1#!/bin/sh
2# planning-with-files: lock the current task_plan.md content with a SHA-256 attestation.
3#
4# Use after you finalise (or intentionally edit) a plan. The hooks then refuse
5# to inject plan content into the model context if the file diverges from the
6# attested hash, surfacing a "[PLAN TAMPERED]" warning instead.
7#
8# Resolution:
9#   1. $PLAN_ID env var → ./.planning/$PLAN_ID/
10#   2. ./.planning/.active_plan
11#   3. Newest ./.planning/<dir>/ by mtime
12#   4. Legacy ./task_plan.md at project root
13#
14# Usage:
15#   sh scripts/attest-plan.sh         # attest the active plan
16#   sh scripts/attest-plan.sh --show  # print the stored hash
17#   sh scripts/attest-plan.sh --clear # remove the attestation (re-open the plan)
18 
19set -u
20 
21SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
22RESOLVER="${SCRIPT_DIR}/resolve-plan-dir.sh"
23 
24resolve_plan_file() {
25    plan_dir=""
26    if [ -f "${RESOLVER}" ]; then
27        plan_dir="$(sh "${RESOLVER}" 2>/dev/null)"
28    fi
29    if [ -n "${plan_dir}" ] && [ -f "${plan_dir}/task_plan.md" ]; then
30        printf "%s\n" "${plan_dir}/task_plan.md"
31        return 0
32    fi
33    if [ -f "./task_plan.md" ]; then
34        printf "%s\n" "./task_plan.md"
35        return 0
36    fi
37    return 1
38}
39 
40attestation_path_for() {
41    plan_file="$1"
42    plan_dir="$(dirname "${plan_file}")"
43    if [ "${plan_dir}" = "." ]; then
44        # Legacy mode: store at project root.
45        printf "%s\n" "./.plan-attestation"
46    else
47        printf "%s\n" "${plan_dir}/.attestation"
48    fi
49}
50 
51compute_hash() {
52    target="$1"
53    if command -v sha256sum >/dev/null 2>&1; then
54        sha256sum "${target}" | awk '{print $1}'
55    elif command -v shasum >/dev/null 2>&1; then
56        shasum -a 256 "${target}" | awk '{print $1}'
57    else
58        printf "ERROR: no sha256 utility available\n" >&2
59        return 1
60    fi
61}
62 
63mode="attest"
64case "${1:-}" in
65    --show)  mode="show"  ;;
66    --clear) mode="clear" ;;
67    "")      mode="attest" ;;
68    *)
69        printf "Usage: %s [--show|--clear]\n" "$0" >&2
70        exit 2
71        ;;
72esac
73 
74plan_file="$(resolve_plan_file)" || {
75    printf "[plan-attest] No task_plan.md found. Create a plan first.\n" >&2
76    exit 1
77}
78 
79attestation_file="$(attestation_path_for "${plan_file}")"
80 
81case "${mode}" in
82    show)
83        if [ -f "${attestation_file}" ]; then
84            printf "Plan: %s\n" "${plan_file}"
85            printf "Attestation: %s\n" "${attestation_file}"
86            printf "SHA-256: %s\n" "$(cat "${attestation_file}")"
87        else
88            printf "[plan-attest] No attestation set for %s.\n" "${plan_file}"
89            exit 1
90        fi
91        ;;
92    clear)
93        if [ -f "${attestation_file}" ]; then
94            rm -f "${attestation_file}"
95            printf "[plan-attest] Cleared attestation for %s.\n" "${plan_file}"
96        else
97            printf "[plan-attest] No attestation to clear.\n"
98        fi
99        ;;
100    attest)
101        hash_val="$(compute_hash "${plan_file}")" || exit 1
102        printf "%s\n" "${hash_val}" > "${attestation_file}"
103        short_hash="$(printf "%s" "${hash_val}" | cut -c1-12)"
104        printf "[plan-attest] Locked %s\n" "${plan_file}"
105        printf "[plan-attest] SHA-256: %s... (stored in %s)\n" "${short_hash}" "${attestation_file}"
106        printf "[plan-attest] Hooks will block injection if the file is modified without re-running this command.\n"
107        ;;
108esac
109 
110exit 0
111