#!/usr/bin/env bash # Verify .gitignore is excluding sensitive files and tracking key config files. # Run from ~/.hermes/ after git init and .gitignore creation. set -euo pipefail cd ~/.hermes errors=0 echo "=== Verifying .gitignore exclusions ===" # Files that MUST be excluded for pattern in \ ".env" \ "auth.json" \ "honcho.json" \ "memories/MEMORY.md" \ "memories/USER.md" \ "state.db" \ "kanban.db" \ "response_store.db" \ "logs/" \ "cache/" \ "sessions/" \ "hermes-agent/" \ "node_modules/" \ "__pycache__/" \ "*.pyc" do if git check-ignore -q "$pattern" 2>/dev/null; then echo " PASS: '$pattern' is excluded" else echo " FAIL: '$pattern' is NOT excluded" ((errors++)) || true fi done echo "" echo "=== Files that SHOULD be tracked ===" for file in \ "config.yaml" \ ".gitignore" \ "SOUL.md" \ "cron/jobs.json" \ "profiles/advisor/config.yaml" do if git ls-files --error-unmatch "$file" >/dev/null 2>&1; then echo " PASS: '$file' is tracked" else echo " FAIL: '$file' is NOT tracked" ((errors++)) || true fi done echo "" if [ "$errors" -eq 0 ]; then echo "ALL CHECKS PASSED" else echo "$errors FAILURE(S)" fi exit $errors