10 hooks get 21-line guard block: env-var short-circuit, 4 profiles (full/advisory-off/minimal/off), per-hook disable. Safety-critical preserved in 'minimal': no-hand-edit-agents, assemble-validate, git-pre-commit-genesis. Advisory off list: recurrence-suggest, citation-verify, error-spike-detector, milestone-commit-hook. skills/hooks-control/SKILL.md — click-only toggle emitting shell export commands. README +27 LOC 'Runtime hook controls' section with examples.
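#!/bin/sh
# Git pre-commit — block Genesis-IP term leaks before they reach the index.
#
# INSTALL (public-facing repos only):
#   ln -sf $HOME/.claude/agents/hooks/git-pre-commit-genesis.sh .git/hooks/pre-commit
#
# BEHAVIOUR:
# - Resolves the `genesis-scan` binary under the KeiSeiKit install tree.
# - Runs `--staged --exit-on-hit` so the hook fails the commit on any hit.
# - Bypass with GENESIS_GUARD_BYPASS=1 (visible, per-call — logged in transcript).
#
# ENV (runtime controls):
#   KEI_DISABLED_HOOKS  list of hook names (comma- or whitespace-separated),
#                       or `all`; a listed hook exits 0 without running.
#   KEI_HOOK_PROFILE    full (default) | advisory-off | minimal | off
#   GENESIS_SCAN_BIN    override the scanner path.
#
# EXIT:
#   0 clean, bypassed, disabled by runtime controls, or scanner binary absent
#     (deliberate fail-open, see comment below)
#   2 leak detected (commit blocked)
#   Any other status is an unexpected failure surfaced by `set -e`.

# --- RUNTIME CONTROLS (v0.14.2) ---
# This hook is installed as a symlink named `pre-commit` (see INSTALL), so
# `basename "$0" .sh` would yield "pre-commit" rather than this hook's own name;
# under the `minimal` profile that mismatch would make the guard exit 0 and
# silently skip the scan. The name is therefore fixed here, not derived from $0.
_hook_name="git-pre-commit-genesis"

# Normalise the disable list to ",tok,tok," so only whole tokens match: a
# substring match would let e.g. "genesis" or "pre-commit" in the list switch
# off this safety-critical hook by accident.
_disabled=",$(printf '%s' "${KEI_DISABLED_HOOKS:-}" | tr -s '[:space:]' ','),"
case "$_disabled" in
  *",$_hook_name,"*|*",all,"*) exit 0 ;;
esac

case "${KEI_HOOK_PROFILE:-full}" in
  off) exit 0 ;;
  minimal)
    # Only the safety-critical hooks keep running under `minimal`.
    case "$_hook_name" in
      no-github-push|genesis-leak-guard|no-hand-edit-agents|secrets-guard|assemble-validate|git-pre-commit-genesis) ;;
      *) exit 0 ;;
    esac
    ;;
  advisory-off)
    # Advisory-only hooks are skipped; everything else runs as in `full`.
    case "$_hook_name" in
      recurrence-suggest|citation-verify|error-spike-detector|milestone-commit-hook) exit 0 ;;
    esac
    ;;
  full|*) ;;
esac
# --- end runtime controls ---

set -eu

SCANNER="${GENESIS_SCAN_BIN:-$HOME/.claude/agents/_primitives/_rust/target/release/genesis-scan}"

if [ ! -x "$SCANNER" ]; then
  # Absent scanner = silent no-op (fail-open). Installs without the `core`
  # or `full` profile won't have the binary; we prefer letting the commit
  # through over noisy spam, since the runtime hook still catches new writes.
  exit 0
fi

if "$SCANNER" --staged --format=human --exit-on-hit; then
  exit 0
fi

# Any non-zero exit from the scanner is treated as "hits found" — including a
# scanner crash — so the commit is blocked unless bypassed (fail-closed).
if [ "${GENESIS_GUARD_BYPASS:-0}" = "1" ]; then
  printf '\n' >&2
  printf '%s\n' "[genesis-scan] BYPASSED (GENESIS_GUARD_BYPASS=1). Hit logged above." >&2
  exit 0
fi

cat >&2 <<EOF

Commit blocked by genesis-scan.

Review the hits above and either:
  - remove the Genesis / patent-IP terms from the staged content, or
  - move the file into an exempt scope (see: $SCANNER --list-patterns), or
  - bypass explicitly (use sparingly):
        GENESIS_GUARD_BYPASS=1 git commit ...

EOF
exit 2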