chainwall 0.1.0

package/hooks/audit-logger.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+#
+# audit-logger.sh — records every tool call to .llm-av/audit.jsonl
+#
+# PostToolUse hook. Purely observational, never blocks (always exits 0).
+# Rotates the log at 10MB.
+#
+
+set -o pipefail
+
+if [[ "${LLMAV_SKIP:-}" == "1" ]]; then
+    # Log bypass even when skipping — audit trail must be complete
+    AUDIT_DIR=".llm-av"
+    AUDIT_FILE="${AUDIT_DIR}/audit.jsonl"
+    mkdir -p "$AUDIT_DIR"
+    TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+    jq -cn \
+        --arg timestamp "$TIMESTAMP" \
+        --arg severity "warn" \
+        --arg category "audit" \
+        --arg pattern "" \
+        --arg tool "audit-logger" \
+        --arg content "LLMAV_SKIP bypass — audit logging skipped" \
+        '{timestamp:$timestamp,severity:$severity,category:$category,pattern:$pattern,tool:$tool,content:$content}' \
+        >> "$AUDIT_FILE" 2>/dev/null
+    exit 0
+fi
+
+# silently skip if jq missing — logging isn't worth breaking the workflow
+if ! command -v jq &> /dev/null; then
+    exit 0
+fi
+
+AUDIT_DIR=".llm-av"
+AUDIT_FILE="${AUDIT_DIR}/audit.jsonl"
+
+mkdir -p "$AUDIT_DIR"
+
+INPUT=$(cat)
+TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // "unknown"')
+HOOK_TYPE=$(echo "$INPUT" | jq -r '.hook_type // "post"')
+SESSION_ID=$(echo "$INPUT" | jq -r '.session_id // empty')
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
+
+SUMMARY=""
+if [[ -n "$COMMAND" ]]; then
+    SUMMARY="${COMMAND:0:100}"
+elif [[ -n "$FILE_PATH" ]]; then
+    SUMMARY="file: $FILE_PATH"
+else
+    SUMMARY="(no command or file)"
+fi
+
+TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+jq -cn \
+    --arg timestamp "$TIMESTAMP" \
+    --arg severity "info" \
+    --arg category "audit" \
+    --arg pattern "" \
+    --arg tool "$TOOL_NAME" \
+    --arg content "$SUMMARY" \
+    '{timestamp:$timestamp,severity:$severity,category:$category,pattern:$pattern,tool:$tool,content:$content}' \
+    >> "$AUDIT_FILE" 2>/dev/null
+
+# rotate at 10MB
+if [[ -f "$AUDIT_FILE" ]]; then
+    SIZE=$(wc -c < "$AUDIT_FILE" 2>/dev/null | tr -d ' ')
+    if [[ "$SIZE" -gt 10485760 ]]; then
+        mv "$AUDIT_FILE" "${AUDIT_FILE}.$(date +%s)" 2>/dev/null
+    fi
+fi
+
+exit 0

package/hooks/detection-lib.sh

@@ -0,0 +1,301 @@
+#!/bin/bash
+#
+# detection-lib.sh — shared pattern library for ChainWall git hooks
+#
+# Provides credential, private key, PII, and dangerous command detection.
+# Sourced by git-pre-commit.sh and git-pre-push.sh.
+#
+# Bash 3.2 compatible. Requires jq.
+#
+
+# --- colors ---
+RED_BOLD=$'\e[1;31m'
+YELLOW=$'\e[33m'
+GREEN=$'\e[32m'
+RESET=$'\e[0m'
+
+# --- config ---
+CONFIG_GLOBAL="${HOME}/.llm-av/config.json"
+CONFIG_PROJECT=".llm-av/config.json"
+
+ALLOW_PATHS=""
+ALLOW_PATTERNS=""
+BLOCK_PATHS=""
+BLOCK_PATTERNS=""
+
+# --- protection toggle ---
+# Returns 0 if protection is disabled (caller should exit 0).
+# Returns 1 if protection is enabled (caller should continue).
