Two project hooks (deny-only, fail open): block Write/Edit of generated inventories/<env>/hosts.yml, and block git commit when the rbw vault agent is locked. Both pipe-tested across all paths. Activate with a Claude Code restart (the watcher only tracks settings.json present at session start). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
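#!/usr/bin/env bash
#
# PreToolUse guard (Bash): block `git commit` when the rbw vault agent is locked.
#
# The pre-commit ansible-lint hook decrypts vault.yml via rbw, so a commit while
# locked fails deep with a confusing error. This catches it early with a clear fix.
#
# Input:  the hook payload as JSON on stdin; only `.tool_input.command` is read.
# Output: nothing when the action is allowed; one line of JSON with
#         `hookSpecificOutput.permissionDecision = "deny"` when it is blocked.
# Exit:   always 0 — the decision is carried in the JSON, never in the status.
#
# Fails OPEN: only blocks on a definitive "rbw present AND not unlocked" signal.
# If rbw is missing, the command isn't a plain `git commit`, or `--no-verify`
# (or its short form `-n`) is used, the action is allowed. A payload that cannot
# be read or parsed (empty stdin, missing jq) is allowed as well.
#
set -uo pipefail

# Read the whole payload; a read failure is not a reason to block.
input=$(cat 2>/dev/null) || exit 0
# Extract the shell command about to run. `// empty` yields "" when the key is
# absent or null; a missing or failing jq is caught by `|| exit 0` (pipefail).
cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // empty' 2>/dev/null) || exit 0

# Only a plain `git commit` that will actually run the pre-commit hook matters.
# Substring matching is deliberately loose: anything that looks like hooks are
# skipped, or that is not recognisably a commit, falls through to allow.
case "$cmd" in
  *"--no-verify"*) exit 0 ;;   # hooks skipped anyway — allow
  *" -n "*|*" -n") exit 0 ;;   # short form of --no-verify — allow
  *"git commit"*) ;;           # a git commit — check further
  *) exit 0 ;;                 # not a commit — allow
esac

command -v rbw >/dev/null 2>&1 || exit 0 # rbw not installed — allow

# The exit status of `rbw unlocked` is the only signal used; a non-zero status
# covers both a locked vault and an agent that is not running.
if rbw unlocked >/dev/null 2>&1; then
  exit 0 # unlocked — allow
fi

# rbw present but not unlocked (locked or agent not running) — the commit would
# fail in the pre-commit hook, so block early with guidance.
cat <<'JSON'
{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"rbw is locked — the pre-commit ansible-lint hook needs the vault password to decrypt vault.yml. Run: rbw unlock"}}
JSON
exit 0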