50 lines
1.5 KiB
Bash
Executable file
50 lines
1.5 KiB
Bash
Executable file
#!/bin/sh
|
|
# Git pre-commit — block Genesis-IP term leaks before they reach the index.
|
|
#
|
|
# INSTALL (public-facing repos only):
|
|
# ln -sf $HOME/.claude/agents/hooks/git-pre-commit-genesis.sh .git/hooks/pre-commit
|
|
#
|
|
# BEHAVIOUR:
|
|
# - Resolves the `genesis-scan` binary under the KeiSeiKit install tree.
|
|
# - Runs `--staged --exit-on-hit` so the hook fails the commit on any hit.
|
|
# - Bypass with GENESIS_GUARD_BYPASS=1 (visible, per-call — logged in transcript).
|
|
#
|
|
# EXIT:
|
|
# 0 clean or bypassed
|
|
# 1 usage / binary missing
|
|
# 2 leak detected (commit blocked)
|
|
|
|
set -eu
|
|
|
|
SCANNER="${GENESIS_SCAN_BIN:-$HOME/.claude/agents/_primitives/_rust/target/release/genesis-scan}"
|
|
|
|
if [ ! -x "$SCANNER" ]; then
|
|
# Absent scanner = silent no-op. Installs without the `core` or `full`
|
|
# profile won't have the binary; we prefer letting the commit through
|
|
# over noisy spam, since the runtime hook still catches new writes.
|
|
exit 0
|
|
fi
|
|
|
|
if "$SCANNER" --staged --format=human --exit-on-hit; then
|
|
exit 0
|
|
fi
|
|
|
|
# Non-zero exit from scanner = hits found.
|
|
if [ "${GENESIS_GUARD_BYPASS:-0}" = "1" ]; then
|
|
echo "" >&2
|
|
echo "[genesis-scan] BYPASSED (GENESIS_GUARD_BYPASS=1). Hit logged above." >&2
|
|
exit 0
|
|
fi
|
|
|
|
cat >&2 <<EOF
|
|
|
|
Commit blocked by genesis-scan.
|
|
|
|
Review the hits above and either:
|
|
- remove the Genesis / patent-IP terms from the staged content, or
|
|
- move the file into an exempt scope (see: $SCANNER --list-patterns), or
|
|
- bypass explicitly (use sparingly):
|
|
GENESIS_GUARD_BYPASS=1 git commit ...
|
|
|
|
EOF
|
|
exit 2
|