florian/git-hardening
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e11105b5c2c32baa7a1c89c0bff8ea51d16763d
git-hardening/AGENTS.md
Flo 2a5302388e feat(git-harden): implement git-harden.sh script 
Interactive shell script that audits and hardens global git config.
Implements the design spec with: object integrity checks, protocol
restrictions, filesystem protection, hook redirection, SSH signing
wizard with FIDO2 support, SSH config hardening, and credential
helper detection. Supports --audit, -y, and interactive modes.

Implements: #5

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-30 13:38:34 +02:00

2.2 KiB
Raw Blame History

Shell Script Development Standards (v2.0)

If you're going to write shell scripts, at least try to make them look like a professional wrote them. The following standards are non-negotiable for git-harden.

1. The Header: No More sh From the 80s

Use bash via env for portability. We need modern features like arrays and local scoping.

#!/usr/bin/env bash
set -o errexit   # -e: Abort on nonzero exitstatus
set -o nounset   # -u: Abort on unbound variable
set -o pipefail  # Don't hide errors within pipes
IFS=$'\n\t'      # Stop splitting on spaces like a maniac

2. Scoping & Immutability (Functional-ish)

  • Global Constants: Always readonly. Use UPPER_CASE.
  • Functions: Every variable MUST be local. No global state soup.
  • Returns: Use return for status codes, echo to "return" data via command substitution.
  • Early Returns: Guard clauses are your friend. Flatten the control flow. If I see more than 3 levels of indentation, I'm quitting.

3. Syntax & Safety

  • Conditionals: Always use [[ ... ]], not [ ... ]. It's safer and less likely to blow up on empty strings.
  • Arithmetic: Use (( ... )) for numeric comparisons and math.
  • Subshells: Use $(...), never backticks. It's not 1985.
  • Quoting: Quote EVERYTHING. "${var}", not $var. No exceptions.
  • Tool Checks: Use command -v tool_name to check for dependencies. which is for people who don't care about portability.

4. Logging & Error Handling

  • Die Early: Use a die() function for fatal errors.
  • Stderr: All logging (info, warn, error) goes to stderr (>&2). stdout is reserved for data/results.
  • XDG Compliance: Respect ${XDG_CONFIG_HOME:-$HOME/.config}. Don't just dump files in $HOME.
  • Temp Files: Use mktemp -t or mktemp -d. Clean them up using a trap.

5. Portability (The macOS/Linux Divide)

  • Avoid sed -i (it's different on macOS and Linux). Use a temporary file and mv.
  • Use printf instead of echo -e or echo -n.
  • Test on both bash 3.2 (macOS default) and 5.x (modern Linux).

6. Verification

  • All scripts MUST pass shellcheck. If it's yellow or red, it's garbage. Fix it.
Reference in New Issue View Git Blame Copy Permalink