feat(rules): block inline gcloud sql import / export

lapc506 · lapc506 · commit 94fa041958c5 · 2026-05-21T16:54:16.000-06:00
Adds gcloud Cloud SQL CLI to the inline-db-mutation family. Both
directions are blocked:

- `gcloud sql import sql|csv|bak ...` — the obvious mutation surface,
  overwrites target DB state from a GCS-hosted dump.
- `gcloud sql export sql|csv|bak ...` — included because production
  exports cost IOPS and (when carrying PII) require data-handling
  approval; the discipline (versioned script with documented purpose)
  applies equally to both directions.

Versioned-script wrappers under scripts/ or bin/ remain allowed.
Bypass via `# hook-bypass: db-mutation-rule` or the per-repo sentinel
`.no-make-no-mistakes-db-mutation`.

Tests: 7 (4 block + 2 allow + 1 bypass).

Brings the inline-db-mutation family to 6 rules (mysql, psql, sqlite,
mongo, redis, gcloud-sql) and 38 rules total. 262 / 262 tests pass.
diff --git a/hooks/rules/rules.json b/hooks/rules/rules.json
@@ -3314,5 +3314,96 @@
         "expected_exit": 0
       }
     ]
+  },
+  {
+    "id": "inline-db-mutation-gcloud-sql",
+    "description": "Block inline `gcloud sql import` / `gcloud sql export` (use a versioned script in scripts/ or bin/ that documents the source/destination)",
+    "applies_to": [
+      "Bash"
+    ],
+    "match": [
+      {
+        "field": "command",
+        "pattern": "\\bgcloud[[:space:]]+sql[[:space:]]+(import|export)[[:space:]]+(sql|csv|bak)\\b",
+        "flags": "i"
+      },
+      {
+        "field": "command",
+        "not_pattern": "^[[:space:]]*(\\./scripts/|bash[[:space:]]+scripts/|\\./bin/|bash[[:space:]]+bin/|sh[[:space:]]+scripts/|sh[[:space:]]+bin/)"
+      }
+    ],
+    "action": "block",
+    "bypass_marker": "db-mutation-rule",
+    "disable_if_repo_file": ".no-make-no-mistakes-db-mutation",
+    "memory_ref": "feedback_scripts_not_db.md",
+    "references": [
+      "feedback_never_touch_prod_without_approval.md (production guardrail)"
+    ],
+    "message": "BLOCKED: inline `gcloud sql import` / `gcloud sql export` detected.\n\nImports overwrite target DB state. Exports against production cost\nIOPS and (when carrying PII) violate the data-handling guidelines.\nBoth belong in a versioned script that documents:\n  - source / destination instance IDs (PROD vs STAGING)\n  - dump version (timestamped GCS URI)\n  - PII-handling approval if any\n  - rollback procedure\n\nBypass marker: `db-mutation-rule`. Per-repo opt-out:\n`touch .no-make-no-mistakes-db-mutation` at the root.\n",
+    "tests": [
+      {
+        "name": "blocks-gcloud-sql-import-sql",
+        "input": {
+          "tool_input": {
+            "command": "gcloud sql import sql my-instance gs://backups/dump.sql --database=mydb"
+          }
+        },
+        "expected_exit": 2
+      },
+      {
+        "name": "blocks-gcloud-sql-export-sql",
+        "input": {
+          "tool_input": {
+            "command": "gcloud sql export sql my-instance gs://backups/dump.sql --database=mydb"
+          }
+        },
+        "expected_exit": 2
+      },
+      {
+        "name": "blocks-gcloud-sql-import-csv",
+        "input": {
+          "tool_input": {
+            "command": "gcloud sql import csv my-instance gs://backups/users.csv --database=mydb --table=users"
+          }
+        },
+        "expected_exit": 2
+      },
+      {
+        "name": "blocks-gcloud-sql-export-bak",
+        "input": {
+          "tool_input": {
+            "command": "gcloud sql export bak my-instance gs://backups/dump.bak --database=mydb"
+          }
+        },
+        "expected_exit": 2
+      },
+      {
+        "name": "allows-gcloud-sql-instances-list",
+        "input": {
+          "tool_input": {
+            "command": "gcloud sql instances list --project=myproject"
+          }
+        },
+        "expected_exit": 0
+      },
+      {
+        "name": "allows-gcloud-sql-via-versioned-script",
+        "input": {
+          "tool_input": {
+            "command": "./scripts/sql-import.sh my-instance gs://backups/dump.sql"
+          }
+        },
+        "expected_exit": 0
+      },
+      {
+        "name": "allows-bypass-marker",
+        "input": {
+          "tool_input": {
+            "command": "gcloud sql import sql my-instance gs://backups/dump.sql --database=mydb # hook-bypass: db-mutation-rule"
+          }
+        },
+        "expected_exit": 0
+      }
+    ]
   }
 ]
diff --git a/hooks/rules/rules.yaml b/hooks/rules/rules.yaml
@@ -2680,3 +2680,72 @@
           command: 'redis-cli FLUSHALL # hook-bypass: db-mutation-rule'
       expected_exit: 0
 
