#!/bin/bash
# Baudbot pre-commit hook — protects security-critical files from agent modification.
#
# Install (root-owned so agent cannot modify or delete):
# sudo cp ~/baudbot/hooks/pre-commit ~/baudbot/.git/hooks/pre-commit
# sudo chown root:root ~/baudbot/.git/hooks/pre-commit
# sudo chmod 755 ~/baudbot/.git/hooks/pre-commit
#
# The agent can freely modify:
# - pi/skills/ (operational knowledge)
# - pi/extensions/ (non-security extensions like zen-provider.ts, auto-name.ts, etc.)
# - gateway-bridge/bridge.mjs (non-security bridge code)
# - README.md, .gitignore, etc.
#
# The agent CANNOT modify (blocked by this hook):
# - bin/ (security scripts: tool deny lists, firewall, audit, hardening)
# - pi/extensions/tool-guard.ts (and its tests)
# - gateway-bridge/security.mjs (and its tests)
# - SECURITY.md
# - setup.sh
# - start.sh
# - hooks/ (this hook's source)
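set -euo pipefail

# NOTE(review): a client-side hook is a guard rail, not an enforcement boundary.
# `git commit --no-verify` (mentioned in the message below) and a writable
# .git/config with core.hooksPath both skip it; pair this with a server-side
# check (pre-receive hook or branch protection) for anything that must hold.

# Matched by prefix: any path starting with one of these strings is protected
# (directories end in "/", the bare names also catch e.g. setup.sh.bak).
PROTECTED_PREFIXES=(
  "bin/"
  "hooks/"
  "setup.sh"
  "start.sh"
  "SECURITY.md"
)

# Matched exactly.
PROTECTED_FILES=(
  "pi/extensions/tool-guard.ts"
  "pi/extensions/tool-guard.test.mjs"
  "gateway-bridge/security.mjs"
  "gateway-bridge/security.test.mjs"
  # Legacy compat path (symlink)
  "slack-bridge/security.mjs"
  "slack-bridge/security.test.mjs"
)

#######################################
# Decide whether a repo-relative path is admin-managed.
# Globals:   PROTECTED_PREFIXES, PROTECTED_FILES (read)
# Arguments: $1 - path as printed by git, relative to the repo root
# Returns:   0 if protected, 1 otherwise
#######################################
is_protected() {
  local path=$1 prefix protected
  for prefix in "${PROTECTED_PREFIXES[@]}"; do
    if [[ "$path" == "$prefix"* ]]; then
      return 0
    fi
  done
  for protected in "${PROTECTED_FILES[@]}"; do
    if [[ "$path" == "$protected" ]]; then
      return 0
    fi
  done
  return 1
}

# Collect the staged paths, NUL-delimited.
#  -z           : git prints raw names; without it, paths containing non-ASCII
#                 or special bytes come out quoted ("bin/\303\251...") and the
#                 prefix match above would not see "bin/" at the start.
#  --no-renames : a moved protected file is reported as a deletion of its old
#                 path (which is blocked) instead of only its new, unprotected
#                 path.
# Git runs pre-commit from the root of the working tree, so the names are
# repo-relative. The list goes through a temp file rather than a process
# substitution so a failing `git diff` aborts the hook under `set -e`
# (fail closed) instead of yielding an empty list (fail open).
tmp=$(mktemp) || exit 1
trap 'rm -f -- "$tmp"' EXIT
git diff --cached --name-only -z --no-renames --diff-filter=ACDMR > "$tmp"

staged=()
while IFS= read -r -d '' path; do
  staged+=("$path")
done < "$tmp"

# ${arr[@]+"${arr[@]}"} keeps `set -u` happy on bash < 4.4 when the array is empty.
blocked=()
for path in ${staged[@]+"${staged[@]}"}; do
  if is_protected "$path"; then
    blocked+=("$path")
  fi
done

if (( ${#blocked[@]} > 0 )); then
  printf '\n'
  printf '🛡️ COMMIT BLOCKED — protected security files modified:\n'
  printf '\n'
  for f in "${blocked[@]}"; do
    printf ' ✗ %s\n' "$f"
  done
  printf '\n'
  printf 'These files are admin-managed. To modify them:\n'
  printf ' 1. Ask the admin to make the change\n'
  printf ' 2. Or use: git commit --no-verify (admin only)\n'
  printf '\n'
  exit 1
fi

# ── Lint & format staged JS/TS files ────────────────────────────────────────
# Auto-fix lint/format issues on staged files and re-stage them.
# Skips if biome is not available (e.g., agent runtime without devDependencies).
# Only files that still exist in the working tree are considered: staged
# deletions have nothing to lint or re-add.
js_files=()
for path in ${staged[@]+"${staged[@]}"}; do
  if [[ -f "$path" && "$path" =~ \.(ts|js|mjs|mts|cjs|cts|jsx|tsx)$ ]]; then
    js_files+=("$path")
  fi
done

if (( ${#js_files[@]} > 0 )) && command -v npx >/dev/null 2>&1; then
  # --no-install: run biome only if it is already installed locally; a commit
  # hook must never fetch and execute a package from the registry on its own.
  if npx --no-install biome --version >/dev/null 2>&1; then
    # Best-effort: lint failures must not block the commit (the protection
    # check above is the only gate), so errors are deliberately swallowed.
    npx --no-install biome check --write --no-errors-on-unmatched "${js_files[@]}" 2>/dev/null || true
    # Re-stage whatever biome rewrote. NOTE: this stages the full working-tree
    # version of each file, so unstaged hunks in those files are swept in too.
    git add -- "${js_files[@]}" 2>/dev/null || true
  fi
fi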