+check_protection_enabled() {
+    if [[ -f "$CONFIG_GLOBAL" ]]; then
+        local enabled
+        enabled=$(jq -r 'if .enabled == false then "false" else "true" end' "$CONFIG_GLOBAL" 2>/dev/null)
+        if [[ "$enabled" == "false" ]]; then
+            log_event "info" "protection_disabled" "Real-time protection disabled"
+            return 0
+        fi
+    fi
+    return 1
+}
+
+# --- config loading ---
+load_config() {
+    if [[ -f "$CONFIG_GLOBAL" ]]; then
+        ALLOW_PATHS=$(jq -r '.allowlist.paths[]? // empty' "$CONFIG_GLOBAL" 2>/dev/null | tr '\n' '|')
+        ALLOW_PATTERNS=$(jq -r '.allowlist.patterns[]? // empty' "$CONFIG_GLOBAL" 2>/dev/null | tr '\n' '|')
+        BLOCK_PATHS=$(jq -r '.blocklist.paths[]? // empty' "$CONFIG_GLOBAL" 2>/dev/null | tr '\n' '|')
+        BLOCK_PATTERNS=$(jq -r '.blocklist.patterns[]? // empty' "$CONFIG_GLOBAL" 2>/dev/null | tr '\n' '|')
+    fi
+
+    if [[ -f "$CONFIG_PROJECT" ]]; then
+        local proj_ap proj_apatt proj_bp proj_bpatt
+        proj_ap=$(jq -r '.allowlist.paths[]? // empty' "$CONFIG_PROJECT" 2>/dev/null | tr '\n' '|')
+        proj_apatt=$(jq -r '.allowlist.patterns[]? // empty' "$CONFIG_PROJECT" 2>/dev/null | tr '\n' '|')
+        proj_bp=$(jq -r '.blocklist.paths[]? // empty' "$CONFIG_PROJECT" 2>/dev/null | tr '\n' '|')
+        proj_bpatt=$(jq -r '.blocklist.patterns[]? // empty' "$CONFIG_PROJECT" 2>/dev/null | tr '\n' '|')
+
+        if [[ -n "$proj_ap" ]]; then
+            [[ -n "$ALLOW_PATHS" ]] && ALLOW_PATHS="${ALLOW_PATHS}|${proj_ap}" || ALLOW_PATHS="$proj_ap"
+        fi
+        if [[ -n "$proj_apatt" ]]; then
+            [[ -n "$ALLOW_PATTERNS" ]] && ALLOW_PATTERNS="${ALLOW_PATTERNS}|${proj_apatt}" || ALLOW_PATTERNS="$proj_apatt"
+        fi
+        if [[ -n "$proj_bp" ]]; then
+            [[ -n "$BLOCK_PATHS" ]] && BLOCK_PATHS="${BLOCK_PATHS}|${proj_bp}" || BLOCK_PATHS="$proj_bp"
+        fi
+        if [[ -n "$proj_bpatt" ]]; then
+            [[ -n "$BLOCK_PATTERNS" ]] && BLOCK_PATTERNS="${BLOCK_PATTERNS}|${proj_bpatt}" || BLOCK_PATTERNS="$proj_bpatt"
+        fi
+    fi
+
+    ALLOW_PATHS="${ALLOW_PATHS#|}"; ALLOW_PATHS="${ALLOW_PATHS%|}"
+    ALLOW_PATTERNS="${ALLOW_PATTERNS#|}"; ALLOW_PATTERNS="${ALLOW_PATTERNS%|}"
+    BLOCK_PATHS="${BLOCK_PATHS#|}"; BLOCK_PATHS="${BLOCK_PATHS%|}"
+    BLOCK_PATTERNS="${BLOCK_PATTERNS#|}"; BLOCK_PATTERNS="${BLOCK_PATTERNS%|}"
+}
+
+# --- allowlist check ---
+check_allowlist() {
+    local value="$1"
+    local patterns="$2"
+
+    [[ -z "$patterns" ]] && return 1
+
+    local IFS='|'
+    for pattern in $patterns; do
+        [[ -n "$pattern" ]] && [[ "$value" =~ $pattern ]] && return 0
+    done
+
+    return 1
+}
+
+# --- audit logging ---
+log_event() {
+    local severity="$1"
+    local category="$2"
+    local detail="$3"
+
+    local audit_dir=".llm-av"
+    local audit_file="${audit_dir}/audit.jsonl"
+    mkdir -p "$audit_dir"
+
+    local timestamp
+    timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+    jq -cn \
+        --arg timestamp "$timestamp" \
+        --arg severity "$severity" \
+        --arg category "$category" \
+        --arg pattern "" \
+        --arg tool "git-hook" \
+        --arg content "${detail:0:200}" \
+        '{timestamp:$timestamp,severity:$severity,category:$category,pattern:$pattern,tool:$tool,content:$content}' \
+        >> "$audit_file" 2>/dev/null
+}
+
+# --- redact match for display ---
+redact_match() {
+    local text="$1"
+    local len=${#text}
+
+    if (( len <= 8 )); then
+        printf '%*s' "$len" '' | tr ' ' '*'
+        return
+    fi
+
+    local show=4
+    local masked=$((len - show * 2))
+    local prefix="${text:0:$show}"
+    local suffix="${text:$((len - show)):$show}"
+    local stars
+    stars=$(printf '%*s' "$masked" '' | tr ' ' '*')
+    printf '%s%s%s' "$prefix" "$stars" "$suffix"
+}
+
+# --- credential detection ---
+# Returns 0 (found) or 1 (clean). Sets DETECT_RULE and DETECT_MATCH on hit.
