Quelle  .pre-commit-config.yaml   Sprache: unbekannt

# Pre-commit hooks for openclaw
# Install: prek install
# Run manually: prek run --all-files
#
# See https://pre-commit.com for more information

repos:
  # Basic file hygiene
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
      - id: end-of-file-fixer
        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
      - id: check-yaml
        args: [--allow-multiple-documents]
      - id: check-added-large-files
        args: [--maxkb=500]
      - id: check-merge-conflict
      - id: detect-private-key
        exclude: '(^|/)(\.secrets\.baseline$|\.detect-secrets\.cfg$|\.pre-commit-config\.yaml$|apps/ios/fastlane/Fastfile$|.*\.test\.ts$)'

  # Secret detection (same as CI)
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args:
          - --baseline
          - .secrets.baseline
          - --exclude-files
          - '(^|/)pnpm-lock\.yaml$'
          - --exclude-lines
          - 'key_content\.include\?\("BEGIN PRIVATE KEY"\)'
          - --exclude-lines
          - 'case \.apiKeyEnv: "API key \(env var\)"'
          - --exclude-lines
          - 'case apikey = "apiKey"'
          - --exclude-lines
          - '"gateway\.remote\.password"'
          - --exclude-lines
          - '"gateway\.auth\.password"'
          - --exclude-lines
          - '"talk\.apiKey"'
          - --exclude-lines
          - '=== "string"'
          - --exclude-lines
          - 'typeof remote\?\.password === "string"'
          - --exclude-lines
          - "OPENCLAW_DOCKER_GPG_FINGERPRINT="
          - --exclude-lines
          - '"secretShape": "(secret_input|sibling_ref)"'
          - --exclude-lines
          - 'API key rotation \(provider-specific\): set `\*_API_KEYS`'
          - --exclude-lines
          - 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.auth\.password` -> `gateway\.remote\.password`'
          - --exclude-lines
          - 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.remote\.password` -> `gateway\.auth\.password`'
          - --exclude-files
          - '^src/gateway/client\.watchdog\.test\.ts$'
          - --exclude-lines
          - 'export CUSTOM_API_K[E]Y="your-key"'
          - --exclude-lines
          - 'grep -q ''N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache'' ~/.bashrc \|\| cat >> ~/.bashrc <<''EOF'''
          - --exclude-lines
          - 'env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},'
          - --exclude-lines
          - '"ap[i]Key": "xxxxx"(,)?'
          - --exclude-lines
          - 'ap[i]Key: "A[I]za\.\.\.",'
          - --exclude-lines
          - '"ap[i]Key": "(resolved|normalized|legacy)-key"(,)?'
          - --exclude-lines
          - 'sparkle:edSignature="[A-Za-z0-9+/=]+"'
  # Shell script linting
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.11.0
    hooks:
      - id: shellcheck
        args: [--severity=error] # Only fail on errors, not warnings/info
        # Exclude vendor and scripts with embedded code or known issues
        exclude: "^(vendor/|scripts/e2e/)"

  # GitHub Actions linting
  - repo: https://github.com/rhysd/actionlint
    rev: v1.7.10
    hooks:
      - id: actionlint

  # GitHub Actions security audit
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: v1.22.0
    hooks:
      - id: zizmor
        args: [--persona=regular, --min-severity=medium, --min-confidence=medium]
        exclude: "^(vendor/|Swabble/)"

  # Python checks for skills scripts
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.14.1
    hooks:
      - id: ruff
        files: "^skills/.*\\.py$"
        args: [--config, pyproject.toml]

  - repo: local
    hooks:
      - id: skills-python-tests
        name: skills python tests
        entry: pytest -q skills
        language: python
        additional_dependencies: [pytest>=8, <9]
        pass_filenames: false
        files: "^skills/.*\\.py$"

  # Project checks (same commands as CI)
  - repo: local
    hooks:
      # node scripts/pre-commit/pnpm-audit-prod.mjs --audit-level=high
      - id: pnpm-audit-prod
        name: pnpm-audit-prod
        entry: node scripts/pre-commit/pnpm-audit-prod.mjs --audit-level=high
        language: system
        pass_filenames: false

      # oxlint --type-aware src test
      - id: oxlint
        name: oxlint
        entry: scripts/pre-commit/run-node-tool.sh oxlint --type-aware src test
        language: system
        pass_filenames: false
        types_or: [javascript, jsx, ts, tsx]

      # oxfmt --check src test
      - id: oxfmt
        name: oxfmt
        entry: scripts/pre-commit/run-node-tool.sh oxfmt --check src test
        language: system
        pass_filenames: false
        types_or: [javascript, jsx, ts, tsx]

      # swiftlint (same as CI)
      - id: swiftlint
        name: swiftlint
        entry: swiftlint --config .swiftlint.yml
        language: system
        pass_filenames: false
        types: [swift]

      # swiftformat --lint (same as CI)
      - id: swiftformat
        name: swiftformat
        entry: swiftformat --lint apps/macos/Sources --config .swiftformat
        language: system
        pass_filenames: false
        types: [swift]