aperion-shield 1.0.1

Aperion Shield -- a local MCP guardrail for AI coding agents with optional biometric identity gates (ID.me). Standalone, free, open source.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344

//! `aperion-shield --check-pushed-refs` — reads git's standard pre-push
//! stdin and refuses destructive ref updates against protected branches.
//!
//! ## Why a separate mode (vs running the engine on the whole commit range)
//!
//! Linting the lines that *moved* between `<remote_sha>..<local_sha>`
//! would just be a rerun of `--check-staged` on each commit -- valuable,
//! but a 100-commit branch turns the pre-push hook into a 10-second
//! wait. What we actually want at push time is the structural check
//! the file-content scanner can't see: **is this a force-push, and is
//! it landing on a branch that should be append-only?**
//!
//! That's what this module does.
//!
//! ## What it refuses
//!
//! For each ref line on stdin (format documented by `man githooks`):
//!
//!   `<local_ref> <local_sha> <remote_ref> <remote_sha>`
//!
//! we refuse the push (exit 1) if:
//!
//!   * `local_sha == 0000000000000000000000000000000000000000` AND
//!     `<remote_ref>` matches a protected pattern. (= **branch
//!     deletion** of a protected branch.)
//!
//!   * `<remote_ref>` matches a protected pattern AND `<remote_sha>` is
//!     not an ancestor of `<local_sha>`. (= **force-push** that
//!     rewrites history on a protected branch.)
//!
//! All other pushes pass through unchanged.
//!
//! ## Protected-branch pattern
//!
//! Default list:
//!
//!   * `main`, `master`, `prod`, `production`, `release`
//!   * `release/*`, `prod/*`, `hotfix/*`
//!
//! Overridable via `SHIELD_PROTECTED_BRANCHES` (comma-separated). Matches
//! are computed against the ref's short name (`main`, not
//! `refs/heads/main`).
//!
//! ## Exit codes
//!
//! Same convention as `--check-staged` (see `check_staged.rs`):
//!
//! | Code | Meaning                                                |
//! |------|--------------------------------------------------------|
//! | 0    | All refs OK.                                           |
//! | 1    | At least one destructive ref update was refused.       |
//! | 3    | Operational error (couldn't shell out to git, etc.).   |

use anyhow::{anyhow, Context, Result};
use std::io::BufRead;
use std::path::Path;
use std::process::Command;

const NULL_SHA: &str = "0000000000000000000000000000000000000000";

const DEFAULT_PROTECTED_BRANCHES: &[&str] = &[
    "main",
    "master",
    "prod",
    "production",
    "release",
    "release/*",
    "prod/*",
    "hotfix/*",
];

/// One stdin ref update line, parsed.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct RefUpdate {
    pub local_ref: String,
    pub local_sha: String,
    pub remote_ref: String,
    pub remote_sha: String,
}

#[derive(Debug, Clone)]
pub enum PushVerdict {
    Ok,
    Deletion {
        protected_branch: String,
    },
    ForcePush {
        protected_branch: String,
        remote_sha: String,
        local_sha: String,
    },
}

#[derive(Debug, Default)]
pub struct CheckPushedReport {
    pub refs_inspected: usize,
    pub violations: Vec<(RefUpdate, PushVerdict)>,
}

impl CheckPushedReport {
    pub fn exit_code(&self) -> u8 {
        if self.violations.is_empty() {
            0
        } else {
            1
        }
    }
}

/// Parse a single line of git's pre-push stdin protocol. Returns `None`
/// for empty lines so callers can skip them silently.
pub fn parse_line(line: &str) -> Option<RefUpdate> {
    let mut iter = line.split_whitespace();
    let local_ref = iter.next()?.to_string();
    let local_sha = iter.next()?.to_string();
    let remote_ref = iter.next()?.to_string();
    let remote_sha = iter.next()?.to_string();
    Some(RefUpdate {
        local_ref,
        local_sha,
        remote_ref,
        remote_sha,
    })
}

