a66bd91721
- Add setup_forge() to bin/disinto: provisions Forgejo via Docker, creates admin + bot users (dev-bot, review-bot), generates API tokens, creates repo, and pushes code — all automated - Rename env vars: CODEBERG_TOKEN→FORGE_TOKEN, REVIEW_BOT_TOKEN→ FORGE_REVIEW_TOKEN, CODEBERG_REPO→FORGE_REPO, CODEBERG_API→ FORGE_API, CODEBERG_WEB→FORGE_WEB, CODEBERG_BOT_USERNAMES→ FORGE_BOT_USERNAMES (with backwards-compat fallbacks) - Rename API helpers: codeberg_api()→forge_api(), codeberg_api_all() →forge_api_all() (with compat aliases) - Add forge_url field to project TOML; load-project.sh derives FORGE_API/FORGE_WEB from forge_url + repo - Update parse_repo_slug() to accept any host URL, not just codeberg - Forgejo data stored under ~/.disinto/forgejo/ (not in factory repo) - Update all 58 files: agent scripts, formulas, docs, site HTML Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
143 lines
6.6 KiB
Bash
Executable file
143 lines
6.6 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# on-pretooluse-guard.sh — PreToolUse hook: guard destructive operations.
|
|
#
|
|
# Called by Claude Code before executing a Bash command in agent sessions.
|
|
# Blocks:
|
|
# - git push --force / -f to primary branch
|
|
# - rm -rf targeting paths outside the worktree
|
|
# - Direct forge API merge calls (should go through phase protocol)
|
|
# - Direct issue close calls (should go through phase protocol)
|
|
# - git checkout / git switch to primary branch (stay on feature branch)
|
|
# - FACTORY_ROOT access from worktrees (formula agents exempted)
|
|
# - System commands (kill, docker, tmux) outside supervisor sessions
|
|
#
|
|
# Usage (in .claude/settings.json):
|
|
# {"type":"command","command":"this-script <primary_branch> <worktree_path> [session_name]"}
|
|
#
|
|
# Args: $1 = primary branch (default: main), $2 = worktree absolute path,
|
|
# $3 = session name (optional — used to detect formula agents)
|
|
#
|
|
# Exit 0: allow (tool proceeds)
|
|
# Exit 2: deny (reason on stdout — Claude sees it and can self-correct)
|
|
|
|
primary_branch="${1:-main}"
|
|
worktree_path="${2:-}"
|
|
session_name="${3:-}"
|
|
|
|
# Detect formula sessions by session name prefix.
|
|
# Formula agents (supervisor, gardener, planner, predictor) need read access
|
|
# to FACTORY_ROOT for env.sh, AGENTS.md, formulas/, lib/.
|
|
# Supervisor additionally needs write access for system commands.
|
|
is_formula=false
|
|
is_supervisor=false
|
|
case "$session_name" in
|
|
supervisor-*) is_formula=true; is_supervisor=true ;;
|
|
gardener-*|planner-*|predictor-*) is_formula=true ;;
|
|
esac
|
|
|
|
# Resolve FACTORY_ROOT (parent of lib/hooks/ where this script lives)
|
|
factory_root="$(cd "$(dirname "$0")/../.." 2>/dev/null && pwd)"
|
|
|
|
input=$(cat)
|
|
|
|
# Extract the command string from hook JSON
|
|
command_str=$(printf '%s' "$input" | jq -r '.tool_input.command // empty' 2>/dev/null)
