feat: add prek pre-commit hooks and dependabot (#1720)

* feat: add prek pre-commit hooks and dependabot

Pre-commit hooks (via prek):
- Basic hygiene: trailing-whitespace, end-of-file-fixer, check-yaml, check-added-large-files, check-merge-conflict
- Security: detect-secrets, zizmor (GitHub Actions audit)
- Linting: shellcheck, actionlint, oxlint, swiftlint
- Formatting: oxfmt, swiftformat

Dependabot:
- npm and GitHub Actions ecosystems
- Grouped updates (production/development/actions)
- 7-day cooldown for supply chain protection

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: add prek install instruction to AGENTS.md

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

.github/actionlint.yaml

@@ -0,0 +1,17 @@
+# actionlint configuration
+# https://github.com/rhysd/actionlint/blob/main/docs/config.md
+
+self-hosted-runner:
+  labels:
+    # Blacksmith CI runners
+    - blacksmith-4vcpu-ubuntu-2404
+    - blacksmith-4vcpu-windows-2025
+
+# Ignore patterns for known issues
+paths:
+  .github/workflows/**/*.yml:
+    ignore:
+      # Ignore shellcheck warnings (we run shellcheck separately)
+      - 'shellcheck reported issue.+'
+      # Ignore intentional if: false for disabled jobs
+      - 'constant expression "false" in condition'

.github/dependabot.yml

@@ -0,0 +1,113 @@
+# Dependabot configuration
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+
+registries:
+  npm-npmjs:
+    type: npm-registry
+    url: https://registry.npmjs.org
+    replaces-base: true
+
+updates:
+  # npm dependencies (root)
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      production:
+        dependency-type: production
+        update-types:
+          - minor
+          - patch
+      development:
+        dependency-type: development
+        update-types:
+          - minor
+          - patch
+    open-pull-requests-limit: 10
+    registries:
+      - npm-npmjs
+
+  # GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      actions:
+        patterns:
+          - "*"
+        update-types:
+          - minor
+          - patch
+    open-pull-requests-limit: 5
+
+  # Swift Package Manager - macOS app
+  - package-ecosystem: swift
+    directory: /apps/macos
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      swift-deps:
+        patterns:
+          - "*"
+        update-types:
+          - minor
+          - patch
+    open-pull-requests-limit: 5
+
+  # Swift Package Manager - shared ClawdbotKit
+  - package-ecosystem: swift
+    directory: /apps/shared/ClawdbotKit
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      swift-deps:
+        patterns:
+          - "*"
+        update-types:
+          - minor
+          - patch
+    open-pull-requests-limit: 5
+
+  # Swift Package Manager - Swabble
+  - package-ecosystem: swift
+    directory: /Swabble
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      swift-deps:
+        patterns:
+          - "*"
+        update-types:
+          - minor
+          - patch
+    open-pull-requests-limit: 5
+
+  # Gradle - Android app
+  - package-ecosystem: gradle
+    directory: /apps/android
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      android-deps:
+        patterns:
+          - "*"
+        update-types:
+          - minor
+          - patch
+    open-pull-requests-limit: 5

.pre-commit-config.yaml

@@ -0,0 +1,85 @@
+# Pre-commit hooks for clawdbot
+# Install: prek install
+# Run manually: prek run --all-files
+#
+# See https://pre-commit.com for more information
+
+repos:
+  # Basic file hygiene
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: trailing-whitespace
+        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
+      - id: end-of-file-fixer
+        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
+      - id: check-yaml
+        args: [--allow-multiple-documents]
+      - id: check-added-large-files
+        args: [--maxkb=500]
+      - id: check-merge-conflict
+
+  # Secret detection (same as CI)
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args: [--baseline, .secrets.baseline]
+
+  # Shell script linting
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.11.0
+    hooks:
+      - id: shellcheck
+        args: [--severity=error]  # Only fail on errors, not warnings/info
+        # Exclude vendor and scripts with embedded code or known issues
+        exclude: '^(vendor/|scripts/e2e/)'
+
+  # GitHub Actions linting
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.10
+    hooks:
+      - id: actionlint
+
+  # GitHub Actions security audit
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.22.0
+    hooks:
+      - id: zizmor
+        args: [--persona=regular, --min-severity=medium, --min-confidence=medium]
+        exclude: '^(vendor/|Swabble/)'
+
+  # Project checks (same commands as CI)
+  - repo: local
+    hooks:
+      # oxlint --type-aware src test
+      - id: oxlint
+        name: oxlint
+        entry: npx oxlint --type-aware src test
+        language: system
+        pass_filenames: false
+        types_or: [javascript, jsx, ts, tsx]
+
+      # oxfmt --check src test
+      - id: oxfmt
+        name: oxfmt
+        entry: npx oxfmt --check src test
+        language: system
+        pass_filenames: false
+        types_or: [javascript, jsx, ts, tsx]
+
+      # swiftlint (same as CI)
+      - id: swiftlint
+        name: swiftlint
+        entry: swiftlint --config .swiftlint.yml
+        language: system
+        pass_filenames: false
+        types: [swift]
+
+      # swiftformat --lint (same as CI)
+      - id: swiftformat
+        name: swiftformat
+        entry: swiftformat --lint apps/macos/Sources --config .swiftformat
+        language: system
+        pass_filenames: false
+        types: [swift]