+- id: inline-db-mutation-gcloud-sql
+  description: Block inline `gcloud sql import` / `gcloud sql export` (use a versioned script in scripts/ or bin/ that documents the source/destination)
+  applies_to: [Bash]
+  match:
+    # Positive: import/export of SQL or CSV dumps via the gcloud SQL CLI.
+    # Both directions are blocked: import is the obvious mutation surface;
+    # export is included because exports against PRODUCTION leak PII and
+    # consume IOPS, so the discipline (versioned script with documented
+    # purpose) applies equally.
+    - field: command
+      pattern: '\bgcloud[[:space:]]+sql[[:space:]]+(import|export)[[:space:]]+(sql|csv|bak)\b'
+      flags: i
+    - field: command
+      not_pattern: '^[[:space:]]*(\./scripts/|bash[[:space:]]+scripts/|\./bin/|bash[[:space:]]+bin/|sh[[:space:]]+scripts/|sh[[:space:]]+bin/)'
+  action: block
+  bypass_marker: db-mutation-rule
+  disable_if_repo_file: .no-make-no-mistakes-db-mutation
+  memory_ref: feedback_scripts_not_db.md
+  references:
+    - "feedback_never_touch_prod_without_approval.md (production guardrail)"
+  message: |
+    BLOCKED: inline `gcloud sql import` / `gcloud sql export` detected.
+
+    Imports overwrite target DB state. Exports against production cost
+    IOPS and (when carrying PII) violate the data-handling guidelines.
+    Both belong in a versioned script that documents:
+      - source / destination instance IDs (PROD vs STAGING)
+      - dump version (timestamped GCS URI)
+      - PII-handling approval if any
+      - rollback procedure
+
+    Bypass marker: `db-mutation-rule`. Per-repo opt-out:
+    `touch .no-make-no-mistakes-db-mutation` at the root.
+  tests:
+    - name: blocks-gcloud-sql-import-sql
+      input:
+        tool_input:
+          command: 'gcloud sql import sql my-instance gs://backups/dump.sql --database=mydb'
+      expected_exit: 2
+    - name: blocks-gcloud-sql-export-sql
+      input:
+        tool_input:
+          command: 'gcloud sql export sql my-instance gs://backups/dump.sql --database=mydb'
+      expected_exit: 2
+    - name: blocks-gcloud-sql-import-csv
+      input:
+        tool_input:
+          command: 'gcloud sql import csv my-instance gs://backups/users.csv --database=mydb --table=users'
+      expected_exit: 2
+    - name: blocks-gcloud-sql-export-bak
+      input:
+        tool_input:
+          command: 'gcloud sql export bak my-instance gs://backups/dump.bak --database=mydb'
+      expected_exit: 2
+    - name: allows-gcloud-sql-instances-list
+      input:
+        tool_input:
+          command: 'gcloud sql instances list --project=myproject'
+      expected_exit: 0
+    - name: allows-gcloud-sql-via-versioned-script
+      input:
+        tool_input:
+          command: './scripts/sql-import.sh my-instance gs://backups/dump.sql'
+      expected_exit: 0
+    - name: allows-bypass-marker
+      input:
+        tool_input:
+          command: 'gcloud sql import sql my-instance gs://backups/dump.sql --database=mydb # hook-bypass: db-mutation-rule'
+      expected_exit: 0
