come.

Highlights

• Rulebook-backed configuration — Custom rules now live under .cc-safety-net/rules/ with a declarative config, replacing the legacy verify-config workflow. New CLI subcommands (rule init, rule list, rule migrate, rule remove) manage the full lifecycle.
• Pi coding agent extension — Added Pi as a supported integration with hook support and doctor detection via runtime probe.
• Kimi CLI integration — Added as a supported coding agent with doctor detection, system info, and display.
• Centralized integration registry — Hook integrations are now driven by a shared metadata module with flag-based lookup, replacing per-integration boilerplate.
• Expanded destructive command detection — Better coverage for git long-option abbreviations, wrapper commands, find -exec nested analysis, awk escape decoding, ANSI-C quotes, time builtin prefixes, and shell variable targets in rm -rf.

Breaking Change: Custom Rules Migration

The custom rules system has moved from legacy inline config files to a rulebook-based layout. Legacy inline config files (.safety-net.json and ~/.cc-safety-net/config.json) are no longer loaded at runtime. If they contain rules, commands now fail closed (stay blocked) until you migrate. Please read more at here.

Security & Reliability

• Fail closed on invalid hook input, analysis errors, and config loading failures.
• Expanded secret redaction (provider tokens, command substitution env assignments).
• Block git SSH env overrides and shell/awk analyzer bypasses.
• Resolve rm targets and TMPDIR symlinks before safety checks (TOCTOU hardening).
• Rollback config and lock on --delete-source failure.

CLI & UX

• Renamed builtin OpenCode plugin export to cc-safety-net.
• Migrated env mode reading to CC_SAFETY_NET_* prefixed variables.
• Removed legacy verify-config command flags.
• Improved rule command help output and formatting.

Internal

• Major refactor: modular shell/, analyze/, rules/, and git/ directory layout.
• Declarative CLI command dispatch with const-asserted command registry.
• Shared hook adapter, child-analyzer, and deny-output helpers to eliminate duplication.
• Added jscpd duplicate detection to CI checks.
• Comprehensive test coverage for all new features and edge cases.

New Features

• Add Codex Plugin
• Add WorkTreeMode

Changed

• Add worktreeMode option to AnalyzeOptions and TraceStep
• Add linked worktree detection module
• Relax local git discards in linked worktrees
• Add SAFETY_NET_WORKTREE to CLI surfaces and explain
• Add AnalyzeNestedOverrides type and envAssignments to AnalyzeOptions
• Track cwd changes from env -C/--chdir in wrapper stripping
• Propagate env/cwd/worktree overrides through analyzeNested
• Propagate wrapper env/cwd to nested analysis in segment
• Handle remote parallel execution and wrapper info propagation
• Propagate wrapper env/cwd through xargs child analysis
• Track sudo/env chdir and split-string in wrapper stripping
• Track exported git context env vars across shell segments
• Propagate wrapper env/cwd through interpreters, BusyBox, parallel, and xargs
• Verify linked worktree config matches root before relaxing
• Tighten worktree relaxation for recursive submodules and double-force clean
• Support sudo --chdir and git context append env assignments
• Handle typeset, declare, and shell git context env assignments
• Track GIT_INDEX_FILE as git context override and verify gitdir backlink
• Fail-closed on dynamic git arguments and sudo chdir/login in worktree mode
• Track allexport mode and append assignments for shell git context
• Track keyword export and readonly in shell env context, improve builtin resolution
• Treat dynamic stdin and replacement tokens in parallel and xargs as non-worktree-safe
• Fail-closed on dynamic arguments, recursive submodules, and forced branch resets in worktree mode
• Physical path resolution and symlink hardening
• Track git config envs, keyword exports, readonly, and builtin
• Improve parallel placeholder detection and dynamic args handling
• Worktree hardening with PATH bypass and config env detection
• Seed exported names from process env and git config-affecting env vars
• Read local git config for recursive submodule check before invoking git binary
• Expand trusted git binaries and export for testing
• Add Windows Git binary paths to trusted binaries list
• Add Codex platform hook detection
• Color error messages red in hooks section

