ci(hooks): pre-commit security check (mirror of fai/platform)

Mirrors the hook + script from `fai/platform`@1ebf893 verbatim
so commits to fai_studio go through the same gate: secrets,
forbidden filenames, confidentiality references, marketing-
speak, DCO sign-off, Conventional Commits subject, no Claude
co-author trailer.

A `.security-allow` file at the repo root extends the script's
universal excludes with three Studio-specific paths whose
content legitimately includes the filtered terms — the
Today-Hero proposal pipeline (LLM prompt + accept gate), its
runtime loader equivalent, and its operator-facing policy doc.

No CI mirror yet — Studio doesn't have a Forgejo workflow
(Flutter-on-DinD is a chunk of work). The local hook is the
gate for now; CI mirror follows when Flutter CI lands.

Activate once with `bash tools/install-hooks.sh`.

Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
This commit is contained in:
flemming-it 2026-05-09 13:32:26 +02:00
parent c389876a2f
commit 01f3f773cf
5 changed files with 290 additions and 0 deletions

18
tools/install-hooks.sh Executable file
View file

@ -0,0 +1,18 @@
#!/usr/bin/env bash
# F∆I Platform — one-time hook activation for this clone.
# Points git at the versioned `.githooks/` directory so pre-commit and
# commit-msg checks run on every commit (including amends and rebases).
#
# Run once after cloning:
# bash tools/install-hooks.sh
set -euo pipefail
cd "$(git rev-parse --show-toplevel)"
git config core.hooksPath .githooks
chmod +x .githooks/* tools/security/*.sh tools/install-hooks.sh
echo "✓ core.hooksPath = .githooks"
echo " Active hooks:"
ls -1 .githooks/ | sed 's/^/ /'
echo ""
echo "Next commit will be gated by tools/security/check-staged.sh."