[GUARD] Add model size guard script for >5GB policy enforcement (#188)

workspace/timmy-config/scripts/guard_large_models.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+# Guard script: prevent local download of models >5GB
+# Policy from Issue #188: Any model over ~5GB must use a serverless endpoint
+
+THRESHOLD_GB=5
+THRESHOLD_BYTES=$((THRESHOLD_GB * 1024 * 1024 * 1024))
+
+# Colors for output
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+log_guard() {
+    echo -e "${RED}[MODEL GUARD]${NC} $1" >&2
+}
+
+warn_guard() {
+    echo -e "${YELLOW}[MODEL GUARD WARNING]${NC} $1" >&2
+}
+
+# Check a specific file or directory for models >5GB
+check_path() {
+    local path="$1"
+    if [[ -f "$path" ]]; then
+        local size=$(stat -c%s "$path" 2>/dev/null || stat -f%z "$path" 2>/dev/null)
+        if [[ "$size" -gt "$THRESHOLD_BYTES" ]]; then
+            local size_gb=$(echo "scale=2; $size / 1024 / 1024 / 1024" | bc 2>/dev/null || echo "$((size / 1024 / 1024 / 1024))")
+            log_guard "BLOCKED: $path is ${size_gb}GB (exceeds ${THRESHOLD_GB}GB policy threshold)"
+            log_guard "Directive: Deploy models >5GB to RunPod serverless or other cloud endpoint."
+            log_guard "See timmy-config Issue #188 for migration process."
+            return 1
+        fi
+    fi
+    return 0
+}
+
+# Scan directories for models >5GB and report them
+scan_models() {
+    local found=0
+    for dir in "$@"; do
+        if [[ -d "$dir" ]]; then
+            while IFS= read -r file; do
+                local size=$(stat -c%s "$file" 2>/dev/null || stat -f%z "$file" 2>/dev/null)
+                if [[ "$size" -gt "$THRESHOLD_BYTES" ]]; then
+                    local size_gb=$(echo "scale=2; $size / 1024 / 1024 / 1024" | bc 2>/dev/null || echo "$((size / 1024 / 1024 / 1024))")
+                    warn_guard "VIOLATION: $file is ${size_gb}GB (exceeds ${THRESHOLD_GB}GB threshold)"
+                    found=1
+                fi
+            done < <(find "$dir" -type f \( -name "*.gguf" -o -name "*.safetensors" -o -name "*.bin" -o -name "*.pt" -o -name "*.pth" -o -name "*.ckpt" \) 2>/dev/null)
+        fi
+    done
+    return $found
+}
+
+# Main action based on command
+ case "${1:-scan}" in
+    check)
+        shift
+        for path in "$@"; do
+            check_path "$path" || exit 1
+        done
+        ;;
+    scan)
+        shift
+        scan_models "$@"
+        exit $?
+        ;;
+    audit)
+        # Default audit of known model directories
+        scan_models \
+            /root/.ollama/models \
+            /root/models \
+            /opt/models \
+            /root/wizards/*/hermes-agent/~/.hermes/profiles/*/models \
+            /root/.hermes/models \
+            /root/.cache/huggingface \
+            "$HOME/.cache/huggingface"
+        exit $?
+        ;;
+    *)
+        echo "Usage: $0 {check <path>|scan <dir>...|audit}"
+        echo ""
+        echo "  check <path>  - Check if a specific file exceeds the 5GB threshold"
+        echo "  scan <dir>... - Scan directories for models exceeding the threshold"
+        echo "  audit         - Full fleet audit of known model directories"
+        exit 1
+        ;;
+ esac