+detect_credentials() {
+    local text="$1"
+    DETECT_RULE=""
+    DETECT_MATCH=""
+
+    if [[ "$text" =~ AKIA[0-9A-Z]{16} ]]; then
+        DETECT_RULE="AWS Access Key"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ ghp_[a-zA-Z0-9]{36} ]]; then
+        DETECT_RULE="GitHub Personal Access Token"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59} ]]; then
+        DETECT_RULE="GitHub Fine-Grained Token"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ gh[ours]_[a-zA-Z0-9]{36} ]]; then
+        DETECT_RULE="GitHub OAuth/App Token"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ sk-ant-[a-zA-Z0-9_-]{40,} ]]; then
+        DETECT_RULE="Anthropic API Key"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    elif [[ "$text" =~ sk-proj-[a-zA-Z0-9_-]{48,} ]]; then
+        DETECT_RULE="OpenAI Project API Key"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    elif [[ "$text" =~ sk-[a-zA-Z0-9_-]{48} ]]; then
+        DETECT_RULE="OpenAI API Key"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ xox[pboa]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,} ]]; then
+        DETECT_RULE="Slack Token"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ sk_(live|test)_[a-zA-Z0-9]{24,} ]]; then
+        DETECT_RULE="Stripe API Key"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43} ]]; then
+        DETECT_RULE="SendGrid API Key"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ SK[a-f0-9]{32} ]]; then
+        DETECT_RULE="Twilio API Key"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ AIza[0-9A-Za-z_-]{35} ]]; then
+        DETECT_RULE="Google API Key"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ glpat-[a-zA-Z0-9_-]{20,} ]]; then
+        DETECT_RULE="GitLab Personal Access Token"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ npm_[a-zA-Z0-9]{36} ]]; then
+        DETECT_RULE="npm Access Token"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ hvs\.[a-zA-Z0-9_-]{24,} ]]; then
+        DETECT_RULE="Vault Token"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ dapi[a-f0-9]{32} ]]; then
+        DETECT_RULE="Databricks Token"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+    if [[ "$text" =~ shp(at|ca|pa)_[a-f0-9]{32} ]]; then
+        DETECT_RULE="Shopify Token"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+    fi
+
+    return 1
+}
+
+# --- private key detection ---
+detect_private_keys() {
+    local text="$1"
+    DETECT_RULE=""
+    DETECT_MATCH=""
+
+    if [[ "$text" == *"-----BEGIN RSA PRIVATE KEY-----"* ]]; then
+        DETECT_RULE="RSA private key"; DETECT_MATCH="-----BEGIN RSA PRIVATE KEY-----"; return 0
+    fi
+    if [[ "$text" == *"-----BEGIN DSA PRIVATE KEY-----"* ]]; then
+        DETECT_RULE="DSA private key"; DETECT_MATCH="-----BEGIN DSA PRIVATE KEY-----"; return 0
+    fi
+    if [[ "$text" == *"-----BEGIN EC PRIVATE KEY-----"* ]]; then
+        DETECT_RULE="EC private key"; DETECT_MATCH="-----BEGIN EC PRIVATE KEY-----"; return 0
+    fi
+    if [[ "$text" == *"-----BEGIN OPENSSH PRIVATE KEY-----"* ]]; then
+        DETECT_RULE="OpenSSH private key"; DETECT_MATCH="-----BEGIN OPENSSH PRIVATE KEY-----"; return 0
+    fi