/// Resolve which patterns to consider protected. Honours the env var.
pub fn protected_patterns() -> Vec<String> {
    if let Ok(raw) = std::env::var("SHIELD_PROTECTED_BRANCHES") {
        raw.split(',')
            .map(|s| s.trim().to_string())
            .filter(|s| !s.is_empty())
            .collect()
    } else {
        DEFAULT_PROTECTED_BRANCHES
            .iter()
            .map(|s| (*s).to_string())
            .collect()
    }
}

/// Match a short branch name like `release/2026-05` against a pattern
/// like `release/*` (only `*` glob, only at the end of a component).
pub fn pattern_matches(pattern: &str, short_name: &str) -> bool {
    if let Some(prefix) = pattern.strip_suffix("/*") {
        return short_name.starts_with(&format!("{}/", prefix));
    }
    pattern == short_name
}

/// Reduce a full ref (`refs/heads/main`) to its short name (`main`).
fn short_name(full_ref: &str) -> &str {
    full_ref.strip_prefix("refs/heads/").unwrap_or(full_ref)
}

/// Test whether `short_name(remote_ref)` is in the protected set.
pub fn is_protected(remote_ref: &str, patterns: &[String]) -> Option<String> {
    let s = short_name(remote_ref);
    for p in patterns {
        if pattern_matches(p, s) {
            return Some(s.to_string());
        }
    }
    None
}

/// Ask git whether `ancestor_sha` is an ancestor of `descendant_sha`.
/// Returns `Ok(true)` for a normal fast-forward push, `Ok(false)` for
/// any history rewrite (= force-push).
fn is_ancestor(
    repo_root: &Path,
    ancestor_sha: &str,
    descendant_sha: &str,
) -> Result<bool> {
    if ancestor_sha == NULL_SHA {
        // Branch is being created -- there's nothing to rewrite, so
        // it's NOT a force-push.
        return Ok(true);
    }
    let status = Command::new("git")
        .args([
            "merge-base",
            "--is-ancestor",
            ancestor_sha,
            descendant_sha,
        ])
        .current_dir(repo_root)
        .status()
        .with_context(|| {
            "git merge-base --is-ancestor failed (is git installed?)"
        })?;
    // Exit 0 = is ancestor, exit 1 = not ancestor. Anything else =
    // error (e.g. unknown sha) and we treat as suspicious (not
    // ancestor) — fail closed.
    match status.code() {
        Some(0) => Ok(true),
        Some(1) => Ok(false),
        Some(code) => Err(anyhow!(
            "git merge-base exited unexpectedly with code {} for {}..{}",
            code,
            ancestor_sha,
            descendant_sha
        )),
        None => Err(anyhow!(
            "git merge-base was killed by signal during {}..{}",
            ancestor_sha,
            descendant_sha
        )),
    }
}

/// Verdict for a single ref update.
pub fn verdict(repo_root: &Path, upd: &RefUpdate, patterns: &[String]) -> Result<PushVerdict> {
    let protected = match is_protected(&upd.remote_ref, patterns) {
        Some(name) => name,
        None => return Ok(PushVerdict::Ok),
    };

    // Deletion?
    if upd.local_sha == NULL_SHA {
        return Ok(PushVerdict::Deletion {
            protected_branch: protected,
        });
    }

    // Branch is being CREATED on the remote (remote_sha is NULL) →
    // not a force-push, allow.
    if upd.remote_sha == NULL_SHA {
        return Ok(PushVerdict::Ok);
    }

    // Force-push detection: remote_sha must be an ancestor of local_sha.
    if !is_ancestor(repo_root, &upd.remote_sha, &upd.local_sha)? {
        return Ok(PushVerdict::ForcePush {
            protected_branch: protected,
            remote_sha: upd.remote_sha.clone(),
            local_sha: upd.local_sha.clone(),
        });
    }

