boma/.claude/hooks/guard-generated-files.sh


#!/usr/bin/env bash
#
# PreToolUse guard (Write|Edit): refuse edits to generated inventory files.
#
# `inventories/<env>/hosts.yml` is written by tf_to_inventory.py; a hand edit is
# lost on the next `make tf-inventory`. The git pre-commit hooks do NOT catch
# this, so the hook enforces it at tool-use time.
#
# Input:  the hook payload as JSON on stdin. Only `.tool_input.file_path` is read;
#         a payload without it (or an unreadable/unparsable one) is allowed.
# Output: one "deny" decision line on stdout when the path matches, else nothing.
# Exit:   always 0 — the decision travels in the JSON, never in the exit status.
#
# Fails OPEN on purpose: any read/parse error (including a missing `jq`) lets the
# action through rather than wedging tool use.
#
# Limitations worth knowing: the check is a plain pattern match on the path string
# the tool reports — no realpath/symlink canonicalisation — and a tool call whose
# payload carries no `tool_input.file_path` is never inspected here.
set -uo pipefail

#######################################
# Emit the deny decision for a generated inventory path.
# Outputs: the fixed hookSpecificOutput JSON payload, one line, to stdout.
#######################################
deny_generated_inventory() {
  printf '%s\n' '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"inventories/<env>/hosts.yml is GENERATED by tf_to_inventory.py. Edit terraform/environments/<env>/main.tf (local.vms) and run `make tf-inventory`. The control node is the documented manual exception (docs/runbooks/new-host.md)."}}'
}

#######################################
# Decide whether a path is a generated per-environment inventory.
# Arguments: $1 - file path as reported by the tool (relative or absolute)
# Returns:   0 when it matches inventories/<env>/hosts.yml, 1 otherwise
# Note: `*` in a [[ == pattern ]] also spans `/`, so deeper paths below
# inventories/ ending in hosts.yml match as well.
#######################################
is_generated_inventory() {
  local path=$1
  [[ "$path" == */inventories/*/hosts.yml || "$path" == inventories/*/hosts.yml ]]
}

#######################################
# Pull `.tool_input.file_path` out of the hook payload on stdin.
# Outputs: the path (may be empty when absent) to stdout
# Returns: non-zero when stdin cannot be read or jq fails/is missing
#######################################
file_path_from_payload() {
  local payload
  payload=$(cat 2>/dev/null) || return 1
  jq -r '.tool_input.file_path // empty' <<<"$payload" 2>/dev/null
}

#######################################
# Entry point: allow by default, deny only for a matching generated path.
#######################################
main() {
  local file
  # Fail open: unreadable input or a jq error must not block the tool.
  file=$(file_path_from_payload) || return 0
  [[ -n "$file" ]] || return 0
  if is_generated_inventory "$file"; then
    deny_generated_inventory
  fi
  return 0
}

main "$@"