+    if [[ "$text" == *"-----BEGIN PGP PRIVATE KEY BLOCK-----"* ]]; then
+        DETECT_RULE="PGP private key"; DETECT_MATCH="-----BEGIN PGP PRIVATE KEY BLOCK-----"; return 0
+    fi
+
+    return 1
+}
+
+# --- PII detection ---
+detect_pii() {
+    local text="$1"
+    DETECT_RULE=""
+    DETECT_MATCH=""
+
+    # SSN
+    if [[ "$text" =~ ([0-9]{3})-([0-9]{2})-([0-9]{4}) ]]; then
+        local ssn_first="${BASH_REMATCH[1]}"
+        local ssn_middle="${BASH_REMATCH[2]}"
+        local ssn_last="${BASH_REMATCH[3]}"
+        if [[ "$ssn_first" != "000" && "$ssn_first" != "666" && "$ssn_middle" != "00" && "$ssn_last" != "0000" ]]; then
+            local ssn_num=$((10#$ssn_first))
+            if (( ssn_num < 900 )); then
+                DETECT_RULE="Potential SSN"; DETECT_MATCH="${BASH_REMATCH[0]}"; return 0
+            fi
+        fi
+    fi
+
+    # Credit card (15-16 digits with BIN validation)
+    if [[ "$text" =~ ([0-9]{4})[-[:space:]]?[0-9]{4}[-[:space:]]?[0-9]{4}[-[:space:]]?[0-9]{3,4} ]]; then
+        local cc_first4="${BASH_REMATCH[1]}"
+        local cc_first2="${cc_first4:0:2}"
+        local cc_first1="${cc_first4:0:1}"
+        if [[ "$cc_first1" == "4" ]] || \
+           [[ "$cc_first2" == "51" || "$cc_first2" == "52" || "$cc_first2" == "53" || "$cc_first2" == "54" || "$cc_first2" == "55" ]] || \
+           [[ "$cc_first2" == "34" || "$cc_first2" == "37" ]] || \
+           [[ "$cc_first2" == "60" || "$cc_first2" == "65" ]]; then
+            DETECT_RULE="Potential credit card number"; DETECT_MATCH="XXXX-XXXX-XXXX-XXXX"; return 0
+        fi
+    fi
+
+    return 1
+}
+
+# --- sensitive filename detection ---
+detect_sensitive_filename() {
+    local filename="$1"
+    DETECT_RULE=""
+
+    local basename_f
+    basename_f=$(basename "$filename")
+
+    case "$basename_f" in
+        .env|.env.local|.env.production|.env.development|\
+        id_rsa|id_dsa|id_ed25519|\
+        .npmrc|.pypirc|credentials.json|secrets.json)
+            DETECT_RULE="Sensitive file: $basename_f"
+            return 0
+            ;;
+    esac
+
+    return 1
+}
+
+# --- allowlist mutation (shared with git hooks) ---
+add_to_allowlist() {
+    local filepath="$1"
+    local config_file="${HOME}/.llm-av/config.json"
+    mkdir -p "${HOME}/.llm-av"
+    if [[ -f "$config_file" ]]; then
+        local tmp
+        tmp=$(jq --arg p "$filepath" \
+            '.allowlist.paths = ((.allowlist.paths // []) + [$p] | unique)' \
+            "$config_file") && echo "$tmp" > "$config_file"
+    else
+        jq -n --arg p "$filepath" \
+            '{"allowlist":{"paths":[$p],"patterns":[],"rules":[]}}' > "$config_file"
+    fi
+}
+
+# --- run all content detections on text ---
+# Returns 0 on first hit, 1 if clean. Sets DETECT_RULE and DETECT_MATCH.
+detect_in_content() {
+    local text="$1"
+
+    detect_credentials "$text" && return 0
+    detect_private_keys "$text" && return 0
+    detect_pii "$text" && return 0
+
+    return 1
+}

package/hooks/git-pre-commit.sh

@@ -0,0 +1,195 @@
+#!/bin/bash
+#
+# git-pre-commit.sh — ChainWall pre-commit hook
+#
+# Scans staged files for credentials, private keys, PII, and sensitive filenames.
+# Respects .llm-av/config.json allowlist/blocklist.
