# Pre-commit hooks for clawdbot
# Install: prek install
# Run manually: prek run --all-files
#
# See https://pre-commit.com for more information

repos:
  # Basic file hygiene
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
      - id: end-of-file-fixer
        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
      - id: check-yaml
        args: [--allow-multiple-documents]
      - id: check-added-large-files
        args: [--maxkb=500]
      - id: check-merge-conflict

  # Secret detection (same as CI)
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args:
          - --baseline
          - .secrets.baseline
          - --exclude-files
          - '(^|/)(dist/|vendor/|pnpm-lock\.yaml$|\.detect-secrets\.cfg$)'
          - --exclude-lines
          - 'key_content\.include\?\("BEGIN PRIVATE KEY"\)'
          - --exclude-lines
          - 'case \.apiKeyEnv: "API key \(env var\)"'
          - --exclude-lines
          - 'case apikey = "apiKey"'
          - --exclude-lines
          - '"gateway\.remote\.password"'
          - --exclude-lines
          - '"gateway\.auth\.password"'
          - --exclude-lines
          - '"talk\.apiKey"'
          - --exclude-lines
          - '=== "string"'
          - --exclude-lines
          - 'typeof remote\?\.password === "string"'

  # Shell script linting
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.11.0
    hooks:
      - id: shellcheck
        args: [--severity=error]  # Only fail on errors, not warnings/info
        # Exclude vendor and scripts with embedded code or known issues
        exclude: '^(vendor/|scripts/e2e/)'

  # GitHub Actions linting
  - repo: https://github.com/rhysd/actionlint
    rev: v1.7.10
    hooks:
      - id: actionlint

  # GitHub Actions security audit
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: v1.22.0
    hooks:
      - id: zizmor
        args: [--persona=regular, --min-severity=medium, --min-confidence=medium]
        exclude: '^(vendor/|Swabble/)'

  # Project checks (same commands as CI)
  - repo: local
    hooks:
      # oxlint --type-aware src test
      - id: oxlint
        name: oxlint
        entry: scripts/pre-commit/run-node-tool.sh oxlint --type-aware src test
        language: system
        pass_filenames: false
        types_or: [javascript, jsx, ts, tsx]

      # oxfmt --check src test
      - id: oxfmt
        name: oxfmt
        entry: scripts/pre-commit/run-node-tool.sh oxfmt --check src test
        language: system
        pass_filenames: false
        types_or: [javascript, jsx, ts, tsx]

      # swiftlint (same as CI)
      - id: swiftlint
        name: swiftlint
        entry: swiftlint --config .swiftlint.yml
        language: system
        pass_filenames: false
        types: [swift]

      # swiftformat --lint (same as CI)
      - id: swiftformat
        name: swiftformat
        entry: swiftformat --lint apps/macos/Sources --config .swiftformat
        language: system
        pass_filenames: false
        types: [swift]