From 50f233d16d529645c368476f294f268f2d3e9c6c Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 25 Jan 2026 10:55:28 +0000
Subject: [PATCH] chore: stabilize prek hooks runner selection (#1720) (thanks
 @dguido)

---
 .detect-secrets.cfg                 |  4 ++++
 .pre-commit-config.yaml             | 26 ++++++++++++++++++---
 .secrets.baseline                   | 36 +----------------------------
 CHANGELOG.md                        |  1 +
 scripts/pre-commit/run-node-tool.sh | 31 +++++++++++++++++++++++++
 5 files changed, 60 insertions(+), 38 deletions(-)
 create mode 100755 scripts/pre-commit/run-node-tool.sh

diff --git a/.detect-secrets.cfg b/.detect-secrets.cfg
index 66ed5236e..38912567c 100644
--- a/.detect-secrets.cfg
+++ b/.detect-secrets.cfg
@@ -7,6 +7,10 @@
 [exclude-files]
 # pnpm lockfiles contain lots of high-entropy package integrity blobs.
 pattern = (^|/)pnpm-lock\.yaml$
+# Generated output and vendored assets.
+pattern = (^|/)(dist|vendor)/
+# Local config file with allowlist patterns.
+pattern = (^|/)\.detect-secrets\.cfg$
 
 [exclude-lines]
 # Fastlane checks for private key marker; not a real key.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4be40f8a8..80813a0d3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -24,7 +24,27 @@ repos:
     rev: v1.5.0
     hooks:
       - id: detect-secrets
-        args: [--baseline, .secrets.baseline]
+        args:
+          - --baseline
+          - .secrets.baseline
+          - --exclude-files
+          - '(^|/)(dist/|vendor/|pnpm-lock\.yaml$|\.detect-secrets\.cfg$)'
+          - --exclude-lines
+          - 'key_content\.include\?\("BEGIN PRIVATE KEY"\)'
+          - --exclude-lines
+          - 'case \.apiKeyEnv: "API key \(env var\)"'
+          - --exclude-lines
+          - 'case apikey = "apiKey"'
+          - --exclude-lines
+          - '"gateway\.remote\.password"'
+          - --exclude-lines
+          - '"gateway\.auth\.password"'
+          - --exclude-lines
+          - '"talk\.apiKey"'
+          - --exclude-lines
+          - '=== "string"'
+          - --exclude-lines
+          - 'typeof remote\?\.password === "string"'
 
   # Shell script linting
   - repo: https://github.com/koalaman/shellcheck-precommit
@@ -55,7 +75,7 @@ repos:
       # oxlint --type-aware src test
       - id: oxlint
         name: oxlint
-        entry: npx oxlint --type-aware src test
+        entry: scripts/pre-commit/run-node-tool.sh oxlint --type-aware src test
         language: system
         pass_filenames: false
         types_or: [javascript, jsx, ts, tsx]
@@ -63,7 +83,7 @@ repos:
       # oxfmt --check src test
       - id: oxfmt
         name: oxfmt
-        entry: npx oxfmt --check src test
+        entry: scripts/pre-commit/run-node-tool.sh oxfmt --check src test
         language: system
         pass_filenames: false
         types_or: [javascript, jsx, ts, tsx]
diff --git a/.secrets.baseline b/.secrets.baseline
index f02613353..826d5b4de 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -146,22 +146,6 @@
     }
   ],
   "results": {
-    ".detect-secrets.cfg": [
-      {
-        "type": "Private Key",
-        "filename": ".detect-secrets.cfg",
-        "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
-        "is_verified": false,
-        "line_number": 13
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": ".detect-secrets.cfg",
-        "hashed_secret": "fe88fceb47e040ba1bfafa4ac639366188df2f6d",
-        "is_verified": false,
-        "line_number": 15
-      }
-    ],
     ".env.example": [
       {
         "type": "Twilio API Key",
@@ -246,15 +230,6 @@
         "line_number": 100
       }
     ],
-    "dist/control-ui/assets/index-DsXRcnEw.js": [
-      {
-        "type": "Secret Keyword",
-        "filename": "dist/control-ui/assets/index-DsXRcnEw.js",
-        "hashed_secret": "ecb252044b5ea0f679ee78ec1a12904739e2904d",
-        "is_verified": false,
-        "line_number": 16
-      }
-    ],
     "docs/brave-search.md": [
       {
         "type": "Secret Keyword",
@@ -2210,16 +2185,7 @@
         "is_verified": false,
         "line_number": 182
       }
-    ],
-    "vendor/a2ui/README.md": [
-      {
-        "type": "Secret Keyword",
-        "filename": "vendor/a2ui/README.md",
-        "hashed_secret": "2619a5397a5d054dab3fe24e6a8da1fbd76ec3a6",
-        "is_verified": false,
-        "line_number": 123
-      }
     ]
   },
-  "generated_at": "2026-01-25T06:57:20Z"
+  "generated_at": "2026-01-25T10:55:04Z"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 91154c3e3..64f296fd8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ Docs: https://docs.clawd.bot
 - TTS: add Edge TTS provider fallback, defaulting to keyless Edge with MP3 retry on format failures. (#1668) Thanks @steipete. https://docs.clawd.bot/tts
 - Web search: add Brave freshness filter parameter for time-scoped results. (#1688) Thanks @JonUleis. https://docs.clawd.bot/tools/web
 - TTS: add auto mode enum (off/always/inbound/tagged) with per-session `/tts` override. (#1667) Thanks @sebslight. https://docs.clawd.bot/tts
+- Dev: add prek pre-commit hooks + dependabot config for weekly updates. (#1720) Thanks @dguido.
 - Docs: expand FAQ (migration, scheduling, concurrency, model recommendations, OpenAI subscription auth, Pi sizing, hackable install, docs SSL workaround).
 - Docs: add verbose installer troubleshooting guidance.
 - Docs: add macOS VM guide with local/hosted options + VPS/nodes guidance. (#1693) Thanks @f-trycua.
diff --git a/scripts/pre-commit/run-node-tool.sh b/scripts/pre-commit/run-node-tool.sh
new file mode 100755
index 000000000..341630755
--- /dev/null
+++ b/scripts/pre-commit/run-node-tool.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+
+if [[ $# -lt 1 ]]; then
+  echo "usage: run-node-tool.sh <tool> [args...]" >&2
+  exit 2
+fi
+
+tool="$1"
+shift
+
+if [[ -f "$ROOT_DIR/pnpm-lock.yaml" ]] && command -v pnpm >/dev/null 2>&1; then
+  exec pnpm exec "$tool" "$@"
+fi
+
+if { [[ -f "$ROOT_DIR/bun.lockb" ]] || [[ -f "$ROOT_DIR/bun.lock" ]]; } && command -v bun >/dev/null 2>&1; then
+  exec bunx --bun "$tool" "$@"
+fi
+
+if command -v npm >/dev/null 2>&1; then
+  exec npm exec -- "$tool" "$@"
+fi
+
+if command -v npx >/dev/null 2>&1; then
+  exec npx "$tool" "$@"
+fi
+
+echo "Missing package manager: pnpm, bun, or npm required." >&2
+exit 1