+#
+# Exit 0 = allow commit, exit 1 = block commit.
+# Set LLMAV_SKIP=1 to bypass (logged).
+#
+
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+# Source shared detection library
+if [[ -f "${SCRIPT_DIR}/detection-lib.sh" ]]; then
+    source "${SCRIPT_DIR}/detection-lib.sh"
+else
+    echo "WARNING: detection-lib.sh not found, skipping security scan" >&2
+    exit 0
+fi
+
+# jq required
+if ! command -v jq &> /dev/null; then
+    echo "WARNING: jq not installed, skipping pre-commit scan" >&2
+    exit 0
+fi
+
+# escape hatch
+if [[ "${LLMAV_SKIP:-}" == "1" ]]; then
+    echo -e "${YELLOW}WARNING: Pre-commit security checks bypassed via LLMAV_SKIP${RESET}" >&2
+    log_event "warn" "git_pre_commit" "LLMAV_SKIP bypass — pre-commit checks skipped"
+    exit 0
+fi
+
+# protection toggle
+if check_protection_enabled; then
+    exit 0
+fi
+
+load_config
+
+# Get staged files (Added, Copied, Modified only — not Deleted)
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null)
+
+if [[ -z "$STAGED_FILES" ]]; then
+    exit 0
+fi
+
+BLOCKED=0
+BLOCKED_FILES=()
+BLOCKED_RULES=()
+BLOCKED_MATCHES=()
+
+MAX_FILE_SIZE=10485760  # 10MB
+
+while IFS= read -r file; do
+    [[ -z "$file" ]] && continue
+
+    # Skip test directories and test files (contain intentional fake credentials)
+    # Exception: .env files in test dirs are still checked (real secrets leak risk)
+    case "$file" in
+        tests/*|test/*|__tests__/*|spec/*|specs/*|e2e/*|cypress/*|playwright/*|__mocks__/*|__fixtures__/*)
+            case "$file" in
+                *.env|*.env.*) ;; # still check .env files in test dirs
+                *) continue ;;
+            esac
+            ;;
+        *.test.ts|*.test.js|*.test.tsx|*.test.jsx|*.spec.ts|*.spec.js|*.spec.tsx|*.spec.jsx)
+            continue
+            ;;
+    esac
+
+    # Check path allowlist
+    if check_allowlist "$file" "$ALLOW_PATHS"; then
+        continue
+    fi
+
+    # Check path blocklist
+    if [[ -n "$BLOCK_PATHS" ]]; then
+        IFS_BAK="$IFS"
+        IFS='|'
+        for pattern in $BLOCK_PATHS; do
+            if [[ -n "$pattern" ]] && [[ "$file" =~ $pattern ]]; then
+                BLOCKED_FILES+=("$file")
+                BLOCKED_RULES+=("Custom blocklist path: $pattern")
+                BLOCKED_MATCHES+=("$file")
+                BLOCKED=1
+            fi
+        done
+        IFS="$IFS_BAK"
+    fi
+
+    # Check sensitive filename
+    if detect_sensitive_filename "$file"; then
+        BLOCKED_FILES+=("$file")
+        BLOCKED_RULES+=("$DETECT_RULE")
+        BLOCKED_MATCHES+=("$file")
+        BLOCKED=1
+        continue
+    fi
+
+    # Skip binary files
+    if git diff --cached --numstat -- "$file" 2>/dev/null | grep -q '^-'; then
+        continue
+    fi
+
+    # Check file size (from index)
+    FILE_SIZE=$(git cat-file -s ":$file" 2>/dev/null || echo 0)
+    if (( FILE_SIZE > MAX_FILE_SIZE )); then
+        continue
+    fi
+
+    # Get staged content
+    CONTENT=$(git show ":$file" 2>/dev/null) || continue
+
+    # Content allowlist check
