A small collection of standalone shell/Python utilities that I use across projects and machines. Installable individually via a bootstrap script that verifies SHA-256 checksums before writing anything executable to disk.
Every utility here is something I'd want to curl | bash onto a new machine. That's convenient — and it's also how supply-chain attacks land. So the governing rule for this repo is that curl | bash flows must verify what they fetch before running it.
That rule, plus a handful of shell-hygiene rules that keep the scripts predictable under set -euo pipefail, is captured in ai_docs/REQUIREMENTS.md. It's a merge-blocker, not a style guide. New modules are expected to meet the bar.
This repo deliberately does not tag or cut releases — master is the normal install target. If you want to pin to a specific commit for reproducibility, SCRIPT_UTILS_REF=<sha> is supported. See CHANGELOG.md for a ledger of structural changes.
| Module | Purpose | Installable |
|---|---|---|
installer/ |
Bootstrap script (install.sh) that fetches and verifies the other modules. Reads a per-module install.yml + checksums.txt over HTTPS. |
— (it is the installer) |
append-files/ |
Concatenates files (and optionally transforms Python code to IDL/JSON) into a single blob suitable for pasting to an LLM. | yes |
secrets-sanitizer/ |
Redacts AWS/Azure/Google/GitHub/JWT/PEM secrets from text or clipboard content before you paste it somewhere public. macOS-only. | yes |
update-dns-a-record/ |
Cron-friendly heartbeat that updates a Route53 A record when your public IP changes. Root-only. | — (cron-installed manually) |
validate-path/ |
Read-only diagnostics for $PATH and the rc files that build it — finds missing directories, duplicates, and :: empty entries. |
— (run directly from checkout) |
curl -sSL https://raw.githubusercontent.com/descoped/script-utils/master/installer/install.sh \
| bash -s -- <module_name>The installer fetches <module>/checksums.txt first, then verifies install.yml and every listed file against it before any chmod +x. A missing checksums.txt aborts the install unless you explicitly set ALLOW_UNVERIFIED=1 (emits a loud warning).
Full env-var surface (including SCRIPT_UTILS_REF for pinning to a specific commit) and YAML grammar are in installer/README.md.
git clone https://github.com/descoped/script-utils.git
cd script-utils
# Run the verification sweep (same checks CI runs)
find . -name '*.sh' -not -path './.git/*' -print0 | xargs -0 shellcheck --severity=style
find . -name '*.sh' -not -path './.git/*' -print0 | xargs -0 -I{} bash -n {}
for d in append-files secrets-sanitizer; do (cd "$d" && shasum -a 256 -c checksums.txt); doneWhen you edit an installable module's code, regenerate its checksums in the same commit:
cd <module>/
shasum -a 256 *.sh *.py README.md install.yml > checksums.txtMIT — see LICENSE.