.shellcheckrc

@@ -0,0 +1,25 @@
+# ShellCheck configuration
+# https://www.shellcheck.net/wiki/
+
+# Disable common false positives and style suggestions
+
+# SC2034: Variable appears unused (often exported or used indirectly)
+disable=SC2034
+
+# SC2155: Declare and assign separately (common idiom, rarely causes issues)
+disable=SC2155
+
+# SC2295: Expansions inside ${..} need quoting (info-level, rarely causes issues)
+disable=SC2295
+
+# SC1012: \r is literal (tr -d '\r' works as intended on most systems)
+disable=SC1012
+
+# SC2026: Word outside quotes (info-level, often intentional)
+disable=SC2026
+
+# SC2016: Expressions don't expand in single quotes (often intentional in sed/awk)
+disable=SC2016
+
+# SC2129: Consider using { cmd1; cmd2; } >> file (style preference)
+disable=SC2129

AGENTS.md

@@ -37,6 +37,7 @@
 ## Build, Test, and Development Commands
 - Runtime baseline: Node **22+** (keep Node + Bun paths working).
 - Install deps: `pnpm install`
+- Pre-commit hooks: `prek install` (runs same checks as CI)
 - Also supported: `bun install` (keep `pnpm-lock.yaml` + Bun patching in sync when touching deps/patches).
 - Prefer Bun for TypeScript execution (scripts, dev, tests): `bun <file.ts>` / `bunx <tool>`.
 - Run CLI in dev: `pnpm clawdbot ...` (bun) or `pnpm dev`.

SECURITY.md

@@ -12,4 +12,3 @@ If you believe you’ve found a security issue in Clawdbot, please report it pri
 For threat model + hardening guidance (including `clawdbot security audit --deep` and `--fix`), see:
 
 - `https://docs.clawd.bot/gateway/security`
-

apps/android/app/src/main/java/com/clawdbot/android/CameraHudState.kt

@@ -12,4 +12,3 @@ data class CameraHudState(
   val kind: CameraHudKind,
   val message: String,
 )
-

apps/android/app/src/main/java/com/clawdbot/android/VoiceWakeMode.kt

@@ -12,4 +12,3 @@ enum class VoiceWakeMode(val rawValue: String) {
     }
   }
 }
-

apps/android/app/src/main/res/values/colors.xml

@@ -1,4 +1,3 @@
 <resources>
     <color name="ic_launcher_background">#0A0A0A</color>
 </resources>
-

apps/android/app/src/main/res/values/strings.xml

@@ -1,4 +1,3 @@
 <resources>
     <string name="app_name">Clawdbot Node</string>
 </resources>
-

apps/android/app/src/test/java/com/clawdbot/android/voice/VoiceWakeCommandExtractorTest.kt

@@ -23,4 +23,3 @@ class VoiceWakeCommandExtractorTest {
     assertNull(VoiceWakeCommandExtractor.extractCommand("hey claude!", listOf("claude")))
   }
 }
-

apps/android/settings.gradle.kts

@@ -16,4 +16,3 @@ dependencyResolutionManagement {
 
 rootProject.name = "ClawdbotNodeAndroid"
 include(":app")
-

apps/ios/.swiftlint.yml

@@ -3,4 +3,3 @@ parent_config: ../../.swiftlint.yml
 included:
   - Sources
   - ../shared/ClawdisNodeKit/Sources
-

extensions/voice-call/src/manager/context.ts

@@ -19,4 +19,3 @@ export type CallManagerContext = {
   transcriptWaiters: Map<CallId, TranscriptWaiter>;
   maxDurationTimers: Map<CallId, NodeJS.Timeout>;
 };
-

extensions/voice-call/src/manager/events.ts

@@ -175,4 +175,3 @@ export function processEvent(ctx: CallManagerContext, event: NormalizedEvent): v
 
   persistCallRecord(ctx.storePath, call);
 }
-

extensions/voice-call/src/manager/lookup.ts

@@ -31,4 +31,3 @@ export function findCall(params: {
     providerCallId: params.callIdOrProviderCallId,
   });
 }
-

extensions/voice-call/src/manager/state.ts

@@ -48,4 +48,3 @@ export function addTranscriptEntry(
   };
   call.transcript.push(entry);
 }
-

extensions/voice-call/src/manager/store.ts

@@ -86,4 +86,3 @@ export async function getCallHistoryFromStore(
 
   return calls;
 }
-

extensions/voice-call/src/manager/timers.ts

@@ -84,4 +84,3 @@ export function waitForFinalTranscript(
     ctx.transcriptWaiters.set(callId, { resolve, reject, timeout });
   });
 }
-

