feat(hooks): git-pre-commit-genesis — template for repo symlink into .git/hooks/pre-commit

2026-04-22 01:01:56 +08:00 · 2026-04-22 01:01:56 +08:00 · b18727b257
commit b18727b257
parent 10bc799d26
1 changed files with 50 additions and 0 deletions
--- a/hooks/git-pre-commit-genesis.sh
+++ b/hooks/git-pre-commit-genesis.sh
@ -0,0 +1,50 @@
+#!/bin/sh
+# Git pre-commit — block Genesis-IP term leaks before they reach the index.
+#
+# INSTALL (public-facing repos only):
+#   ln -sf $HOME/.claude/agents/hooks/git-pre-commit-genesis.sh .git/hooks/pre-commit
+#
+# BEHAVIOUR:
+#   - Resolves the `genesis-scan` binary under the KeiSeiKit install tree.
+#   - Runs `--staged --exit-on-hit` so the hook fails the commit on any hit.
+#   - Bypass with GENESIS_GUARD_BYPASS=1 (visible, per-call — logged in transcript).
+#
+# EXIT:
+#   0  clean or bypassed
+#   1  usage / binary missing
+#   2  leak detected (commit blocked)
+
+set -eu
+
+SCANNER="${GENESIS_SCAN_BIN:-$HOME/.claude/agents/_primitives/_rust/target/release/genesis-scan}"
+
+if [ ! -x "$SCANNER" ]; then
+    # Absent scanner = silent no-op. Installs without the `core` or `full`
+    # profile won't have the binary; we prefer letting the commit through
+    # over noisy spam, since the runtime hook still catches new writes.
+    exit 0
+fi
+
+if "$SCANNER" --staged --format=human --exit-on-hit; then
+    exit 0
+fi
+
+# Non-zero exit from scanner = hits found.
+if [ "${GENESIS_GUARD_BYPASS:-0}" = "1" ]; then
+    echo "" >&2
+    echo "[genesis-scan] BYPASSED (GENESIS_GUARD_BYPASS=1). Hit logged above." >&2
+    exit 0
+fi
+
+cat >&2 <<EOF
+
+Commit blocked by genesis-scan.
+
+Review the hits above and either:
+  - remove the Genesis / patent-IP terms from the staged content, or
+  - move the file into an exempt scope (see: $SCANNER --list-patterns), or
+  - bypass explicitly (use sparingly):
+        GENESIS_GUARD_BYPASS=1 git commit ...
+
+EOF
+exit 2