Danijel Martinek
9b235c7d1c
Blocks commits containing known secret patterns (e.g. Stripe sk_test_*) before they reach the remote. Exits gracefully with a warning when gitleaks is not in $PATH so developers who haven't installed it are not blocked. .gitleaks.toml extends the upstream default ruleset and allowlists __seeds__/** to prevent false positives from test fixtures. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
29 lines
1.1 KiB
Bash
Executable File
29 lines
1.1 KiB
Bash
Executable File
#!/usr/bin/env sh
|
|
|
|
# Pre-commit gates — fast checks only. Slow checks (full conformance, full
|
|
# test, full typecheck) stay in CI.
|
|
|
|
# 1. lint-staged: format + lint staged files
|
|
pnpm exec lint-staged || exit 1
|
|
|
|
# 2. If any docs/work/ markdown is staged, regenerate _state.json + re-stage it
|
|
if git diff --cached --name-only | grep -qE '^docs/work/.*\.md$'; then
|
|
pnpm work rebuild-state
|
|
git add docs/work/_state.json
|
|
fi
|
|
|
|
# 3. Run the state-sync guard: refuses to commit if _state.json is
|
|
# staged but doesn't match what rebuild-state would produce. Catches the case
|
|
# where someone hand-edits _state.json without going through rebuild-state.
|
|
node scripts/work/state-sync-guard.mjs || exit 1
|
|
|
|
# 4. Check library decision traces for new runtime deps in feature/core packages.
|
|
node scripts/library-decisions/check.mjs || exit 1
|
|
|
|
# 5. Scan staged changes for secrets (skip gracefully if gitleaks is not installed).
|
|
if command -v gitleaks > /dev/null 2>&1; then
|
|
gitleaks protect --staged --redact || exit 1
|
|
else
|
|
echo "gitleaks not found in \$PATH — skipping secret scan (install via brew install gitleaks or https://github.com/gitleaks/gitleaks)"
|
|
fi
|