blob: 4e75f400432ef161bed62ea9c9a901165894281f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
#!/usr/bin/env bash
# Validate shell files after Edit/Write/MultiEdit.
# PostToolUse hook: receives tool-call JSON on stdin.
#
# On success: exit 0 silent.
# On failure: emit JSON with hookSpecificOutput.additionalContext so Claude
# sees a structured error in its context, THEN exit 2 to block the tool
# pipeline. stderr still echoes the error for terminal visibility.
#
# Gate: shellcheck. It catches the bugs that define shell — unquoted
# expansions, unset variables, masked exit codes — and is the high-value,
# universally-agreed check. Formatting (shfmt) is deliberately NOT enforced
# here: shell has no single canonical style (tabs vs spaces), so blocking on
# it would impose a contested choice. bash.md recommends shfmt; this hook
# enforces correctness.
#
# Scope: .sh and .bash files, plus extensionless files whose first line is a
# sh/bash shebang (the CLI tools that fill a shell-heavy repo carry no
# extension).
set -u
# Emit a JSON failure payload and exit 2. Arguments:
# $1 — short failure type (e.g. "SHELLCHECK FAILED")
# $2 — file path
# $3 — tool output (error body)
fail_json() {
local ctx
ctx="$(printf '%s: %s\n\n%s\n\nFix before proceeding.' "$1" "$2" "$3" \
| jq -Rs .)"
cat <<EOF
{"hookSpecificOutput": {"hookEventName": "PostToolUse", "additionalContext": $ctx}}
EOF
printf '%s: %s\n%s\n' "$1" "$2" "$3" >&2
exit 2
}
f="$(jq -r '.tool_input.file_path // .tool_response.filePath // empty')"
[ -z "$f" ] && exit 0
[ -f "$f" ] || exit 0
# Is this a shell file? By extension, or by shebang when it has no extension.
# Match on the basename, not the full path — a temp/parent dir can carry a dot
# (e.g. validate-bash-bats.XXXX/) and misfire the "*.*" extension test.
is_shell=0
base="${f##*/}"
case "$base" in
*.sh | *.bash) is_shell=1 ;;
*.*) is_shell=0 ;; # some other extension — not ours
*)
# No extension: sniff the shebang.
if head -1 "$f" 2>/dev/null | grep -qE '^#!.*\b(bash|sh)\b'; then
is_shell=1
fi
;;
esac
[ "$is_shell" -eq 1 ] || exit 0
# No shellcheck on this machine — nothing to validate, don't block the edit.
command -v shellcheck >/dev/null 2>&1 || exit 0
if ! out="$(shellcheck "$f" 2>&1)"; then
fail_json "SHELLCHECK FAILED" "$f" "$out"
fi
exit 0
|
