a4e667de10
Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.
59 lines
2.1 KiB
Bash
Executable file
59 lines
2.1 KiB
Bash
Executable file
#!/bin/sh
|
|
# orchestrator-branch-check — remind orchestrator to own git ops, not agents
|
|
# Event: PreToolUse:Agent
|
|
# Severity: warn (exit 0 + stderr advisory only)
|
|
# Rule: ~/.claude/rules/orchestrator-branch-first.md
|
|
#
|
|
# RULE 0.13 enforcer. Two advisory checks on every code-writing Agent spawn:
|
|
# 1. Prompt contains explicit Bash/git ban phrase?
|
|
# 2. Current branch is NOT main (orchestrator forked BEFORE spawn)?
|
|
# Bypass for legitimate meta-orchestrator via env ORCHESTRATOR_META=1.
|
|
|
|
command -v jq >/dev/null 2>&1 || exit 0
|
|
set -eu
|
|
|
|
# Bypass — /new-project skill and similar meta-agents legitimately create branches
|
|
if [ "${ORCHESTRATOR_META:-0}" = "1" ]; then
|
|
exit 0
|
|
fi
|
|
|
|
INPUT=$(cat)
|
|
SUBAGENT=$(printf '%s' "$INPUT" | jq -r '.tool_input.subagent_type // empty')
|
|
PROMPT=$(printf '%s' "$INPUT" | jq -r '.tool_input.prompt // empty')
|
|
|
|
# Only fire on code-writing agent types. Read-only agents exempt.
|
|
case "$SUBAGENT" in
|
|
code-implementer|infra-implementer|ml-implementer|refactor) ;;
|
|
*) exit 0 ;;
|
|
esac
|
|
|
|
WARNINGS=""
|
|
|
|
# Check 1 — prompt must contain explicit Bash/git ban
|
|
case "$PROMPT" in
|
|
*"MUST NOT invoke git"*|*"write files only"*|*"no git, no bash"*|*"MUST NOT invoke bash"*)
|
|
: # ok, ban phrase present
|
|
;;
|
|
*)
|
|
WARNINGS="${WARNINGS} - prompt lacks explicit Bash/git ban. Add: \"You MUST NOT invoke git, bash, or shell commands. Only Read/Write/Edit/Glob/Grep. Return a file-list in your final report.\"
|
|
"
|
|
;;
|
|
esac
|
|
|
|
# Check 2 — current branch should be feat/* (not main)
|
|
BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")
|
|
if [ "$BRANCH" = "main" ] || [ "$BRANCH" = "master" ]; then
|
|
WARNINGS="${WARNINGS} - spawning $SUBAGENT from '$BRANCH'. Orchestrator should create a feat/* branch FIRST, then spawn the agent into it.
|
|
"
|
|
fi
|
|
|
|
if [ -n "$WARNINGS" ]; then
|
|
cat >&2 <<EOF
|
|
[orchestrator-branch-check] RULE 0.13 advisory for $SUBAGENT spawn:
|
|
${WARNINGS}Agents get sandbox-denied Bash inside .claude/worktrees/ — they cannot
|
|
commit their own work. Orchestrator must own the branch + commit + push.
|
|
Full rule: ~/.claude/rules/orchestrator-branch-first.md
|
|
EOF
|
|
fi
|
|
|
|
exit 0
|