+    if check_allowlist "$CONTENT" "$ALLOW_PATTERNS"; then
+        continue
+    fi
+
+    # Run content detection
+    if detect_in_content "$CONTENT"; then
+        REDACTED=$(redact_match "$DETECT_MATCH")
+        BLOCKED_FILES+=("$file")
+        BLOCKED_RULES+=("$DETECT_RULE")
+        BLOCKED_MATCHES+=("$REDACTED")
+        BLOCKED=1
+    fi
+
+done <<< "$STAGED_FILES"
+
+if (( BLOCKED > 0 )); then
+    echo "" >&2
+    echo -e "${RED_BOLD}╔══════════════════════════════════════════════╗${RESET}" >&2
+    echo -e "${RED_BOLD}║  COMMIT BLOCKED — Security findings detected ║${RESET}" >&2
+    echo -e "${RED_BOLD}╚══════════════════════════════════════════════╝${RESET}" >&2
+    echo "" >&2
+
+    IDX=0
+    while (( IDX < ${#BLOCKED_FILES[@]} )); do
+        echo -e "${RED_BOLD}  File:  ${BLOCKED_FILES[$IDX]}${RESET}" >&2
+        echo -e "${RED_BOLD}  Rule:  ${BLOCKED_RULES[$IDX]}${RESET}" >&2
+        echo -e "${RED_BOLD}  Match: ${BLOCKED_MATCHES[$IDX]}${RESET}" >&2
+        echo "" >&2
+        log_event "block" "git_pre_commit" "${BLOCKED_RULES[$IDX]}: ${BLOCKED_FILES[$IDX]}"
+        IDX=$((IDX + 1))
+    done
+
+    echo -e "${YELLOW}Remediation:${RESET}" >&2
+    echo -e "  - Move secrets to environment variables or a vault" >&2
+    echo -e "  - Use git reset HEAD <file> to unstage" >&2
+    echo -e "  - Set LLMAV_SKIP=1 to bypass (logged)" >&2
+    echo "" >&2
+
+    # Interactive prompt if TTY available
+    if [[ -t 0 ]] || [[ -t 2 ]]; then
+        echo -e "${YELLOW}[a]llow once  [p]ermanently allowlist  [b]lock (default)${RESET}" >&2
+        printf "Choice: " >&2
+        CHOICE=""
+        read -r -n 1 CHOICE < /dev/tty 2>/dev/null || true
+        echo "" >&2
+
+        case "$CHOICE" in
+            a|A)
+                log_event "warn" "git_pre_commit" "User allowed once — commit proceeding"
+                exit 0
+                ;;
+            p|P)
+                IDX=0
+                while (( IDX < ${#BLOCKED_FILES[@]} )); do
+                    add_to_allowlist "${BLOCKED_FILES[$IDX]}"
+                    echo -e "${GREEN}  Allowlisted: ${BLOCKED_FILES[$IDX]}${RESET}" >&2
+                    log_event "info" "git_pre_commit" "User permanently allowlisted: ${BLOCKED_FILES[$IDX]}"
+                    IDX=$((IDX + 1))
+                done
+                exit 0
+                ;;
+        esac
+    else
+        # Non-TTY (CI, piped) — suggest allowlist commands
+        echo -e "${YELLOW}To allowlist blocked files:${RESET}" >&2
+        IDX=0
+        while (( IDX < ${#BLOCKED_FILES[@]} )); do
+            echo -e "  chainwall allow ${BLOCKED_FILES[$IDX]}" >&2
+            IDX=$((IDX + 1))
+        done
+        echo "" >&2
+    fi
+
+    exit 1
+fi
+
+exit 0

package/hooks/git-pre-push.sh

@@ -0,0 +1,125 @@
+#!/bin/bash
+#
+# git-pre-push.sh — ChainWall pre-push hook
+#
+# Blocks force-push to protected branches (main/master).
+# Optional deep scan with LLMAV_SCAN_PUSH=1.
+#
+# Exit 0 = allow push, exit 1 = block push.
+# Set LLMAV_SKIP=1 to bypass (logged).
