2026-05-13

Codex/guard_apply_patch.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage:
+  guard_apply_patch.sh PATCH_FILE [--cwd DIR] [--allow-deletes] [--max-files N] [--max-changed-lines N] [--allow-path-prefix PREFIX ...]
+
+Description:
+  Validates a patch and applies it only if policy checks pass.
+EOF
+}
+
+if [[ "${1:-}" == "-h" || "${1:-}" == "--help" || "${#}" -lt 1 ]]; then
+  usage
+  exit 0
+fi
+
+PATCH_FILE="$1"
+shift
+
+CWD="$(pwd)"
+VALIDATOR_ARGS=()
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --cwd)
+      CWD="$2"
+      shift 2
+      ;;
+    --allow-deletes)
+      VALIDATOR_ARGS+=("$1")
+      shift
+      ;;
+    --max-files|--max-changed-lines|--allow-path-prefix)
+      VALIDATOR_ARGS+=("$1" "$2")
+      shift 2
+      ;;
+    *)
+      VALIDATOR_ARGS+=("$1")
+      shift
+      ;;
+  esac
+done
+
+if [[ ! -f "$PATCH_FILE" ]]; then
+  echo "Patch file not found: $PATCH_FILE" >&2
+  exit 1
+fi
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+VALIDATOR="$SCRIPT_DIR/guard_validate_patch.py"
+
+python3 "$VALIDATOR" "$PATCH_FILE" --cwd "$CWD" "${VALIDATOR_ARGS[@]}"
+
+echo "Validation passed. Running dry-run apply..."
+patch -p1 --dry-run -d "$CWD" < "$PATCH_FILE"
+
+echo "Applying patch..."
+patch -p1 -d "$CWD" < "$PATCH_FILE"
+
+echo "Done."