git-hardening/AGENTS.md
Flo 2a5302388e feat(git-harden): implement git-harden.sh script
Interactive shell script that audits and hardens global git config.
Implements the design spec with: object integrity checks, protocol
restrictions, filesystem protection, hook redirection, SSH signing
wizard with FIDO2 support, SSH config hardening, and credential
helper detection. Supports --audit, -y, and interactive modes.

Implements: #5

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-30 13:38:34 +02:00

## Shell Script Development Standards (v2.0)
If you're going to write shell scripts, at least try to make them look like a professional wrote them. The following standards are non-negotiable for `git-harden`.
### 1. The Header: No More `sh` From the 80s
Use `bash` via `env` for portability. We need modern features like arrays and local scoping.
```bash
#!/usr/bin/env bash
set -o errexit # -e: Abort on nonzero exit status
set -o nounset # -u: Abort on unbound variable
set -o pipefail # Don't hide errors within pipes
IFS=$'\n\t' # Stop splitting on spaces like a maniac
```
### 2. Scoping & Immutability (Functional-ish)
- **Global Constants:** Always `readonly`. Use `UPPER_CASE`.
- **Functions:** Every variable MUST be `local`. No global state soup.
- **Returns:** Use `return` for status codes, `echo` to "return" data via command substitution.
- **Early Returns:** Guard clauses are your friend. Flatten the control flow. If I see more than 3 levels of indentation, I'm quitting.
### 3. Syntax & Safety
- **Conditionals:** Always use `[[ ... ]]`, not `[ ... ]`. It's safer and less likely to blow up on empty strings.
- **Arithmetic:** Use `(( ... ))` for numeric comparisons and math.
- **Subshells:** Use `$(...)`, never backticks. It's not 1985.
- **Quoting:** Quote EVERYTHING. `"${var}"`, not `$var`. No exceptions.
- **Tool Checks:** Use `command -v tool_name` to check for dependencies. `which` is for people who don't care about portability.
### 4. Logging & Error Handling
- **Die Early:** Use a `die()` function for fatal errors.
- **Stderr:** All logging (info, warn, error) goes to `stderr` (`>&2`). `stdout` is reserved for data/results.
- **XDG Compliance:** Respect `${XDG_CONFIG_HOME:-$HOME/.config}`. Don't just dump files in `$HOME`.
- **Temp Files:** Use `mktemp -t` or `mktemp -d`. Clean them up using a `trap`.
### 5. Portability (The macOS/Linux Divide)
- Avoid `sed -i` (it's different on macOS and Linux). Use a temporary file and `mv`.
- Use `printf` instead of `echo -e` or `echo -n`.
- Test on both `bash` 3.2 (macOS default) and 5.x (modern Linux).
### 6. Verification
- All scripts MUST pass `shellcheck`. If it's yellow or red, it's garbage. Fix it.
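The standards in sections 1 to 5 applied together, as an added example that is not `git-harden`'s own code: a hypothetical `get_value`/`set_value` pair that audits and rewrites a flat `key=value` file (a constructed format, not git's config syntax) using guard clauses, `local` everywhere, `command -v`, stderr-only diagnostics, `mktemp` with a cleanup `trap`, and temp-file-plus-`mv` instead of `sed -i`.

```bash
#!/usr/bin/env bash
# Added example (not git-harden's own code): the standards above applied to a
# hypothetical helper set that reads and rewrites a flat key=value file.
set -o errexit
set -o nounset
set -o pipefail
IFS=$'\n\t'
readonly SCRIPT_NAME="git-harden-demo"
# Fatal errors go to stderr and exit; stdout stays reserved for data.
die() { printf '%s: FATAL: %s\n' "${SCRIPT_NAME}" "$*" >&2; exit 1; }
# Dependency check via command -v, not which.
require_tool() {
  local tool="${1}"
  command -v "${tool}" >/dev/null 2>&1 || die "required tool not found: ${tool}"
}
require_tool mktemp
TMP_DIR="$(mktemp -d -t "${SCRIPT_NAME}.XXXXXX")"  # not inline with readonly, so a
readonly TMP_DIR                                     # failing mktemp still aborts (errexit)
trap 'rm -rf "${TMP_DIR}"' EXIT                      # temp files are always cleaned up

# Echo the value of key in a key=value file, or nothing if file or key is absent.
get_value() {
  local file="${1}" key="${2}" line=""
  [[ -r "${file}" ]] || return 0                     # guard clause, no nesting
  while IFS= read -r line || [[ -n "${line}" ]]; do  # tolerates a missing final newline
    [[ "${line}" == "${key}="* ]] || continue
    printf '%s\n' "${line#"${key}="}"
    return 0
  done < "${file}"
  return 0
}

# Set key=value by writing a temp copy and mv'ing it into place (portable, no sed -i).
# Echoes "unchanged", "updated" or "added"; returns 1 if the file is not writable.
set_value() {
  local file="${1}" key="${2}" value="${3}" line="" tmp="" status="added"
  [[ -w "${file}" ]] || return 1
  [[ "$(get_value "${file}" "${key}")" != "${value}" ]] || { printf 'unchanged\n'; return 0; }
  tmp="$(mktemp "${TMP_DIR}/config.XXXXXX")"
  while IFS= read -r line || [[ -n "${line}" ]]; do
    if [[ "${line}" == "${key}="* ]]; then
      line="${key}=${value}"; status="updated"
    fi
    printf '%s\n' "${line}" >> "${tmp}"
  done < "${file}"
  [[ "${status}" == "added" ]] && printf '%s=%s\n' "${key}" "${value}" >> "${tmp}"
  mv "${tmp}" "${file}"
  printf '%s\n' "${status}"
}
```

Both functions echo their result on stdout and signal failure only through the return code, so callers can use `result="$(set_value ...)"` under `errexit` without losing the status.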