Compare commits
3 commits
fa8d293fca
...
dcb90f0fb6
| Author | SHA1 | Date | |
|---|---|---|---|
| dcb90f0fb6 | |||
| 55834529a7 | |||
| 73a031b677 |
4 changed files with 41 additions and 41 deletions
@ -1,17 +1,14 @@
|
|||
# --- Encryption Rules for Genomes ---
|
||||
# These directories are stored as encrypted AES-256 blobs on the remote server.
|
||||
# They require git-crypt and the specific genome key to be readable.
|
||||
|
||||
raw/private/** filter=git-crypt diff=git-crypt
|
||||
wiki/private/** filter=git-crypt diff=git-crypt
|
||||
|
||||
# --- Binary Integrity ---
|
||||
# Prevent line-ending conversion for encrypted files to avoid corruption.
|
||||
raw/private/** -text
|
||||
wiki/private/** -text
|
||||
|
||||
# --- Standard Text Configuration ---
|
||||
*.md text eol=lf
|
||||
*.sh text eol=lf
|
||||
*.env text eol=lf
|
||||
Makefile text eol=lf
|
||||
|
||||
# --- Encryption Rules ---
|
||||
# MUST come after text rules: in .gitattributes the last matching rule wins per attribute.
|
||||
# Placing **/private/** here ensures -text overrides the *.md text=lf rule above,
|
||||
# preventing EOL conversion from corrupting AES-256 encrypted blobs.
|
||||
#
|
||||
# **/private/** catches any private/ directory at any depth in the repo,
|
||||
# including directories created at runtime by the LLM agent.
|
||||
**/private/** filter=git-crypt diff=git-crypt -text
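Review bot: `**/private/**` on the last line is a directory-name match, so any directory called `private` at any depth — including a vendored or generated tree that happens to use that name, if one ever appears — now receives the git-crypt filter and `-text`, while a file holding secrets that is not under a `private/` directory (a top-level `.env`, say, which only the `*.env text eol=lf` rule above touches) is committed in plaintext. The comment describes why the rule sits last but not this boundary, and the pre-commit hook inherits exactly this boundary through `git check-attr`, so it is worth stating here. I would append to the comment block: `# Scope: encryption is keyed on the directory name only; files outside a private/ directory (e.g. *.env at the repo root) are NOT encrypted by this file.`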
|
||||
|
|
|
|||
|
|
@ -1,49 +1,47 @@
|
|||
#!/usr/bin/env bash
|
||||
# =============================================================================
|
||||
# .git/hooks/pre-commit
|
||||
# Fail-safe security hook: Prevents plaintext leaks of sensitive data.
|
||||
# Fail-safe security hook: prevents plaintext commits of encrypted files.
|
||||
# Reads encryption requirements dynamically from .gitattributes via
|
||||
# git check-attr — no hardcoded paths, inherits all future rules automatically.
|
||||
# =============================================================================
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# Directories that MUST be encrypted
|
||||
PRIVATE_PATTERNS=("raw/private/" "wiki/private/")
|
||||
FAILED=0
|
||||
|
||||
# Check on git-crypt
|
||||
# Verify git-crypt is initialized
|
||||
if [[ ! -d ".git-crypt" ]]; then
|
||||
echo -e "\n\033[0;31m[CRITICAL] git-crypt is not initialized in this repository.\033[0m"
|
||||
echo "Run 'git-crypt init' and 'make setup' before committing."
|
||||
printf "\n\033[0;31m[CRITICAL] git-crypt not initialized.\033[0m\n"
|
||||
printf "Run 'git-crypt init' and 'make setup' before committing.\n"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Get staged files (excluding deletions)
|
||||
# Get staged files (additions, copies, modifications — no deletions)
|
||||
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || true)
|
||||
|
||||
if [[ -z "$STAGED_FILES" ]]; then
|
||||
exit 0
|
||||
fi
|
||||
[[ -z "$STAGED_FILES" ]] && exit 0
|
||||
|
||||
for pattern in "${PRIVATE_PATTERNS[@]}"; do
|
||||
while IFS= read -r file; do
|
||||
if [[ "$file" == ${pattern}* ]]; then
|
||||
# Check encryption status via git-crypt
|
||||
STATUS=$(git-crypt status "$file" 2>/dev/null || echo "error")
|
||||
if echo "$STATUS" | grep -q "not encrypted"; then
|
||||
echo -e "\n\033[0;31m[SECURITY ALERT] PLAINTEXT LEAK DETECTED\033[0m"
|
||||
echo "-----------------------------------------------------------"
|
||||
echo "File: $file"
|
||||
echo "Status: This file is in a private/ folder but is NOT encrypted."
|
||||
echo "Action: Fix your .gitattributes or run 'git-crypt init'."
|
||||
echo "-----------------------------------------------------------"
|
||||
# Dynamically check if this file requires git-crypt encryption
|
||||
filter=$(git check-attr filter -- "$file" 2>/dev/null | sed 's/.*: //')
|
||||
[[ "$filter" != "git-crypt" ]] && continue
|
||||
|
||||
# File is required to be encrypted — verify it actually is
|
||||
status=$(git-crypt status "$file" 2>/dev/null || printf "error")
|
||||
if printf '%s\n' "$status" | grep -q "not encrypted"; then
|
||||
printf "\n\033[0;31m[SECURITY ALERT] PLAINTEXT LEAK DETECTED\033[0m\n"
|
||||
printf -- "-----------------------------------------------------------\n"
|
||||
printf "File: %s\n" "$file"
|
||||
printf "Status: Marked for git-crypt in .gitattributes but NOT encrypted.\n"
|
||||
printf "Action: Verify .gitattributes rules and re-run 'git-crypt init'.\n"
|
||||
printf -- "-----------------------------------------------------------\n"
|
||||
FAILED=1
|
||||
fi
|
||||
fi
|
||||
done <<< "$STAGED_FILES"
|
||||
done
|
||||
|
||||
if [[ "$FAILED" -ne 0 ]]; then
|
||||
echo -e "\033[0;31mCommit blocked for security reasons.\033[0m\n"
|
||||
printf "\n\033[0;31mCommit blocked: security policy violation.\033[0m\n\n"
|
||||
exit 1
|
||||
fi
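Review bot: The status check `status=$(git-crypt status "$file" 2>/dev/null || printf "error")` fails open: if git-crypt is absent from PATH or exits non-zero, `status` is the string `error`, which never matches `not encrypted`, so the file is allowed through and the header's "fail-safe" claim does not hold. The same shape repeats one step earlier, where `git diff --cached --name-only` is newline-delimited and, with the default `core.quotePath`, prints non-ASCII paths quoted and escaped; such a path reaches `git check-attr` in quoted form, comes back `unspecified`, and is skipped by the `continue`. It is also worth confirming against git-crypt's real `status` output whether its plaintext-in-index report is literally `not encrypted` — I recall it differing in casing — so requiring a positive `encrypted:` line and matching the negative case-insensitively closes the gap either way. The rewrite below reads paths NUL-delimited (which also drops the now-unneeded `STAGED_FILES`/`[[ -z … ]] && exit 0` pair) and blocks on anything other than a clean positive report.
```shell
# … unchanged: header comment, set -euo pipefail, FAILED=0, git-crypt init check …

# Staged files (additions, copies, modifications — no deletions), NUL-delimited so
# paths with spaces, newlines or non-ASCII bytes reach check-attr unquoted.
while IFS= read -r -d '' file; do
  # Dynamically check if this file requires git-crypt encryption; a failing
  # check-attr must not look like "no filter".
  filter=$(git check-attr filter -- "$file" | sed 's/.*: //') || filter="error"
  [[ "$filter" != "git-crypt" ]] && continue

  # Fail closed: a missing/failing git-crypt, or any report other than a clean
  # "encrypted:" line, blocks the commit.
  status=$(git-crypt status "$file" 2>/dev/null) || status="error"
  if ! printf '%s\n' "$status" | grep -q '^ *encrypted:' \
     || printf '%s\n' "$status" | grep -qi 'not encrypted'; then
    # … unchanged: alert banner printf lines …
    FAILED=1
  fi
done < <(git diff --cached --name-only -z --diff-filter=ACM)

# … unchanged: final FAILED check and exit …
```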
|
||||
|
||||
|
|
|
|||
|
|
@ -11,7 +11,8 @@ private: false
|
|||
|
||||
**[AGENT INSTRUCTION]**
|
||||
This is the primary navigation file. Read it first on every session before accessing individual pages.
|
||||
Maintain strict alphabetical sorting within each section.
|
||||
Append new entries at the bottom of the relevant section — do not reorder or rewrite sections.
|
||||
Alphabetical sorting is handled automatically by the pre-commit hook.
|
||||
Update `last_updated` in the YAML frontmatter on every edit.
|
||||
Entry format: `- [[folder/slug]] — One-line summary. \`maturity: <value>\``
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,10 @@ private: false
|
|||
|
||||
# Operations Log: {{GENOME_NAME}}
|
||||
|
||||
**[ORCHESTRATOR]**
|
||||
Inject only the last 20 entries into agent context: `tail -n 20 wiki/log.md`
|
||||
The agent must never load or read the full log file — it grows unbounded.
|
||||
|
||||
**[AGENT INSTRUCTION]**
|
||||
This is an append-only system ledger. Never edit or delete previous entries.
|
||||
Append new entries at the bottom using the format defined below.
|
||||
|
|
|
|||