diff --git a/lib/git-crypt.sh b/lib/git-crypt.sh index ce64ad1..874d35e 100644 --- a/lib/git-crypt.sh +++ b/lib/git-crypt.sh @@ -16,7 +16,7 @@ gcrypt_export_key() { mkdir -p "${KEYS_DIR}" git-crypt export-key "$key_path" success "Symmetric key exported to: $key_path" - warn "Action required: Store this key in Vaultwarden and remove it from local disk." + warn "Action required: store this key in Vaultwarden and delete it from disk." } gcrypt_verify() { @@ -162,9 +162,16 @@ gcrypt_print_key_instructions() { echo " Name: \"${genome_name} key\"" echo " Note: " echo "" - echo " 3. For AI Server / Runtime Injection:" - echo " export BW_SESSION=\$(bw unlock --raw)" + echo " 3. Delete from disk:" + echo " rm ${KEYS_DIR}/${genome_name}.key" + echo "" + echo " 4. Runtime injection on AI server (no key on disk):" + echo " bw config server ${v_url}" + echo " export BW_SESSION=\$(bw unlock --passwordenv BW_MASTER_PASSWORD --raw)" echo " git-crypt unlock <(bw get notes \"${genome_name} key\" --session \"\$BW_SESSION\" | base64 -d)" + echo "" + echo " NOTE: use 'bw' (standard Bitwarden CLI), NOT 'bws'." + echo " 'bws' is the Secrets Manager CLI and does not work with Vaultwarden." } gcrypt_print_runtime_model() { @@ -181,13 +188,13 @@ gcrypt_print_runtime_model() { echo " smudge filter. Obsidian reads them as normal Markdown." echo "" echo " On the AI VM:" - echo " Same as laptop when unlocked. Use runtime injection (step 5" - echo " above) so the key is never written to disk." + echo " Same as laptop when unlocked. Use runtime injection so the" + echo " key is never written to disk." echo "" echo " Limitation:" echo " Encryption does NOT protect against a full server compromise" - echo " where an attacker has root access to a machine where the repo" - echo " is already unlocked. Runtime injection mitigates this." + echo " where an attacker has root access to an already-unlocked repo." + echo " Runtime injection mitigates this risk." echo " ─────────────────────────────────────────────────────────────" echo "" } diff --git a/templates/agents-genome.md b/templates/agents-genome.md index 863e305..95df73b 100644 --- a/templates/agents-genome.md +++ b/templates/agents-genome.md @@ -38,6 +38,9 @@ current prompt, you MUST operate in `disabled` mode. Never infer or assume the v - **Never leak private synthesis into public `wiki/concepts/` or `wiki/sources/`.** - Prefix every response that draws on private data with: `[PRIVATE DATA INCLUDED]` +### Pre-commit failures: +If a commit is rejected by the pre-commit hook with a **"PLAINTEXT LEAK DETECTED"** warning, **DO NOT** attempt to bypass it with `--no-verify`. Stop the session and ask the operator to verify the encryption state and `.gitattributes`. + ### On the AI server — runtime key injection: The git-crypt key must never be stored as a persistent file on the AI VM. ```bash diff --git a/templates/pre-commit.sh b/templates/pre-commit.sh index 1985fc6..649b850 100644 --- a/templates/pre-commit.sh +++ b/templates/pre-commit.sh @@ -10,6 +10,13 @@ set -euo pipefail PRIVATE_PATTERNS=("raw/private/" "wiki/private/") FAILED=0 +# Check on git-crypt +if [[ ! -d ".git-crypt" ]]; then + echo -e "\n\033[0;31m[CRITICAL] git-crypt is not initialized in this repository.\033[0m" + echo "Run 'git-crypt init' and 'make setup' before committing." + exit 1 +fi + # Get staged files (excluding deletions) STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || true)