@cristiancorreau/forge 2.9.6 → 2.9.8

package/assets/core/hooks/pre-bash-check.py

@@ -1,202 +0,0 @@
-#!/usr/bin/env python3
-"""
-Forge v2 — PreToolUse hook: pre-bash-check.py
-Bloquea comandos destructivos en contexto de producción.
-
-Contexto crítico: el 2026-04-28, --force-reset fue ejecutado accidentalmente
-contra la base de datos de producción de un proyecto real, borrando 225 usuarios
-y 35 formularios (recuperados desde backup de Supabase Pro). Este hook existe
-para que eso nunca vuelva a pasar.
-"""
-
-import json
-import os
-import re
-import sys
-
-
-DEBUG = os.environ.get("DEBUG", "") not in ("", "0", "false", "False")
-
-
-def dbg(msg):
-    if DEBUG:
-        print(f"[forge-hook-debug] {msg}", flush=True)
-
-
-def load_project_yaml():
-    """Walk up from cwd to find project.yaml. Returns dict or {}."""
-    try:
-        import yaml
-        path = os.getcwd()
-        for _ in range(6):
-            candidate = os.path.join(path, "project.yaml")
-            if os.path.isfile(candidate):
-                with open(candidate) as f:
-                    data = yaml.safe_load(f)
-                    return data if isinstance(data, dict) else {}
-            parent = os.path.dirname(path)
-            if parent == path:
-                break
-            path = parent
-    except Exception as e:
-        dbg(f"project.yaml load error: {e}")
-    return {}
-
-
-# ---------------------------------------------------------------------------
-# Patrones peligrosos hardcodeados
-# ---------------------------------------------------------------------------
-
-DANGEROUS_PATTERNS = [
-    (r"--force-reset",                              "--force-reset"),
-    (r"prisma\s+migrate\s+reset",                  "prisma migrate reset"),
-    (r"DROP\s+TABLE",                              "DROP TABLE"),
-    (r"TRUNCATE\s+",                               "TRUNCATE"),
-    (r"DELETE\s+FROM\s+\w+\s*;",                   "DELETE FROM sin WHERE"),
-    (r"DROP\s+DATABASE",                           "DROP DATABASE"),
-    (r"dropdb\s+",                                  "dropdb"),
-    (r"rm\s+-rf\s+/",                               "rm -rf /"),
-    (r"git\s+push\s+--force(?!\s+--with-lease)",   "git push --force sin --with-lease"),
-]
-
-
-def _match_dangerous(command: str) -> tuple[bool, str]:
-    """Retorna (matched, pattern_label). Verifica patrones hardcodeados."""
-    for pattern, label in DANGEROUS_PATTERNS:
-        if re.search(pattern, command, re.IGNORECASE):
-            return True, label
-    return False, ""
-
-
-def _match_project_forbidden(command: str, project: dict) -> tuple[bool, str]:
-    """Verifica patrones forbidden_in_production del project.yaml."""
-    try:
-        rules = project.get("rules", {})
-        forbidden = rules.get("forbidden_in_production", [])
-        if not isinstance(forbidden, list):
-            return False, ""
-        for pattern in forbidden:
-            if re.search(pattern, command):
-                return True, pattern
-    except Exception as e:
-        dbg(f"project.yaml forbidden_in_production error: {e}")
-    return False, ""
-
-
-def _is_production_context(command: str, project: dict) -> bool:
-    """
-    Retorna True si el comando se ejecuta en contexto de producción:
-    - La URL de producción aparece en el comando, o
-    - Variables de entorno PROD_* / PRODUCTION_* están seteadas en el proceso.
-    """
-    # URL de producción del project.yaml
-    deploy = project.get("deploy", {})
-    prod_url = deploy.get("production_url", "") or ""
-    project_id = deploy.get("project_id", "") or ""
-
-    if prod_url and prod_url in command:
-        dbg(f"production context: URL '{prod_url}' encontrada en comando")
-        return True
-    if project_id and project_id in command:
-        dbg(f"production context: project_id '{project_id}' encontrado en comando")
-        return True
-
-    # Variables de entorno que sugieren contexto de producción
-    prod_env_patterns = re.compile(r"^(PROD_|PRODUCTION_|PROD$|PRODUCTION$)", re.IGNORECASE)
-    for key, value in os.environ.items():
-        if prod_env_patterns.match(key) and value:
-            dbg(f"production context: env var '{key}' activa")
-            return True
-
-    return False
-
-
-def _extract_snippet(command: str, max_len: int = 120) -> str:
-    """Retorna un extracto legible del comando."""
