Two project hooks (deny-only, fail open): block Write/Edit of generated inventories/<env>/hosts.yml, and block git commit when the rbw vault agent is locked. Both pipe-tested across all paths. Activate with a Claude Code restart (the watcher only tracks settings.json present at session start).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
25 lines
1,023 B
Bash
Executable file
#!/usr/bin/env bash
#
# PreToolUse guard (Write|Edit): block edits to generated inventory files.
# `inventories/<env>/hosts.yml` is produced by tf_to_inventory.py — editing it by
# hand is overwritten on the next `make tf-inventory`. The git pre-commit hooks do
# NOT catch this, so we enforce it here.
#
# Fails OPEN: any parsing/other error allows the action (never wedge tool use).
#
set -uo pipefail

# The hook receives the tool call as JSON on stdin. Every step ends in `|| exit 0`
# (and with pipefail a missing/failing jq also exits 0): that is the fail-open.
input=$(cat 2>/dev/null) || exit 0
file=$(printf '%s' "$input" | jq -r '.tool_input.file_path // empty' 2>/dev/null) || exit 0
[ -n "$file" ] || exit 0

# `*` in a case pattern also matches `/`, so the first alternative covers absolute
# and repo-prefixed paths and the second a bare relative path.
case "$file" in
  */inventories/*/hosts.yml | inventories/*/hosts.yml)
    cat <<'JSON'
{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"inventories/<env>/hosts.yml is GENERATED by tf_to_inventory.py. Edit terraform/environments/<env>/main.tf (local.vms) and run `make tf-inventory`. The control node is the documented manual exception (docs/runbooks/new-host.md)."}}
JSON
    exit 0
    ;;
esac

exit 0
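The commit message says the hook was pipe-tested across all paths. The block below is an added example, not the project's hook or its test suite: a Python model of the same deny-only, fail-open PreToolUse decision, with constructed stdin payloads covering a matching relative path, a matching absolute path, unrelated files, a missing file_path, malformed JSON and empty input. It generalizes the single case pattern to a list of fnmatch patterns (an assumption, not something the page does); fnmatch's `*` matches `/` just like a bash case `*`, so the two patterns keep the hook's semantics. The deny reason is shortened from the hook's text.

```python
"""Added example: a Python model of the fail-open PreToolUse guard.

Not the project's code. Assumptions: GUARDED_PATTERNS generalizes the hook's
single case statement to a list; decide() returns None to mean "allow".
"""
import fnmatch
import json
import sys
from typing import Optional

# Same two alternatives as the hook's case statement. fnmatch '*' matches '/'
# (like bash case '*'), so any directory prefix is accepted by the first one.
GUARDED_PATTERNS = [
    "*/inventories/*/hosts.yml",
    "inventories/*/hosts.yml",
]

DENY_REASON = (
    "inventories/<env>/hosts.yml is GENERATED by tf_to_inventory.py. "
    "Edit terraform/environments/<env>/main.tf (local.vms) and run "
    "`make tf-inventory`."
)


def is_guarded(path: str) -> bool:
    """True when the path is one of the generated inventory files."""
    return any(fnmatch.fnmatchcase(path, pat) for pat in GUARDED_PATTERNS)


def decide(raw_stdin: str) -> Optional[dict]:
    """Return the hook's stdout payload (a deny) or None (allow, print nothing).

    Fails OPEN: malformed JSON, a non-object payload, a missing or empty
    file_path, or any other error yields None, mirroring the hook's `|| exit 0`.
    """
    try:
        payload = json.loads(raw_stdin)
        path = payload.get("tool_input", {}).get("file_path")
        if not isinstance(path, str) or not path:
            return None
        if not is_guarded(path):
            return None
        return {
            "hookSpecificOutput": {
                "hookEventName": "PreToolUse",
                "permissionDecision": "deny",
                "permissionDecisionReason": DENY_REASON,
            }
        }
    except Exception:  # deny-only guard: never wedge tool use on our own bugs
        return None


# Constructed stdin payloads (not captured from a real session).
CASES = {
    "relative match": '{"tool_name":"Write","tool_input":{"file_path":"inventories/prod/hosts.yml"}}',
    "absolute match": '{"tool_name":"Edit","tool_input":{"file_path":"/srv/repo/inventories/dev/hosts.yml"}}',
    "sibling file": '{"tool_input":{"file_path":"inventories/prod/group_vars/all.yml"}}',
    "terraform source": '{"tool_input":{"file_path":"terraform/environments/prod/main.tf"}}',
    "wrong extension": '{"tool_input":{"file_path":"inventories/prod/hosts.yaml"}}',
    "no file_path": '{"tool_input":{"command":"ls"}}',
    "non-object": '[1, 2, 3]',
    "malformed": '{not json',
    "empty": '',
}


def pipe_test() -> dict:
    """Map each constructed case to True (denied) or False (allowed)."""
    return {name: decide(raw) is not None for name, raw in CASES.items()}


if __name__ == "__main__":
    # Run as a hook: read the tool call from stdin, print a deny or nothing.
    out = decide(sys.stdin.read())
    if out is not None:
        print(json.dumps(out))
    sys.exit(0)
```

Run with no stdin redirection and it behaves as the hook would (prints the deny JSON only for a guarded path, exits 0 either way); call `pipe_test()` to see the allow/deny outcome for every constructed case. Only the two "match" cases should come back True; everything else, including the malformed and empty payloads, must be allowed, which is exactly the fail-open property the commit message calls out.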