Skip to content

Refactors post-commit hook generation to eliminate code duplication, improve security, and ensure truly silent operation.#13

Merged
wesm merged 2 commits intomainfrom
hooks-work
Jan 9, 2026
Merged

Refactors post-commit hook generation to eliminate code duplication, improve security, and ensure truly silent operation.#13
wesm merged 2 commits intomainfrom
hooks-work

Conversation

@wesm
Copy link
Collaborator

@wesm wesm commented Jan 9, 2026

Follow on work from code review

Changes

  • Factor out generateHookContent() helper - Hook script generation was duplicated in init and install-hook commands, risking drift. Now uses a single shared function.
  • Security: prefer baked path over PATH lookup - Hook now uses the absolute path baked at install time first, only falling back to command -v roborev if the baked binary is missing. Prevents PATH injection attacks from repo-local or malicious binaries.
  • Add stderr redirect for silence - Hook now redirects stderr (2>/dev/null) so errors from roborev enqueue --quiet don't leak to the terminal.
  • Add comprehensive tests - TestGenerateHookContent verifies:
    • Shebang and RoboRev comment present
    • Baked path assignment comes before PATH fallback (security)
    • Enqueue line has --quiet, 2>/dev/null, and & on same line
    • Baked path is properly quoted

Hook before/after

Before:

#!/bin/sh
# RoboRev post-commit hook - auto-reviews every commit
roborev enqueue --quiet &

After:

#!/bin/sh
# RoboRev post-commit hook - auto-reviews every commit
ROBOREV="/path/to/roborev"
if [ ! -x "$ROBOREV" ]; then
		ROBOREV=$(command -v roborev 2>/dev/null) || exit 0
		[ ! -x "$ROBOREV" ] && exit 0
fi
"$ROBOREV" enqueue --quiet 2>/dev/null &

Test plan

  • go test ./... passes
  • Run roborev install-hook --force and verify hook content
  • Make a commit and verify no output appears
  • Test with baked path removed (should fall back to PATH)

wesm and others added 2 commits January 8, 2026 19:23
@wesm @claude
Refactor hook generation: prefer PATH, add stderr redirect, add tests
4adfeae 
- Factor hook generation into generateHookContent() helper (fixes drift)
- Prefer PATH lookup first (command -v roborev), fall back to baked path
  (enables upgrades without hook reinstall)
- Add 2>/dev/null to silence any stderr from roborev enqueue
- Add TestGenerateHookContent to verify hook structure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@wesm @claude
Security: prefer baked path over PATH lookup, improve tests
7d3f451 
- Hook now uses baked absolute path first, only falls back to PATH if
  baked path is missing (prevents PATH injection attacks)
- Tests now verify: baked path comes before PATH lookup, enqueue line
  has all required parts on same line, baked path is quoted

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@wesm
Copy link
Collaborator Author

wesm commented Jan 9, 2026

@sinzin91 I'm going to cut a release after merging this, let me know if this breaks your workflow and we can work with the minions to fix

@wesm wesm merged commit ae6ddac into main Jan 9, 2026
2 checks passed
@wesm wesm deleted the hooks-work branch January 9, 2026 01:28
andyxhadji pushed a commit to andyxhadji/roborev that referenced this pull request Jan 9, 2026
@wesm @claude @andyxhadji
Refactors post-commit hook generation to eliminate code duplication, …
b4943d8 
…improve security, and ensure truly silent operation. (roborev-dev#13)

Follow on work from code review

## Changes
- **Factor out `generateHookContent()` helper** - Hook script generation
was duplicated in `init` and `install-hook` commands, risking drift. Now
uses a single shared function.
- **Security: prefer baked path over PATH lookup** - Hook now uses the
absolute path baked at install time first, only falling back to `command
-v roborev` if the baked binary is missing. Prevents PATH injection
attacks from repo-local or malicious binaries.
- **Add stderr redirect for silence** - Hook now redirects stderr
(`2>/dev/null`) so errors from `roborev enqueue --quiet` don't leak to
the terminal.
- **Add comprehensive tests** - `TestGenerateHookContent` verifies:
	- Shebang and RoboRev comment present
	- Baked path assignment comes before PATH fallback (security)
	- Enqueue line has `--quiet`, `2>/dev/null`, and `&` on same line
	- Baked path is properly quoted
## Hook before/after
**Before:**

```sh
#!/bin/sh
# RoboRev post-commit hook - auto-reviews every commit
roborev enqueue --quiet &
```

After:

```
#!/bin/sh
# RoboRev post-commit hook - auto-reviews every commit
ROBOREV="/path/to/roborev"
if [ ! -x "$ROBOREV" ]; then
		ROBOREV=$(command -v roborev 2>/dev/null) || exit 0
		[ ! -x "$ROBOREV" ] && exit 0
fi
"$ROBOREV" enqueue --quiet 2>/dev/null &
```

Test plan
- go test ./... passes
- Run roborev install-hook --force and verify hook content
- Make a commit and verify no output appears
- Test with baked path removed (should fall back to PATH)

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wesm