knowledge-genome-orchestrator/templates/pre-commit.sh

50 lines
1.6 KiB
Bash

#!/usr/bin/env bash
# =============================================================================
# .git/hooks/pre-commit
# Fail-safe security hook: Prevents plaintext leaks of sensitive data.
# =============================================================================
set -euo pipefail
# Directories that MUST be encrypted
PRIVATE_PATTERNS=("raw/private/" "wiki/private/")
FAILED=0
# Check on git-crypt
if [[ ! -d ".git-crypt" ]]; then
echo -e "\n\033[0;31m[CRITICAL] git-crypt is not initialized in this repository.\033[0m"
echo "Run 'git-crypt init' and 'make setup' before committing."
exit 1
fi
# Get staged files (excluding deletions)
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || true)
if [[ -z "$STAGED_FILES" ]]; then
exit 0
fi
for pattern in "${PRIVATE_PATTERNS[@]}"; do
while IFS= read -r file; do
if [[ "$file" == ${pattern}* ]]; then
# Check encryption status via git-crypt
STATUS=$(git-crypt status "$file" 2>/dev/null || echo "error")
if echo "$STATUS" | grep -q "not encrypted"; then
echo -e "\n\033[0;31m[SECURITY ALERT] PLAINTEXT LEAK DETECTED\033[0m"
echo "-----------------------------------------------------------"
echo "File: $file"
echo "Status: This file is in a private/ folder but is NOT encrypted."
echo "Action: Fix your .gitattributes or run 'git-crypt init'."
echo "-----------------------------------------------------------"
FAILED=1
fi
fi
done <<< "$STAGED_FILES"
done
if [[ "$FAILED" -ne 0 ]]; then
echo -e "\033[0;31mCommit blocked for security reasons.\033[0m\n"
exit 1
fi
exit 0