Add lefthook with gitleaks pre-commit hook (#39) #61
james/carol!61
Closes #39.
Summary
- `lefthook` as a devDep (^2.1.9) and wire `prepare: "lefthook install || true"` in `package.json`. The `|| true` keeps the Dockerfile's `npm ci` working — the build image has no `.git`, so `lefthook install` would otherwise fail.
- `lefthook.yml` with one `pre-commit` command: gitleaks scanning staged changes (`gitleaks protect --staged --redact`). `--redact` keeps detected secret values out of terminal output / shell history.
- `PATH`, the hook fails closed with a clear "✗ gitleaks not installed — see README" message instead of silently passing. Avoids the "secret-scanning enabled" theatre when the tool isn't actually there.
- `brew install gitleaks` or grab a binary from the project's releases page) plus a note that `LEFTHOOK_EXCLUDE=<name>` is the supported per-commit skip path.

Out of scope
Verification (locally)
- `npm install` auto-runs `lefthook install`; `.git/hooks/pre-commit` is now lefthook's wrapper.
- `ghp_…`) and ran `git commit`: gitleaks output `WRN leaks found: 1`, lefthook reported `🥊 gitleaks` (blocked), exit status 1, no commit was made. Cleaned up the test file before committing the real changes.
- `AKIAIOSFODNN7EXAMPLE`) was a no-op — gitleaks has it on a known-good allowlist as documentation example. Worth knowing for future bug reports.
- `✔️ gitleaks`, 88.7ms scanning ~7.9 KB).
- `npm run typecheck`, `npm run lint`, `npm test` all green (86 passed, 24 skipped). Lefthook adds no test-runtime surface.

Test plan
- `if ! command -v` branch; not exercised in CI because the CI box has gitleaks via Linuxbrew on this dev machine).
- `npm ci` succeeds despite `prepare` invoking `lefthook install` (the `|| true` guard).

🤖 Generated with Claude Code
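As an added illustration (not code from this PR or from the project): a fail-closed pre-commit wrapper of the kind the description's `if ! command -v` branch refers to, with the `lefthook.yml` entry that would invoke it shown in a comment. The script path `scripts/secret-scan.sh`, the function names, and the constructed fake scanner used by the offline demo are assumptions; the `gitleaks protect --staged --redact` invocation is the one the PR describes.

```shell
#!/bin/sh
# Added example, not part of the PR. The lefthook.yml entry that would run this
# wrapper (assumed layout; the script path is hypothetical):
#
#   pre-commit:
#     commands:
#       gitleaks:
#         run: sh scripts/secret-scan.sh
#
# LEFTHOOK_EXCLUDE=gitleaks is then the per-commit skip path, as the PR notes.

# scan_staged_for_secrets [scanner]
#   Scans staged changes with the given scanner (default: gitleaks).
#   If the scanner is not on PATH the hook fails closed (non-zero exit), so a
#   missing tool blocks the commit instead of silently passing it.
scan_staged_for_secrets() {
    scanner="${1:-gitleaks}"
    if ! command -v "$scanner" >/dev/null 2>&1; then
        printf '✗ %s not installed — see README\n' "$scanner" >&2
        return 1
    fi
    # --redact keeps detected secret values out of terminal output / shell history
    "$scanner" protect --staged --redact
}

# demo_fail_closed
#   Returns 0 if a scanner name that is not on PATH is correctly refused.
demo_fail_closed() {
    if scan_staged_for_secrets "no-such-scanner-xyz" 2>/dev/null; then
        return 1   # a missing scanner let the commit through: wrong
    fi
    return 0
}

# demo_with_fake_scanner
#   Installs a constructed stand-in for gitleaks in a temp dir, runs the wrapper
#   through it, and prints the arguments the scanner received. This lets the
#   happy path run offline without gitleaks present.
demo_with_fake_scanner() {
    tmp="$(mktemp -d)" || return 1
    cat > "$tmp/gitleaks" <<'EOF'
#!/bin/sh
# constructed fake scanner: record the arguments it was called with and succeed
printf '%s\n' "$*" > "$FAKE_SCANNER_LOG"
exit 0
EOF
    chmod +x "$tmp/gitleaks"
    (
        export FAKE_SCANNER_LOG="$tmp/args.log"
        PATH="$tmp:$PATH"
        export PATH
        scan_staged_for_secrets gitleaks
    ) || { rm -rf "$tmp"; return 1; }
    cat "$tmp/args.log"
    rm -rf "$tmp"
}
```

In the real hook only `scan_staged_for_secrets` is needed; the two `demo_*` functions exist so the behaviour of both branches can be exercised without a scanner installed. The wrapper returns the scanner's own exit status on the happy path, which is what lets lefthook report the command as blocked when leaks are found.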
8f27100724851db45d6b