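#!/usr/bin/env bash
#
# PreToolUse guard (Bash): block `git commit` when the rbw vault agent is locked.
#
# The pre-commit ansible-lint hook decrypts vault.yml via rbw, so a commit while
# locked fails deep with a confusing error. This catches it early with a clear fix.
#
# Input:  hook JSON on stdin; only `.tool_input.command` is read.
# Output: when blocking, a PreToolUse `permissionDecision: deny` object on stdout.
# Exit:   always 0 — the decision is carried by the JSON, not the exit status.
#
# Fails OPEN: only blocks on a definitive "rbw present AND not unlocked" signal.
# If stdin is unreadable, jq is missing, the command isn't a plain `git commit`,
# `--no-verify` is used, or rbw is missing, the action is allowed.
#
# Known gaps (all fail open or over-block, never execute anything):
#   - `git commit -n` (short form of --no-verify) and `-c core.hooksPath=...`
#     are not recognised, so such a commit may be blocked although the
#     pre-commit hook would not run — the deny message still tells the user how
#     to proceed.
#   - `git -C dir commit` / `git -c k=v commit` do not contain the literal
#     "git commit" and pass through unchecked.
#
# The command string is only ever compared against glob patterns in `case`; it
# is never executed, eval'd or interpolated, so hostile content in it cannot
# influence anything beyond allow/deny.
set -uo pipefail   # deliberately no -e: an unexpected failure must allow, not block

input=$(cat 2>/dev/null) || exit 0
cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // empty' 2>/dev/null) || exit 0

# Only a genuine `git commit` invocation reaches the vault check: the subcommand
# must be followed by end-of-string or whitespace, so plumbing such as
# `git commit-tree` / `git commit-graph` (which never run pre-commit) is allowed.
case "$cmd" in
  *"git commit"|*"git commit"[[:space:]]*) ;;   # a git commit — check further
  *) exit 0 ;;                                  # not a commit — allow
esac

# Hooks are skipped entirely, so a locked vault is irrelevant.
case "$cmd" in
  *"--no-verify"*) exit 0 ;;
esac

command -v rbw >/dev/null 2>&1 || exit 0   # rbw not installed — allow

# `rbw unlocked` exits 0 only when the agent is up and the vault is unlocked.
# NOTE(review): rbw may auto-start its agent as a side effect of this call and
# should not prompt (stdin is already consumed) — confirm if the hook ever
# appears to hang; a hung check here delays, but does not wrongly block, the commit.
if rbw unlocked >/dev/null 2>&1; then
  exit 0   # unlocked — allow
fi

# rbw present but not unlocked (locked or agent not running) — the commit would
# fail in the pre-commit hook, so block early with guidance. Quoted heredoc: the
# JSON is emitted verbatim, nothing from $cmd is interpolated into it.
cat <<'JSON'
{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"rbw is locked — the pre-commit ansible-lint hook needs the vault password to decrypt vault.yml. Run: rbw unlock"}}
JSON
exit 0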