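#!/bin/bash
# Validate file operations on sensitive files.
#
# Hook contract (as implemented here): the tool invocation arrives as JSON
# on stdin; the target is taken from .tool_input.file_path; a JSON decision
# is written to stdout when the target's *basename* looks like a credential,
# critical-config or lock file. No output + exit 0 means "allow".
#
# Scope caveats for whoever relies on this as a guardrail:
#   - Only the basename is inspected. Secrets identified by their directory
#     rather than their name (e.g. a file literally called "credentials" with
#     no extension) are not matched; extend SECRET_RE if such files exist here.
#   - Only .tool_input.file_path is read. Tools that carry the target in a
#     different field, or shell commands that write files, are not covered.
#   - The hook fails OPEN: when jq is missing, the payload is unparseable, or
#     there is no file_path, nothing is emitted and the operation proceeds.
#     A warning is written to stderr so the gap is at least visible; change
#     the early returns below if you need fail-closed behaviour.

set -u -o pipefail

# All patterns are matched case-insensitively against the lower-cased
# basename, so "Credentials.JSON" or ".ENV" are caught as well.

# Credential/secret material.
# Note: '^\.(env|env\..*)$' also matches ".env.example" / ".env.sample".
readonly SECRET_RE='^\.(env|env\..*)$|\.pem$|\.key$|credentials\.json$|secrets?\.(json|yaml|yml)$'
# Critical project configuration: ask the user to review rather than block.
readonly CONFIG_RE='^(wrangler\.toml|package\.json|tsconfig\.json)$'
# Package-manager lock files: these should be regenerated, never hand-edited.
readonly LOCK_RE='\.(lock|lockb)$|lock\.json$'

#######################################
# Classify one basename and print the hook decision for it.
# Arguments: $1 - basename of the file being modified
# Outputs:   one JSON decision line on stdout, or nothing if not sensitive
# Returns:   0 always
#######################################
decide() {
  local name=$1
  local lname
  # tr instead of ${name,,}: the shebang is /bin/bash, which is bash 3.2 on
  # macOS and lacks case-conversion expansions.
  lname=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')

  # Order matters: a name matching several classes gets the first decision.
  if [[ "$lname" =~ $SECRET_RE ]]; then
    # NOTE(review): the reason text invites confirmation but the decision is
    # "block"; if a confirmation prompt is intended, "ask" (as used for config
    # files below) may be the right decision. Confirm against the host's
    # hook semantics before changing it.
    printf '%s\n' '{"decision": "block", "reason": "Modifying credential/secret file. Please confirm this change is intentional."}'
  elif [[ "$lname" =~ $CONFIG_RE ]]; then
    printf '%s\n' '{"decision": "ask", "reason": "Modifying critical configuration file. Please review the changes carefully."}'
  elif [[ "$lname" =~ $LOCK_RE ]]; then
    printf '%s\n' '{"decision": "block", "reason": "Lock files should not be manually edited. Use package manager commands instead."}'
  fi
  return 0
}

#######################################
# Entry point: read the hook payload, resolve the target basename, decide.
# Globals:   SECRET_RE, CONFIG_RE, LOCK_RE (read, via decide)
# Inputs:    hook JSON on stdin
# Outputs:   decision JSON on stdout (if any); diagnostics on stderr
# Returns:   0 always, so the host always receives a well-formed result
#######################################
main() {
  local input file_path filename

  if ! command -v jq >/dev/null 2>&1; then
    printf '%s\n' 'validate-file-ops hook: jq not found; sensitive-file check skipped (failing open)' >&2
    return 0
  fi

  input=$(cat)

  # '// empty' yields an empty string when the tool carries no file_path,
  # which is "nothing to check". A jq failure (malformed payload) is reported
  # but, like the original, does not block the operation.
  if ! file_path=$(printf '%s' "$input" | jq -r '.tool_input.file_path // empty'); then
    printf '%s\n' 'validate-file-ops hook: could not parse tool input; sensitive-file check skipped (failing open)' >&2
    return 0
  fi
  if [[ -z "$file_path" ]]; then
    return 0
  fi

  # Only the last path component is classified (see scope caveats above).
  filename=$(basename -- "$file_path")
  decide "$filename"
}

main "$@"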