

3 commits

4 changed files with 41 additions and 41 deletions


@ -1,17 +1,14 @@
# --- Encryption Rules for Genomes ---
# These directories are stored as encrypted AES-256 blobs on the remote server.
# They require git-crypt and the specific genome key to be readable.
raw/private/** filter=git-crypt diff=git-crypt
wiki/private/** filter=git-crypt diff=git-crypt
# --- Binary Integrity ---
# Prevent line-ending conversion for encrypted files to avoid corruption.
raw/private/** -text
wiki/private/** -text
# --- Standard Text Configuration --- # --- Standard Text Configuration ---
*.md text eol=lf *.md text eol=lf
*.sh text eol=lf *.sh text eol=lf
*.env text eol=lf *.env text eol=lf
Makefile text eol=lf Makefile text eol=lf
# --- Encryption Rules ---
# MUST come after text rules: in .gitattributes the last matching rule wins per attribute.
# Placing **/private/** here ensures -text overrides the *.md text=lf rule above,
# preventing EOL conversion from corrupting AES-256 encrypted blobs.
#
# **/private/** catches any private/ directory at any depth in the repo,
# including directories created at runtime by the LLM agent.
**/private/** filter=git-crypt diff=git-crypt -text
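Review bot: Widening the rule to `**/private/**` does not retroactively protect files under newly matched directories that are already tracked in plaintext; as I recall git-crypt only runs the clean filter when a path is (re)staged, so existing blobs stay readable in the index and in history until they are re-added and the old commits are treated as exposed. The comment block above line 33 is the place to say so, e.g. `# NOTE: adding a path here does not re-encrypt files already tracked in plaintext — run 'git-crypt status -f' or re-stage them, and treat earlier plaintext commits as leaked.` The `-text` explanation is right as far as it goes, but it depends on `eol=lf` being inert once `text` is unset (per the gitattributes documentation `eol` only applies when `text` is set or unspecified), and a one-line comment stating that assumption would stop the next maintainer from "fixing" the order. Also worth noting in the comment that a `Private/` directory on a case-sensitive filesystem, or a file literally named `private`, will not match this pattern.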


@ -1,49 +1,47 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# ============================================================================= # =============================================================================
# .git/hooks/pre-commit # .git/hooks/pre-commit
# Fail-safe security hook: Prevents plaintext leaks of sensitive data. # Fail-safe security hook: prevents plaintext commits of encrypted files.
# Reads encryption requirements dynamically from .gitattributes via
# git check-attr — no hardcoded paths, inherits all future rules automatically.
# ============================================================================= # =============================================================================
set -euo pipefail set -euo pipefail
# Directories that MUST be encrypted
PRIVATE_PATTERNS=("raw/private/" "wiki/private/")
FAILED=0 FAILED=0
# Check on git-crypt # Verify git-crypt is initialized
if [[ ! -d ".git-crypt" ]]; then if [[ ! -d ".git-crypt" ]]; then
echo -e "\n\033[0;31m[CRITICAL] git-crypt is not initialized in this repository.\033[0m" printf "\n\033[0;31m[CRITICAL] git-crypt not initialized.\033[0m\n"
echo "Run 'git-crypt init' and 'make setup' before committing." printf "Run 'git-crypt init' and 'make setup' before committing.\n"
exit 1 exit 1
fi fi
# Get staged files (excluding deletions) # Get staged files (additions, copies, modifications — no deletions)
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || true) STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || true)
if [[ -z "$STAGED_FILES" ]]; then [[ -z "$STAGED_FILES" ]] && exit 0
exit 0
fi
for pattern in "${PRIVATE_PATTERNS[@]}"; do while IFS= read -r file; do
while IFS= read -r file; do # Dynamically check if this file requires git-crypt encryption
if [[ "$file" == ${pattern}* ]]; then filter=$(git check-attr filter -- "$file" 2>/dev/null | sed 's/.*: //')
# Check encryption status via git-crypt [[ "$filter" != "git-crypt" ]] && continue
STATUS=$(git-crypt status "$file" 2>/dev/null || echo "error")
if echo "$STATUS" | grep -q "not encrypted"; then # File is required to be encrypted — verify it actually is
echo -e "\n\033[0;31m[SECURITY ALERT] PLAINTEXT LEAK DETECTED\033[0m" status=$(git-crypt status "$file" 2>/dev/null || printf "error")
echo "-----------------------------------------------------------" if printf '%s\n' "$status" | grep -q "not encrypted"; then
echo "File: $file" printf "\n\033[0;31m[SECURITY ALERT] PLAINTEXT LEAK DETECTED\033[0m\n"
echo "Status: This file is in a private/ folder but is NOT encrypted." printf -- "-----------------------------------------------------------\n"
echo "Action: Fix your .gitattributes or run 'git-crypt init'." printf "File: %s\n" "$file"
echo "-----------------------------------------------------------" printf "Status: Marked for git-crypt in .gitattributes but NOT encrypted.\n"
printf "Action: Verify .gitattributes rules and re-run 'git-crypt init'.\n"
printf -- "-----------------------------------------------------------\n"
FAILED=1 FAILED=1
fi fi
fi done <<< "$STAGED_FILES"
done <<< "$STAGED_FILES"
done
if [[ "$FAILED" -ne 0 ]]; then if [[ "$FAILED" -ne 0 ]]; then
echo -e "\033[0;31mCommit blocked for security reasons.\033[0m\n" printf "\n\033[0;31mCommit blocked: security policy violation.\033[0m\n\n"
exit 1 exit 1
fi fi
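Review bot: The check at the `status=` / `if printf` lines fails open: when `git-crypt status` exits non-zero (binary missing, repository locked, filter config gone) `status` becomes the literal `error`, which never matches `not encrypted`, so the commit is allowed through despite the "fail-safe" claim in the header. Treat the error case as a block and keep stderr, e.g. `status=$(git-crypt status "$file" 2>&1) || status="error"` followed by `if [[ "$status" == "error" ]] || printf '%s\n' "$status" | grep -qi "not encrypted"; then`. The `-i` matters because, as I recall, git-crypt reports a plaintext blob on an attribute-matched path with an upper-case `... is NOT encrypted!` warning rather than the lower-case `not encrypted:` prefix it uses for unmatched paths, so the current case-sensitive grep would skip exactly the case this hook exists for — verify against the installed git-crypt version. The `-d .git-crypt` test only proves the key store was committed, not that the filters are active: after `git-crypt lock` the directory still exists but new files stage as plaintext, so `git config --get filter.git-crypt.clean >/dev/null || exit 1` is the stronger guard. Finally, `[[ "$filter" != "git-crypt" ]] && continue` skips paths that use a named key (`filter=git-crypt-<name>`), and the wiki index in this same change now says the hook sorts entries, which nothing in this file does.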


@ -11,7 +11,8 @@ private: false
**[AGENT INSTRUCTION]** **[AGENT INSTRUCTION]**
This is the primary navigation file. Read it first on every session before accessing individual pages. This is the primary navigation file. Read it first on every session before accessing individual pages.
Maintain strict alphabetical sorting within each section. Append new entries at the bottom of the relevant section — do not reorder or rewrite sections.
Alphabetical sorting is handled automatically by the pre-commit hook.
Update `last_updated` in the YAML frontmatter on every edit. Update `last_updated` in the YAML frontmatter on every edit.
Entry format: `- [[folder/slug]] — One-line summary. \`maturity: <value>\`` Entry format: `- [[folder/slug]] — One-line summary. \`maturity: <value>\``


@ -9,6 +9,10 @@ private: false
# Operations Log: {{GENOME_NAME}} # Operations Log: {{GENOME_NAME}}
**[ORCHESTRATOR]**
Inject only the last 20 entries into agent context: `tail -n 20 wiki/log.md`
The agent must never load or read the full log file — it grows unbounded.
**[AGENT INSTRUCTION]** **[AGENT INSTRUCTION]**
This is an append-only system ledger. Never edit or delete previous entries. This is an append-only system ledger. Never edit or delete previous entries.
Append new entries at the bottom using the format defined below. Append new entries at the bottom using the format defined below.