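#!/usr/bin/env bash
#
# PreToolUse guard (Bash): block `git commit` when the rbw vault agent is locked.
# The pre-commit ansible-lint hook decrypts vault.yml via rbw, so a commit while
# locked fails deep with a confusing error. This catches it early with a clear fix.
#
# Fails OPEN: only blocks on a definitive "rbw present AND not unlocked" signal.
# If rbw is missing, stdin is not a hook payload, the command isn't a plain
# `git commit`, or `--no-verify` is used, the action is allowed.
#
# Input:  hook JSON on stdin; only `.tool_input.command` is read, and it is never
#         evaluated — it is only pattern-matched.
# Output: a PreToolUse deny decision as JSON on stdout when blocking, else nothing.
# Exit:   always 0 (the decision is carried in the JSON, never in the status).
#
# Deliberately no `set -e`: every step must fail open, so each one handles its
# own status instead of aborting the script.
set -uo pipefail

#######################################
# Decide whether a command line runs `git commit` (the subcommand that fires
# the pre-commit hook). `git commit` is matched as a whole word so that
# `git commit-tree` / `git commit-graph`, which run no hooks, are not denied.
# Arguments: $1 - the command string from the hook payload
# Returns:   0 if it is a git commit, 1 otherwise
#######################################
is_git_commit() {
  local command_line=$1
  # A non-word character (space, `;`, `&`, `|`, newline) or end-of-string must
  # follow "commit" — a `-` or letter would mean a different subcommand.
  [[ "$command_line" =~ git[[:space:]]+commit([^[:alnum:]_-]|$) ]]
}

#######################################
# Decide whether the command skips git hooks, which makes the guard moot.
# Only the long form `--no-verify` is recognised: the short `-n` is too
# ambiguous to match safely, and missing it only costs a spurious deny whose
# message already says how to unlock.
# Arguments: $1 - the command string from the hook payload
# Returns:   0 if hooks are skipped, 1 otherwise
#######################################
skips_hooks() {
  case "$1" in
    *"--no-verify"*) return 0 ;;
    *) return 1 ;;
  esac
}

#######################################
# Report whether rbw is in a state that would break the pre-commit hook.
# Returns:   0 if rbw is installed but not unlocked (locked, or agent not
#            running); 1 if rbw is absent or unlocked
#######################################
rbw_is_locked() {
  command -v rbw >/dev/null 2>&1 || return 1   # rbw not installed — allow
  if rbw unlocked >/dev/null 2>&1; then
    return 1                                    # unlocked — allow
  fi
  return 0
}

#######################################
# Emit the deny decision the hook runner expects.
# Outputs:   PreToolUse JSON on stdout
#######################################
emit_deny() {
  cat <<'JSON'
{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"rbw is locked — the pre-commit ansible-lint hook needs the vault password to decrypt vault.yml. Run: rbw unlock"}}
JSON
}

#######################################
# Read the hook payload from stdin and print a deny decision when needed.
# Arguments: none (payload on stdin)
# Outputs:   deny JSON on stdout, or nothing
# Returns:   0 always (fail open)
#######################################
main() {
  local input cmd
  input=$(cat 2>/dev/null) || return 0
  # Missing jq, malformed JSON or an absent field all yield nothing — allow.
  cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // empty' 2>/dev/null) || return 0
  [[ -n "$cmd" ]] || return 0
  is_git_commit "$cmd" || return 0   # not a commit — allow
  skips_hooks "$cmd" && return 0     # hooks skipped anyway — allow
  rbw_is_locked || return 0          # absent or unlocked — allow
  # rbw present but not unlocked — the commit would fail in the pre-commit
  # hook, so block early with guidance.
  emit_deny
  return 0
}

main "$@"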