From c26f85a070a6573b00e22e5816bcb8dc7c50f496 Mon Sep 17 00:00:00 2001
From: "const.koutsakis@aurecongroup.com"
Date: Sun, 26 Apr 2026 20:12:34 +1000
Subject: [PATCH] chore: pre-commit hook stack (ruff, gitleaks, commitizen, mypy, hygiene) (#3)
Port .pre-commit-config.yaml from Teller. Bump pinned ruff to v0.15.12 (Teller's v0.11.0 predates py314 target support). Update the JSONC exclude pattern from Svelte's jsconfig.json to TypeScript's tsconfig*.json since the template uses TS. Closes #3
Co-Authored-By: Claude Opus 4.7 (1M context)
---
.pre-commit-config.yaml | 56 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100644 .pre-commit-config.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..cbca8e0
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,56 @@
+# See docs/DEVELOPMENT.md "Pre-commit setup" and docs/HARNESS.md for the
+# defence-in-depth rationale. The same gitleaks scan runs in CI; this
+# pre-commit layer is the first of three independent checkpoints.
+
+repos:
+ # Ruff — format + lint with auto-fix.
+ - repo: https://github.com/astral-sh/ruff-pre-commit
+ rev: v0.15.12
+ hooks:
+ - id: ruff
+ args: [--fix]
+ - id: ruff-format
+
+ # Generic hygiene.
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v5.0.0
+ hooks:
+ - id: check-yaml
+ - id: check-toml
+ - id: check-json
+ # tsconfig.json uses JSONC (permits comments) per TS convention.
+ exclude: ^frontend/(tsconfig.*\.json|jsconfig\.json)$
+ - id: check-merge-conflict
+ - id: check-added-large-files
+ args: [--maxkb=500]
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+ - id: mixed-line-ending
+ args: [--fix=lf]
+
+ # Secret scan — third checkpoint (local → pre-commit → CI).
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.24.3
+ hooks:
+ - id: gitleaks
+
+ # Conventional commit enforcement — runs at commit-msg stage.
+ - repo: https://github.com/commitizen-tools/commitizen
+ rev: v4.1.0
+ hooks:
+ - id: commitizen
+ stages: [commit-msg]
+
+ # mypy — runs against the project's uv env so project deps are visible.
+ # CI runs the strict pass; pre-commit's job is fast feedback, not the gate.
+ - repo: local
+ hooks:
+ - id: mypy
+ name: mypy (strict, whole project)
+ # --frozen forbids uv from re-resolving the lockfile mid-invocation.
+ # Without it, a mid-edit pyproject.toml/uv.lock mismatch would
+ # trigger a silent transitive upgrade into the commit.
+ entry: uv run --frozen mypy src/ tests/
+ language: system
+ pass_filenames: false
+ types: [python]
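Review bot: All four remote hook repos are pinned by tag (`rev: v0.15.12`, `v5.0.0`, `v8.24.3`, `v4.1.0`), and a tag is a mutable ref, so the code pre-commit clones and runs on each developer machine, including the gitleaks secret scan, is not fixed by this file. Pinning each `rev` to the full commit SHA with the tag kept as a comment, e.g. `rev: <full-commit-sha>  # frozen: v8.24.3`, makes the hook content immutable; `pre-commit autoupdate --freeze` writes that form. Separately, the header comment calls this layer "the first of three independent checkpoints" while the gitleaks comment calls it the "third checkpoint (local → pre-commit → CI)", so one of the two should be reworded until the count and order agree. The commitizen hook runs at `commit-msg`, which is only active when that hook type is installed; whether docs/DEVELOPMENT.md covers this is not visible here, so a top-level `default_install_hook_types: [pre-commit, commit-msg]` may be worth adding.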