Compare commits


No commits in common. "dcb90f0fb66b73389ba9bcf54d3d0b63ef8bc292" and "fa8d293fca9f1a72d7f76de8a5f25b59ca56da1f" have entirely different histories.

4 changed files with 41 additions and 41 deletions


@ -1,14 +1,17 @@
# --- Encryption Rules for Genomes ---
# These directories are stored as encrypted AES-256 blobs on the remote server.
# They require git-crypt and the specific genome key to be readable.
raw/private/** filter=git-crypt diff=git-crypt
wiki/private/** filter=git-crypt diff=git-crypt
# --- Binary Integrity ---
# Prevent line-ending conversion for encrypted files to avoid corruption.
raw/private/** -text
wiki/private/** -text
# --- Standard Text Configuration --- # --- Standard Text Configuration ---
*.md text eol=lf *.md text eol=lf
*.sh text eol=lf *.sh text eol=lf
*.env text eol=lf *.env text eol=lf
Makefile text eol=lf Makefile text eol=lf
# --- Encryption Rules ---
# MUST come after text rules: in .gitattributes the last matching rule wins per attribute.
# Placing **/private/** here ensures -text overrides the *.md text=lf rule above,
# preventing EOL conversion from corrupting AES-256 encrypted blobs.
#
# **/private/** catches any private/ directory at any depth in the repo,
# including directories created at runtime by the LLM agent.
**/private/** filter=git-crypt diff=git-crypt -text


@ -1,47 +1,49 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# ============================================================================= # =============================================================================
# .git/hooks/pre-commit # .git/hooks/pre-commit
# Fail-safe security hook: prevents plaintext commits of encrypted files. # Fail-safe security hook: Prevents plaintext leaks of sensitive data.
# Reads encryption requirements dynamically from .gitattributes via
# git check-attr — no hardcoded paths, inherits all future rules automatically.
# ============================================================================= # =============================================================================
set -euo pipefail set -euo pipefail
# Directories that MUST be encrypted
PRIVATE_PATTERNS=("raw/private/" "wiki/private/")
FAILED=0 FAILED=0
# Verify git-crypt is initialized # Check on git-crypt
if [[ ! -d ".git-crypt" ]]; then if [[ ! -d ".git-crypt" ]]; then
printf "\n\033[0;31m[CRITICAL] git-crypt not initialized.\033[0m\n" echo -e "\n\033[0;31m[CRITICAL] git-crypt is not initialized in this repository.\033[0m"
printf "Run 'git-crypt init' and 'make setup' before committing.\n" echo "Run 'git-crypt init' and 'make setup' before committing."
exit 1 exit 1
fi fi
# Get staged files (additions, copies, modifications — no deletions) # Get staged files (excluding deletions)
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || true) STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || true)
[[ -z "$STAGED_FILES" ]] && exit 0 if [[ -z "$STAGED_FILES" ]]; then
exit 0
fi
for pattern in "${PRIVATE_PATTERNS[@]}"; do
while IFS= read -r file; do while IFS= read -r file; do
# Dynamically check if this file requires git-crypt encryption if [[ "$file" == ${pattern}* ]]; then
filter=$(git check-attr filter -- "$file" 2>/dev/null | sed 's/.*: //') # Check encryption status via git-crypt
[[ "$filter" != "git-crypt" ]] && continue STATUS=$(git-crypt status "$file" 2>/dev/null || echo "error")
if echo "$STATUS" | grep -q "not encrypted"; then
# File is required to be encrypted — verify it actually is echo -e "\n\033[0;31m[SECURITY ALERT] PLAINTEXT LEAK DETECTED\033[0m"
status=$(git-crypt status "$file" 2>/dev/null || printf "error") echo "-----------------------------------------------------------"
if printf '%s\n' "$status" | grep -q "not encrypted"; then echo "File: $file"
printf "\n\033[0;31m[SECURITY ALERT] PLAINTEXT LEAK DETECTED\033[0m\n" echo "Status: This file is in a private/ folder but is NOT encrypted."
printf -- "-----------------------------------------------------------\n" echo "Action: Fix your .gitattributes or run 'git-crypt init'."
printf "File: %s\n" "$file" echo "-----------------------------------------------------------"
printf "Status: Marked for git-crypt in .gitattributes but NOT encrypted.\n"
printf "Action: Verify .gitattributes rules and re-run 'git-crypt init'.\n"
printf -- "-----------------------------------------------------------\n"
FAILED=1 FAILED=1
fi fi
fi
done <<< "$STAGED_FILES" done <<< "$STAGED_FILES"
done
if [[ "$FAILED" -ne 0 ]]; then if [[ "$FAILED" -ne 0 ]]; then
printf "\n\033[0;31mCommit blocked: security policy violation.\033[0m\n\n" echo -e "\033[0;31mCommit blocked for security reasons.\033[0m\n"
exit 1 exit 1
fi fi
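Review bot: The `STATUS=$(git-crypt status "$file" 2>/dev/null || echo "error")` line fails open: if git-crypt is absent from PATH or the call errors for any other reason, STATUS becomes `error`, the `grep -q "not encrypted"` test is false and the file is accepted, which is the opposite of what a fail-safe hook should do (the other side's `|| printf "error"` has the same gap, so the commit does not address it). Treat a non-zero exit as a violation as in the rewrite below, and consider a `command -v git-crypt` check next to the existing `.git-crypt` directory test. Assuming the PRIVATE_PATTERNS text is the new side, the hardcoded `raw/private/` and `wiki/private/` prefixes are narrower than the `**/private/**` rule in the .gitattributes hunk above, so a staged file under a nested private/ directory is never examined; `git check-attr filter -- "$file"` (visible on the other side of this hunk) would keep hook and attributes in step. Separately, git-crypt reports attribute-matched files that were staged in plaintext with an upper-case `NOT ENCRYPTED` warning (confirm against the installed version), which the case-sensitive grep misses, so `grep -qi "not encrypted"` would catch both forms. The reintroduced `echo -e` escape handling is also less portable than the `printf` calls it replaces.
```shell
    if [[ "$file" == "${pattern}"* ]]; then
      # Check encryption status via git-crypt; any failure must block the commit, not pass it
      if ! STATUS=$(git-crypt status "$file" 2>/dev/null); then
        printf '[CRITICAL] git-crypt status failed for: %s\n' "$file" >&2
        FAILED=1
        continue
      fi
      if printf '%s\n' "$STATUS" | grep -qi "not encrypted"; then
        # … unchanged: alert output and FAILED=1 …
```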


@ -11,8 +11,7 @@ private: false
**[AGENT INSTRUCTION]** **[AGENT INSTRUCTION]**
This is the primary navigation file. Read it first on every session before accessing individual pages. This is the primary navigation file. Read it first on every session before accessing individual pages.
Append new entries at the bottom of the relevant section — do not reorder or rewrite sections. Maintain strict alphabetical sorting within each section.
Alphabetical sorting is handled automatically by the pre-commit hook.
Update `last_updated` in the YAML frontmatter on every edit. Update `last_updated` in the YAML frontmatter on every edit.
Entry format: `- [[folder/slug]] — One-line summary. \`maturity: <value>\`` Entry format: `- [[folder/slug]] — One-line summary. \`maturity: <value>\``


@ -9,10 +9,6 @@ private: false
# Operations Log: {{GENOME_NAME}} # Operations Log: {{GENOME_NAME}}
**[ORCHESTRATOR]**
Inject only the last 20 entries into agent context: `tail -n 20 wiki/log.md`
The agent must never load or read the full log file — it grows unbounded.
**[AGENT INSTRUCTION]** **[AGENT INSTRUCTION]**
This is an append-only system ledger. Never edit or delete previous entries. This is an append-only system ledger. Never edit or delete previous entries.
Append new entries at the bottom using the format defined below. Append new entries at the bottom using the format defined below.