+#
+
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+# Source shared detection library
+if [[ -f "${SCRIPT_DIR}/detection-lib.sh" ]]; then
+    source "${SCRIPT_DIR}/detection-lib.sh"
+else
+    echo "WARNING: detection-lib.sh not found, skipping push checks" >&2
+    exit 0
+fi
+
+# jq required
+if ! command -v jq &> /dev/null; then
+    echo "WARNING: jq not installed, skipping pre-push checks" >&2
+    exit 0
+fi
+
+# escape hatch
+if [[ "${LLMAV_SKIP:-}" == "1" ]]; then
+    echo -e "${YELLOW}WARNING: Pre-push security checks bypassed via LLMAV_SKIP${RESET}" >&2
+    log_event "warn" "git_pre_push" "LLMAV_SKIP bypass — pre-push checks skipped"
+    exit 0
+fi
+
+# protection toggle
+if check_protection_enabled; then
+    exit 0
+fi
+
+load_config
+
+PROTECTED_BRANCHES="main|master"
+REMOTE="$1"
+URL="$2"
+
+# Read push info from stdin (format: local_ref local_sha remote_ref remote_sha)
+BLOCKED=0
+while read -r LOCAL_REF LOCAL_SHA REMOTE_REF REMOTE_SHA; do
+    [[ -z "$REMOTE_REF" ]] && continue
+
+    # Extract branch name from ref
+    BRANCH="${REMOTE_REF#refs/heads/}"
+
+    # Check if pushing to protected branch
+    if [[ "$BRANCH" =~ ^($PROTECTED_BRANCHES)$ ]]; then
+        # Detect force-push: check if remote_sha is ancestor of local_sha
+        if [[ "$REMOTE_SHA" != "0000000000000000000000000000000000000000" ]]; then
+            if ! git merge-base --is-ancestor "$REMOTE_SHA" "$LOCAL_SHA" 2>/dev/null; then
+                echo "" >&2
+                echo -e "${RED_BOLD}╔══════════════════════════════════════════════╗${RESET}" >&2
+                echo -e "${RED_BOLD}║  PUSH BLOCKED — Force-push to $BRANCH        ║${RESET}" >&2
+                echo -e "${RED_BOLD}╚══════════════════════════════════════════════╝${RESET}" >&2
+                echo "" >&2
+                echo -e "${YELLOW}Force-pushing to ${BRANCH} is blocked.${RESET}" >&2
+                echo -e "${YELLOW}Use a feature branch or set LLMAV_SKIP=1 to bypass (logged).${RESET}" >&2
+                echo "" >&2
+                log_event "block" "git_pre_push" "Force-push to protected branch: ${BRANCH}"
+
+                # Interactive prompt if TTY available
+                if [[ -t 0 ]] || [[ -t 2 ]]; then
+                    echo -e "${YELLOW}[a]llow once  [b]lock (default)${RESET}" >&2
+                    printf "Choice: " >&2
+                    CHOICE=""
+                    read -r -n 1 CHOICE < /dev/tty 2>/dev/null || true
+                    echo "" >&2
+
+                    case "$CHOICE" in
+                        a|A)
+                            log_event "warn" "git_pre_push" "User allowed force-push once to ${BRANCH}"
+                            continue
+                            ;;
+                    esac
+                fi
+
+                BLOCKED=1
+            fi
+        fi
+    fi
+
+    # Optional deep scan of commits being pushed
+    if [[ "${LLMAV_SCAN_PUSH:-}" == "1" ]]; then
+        if [[ "$REMOTE_SHA" == "0000000000000000000000000000000000000000" ]]; then
+            # New branch — scan all commits
+            COMMITS=$(git rev-list "$LOCAL_SHA" --not --remotes 2>/dev/null)
+        else
+            COMMITS=$(git rev-list "${REMOTE_SHA}..${LOCAL_SHA}" 2>/dev/null)
+        fi
+
+        while IFS= read -r commit; do
+            [[ -z "$commit" ]] && continue
+            FILES=$(git diff-tree --no-commit-id --name-only -r "$commit" 2>/dev/null)
+            while IFS= read -r file; do
+                [[ -z "$file" ]] && continue
+                CONTENT=$(git show "${commit}:${file}" 2>/dev/null) || continue
+                if detect_in_content "$CONTENT"; then
+                    REDACTED=$(redact_match "$DETECT_MATCH")
+                    echo -e "${RED_BOLD}  Finding in ${commit:0:8}:${file}${RESET}" >&2
+                    echo -e "${RED_BOLD}  Rule:  ${DETECT_RULE}${RESET}" >&2
+                    echo -e "${RED_BOLD}  Match: ${REDACTED}${RESET}" >&2
+                    echo "" >&2
+                    log_event "block" "git_pre_push" "${DETECT_RULE}: ${commit:0:8}:${file}"
+                    BLOCKED=1
+                fi
+            done <<< "$FILES"
+        done <<< "$COMMITS"
+    fi
+done
+
+if (( BLOCKED > 0 )); then
+    exit 1
+fi
+
+exit 0