#!/usr/bin/env bash
#
# PreToolUse guard (Write|Edit): block edits to generated inventory files.
# `inventories/*/hosts.yml` is produced by tf_to_inventory.py — editing it by
# hand is overwritten on the next `make tf-inventory`. The git pre-commit hooks do
# NOT catch this, so we enforce it here.
#
# Fails OPEN: any parsing/other error allows the action (never wedge tool use).
# Deliberately no `set -e`: every failure path must end in a plain `exit 0`.
#
set -uo pipefail

#######################################
# Read the hook payload from stdin and extract the path being edited.
# Outputs:   the file path on stdout (empty when the payload has none)
# Returns:   non-zero when stdin or jq fails; the caller treats that as "allow"
#######################################
target_path() {
  local payload
  payload=$(cat 2>/dev/null) || return 1
  printf '%s' "$payload" | jq -r '.tool_input.file_path // empty' 2>/dev/null
}

#######################################
# Print the deny decision consumed by the hook runner.
# NOTE(review): "inventories//hosts.yml" and "environments//main.tf" in the
# reason text look like a stripped <env> placeholder — confirm against the
# original source before changing; the string is kept verbatim here.
#######################################
deny_generated_inventory() {
  cat <<'JSON'
{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"inventories//hosts.yml is GENERATED by tf_to_inventory.py. Edit terraform/environments//main.tf (local.vms) and run `make tf-inventory`. The control node is the documented manual exception (docs/runbooks/new-host.md)."}}
JSON
}

#######################################
# Entry point. Always exits 0: a deny is signalled by the JSON on stdout,
# an allow by printing nothing.
#######################################
main() {
  local target
  target=$(target_path) || exit 0
  [[ -n "$target" ]] || exit 0

  # Purely textual match on the path the tool reported — no normalisation or
  # symlink resolution — covering both repo-relative and absolute spellings.
  # `*` in a [[ == ]] pattern matches across '/', exactly like the case glob.
  if [[ "$target" == */inventories/*/hosts.yml || "$target" == inventories/*/hosts.yml ]]; then
    deny_generated_inventory
  fi
  exit 0
}

main