extensions/voice-call/src/manager/twiml.ts

@@ -7,4 +7,3 @@ export function generateNotifyTwiml(message: string, voice: string): string {
   <Hangup/>
 </Response>`;
 }
-

extensions/voice-call/src/providers/plivo.test.ts

@@ -26,4 +26,3 @@ describe("PlivoProvider", () => {
     expect(result.providerResponseBody).toContain('length="300"');
   });
 });
-

extensions/voice-call/src/providers/twilio/webhook.ts

@@ -27,4 +27,3 @@ export function verifyTwilioProviderWebhook(params: {
     reason: result.reason,
   };
 }
-

extensions/zalouser/src/channel.test.ts

@@ -15,4 +15,3 @@ describe("zalouser outbound chunker", () => {
     expect(chunks.every((c) => c.length <= limit)).toBe(true);
   });
 });
-

scripts/update-clawtributors.types.ts

@@ -30,4 +30,3 @@ export type Entry = {
   avatar_url: string;
   lines: number;
 };
-

ui/src/main.ts

@@ -1,3 +1,2 @@
 import "./styles.css";
 import "./ui/app.ts";
-

ui/src/styles/chat/layout.css

@@ -279,4 +279,3 @@
     min-width: 120px;
   }
 }
-

ui/src/styles/chat/text.css

@@ -122,4 +122,3 @@
   border-top: 1px solid var(--border);
   margin: 1em 0;
 }
-

ui/src/styles/chat/tool-cards.css

@@ -196,4 +196,3 @@
     transform: scale(1);
   }
 }
-

ui/src/ui/app-events.ts

@@ -3,4 +3,3 @@ export type EventLogEntry = {
   event: string;
   payload?: unknown;
 };
-

ui/src/ui/controllers/config/form-utils.ts

@@ -74,4 +74,3 @@ export function removePathValue(
     delete (current as Record<string, unknown>)[lastKey];
   }
 }
-

ui/src/ui/controllers/debug.ts

@@ -54,4 +54,3 @@ export async function callDebugMethod(state: DebugState) {
     state.debugCallError = String(err);
   }
 }
-

ui/src/ui/controllers/presence.ts

@@ -33,4 +33,3 @@ export async function loadPresence(state: PresenceState) {
     state.presenceLoading = false;
   }
 }
-

ui/src/ui/format.test.ts

@@ -39,4 +39,3 @@ describe("stripThinkingTags", () => {
     expect(stripThinkingTags("Hello</final>")).toBe("Hello");
   });
 });
-

ui/src/ui/markdown.test.ts

@@ -30,4 +30,3 @@ describe("toSanitizedMarkdownHtml", () => {
     expect(html).toContain("console.log(1)");
   });
 });
-

ui/src/ui/presenter.ts

@@ -55,4 +55,3 @@ export function formatCronPayload(job: CronJob) {
   if (p.kind === "systemEvent") return `System: ${p.text}`;
   return `Agent: ${p.message}`;
 }
-

ui/src/ui/uuid.test.ts

@@ -30,4 +30,3 @@ describe("generateUUID", () => {
     expect(id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/);
   });
 });
-

ui/src/ui/uuid.ts

@@ -40,4 +40,3 @@ export function generateUUID(cryptoLike: CryptoLike | null = globalThis.crypto):
 
   return uuidFromBytes(weakRandomBytes());
 }
-

ui/src/ui/views/channels.shared.ts

@@ -43,4 +43,3 @@ export function renderChannelAccountCount(
   if (count < 2) return nothing;
   return html`<div class="account-count">Accounts (${count})</div>`;
 }
-

ui/src/ui/views/channels.whatsapp.ts

@@ -116,4 +116,3 @@ export function renderWhatsAppCard(params: {
     </div>
   `;
 }
-

ui/src/ui/views/config-form.shared.ts

@@ -89,4 +89,3 @@ export function isSensitivePath(path: Array<string | number>): boolean {
     key.endsWith("key")
   );
 }
-

ui/src/ui/views/config-form.ts

@@ -5,4 +5,3 @@ export {
 } from "./config-form.analyze";
 export { renderNode } from "./config-form.node";
 export { schemaType, type JsonSchema } from "./config-form.shared";
-

zizmor.yml

@@ -0,0 +1,17 @@
+# zizmor configuration
+# https://docs.zizmor.sh/configuration/
+
+rules:
+  # Disable unpinned-uses - pinning to SHA hashes is a significant change
+  # that should be done deliberately, not enforced by pre-commit
+  unpinned-uses:
+    disable: true
+
+  # Disable excessive-permissions for now - adding explicit permissions
+  # blocks requires careful review of each workflow's needs
+  excessive-permissions:
+    disable: true
+
+  # Disable artipacked (persist-credentials) - low confidence finding
+  artipacked:
+    disable: true