boma/.claude/hooks/guard-vault-preflight.sh


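#!/usr/bin/env bash
#
# PreToolUse guard (Bash): block `git commit` when the rbw vault agent is locked.
# The pre-commit ansible-lint hook decrypts vault.yml via rbw, so a commit while
# locked fails deep with a confusing error. This catches it early with a clear fix.
#
# Fails OPEN: only blocks on a definitive "rbw present AND not unlocked" signal.
# If rbw is missing, the command isn't a plain `git commit`, or hooks are skipped
# (`--no-verify` or its short form `-n`), the action is allowed.
#
# Input : hook payload as JSON on stdin; the Bash tool's command line is read
#         from .tool_input.command.
# Output: nothing on allow; a one-line PreToolUse "deny" JSON on block.
# Exit  : always 0 — the decision is carried by the JSON, never by the status.
#
set -uo pipefail

# Every "allow" path is the same: no output, exit 0.
allow() { exit 0; }

input=$(cat 2>/dev/null) || allow
# jq missing, unreadable or non-JSON input → no command to inspect → allow.
cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // empty' 2>/dev/null) || allow

# Substring check on the whole command line. Aliases (`git ci`) or
# `git -c … commit` are not recognised; that only ever means "allow".
case "$cmd" in
  *"git commit"*) ;; # a git commit — check further
  *) allow ;;        # not a commit — allow
esac

# Hooks are skipped by `--no-verify` and by `-n`, so the pre-commit hook that
# needs the vault never runs and there is nothing to guard. `-n` is accepted as
# a whitespace-delimited short-option token, possibly clustered with other
# short flags (`-an`, `-nm`). An unrelated `-n` elsewhere on the line (e.g.
# `echo -n`) also allows, which keeps the guard on the fail-open side.
case "$cmd" in
  *"--no-verify"*) allow ;; # hooks skipped anyway — allow
esac
short_no_verify_re='(^|[[:space:]])-[[:alpha:]]*n[[:alpha:]]*([[:space:]]|$)'
if [[ "$cmd" =~ $short_no_verify_re ]]; then
  allow # `-n` given — hooks skipped — allow
fi

command -v rbw >/dev/null 2>&1 || allow # rbw not installed — allow
rbw unlocked >/dev/null 2>&1 && allow   # unlocked — allow

# rbw present but not unlocked (locked or agent not running) — the commit would
# fail in the pre-commit hook, so block early with guidance. The JSON is a
# static here-doc (quoted delimiter): nothing from the command line is echoed
# back, so the payload cannot be influenced by the inspected command.
cat <<'JSON'
{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"rbw is locked — the pre-commit ansible-lint hook needs the vault password to decrypt vault.yml. Run: rbw unlock"}}
JSON
exit 0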