diff options
| author | Craig Jennings <c@cjennings.net> | 2026-04-19 12:46:59 -0500 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-04-19 12:46:59 -0500 |
| commit | 129b13f85ede90b50ac9e2131bddf30659fa57a9 (patch) | |
| tree | f1c09b852b3ebb9de2312779d5796127dafa8134 /githooks/pre-commit | |
| parent | 72a52a14455335be97a7d2b4820ec86c259d9236 (diff) | |
| download | chime-129b13f85ede90b50ac9e2131bddf30659fa57a9.tar.gz chime-129b13f85ede90b50ac9e2131bddf30659fa57a9.zip | |
chore: add Claude Code ruleset via ~/code/rulesets install-elisp
Installs the Elisp ruleset from the rulesets repo:
- CLAUDE.md (project instructions template)
- .claude/rules/ (testing, verification, elisp, elisp-testing)
- .claude/hooks/validate-el.sh (check-parens + byte-compile + run
matching tests on every .el edit via PostToolUse)
- .claude/settings.json (permission allowlist + hook wiring)
- githooks/pre-commit (secret scan + staged-file paren check)
core.hooksPath set to githooks/ so the pre-commit activates automatically.
Hooks use \$CLAUDE_PROJECT_DIR with a script-relative fallback, so a
fresh clone works without path edits.
.gitignore extended with personal-override entries (settings.local.json,
.cache/) and byte-compile artifacts (*.elc, *.eln).
Diffstat (limited to 'githooks/pre-commit')
| -rwxr-xr-x | githooks/pre-commit | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/githooks/pre-commit b/githooks/pre-commit new file mode 100755 index 0000000..909cde2 --- /dev/null +++ b/githooks/pre-commit @@ -0,0 +1,50 @@ +#!/usr/bin/env bash +# Pre-commit hook: secret scan + paren validation on staged .el files. +# Use `git commit --no-verify` to bypass for confirmed false positives. + +set -u + +REPO_ROOT="$(git rev-parse --show-toplevel)" +cd "$REPO_ROOT" + +# --- 1. Secret scan --- +# Patterns for common credentials. Scans only added lines in the staged diff. +SECRET_PATTERNS='(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9_-]{20,}|-----BEGIN (RSA|DSA|EC|OPENSSH|PGP)( PRIVATE)?( KEY| KEY BLOCK)?-----|(api[_-]?key|api[_-]?secret|auth[_-]?token|secret[_-]?key|bearer[_-]?token|access[_-]?token|password)[[:space:]]*[:=][[:space:]]*["'"'"'][^"'"'"']{16,}["'"'"'])' + +secret_hits="$(git diff --cached -U0 --diff-filter=AM \ + | grep '^+' | grep -v '^+++' \ + | grep -iEn "$SECRET_PATTERNS" || true)" + +if [ -n "$secret_hits" ]; then + echo "pre-commit: potential secret in staged changes:" >&2 + echo "$secret_hits" >&2 + echo "" >&2 + echo "Review the lines above. If this is a false positive (test fixture, documentation)," >&2 + echo "bypass with: git commit --no-verify" >&2 + exit 1 +fi + +# --- 2. Paren check on staged .el files --- +staged_el="$(git diff --cached --name-only --diff-filter=AM | grep '\.el$' || true)" + +if [ -n "$staged_el" ]; then + paren_fail="" + while IFS= read -r f; do + [ -z "$f" ] && continue + [ -f "$f" ] || continue + if ! out="$(emacs --batch --no-site-file --no-site-lisp "$f" \ + --eval '(check-parens)' 2>&1)"; then + paren_fail="${paren_fail}${f}: +${out} + +" + fi + done <<< "$staged_el" + + if [ -n "$paren_fail" ]; then + printf 'pre-commit: paren check failed:\n\n%s' "$paren_fail" >&2 + exit 1 + fi +fi + +exit 0 |