mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-06-16 16:36:53 +08:00
* fix: prevent IOC scanner false positives on hook filenames and scan .cursor configs

The supply-chain IOC scanner matched CRITICAL_TEXT_INDICATORS with plain substring search, so legitimate hook filenames that merely end with a known payload name (e.g. the stock Cursor hook before-shell-execution.js vs the payload execution.js) were flagged as CRITICAL. Indicator matching now requires a non-filename character before the match.

Also add .cursor/ to the special config paths so Cursor hooks.json files (a known persistence vector already listed in PERSISTENCE_FILENAMES) are actually inspected in normal checkouts - previously they were only scanned by accident when the repo path happened to contain /.claude/.

* test: cover underscore-prefixed filenames in IOC boundary suppression

Make explicit that '_' is treated as a filename word character, so snake_case hook names like post_execution.js are intentionally not flagged by the execution.js indicator (real payload references appear after '/', quotes, or whitespace).
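
The boundary rule described in the commit message, sketched as an added example; this is not the project's scanner code. The function names, the `FILENAME_CHAR` class and the sample lines are assumptions constructed for illustration, and only the `execution.js` indicator comes from the message.

```javascript
// Added illustration; not the project's scanner code.
// Constructed indicator list: only the payload name quoted in the commit message.
const INDICATORS = ['execution.js'];

// Assumption: characters that can extend a filename to the left of a match.
const FILENAME_CHAR = /[A-Za-z0-9_-]/;

// Old behaviour per the commit message: plain substring search.
function substringHits(text, indicators = INDICATORS) {
  return indicators.filter((ind) => text.includes(ind));
}

// Boundary-aware search: a hit counts only at the start of the text or when
// the preceding character cannot be part of a filename. Every occurrence is
// checked, so a benign hook name earlier in a line does not hide a real
// reference later in the same line.
function boundaryHits(text, indicators = INDICATORS) {
  const hits = [];
  for (const ind of indicators) {
    let idx = text.indexOf(ind);
    while (idx !== -1) {
      if (idx === 0 || !FILENAME_CHAR.test(text[idx - 1])) {
        hits.push({ indicator: ind, index: idx });
      }
      idx = text.indexOf(ind, idx + 1);
    }
  }
  return hits;
}

// Constructed sample lines in the style of hooks.json command entries.
const SAMPLES = [
  'node .cursor/hooks/before-shell-execution.js',         // stock hook name
  'node hooks/post_execution.js',                         // snake_case hook
  '"command": "node ./execution.js"',                     // after '/'
  'execution.js',                                         // start of text
  'node before-shell-execution.js; node ./execution.js',  // benign, then real
];

for (const line of SAMPLES) {
  const oldHit = substringHits(line).length > 0;
  const newHit = boundaryHits(line).length > 0;
  console.log(`${newHit ? 'FLAG' : 'ok  '} (substring: ${oldHit}) ${line}`);
}
```
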