cc-auto adds a local safety gate to Claude Code using a bash hook and Ollama. It intercepts Bash tool calls and judges whether they are safe before execution.
ccaworks exactly likeclaude, but with Ollama safety hook active.
cca [args...]
│
▼
claude --settings hook-settings.json [args...]
│
▼ (every Bash tool call)
safe-hook.sh
├── Layer 1: Hard-block (rm -rf, sudo, etc.) → DENY
├── Layer 2: Ollama (qwen3.5:9b) judges → ALLOW / DENY
└── Ollama unsure → ASK user
- Only gates Bash tool calls — Edit, Write, Read, etc. are auto-allowed
- Does NOT interfere with user choices — plan approval, mode selection, etc. are untouched
- Fail-open — if Ollama is unreachable, falls back to asking the user
- macOS (uses
python3which ships with the system) - Ollama running locally
ollama pull qwen3.5:9b# 1. Clone the repo
git clone https://github.com/LehaoLin/cc-auto.git
cd cc-auto
# 2. Pull the Ollama model
ollama pull qwen3.5:9b
# 3. Install cca command (one-time setup)
# Creates a symlink — no files copied to ~/.local/bin
mkdir -p ~/.local/bin
ln -sf "$(pwd)/cca" ~/.local/bin/cca
# Make sure ~/.local/bin is in your PATH
# (skip if already configured)
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc
# 4. Use cca just like claude
cca # interactive mode
cca -c # continue last session
cca --resume ID # resume a specific session
cca -p "fix the bug" # one-shot mode
cca --model sonnet # specify model
cca --worktree feature-auth # isolated git worktree├── cca # Wrapper script (drop-in replacement for claude)
├── safe-hook.sh # PreToolUse hook script (two-layer safety)
├── hook-settings.json # Hook configuration (loaded via --settings)
├── LICENSE
└── README.md
Edit safe-hook.sh, line with "model": "qwen3.5:9b" — replace with any model you have pulled.
Edit the grep -qEi line in Layer 1 of safe-hook.sh.
Change the if [ "$TOOL_NAME" != "Bash" ] check in safe-hook.sh to include other tool names.
Issues and PRs welcome!
MIT