#!/bin/sh # Root secret-capture guard (arch-review 08 round 2 NF1). # Scans ONLY the staged diff for obvious credential material and blocks the # commit if found. Opt-in: `git config core.hooksPath tools/hooks`. # Bypass a knowing false positive with: git commit --no-verify diff=$(git diff --cached -U0) # 1) Inbound API token: sbk__ token=$(printf '%s\n' "$diff" | grep -nE '^\+.*sbk_[0-9a-f]{16,}_[A-Za-z0-9_-]{20,}') # 2) Plaintext password assignment added to a root-level .txt/.md file. pw=$(printf '%s\n' "$diff" | grep -nE '^\+.*[Pp]assword[0-9]*[[:space:]]*[:=][[:space:]]*[^[:space:]]') if [ -n "$token" ] || [ -n "$pw" ]; then echo "pre-commit: possible secret in staged changes — commit blocked." >&2 [ -n "$token" ] && echo " inbound API token (sbk_...) matched:" >&2 && printf '%s\n' "$token" >&2 [ -n "$pw" ] && echo " plaintext password assignment matched:" >&2 && printf '%s\n' "$pw" >&2 echo "Bypass a false positive with: git commit --no-verify" >&2 exit 1 fi exit 0