Breaking Changes

• Migrate slash commands to skills format

Fixed

• Keep ref-moving resets blocked, relax only local discards
• Use wrapper-resolved cwd in explain segment and disable fallback worktree relaxation
• Propagate env assignments and wrapper cwd into nested analysis
• Use platform-aware path separators for Windows compatibility
• Use wrapper cwd in xargs and parallel rm analysis
• Compare paths by inode identity with normalized realpath fallback
• Handle Windows native realpath prefixes in path comparison
• Handle double-quoted escapes in git config value parsing
• Treat missing trusted git binary as recursive submodule config enabled
• Parse commented JSON in Copilot CLI config files
• Handle Claude Code plugin list without blank separators
• Parse Codex config section headers with inline comments
• Use effective enabled state for Gemini CLI extension detection
• Exclude metadata email lines from Claude Code plugin block detection

Related Issues

• Issue #44: Relax destructive-change rules when running inside a git worktree
• Issue #47: [Feature]: Allow to bypass some rules
• Issue #46: [Feature]: Support for Codex (closed by PR #49)

Related PRs

• PR #48: Worktree mode (closes issue #123)
• PR #49: Codex hooks compatibility (closes issue #46)

Fixed

- Allow rm -rf for explicit temp-directory targets such as /tmp/..., /var/tmp/..., and $TMPDIR/... even when the current working directory is $HOME - Move home-directory rm classification into the shared rules-rm analyzer so blocking decisions and explain output follow the same target-aware path

Related Issues

• Issue #41: False positives block legitimate cleanup operations and string literals in gh commands

Related PRs

• PR #42: fix(rules-rm): allow temp targets when cwd is home directory

New Features

• Detect copilot-safety-net plugin installs in doctor via copilot plugin list

Fixed

• Populate configPath consistently when Copilot CLI is detected through the plugin flow
• Report copilot-plugin as the config path for plugin-based Copilot CLI detection

Related PRs

• PR #40: feat: add copilot cli plugin detection to doctor command

New Features

• Add doctor support for GitHub Copilot CLI, including detection of Safety Net hooks in repository hook files, user hook files, and inline Copilot settings with version-aware diagnostics.
• Block git switch --force, git switch --discard-changes, and git checkout --force / -f.

Changed

• Show the detected Copilot CLI version in doctor output and probe Copilot version commands more quickly and reliably.
• Expand Copilot CLI setup documentation to cover hook-file and inline config variants, config precedence, disableAllHooks, and COPILOT_HOME.

Fixed

• Close a TMPDIR path traversal bypass so non-temp overrides cannot escape /tmp, /var/tmp, or the system temp directory.
• Harden shell parsing so destructive commands are still detected inside redirects, nested command substitutions, arithmetic expansions, grouped subshells, process substitutions, and attached backticks.
• Fix git checkout argument parsing for ambiguous ref/pathspec cases and documented option variants without misclassifying value-taking flags such as git switch -cfeature.

Thanks to @jacoballen4534 for identifying and suggesting the fix for Windows support in #21.

Thanks to @lgandecki for identifying the npx performance overhead.

v0.3.2 (2026-01-03)

Fix

• add AskUserQuestion tool to improve UX

v0.3.1 (2026-01-02)

Fix

• Add cross-platform script execution compatibility

v0.3.0 (2026-01-01)

Feat

• add short option expansion to custom rule matching
• add commands for custom rules management
• detect find -exec rm -rf as destructive pattern
• add verify_config script for config validation
• integrate custom rules into hook analysis
• add custom rule matching logic
• add config loading module for user-configurable rules

Fix

• stop _short_opts parsing at non-alpha chars and -- marker
• Block rm -rf of cwd itself even when under /tmp/

Refactor

• improve verify_config output formatting
• return ValidationResult from validate_config_file

v0.2.0 (2025-12-29)

Feat

• add audit logging for denied commands
• add paranoid mode environment variable checks
• detect dangerous commands via xargs and parallel
• block git worktree remove --force
• block git checkout <ref> <pathspec> without --
• block find -delete destructive command

Fix

• Add cross-platform script execution compatibility
• recognize rm -R (uppercase) as recursive and respect -- delimiter
• preserve case sensitivity for git branch -D detection

Refactor

• rename strict to paranoid for rm rule parameter

v0.1.0 (2025-12-26)

Feat

• initial implementation