feat(shell): add bash pre-commit secret redaction guard

Author: skulidropek

.githooks/pre-commit

@@ -1,8 +1,11 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-node scripts/split-knowledge-large-files.js
+HOOK_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "$HOOK_DIR/.." && pwd)"
+cd "$REPO_ROOT"
 
+node scripts/split-knowledge-large-files.js
 if [ -d ".knowledge" ]; then
   git add -A .knowledge
 fi
@@ -29,3 +32,5 @@ if [ "${#too_large[@]}" -gt 0 ]; then
   printf ' - %s\n' "${too_large[@]}"
   exit 1
 fi
+
+bash "$REPO_ROOT/scripts/pre-commit-secret-guard.sh"

package.json

@@ -8,6 +8,7 @@
     "packages/*"
   ],
   "scripts": {
+    "setup:pre-commit-hook": "node scripts/setup-pre-commit-hook.js",
     "build": "pnpm --filter ./packages/app build",
     "check": "pnpm --filter ./packages/app check && pnpm --filter ./packages/lib typecheck",
     "changeset": "changeset",

scripts/pre-commit-secret-guard.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# CHANGE: Add bash-only pre-commit guard that redacts probable GitHub/OAuth secrets in staged files.
+# WHY: Avoid relying on Node runtime in hook execution and keep local push-protection checks deterministic.
+
+ROOT_DIR="$(git rev-parse --show-toplevel)"
+cd "$ROOT_DIR"
+
+command -v git >/dev/null || { echo "ERROR: git is required" >&2; exit 1; }
+command -v perl >/dev/null || { echo "ERROR: perl is required" >&2; exit 1; }
+
+SECRET_PATTERN='\b(?:github_pat_|gho_|ghp_|ghu_|ghs_|ghr_|gha_)[A-Za-z0-9_]{20,255}\b'
+
+redacted_count=0
+manual_fix_files=()
+has_staged_files=0
+
+TMP_DIR=$(mktemp -d)
+trap 'rm -rf "$TMP_DIR"' EXIT
+
+while IFS= read -r -d '' path; do
+  if [ -z "$path" ]; then
+    continue
+  fi
+
+  if ! git cat-file -e ":$path" 2>/dev/null; then
+    continue
+  fi
+
+  has_staged_files=1
+  tmp_path="${TMP_DIR}/entry"
+  has_unstaged=false
+
+  if ! git diff --quiet -- "$path"; then
+    has_unstaged=true
+  fi
+
+  if [ "$has_unstaged" = true ]; then
+    git cat-file -p ":$path" > "$tmp_path"
+
+  if grep -Pq "$SECRET_PATTERN" "$tmp_path"; then
+      manual_fix_files+=("$path")
+    fi
+
+    continue
+  fi
+
+  if ! grep -Pq "$SECRET_PATTERN" "$path"; then
+    continue
+  fi
+
+  perl -0pi -e 's/\b(?:github_pat_|gho_|ghp_|ghu_|ghs_|ghr_|gha_)[A-Za-z0-9_]{20,255}\b/<REDACTED_GITHUB_TOKEN>/g' "$path"
+  git add -- "$path"
+  redacted_count=$((redacted_count + 1))
+done < <(git diff --cached --name-only --diff-filter=ACM -z)
+
+if [ "$has_staged_files" -eq 0 ]; then
+  exit 0
+fi
+
+if [ "${#manual_fix_files[@]}" -gt 0 ]; then
+  echo "ERROR: secret-like tokens found in staged versions with unstaged changes."
+  echo "Please fix these files manually in index or clear unstaged changes, then commit again:"
+  for file in "${manual_fix_files[@]}"; do
+    echo " - $file"
+  done
+  echo "Hint: clean working tree for those files first (git restore --worktree -- <file> && git add -- <file>)."
+  exit 1
+fi
+
+if [ "$redacted_count" -gt 0 ]; then
+  echo "pre-commit: auto-redacted secrets in $redacted_count staged file(s)."
+fi
+
+exit 0

scripts/setup-pre-commit-hook.js

@@ -0,0 +1,64 @@
+#!/usr/bin/env node
+
+// CHANGE: Add repeatable pre-commit hook setup for secret auto-redaction
+// WHY: Keep secret scanning on every commit without one-time manual hook wiring.
+// SOURCE: n/a
+// PURITY: SHELL (git config + filesystem)
+
+const fs = require("node:fs");
+const path = require("node:path");
+
+const repoRoot = path.resolve(__dirname, "..");
+
+const hooksDir = path.join(repoRoot, ".githooks");
+const hookPath = path.join(hooksDir, "pre-commit");
+
+fs.mkdirSync(hooksDir, { recursive: true });
+fs.writeFileSync(
+  hookPath,
+  `#!/usr/bin/env bash
+set -euo pipefail
+
+HOOK_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "$HOOK_DIR/.." && pwd)"
+cd "$REPO_ROOT"
+
+node scripts/split-knowledge-large-files.js
+if [ -d ".knowledge" ]; then
+  git add -A .knowledge
+fi
+
+if [ -d ".knowlenge" ]; then
+  git add -A .knowlenge
+fi
+
+MAX_BYTES=$((99 * 1000 * 1000))
+too_large=()
+
+while IFS= read -r -d '' path; do
+  if ! git cat-file -e ":$path" 2>/dev/null; then
+    continue
+  fi
+  size=$(git cat-file -s ":$path")
+  if [ "$size" -gt "$MAX_BYTES" ]; then
+    too_large+=("$path ($size bytes)")
+  fi
+done < <(git diff --cached --name-only -z --diff-filter=ACM)
+
+if [ "\${#too_large[@]}" -gt 0 ]; then
+  echo "ERROR: Staged files exceed 99MB limit (99,000,000 bytes)."
+  printf ' - %s\\n' "\${too_large[@]}"
+  exit 1
+fi
+
+bash "$REPO_ROOT/scripts/pre-commit-secret-guard.sh"
+`,
+  "utf8"
+);
+
+fs.chmodSync(hookPath, 0o755);
+
+console.log(
+  "Installed .githooks/pre-commit."
+);
+console.log("Enable it for this repository with: git config core.hooksPath .githooks");