|
|
[ -z "$command_str" ] && exit 0
|
|
|
|
# --- Guard 1: force push to primary branch ---
|
|
# Also blocks bare "git push --force" (no branch arg) since the upstream
|
|
# tracking branch might point to the primary branch.
|
|
if printf '%s' "$command_str" | grep -qE '\bgit\s+push\b' \
|
|
&& printf '%s' "$command_str" | grep -qE '(--force|--force-with-lease|\s-[a-zA-Z]*f)\b'; then
|
|
if printf '%s' "$command_str" | grep -qw "$primary_branch"; then
|
|
printf 'BLOCKED: Force-pushing to %s is not allowed. Push to your feature branch instead.\n' "$primary_branch"
|
|
exit 2
|
|
fi
|
|
# Bare force push with no explicit branch — could target primary via upstream
|
|
if ! printf '%s' "$command_str" | grep -qE '\bgit\s+push\s+\S+\s+\S'; then
|
|
printf 'BLOCKED: Bare force-push without an explicit branch is not allowed (upstream may point to %s). Specify your feature branch: git push --force-with-lease origin <branch>\n' "$primary_branch"
|
|
exit 2
|
|
fi
|
|
fi
|
|
|
|
# --- Guard 2: rm -rf outside worktree ---
|
|
if [ -n "$worktree_path" ] \
|
|
&& printf '%s' "$command_str" | grep -qE '\brm\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)\b'; then
|
|
# Extract absolute paths from the command
|
|
abs_paths=$(printf '%s' "$command_str" | grep -oE "/[^[:space:];|&>\"']+" || true)
|
|
if [ -n "$abs_paths" ]; then
|
|
while IFS= read -r p; do
|
|
[ -z "$p" ] && continue
|
|
case "$p" in
|
|
"${worktree_path}"/*|"${worktree_path}") ;; # Inside worktree — allow
|
|
/tmp/*|/tmp) ;; # Temp files — allow (agents use /tmp for scratch)
|
|
/dev/*) ;; # Device paths — allow
|
|
"${factory_root}"/*|"${factory_root}")
|
|
# Formula agents may clean up inside FACTORY_ROOT; others are blocked
|
|
if ! "$is_formula"; then
|
|
printf 'BLOCKED: rm -rf targets %s which is outside the worktree (%s). Only delete files within your worktree.\n' "$p" "$worktree_path"
|
|
exit 2
|
|
fi
|
|
;;
|
|
*)
|
|
printf 'BLOCKED: rm -rf targets %s which is outside the worktree (%s). Only delete files within your worktree.\n' "$p" "$worktree_path"
|
|
exit 2
|
|
;;
|
|
esac
|
|
done <<< "$abs_paths"
|
|
fi
|
|
fi
|
|
|
|
# --- Guard 3: Direct forge API merge calls ---
|
|
if printf '%s' "$command_str" | grep -qE '/pulls/[0-9]+/merge'; then
|
|
printf 'BLOCKED: Direct API merge calls must go through the phase protocol. Push your changes and write PHASE:awaiting_ci — the orchestrator handles merges.\n'
|
|
exit 2
|
|
fi
|
|
|
|
# --- Guard 5: Direct issue close calls ---
|
|
# Defense in depth: Claude should never close issues directly — the orchestrator
|
|
# closes issues after a successful merge via the phase protocol.
|
|
if printf '%s' "$command_str" | grep -qE '/issues/[0-9]+.*state.*closed'; then
|
|
printf 'BLOCKED: Closing issues must go through the phase protocol. Write PHASE:done — the orchestrator closes issues after merge.\n'
|
|
exit 2
|
|
fi
|
|
|
|
# --- Guard 4: checkout/switch to primary branch ---
|
|
# Blocks: git checkout main, git switch main, git switch --detach main, etc.
|
|
# Allows: git checkout -b branch main, git checkout -- file
|
|
escaped_branch=$(printf '%s' "$primary_branch" | sed 's/[.[\*^$()+?{|]/\\&/g')
|
|
if printf '%s' "$command_str" | grep -qE "\bgit\s+(checkout|switch)\s+(-[^ ]+\s+)*${escaped_branch}\b" \
|
|
&& ! printf '%s' "$command_str" | grep -qE '(\s--\s|\s-[bBcC]\s)'; then
|
|
printf 'BLOCKED: Switching to %s is not allowed. Stay on your feature branch.\n' "$primary_branch"
|
|
exit 2
|
|
fi
|
|
|
|
# --- Guard 6: FACTORY_ROOT access from worktrees ---
|
|
# Formula agents (supervisor, gardener, planner, predictor) run in worktrees
|
|
# but need to read FACTORY_ROOT for env.sh, AGENTS.md, formulas/, lib/.
|
|
# Dev/review/action agents must stay inside their worktree.
|
|
# Only matches commands that actually access the filesystem (cd, source, cat,
|
|
# ls, etc.) — not strings that merely mention the path (e.g. in commit messages).
|
|
if [ -n "$worktree_path" ] && [ -n "$factory_root" ] \
|
|
&& [ "$worktree_path" != "$factory_root" ]; then
|
|
escaped_fr=$(printf '%s' "$factory_root" | sed 's/[.[\*^$()+?{|\/]/\\&/g')
|
|
if printf '%s' "$command_str" | grep -qE "(^|\s|&&|\|\||;)(cd|source|\.|\bcat\b|\bls\b|\bread\b|\bhead\b|\btail\b|\bcp\b|\bmv\b)\s+[\"']?${escaped_fr}"; then
|
|
if ! "$is_formula"; then
|
|
printf 'BLOCKED: Accessing %s is not allowed from worktree sessions. Use files within your worktree (%s) instead.\n' "$factory_root" "$worktree_path"
|
|
exit 2
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# --- Guard 7: system commands restricted to supervisor ---
|
|
# Only the supervisor session may run system management commands (kill, docker,
|
|
# tmux send-keys/kill-session). Other agents — including other formula agents —
|
|
# must not manage host processes.
|
|
if ! "$is_supervisor"; then
|
|
if printf '%s' "$command_str" | grep -qE '\b(kill\s+-[0-9A-Z]|\bkill\s+[0-9]|docker\s+(prune|rm|stop|kill)|tmux\s+(kill-session|send-keys))\b'; then
|
|
printf 'BLOCKED: System management commands (kill, docker, tmux) are only allowed in supervisor sessions.\n'
|
|
exit 2
|
|
fi
|
|
fi
|
|
|
|
exit 0
|