-    command = command.strip()
-    if len(command) <= max_len:
-        return command
-    return command[:max_len] + "..."
-
-
-# ---------------------------------------------------------------------------
-# Main
-# ---------------------------------------------------------------------------
-
-def main():
-    try:
-        raw = sys.stdin.read()
-        if not raw.strip():
-            dbg("empty stdin, allowing")
-            sys.exit(0)
-        data = json.loads(raw)
-    except Exception as e:
-        dbg(f"stdin parse error: {e}")
-        sys.exit(0)
-
-    try:
-        tool_name = data.get("tool_name", "")
-        if tool_name != "Bash":
-            sys.exit(0)
-
-        tool_input = data.get("tool_input", {})
-        command = tool_input.get("command", "")
-        if not command:
-            sys.exit(0)
-
-        dbg(f"command: {command[:200]!r}")
-
-        project = load_project_yaml()
-
-        # Verificar patrones peligrosos hardcodeados
-        matched, pattern_label = _match_dangerous(command)
-
-        # Verificar patrones custom del project.yaml
-        if not matched:
-            matched, pattern_label = _match_project_forbidden(command, project)
-
-        if not matched:
-            sys.exit(0)
-
-        # Hay un patrón peligroso — ¿es contexto de producción?
-        in_production = _is_production_context(command, project)
-
-        snippet = _extract_snippet(command)
-
-        if in_production:
-            # BLOQUEAR
-            print(
-                f"forge: BLOQUEADO — comando destructivo detectado en contexto de producción.\n"
-                f"\n"
-                f"  Comando: {snippet}\n"
-                f"  Patrón: {pattern_label}\n"
-                f"\n"
-                f"  Si necesitás ejecutar esto, hacelo MANUALMENTE en la terminal\n"
-                f"  con plena consciencia de que afecta producción.\n"
-                f"\n"
-                f"  Lección del 2026-04-28: --force-reset borró 225 usuarios y\n"
-                f"  35 formularios en producción. Este hook existe por eso.",
-                flush=True,
-            )
-            sys.exit(2)
-        else:
-            # ADVERTIR — no bloquear
-            print(
-                f"forge: ADVERTENCIA — comando potencialmente destructivo detectado.\n"
-                f"\n"
-                f"  Comando: {snippet}\n"
-                f"  Patrón: {pattern_label}\n"
-                f"\n"
-                f"  Si esto apunta a producción, cancela y ejecuta manualmente.\n"
-                f"  Confirmá que el contexto es seguro antes de continuar.",
-                flush=True,
-            )
-            sys.exit(0)
-
-    except Exception as e:
-        dbg(f"unexpected error: {e}")
-        sys.exit(0)
-
-
-if __name__ == "__main__":
-    main()

package/assets/core/hooks/pre-edit-check.py

@@ -1,317 +0,0 @@
-#!/usr/bin/env python3
-"""
-Forge v2 — PreToolUse hook: pre-edit-check.py
-Enforces branch guard, debug detection, and secret detection before file edits.
-"""
-
-import json
-import os
-import re
-import subprocess
-import sys
-
-
-DEBUG = os.environ.get("DEBUG", "") not in ("", "0", "false", "False")
-
-
-def dbg(msg):
-    if DEBUG:
-        print(f"[forge-hook-debug] {msg}", flush=True)
-
-
-def load_project_yaml():
-    """Walk up from cwd to find project.yaml. Returns dict or {}."""
-    try:
-        import yaml
-        path = os.getcwd()
-        for _ in range(6):
-            candidate = os.path.join(path, "project.yaml")
-            if os.path.isfile(candidate):
-                with open(candidate) as f:
-                    data = yaml.safe_load(f)
-                    return data if isinstance(data, dict) else {}
-            parent = os.path.dirname(path)
-            if parent == path:
-                break
-            path = parent
-    except Exception as e:
-        dbg(f"project.yaml load error: {e}")
-    return {}
-
-
-# ---------------------------------------------------------------------------
-# File classification helpers
-# ---------------------------------------------------------------------------
-
-CODE_EXTENSIONS = {
-    ".py", ".ts", ".js", ".tsx", ".jsx",
-    ".php", ".rb", ".go", ".rs", ".java",
-    ".cs", ".cpp", ".c", ".sh",
-}
-
-NON_CODE_EXTENSIONS = {
-    ".md", ".yaml", ".yml", ".json", ".toml", ".txt", ".lock",
-}
-
-ROOT_PROTECTED_NAMES = {"README.md", "CLAUDE.md", "CHANGELOG.md"}
-
-PROTECTED_DIRS = ("docs/", ".claude/")
-
-
-def is_code_file(file_path):
-    """Return True if the file path is considered a code file."""