    Ok(PushVerdict::Ok)
}

/// Top-level entrypoint. Reads stdin line by line, returns a report.
pub fn run(repo_root: &Path, stdin: impl BufRead) -> Result<CheckPushedReport> {
    let patterns = protected_patterns();
    let mut report = CheckPushedReport::default();

    for line in stdin.lines() {
        let line = line?;
        if line.trim().is_empty() {
            continue;
        }
        let upd = match parse_line(&line) {
            Some(u) => u,
            None => continue,
        };
        report.refs_inspected += 1;
        let v = verdict(repo_root, &upd, &patterns)?;
        if !matches!(v, PushVerdict::Ok) {
            report.violations.push((upd, v));
        }
    }
    Ok(report)
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::sync::Mutex;

    // cargo runs lib tests in parallel within a single binary. The two
    // tests that mutate `SHIELD_PROTECTED_BRANCHES` would otherwise
    // race each other (one sets, the other reads default, fails). We
    // serialise only those two via a module-local lock -- no new
    // dependency, no impact on the other tests in this module.
    static ENV_LOCK: Mutex<()> = Mutex::new(());

    #[test]
    fn parses_well_formed_stdin_line() {
        let l = "refs/heads/feat/foo 1111 refs/heads/main 2222";
        let u = parse_line(l).unwrap();
        assert_eq!(u.local_ref, "refs/heads/feat/foo");
        assert_eq!(u.local_sha, "1111");
        assert_eq!(u.remote_ref, "refs/heads/main");
        assert_eq!(u.remote_sha, "2222");
    }

    #[test]
    fn parse_line_handles_short_input() {
        assert!(parse_line("").is_none());
        assert!(parse_line("only one field").is_none());
    }

    #[test]
    fn pattern_matches_exact_and_globbed() {
        assert!(pattern_matches("main", "main"));
        assert!(!pattern_matches("main", "develop"));
        assert!(pattern_matches("release/*", "release/2026-05"));
        assert!(pattern_matches("release/*", "release/foo/bar")); // first component matches
        assert!(!pattern_matches("release/*", "release"));
        assert!(!pattern_matches("release/*", "feature/release/x"));
    }

    // NB: tests that touch `SHIELD_PROTECTED_BRANCHES` are written
    // defensively — each one explicitly removes the var at the top
    // and reads via the documented default-resolution path. We do NOT
    // rely on `serial_test` or a mutex because cargo runs lib tests
    // in parallel by default and one stray leak would flake any test
    // that calls `protected_patterns()` (= every protected-branch test).

    #[test]
    fn is_protected_recognises_default_set() {
        let _guard = ENV_LOCK.lock().unwrap();
        std::env::remove_var("SHIELD_PROTECTED_BRANCHES");
        let pats = protected_patterns();
        assert_eq!(is_protected("refs/heads/main", &pats).as_deref(), Some("main"));
        assert_eq!(is_protected("refs/heads/master", &pats).as_deref(), Some("master"));
        assert_eq!(
            is_protected("refs/heads/release/2026-05", &pats).as_deref(),
            Some("release/2026-05")
        );
        assert_eq!(is_protected("refs/heads/develop", &pats), None);
    }

    #[test]
    fn env_override_protected_branches() {
        let _guard = ENV_LOCK.lock().unwrap();
        std::env::set_var("SHIELD_PROTECTED_BRANCHES", "trunk, deploy/*");
        let pats = protected_patterns();
        assert!(is_protected("refs/heads/trunk", &pats).is_some());
        assert!(is_protected("refs/heads/deploy/prod", &pats).is_some());
        assert!(is_protected("refs/heads/main", &pats).is_none());
        std::env::remove_var("SHIELD_PROTECTED_BRANCHES");
    }

    #[test]
    fn empty_stdin_yields_clean_report() {
        let tmp = tempfile::tempdir().unwrap();
        let report = run(tmp.path(), std::io::Cursor::new(b"")).expect("run");
        assert_eq!(report.refs_inspected, 0);
        assert!(report.violations.is_empty());
        assert_eq!(report.exit_code(), 0);
    }
}