-    _, ext = os.path.splitext(file_path)
-    if ext.lower() in CODE_EXTENSIONS:
-        return True
-    if ext.lower() in NON_CODE_EXTENSIONS:
-        return False
-    # Default: treat unknown extensions as non-code (safe)
-    return False
-
-
-def is_exempt_from_branch_guard(file_path):
-    """Return True if the file should be exempt from branch-guard blocking."""
-    norm = file_path.replace("\\", "/")
-    # Exempt protected dirs
-    for d in PROTECTED_DIRS:
-        if norm.startswith(d) or f"/{d.rstrip('/')}" in norm:
-            return True
-    # Exempt root-level protected names
-    basename = os.path.basename(norm)
-    if basename in ROOT_PROTECTED_NAMES:
-        return True
-    # Exempt root-level *.md files
-    if basename.endswith(".md") and "/" not in norm.lstrip("./"):
-        return True
-    # Exempt root-level *.yaml / *.json config files
-    if "/" not in norm.lstrip("./"):
-        _, ext = os.path.splitext(basename)
-        if ext.lower() in (".yaml", ".yml", ".json"):
-            return True
-    return False
-
-
-# ---------------------------------------------------------------------------
-# Check 1 — Branch guard
-# ---------------------------------------------------------------------------
-
-PROTECTED_BRANCHES = {"main", "master", "develop"}
-
-
-def check_branch_guard(file_path):
-    """Block code edits on protected branches."""
-    try:
-        result = subprocess.run(
-            ["git", "branch", "--show-current"],
-            capture_output=True,
-            text=True,
-            timeout=5,
-        )
-        branch = result.stdout.strip()
-        dbg(f"current branch: {branch!r}")
-    except Exception as e:
-        dbg(f"git branch error: {e}")
-        return None
-
-    if branch not in PROTECTED_BRANCHES:
-        return None
-
-    if not is_code_file(file_path):
-        return None
-
-    if is_exempt_from_branch_guard(file_path):
-        return None
-
-    return (
-        f"forge: edición bloqueada en {branch}. Crea una feature branch:\n"
-        f"  git checkout -b feature/<tema>-$(date +%Y-%m-%d)"
-    )
-
-
-# ---------------------------------------------------------------------------
-# Check 2 — Debug statements
-# ---------------------------------------------------------------------------
-
-def check_debug_statements(file_path, content):
-    """Warn (not block) if debug statements are found in new content."""
-    _, ext = os.path.splitext(file_path)
-    ext = ext.lower()
-
-    if ext not in CODE_EXTENSIONS:
-        return None
-
-    found = False
-    basename = os.path.basename(file_path)
-    norm = file_path.replace("\\", "/")
-
-    if ext in (".ts", ".js", ".tsx", ".jsx"):
-        if "console.log(" in content or "debugger;" in content:
-            found = True
-
-    elif ext == ".php":
-        if "var_dump(" in content or "dd(" in content or "print_r(" in content:
-            found = True
-
-    elif ext == ".py":
-        # Skip forge scripts and .agentic/ files
-        is_forge_script = basename.startswith("forge") and basename.endswith(".py")
-        in_agentic = ".agentic/" in norm
-        if not is_forge_script and not in_agentic:
-            if "print(" in content:
-                found = True
-
-    elif ext == ".rb":
-        if re.search(r"^\s*(puts |pp |p )", content, re.MULTILINE):
-            found = True
-
-    if found:
-        return (
-            f"forge: debug statement detectado en {file_path}"
-            " — recuerda quitarlo antes del commit"
-        )
-    return None
-
-
-# ---------------------------------------------------------------------------
-# Check 3 — Secret detection
-# ---------------------------------------------------------------------------
-
-SECRET_PATTERN = re.compile(
-    r'(password|passwd|secret|api_key|apikey|token|private_key)\s*[=:]\s*["\'][^"\']{8,}["\']',
-    re.IGNORECASE,
-)
-
-LONG_SECRET_PATTERN = re.compile(
-    r'\b(key|secret|token|password|auth|api_key|apikey)\b\s*[=:]\s*["\'][A-Za-z0-9+/=_\-]{20,}["\']',
-    re.IGNORECASE,
-)
-
-EXEMPT_EXTENSIONS = {".md"}
-EXEMPT_SUFFIXES = (".env.example", ".env.sample")
-TEST_PATTERNS = re.compile(r'\.(test|spec)\.')
-
-
-def is_exempt_from_secret_check(file_path):
-    norm = file_path.replace("\\", "/")
-    basename = os.path.basename(norm)
-    _, ext = os.path.splitext(basename)
-
-    if ext.lower() in EXEMPT_EXTENSIONS:
-        return True
-    for suffix in EXEMPT_SUFFIXES:
-        if norm.endswith(suffix):
-            return True
-    if TEST_PATTERNS.search(basename):
-        return True
-    return False
-
-
-def check_secret_detection(file_path, content):
-    """Block if hardcoded credentials are detected."""
-    if is_exempt_from_secret_check(file_path):
-        return None
-
-    if SECRET_PATTERN.search(content) or LONG_SECRET_PATTERN.search(content):
-        return (
-            f"forge: posible credencial hardcodeada detectada en {file_path}."
-            " Usa variables de entorno."
-        )
-    return None
-
-
-# ---------------------------------------------------------------------------
-# project.yaml — custom forbidden patterns + enterprise mode
-# ---------------------------------------------------------------------------
-
-def check_project_yaml_patterns(file_path, content, project):
-    """Check project.yaml forbidden_patterns if present."""
-    try:
-        rules = project.get("rules", {})
-        forbidden = rules.get("forbidden_patterns", [])
-        if not isinstance(forbidden, list):
-            return None
-        for pattern in forbidden:
-            if re.search(pattern, content):
-                return (
-                    f"forge: patrón prohibido detectado en {file_path} "
-                    f"(regla: {pattern!r})"
-                )
-    except Exception as e:
-        dbg(f"project.yaml patterns error: {e}")
-    return None
-
-
-# ---------------------------------------------------------------------------
-# Main
-# ---------------------------------------------------------------------------
-
-def main():
-    try:
-        raw = sys.stdin.read()
-        if not raw.strip():
-            dbg("empty stdin, allowing")
-            sys.exit(0)
-
-        data = json.loads(raw)
-    except Exception as e:
-        dbg(f"stdin parse error: {e}")
-        sys.exit(0)
-
-    try:
-        tool_name = data.get("tool_name", "")
-        tool_input = data.get("tool_input", {})
-
-        file_path = tool_input.get("file_path", "")
-        if not file_path:
-            sys.exit(0)
-
-        # Determine new content being written
-        if tool_name == "Write":
-            new_content = tool_input.get("content", "")
-        elif tool_name == "Edit":
-            new_content = tool_input.get("new_string", "")
-        else:
-            sys.exit(0)
-
-        dbg(f"tool={tool_name} file={file_path} content_len={len(new_content)}")
-
-        project = load_project_yaml()
-        enterprise_mode = project.get("mode", "") == "enterprise"
-
-        # Check 1 — Branch guard
-        block_msg = check_branch_guard(file_path)
-        if block_msg:
-            print(block_msg, flush=True)
-            sys.exit(2)
-
-        # Check 2 — Debug statements
-        warn_msg = check_debug_statements(file_path, new_content)
-        if warn_msg:
-            if enterprise_mode:
-                print(warn_msg, flush=True)
-                sys.exit(2)
-            else:
-                print(warn_msg, flush=True)
-                # fall through — warning only
-
-        # Check 3 — Secret detection
-        block_msg = check_secret_detection(file_path, new_content)
-        if block_msg:
-            print(block_msg, flush=True)
-            sys.exit(2)
-
-        # project.yaml forbidden patterns
-        block_msg = check_project_yaml_patterns(file_path, new_content, project)
-        if block_msg:
-            print(block_msg, flush=True)
-            sys.exit(2)
-
-    except Exception as e:
-        dbg(f"unexpected error: {e}")
-        sys.exit(0)
-
-    sys.exit(0)
-
-
-if __name__ == "__main__":
-    main()