feat(git-hooks): make security checks mandatory, lint/test optional

jdalton · jdalton · commit 93d756c6308c · 2025-11-02T04:51:20.000-05:00
Synchronized git hooks from socket-registry to enforce security at push-time
while allowing fast local commits with --no-verify.

**Bypassable with --no-verify**:
- Lint
- Unit tests

**NOT bypassable** (enforced at push):
- AI attribution detection
- Security checks (API keys, secrets, .env files, etc.)

See socket-registry commit f57bbb18 for full details.
diff --git a/.git-hooks/pre-push b/.git-hooks/pre-push
@@ -1,6 +1,7 @@
 #!/bin/bash
 # Socket Security Pre-push Hook
-# Final security check before pushing to remote.
+# MANDATORY ENFORCEMENT LAYER - Cannot be bypassed with --no-verify.
+# Validates all commits being pushed for security issues and AI attribution.
 
 set -e
 
@@ -10,7 +11,7 @@ YELLOW='\033[1;33m'
 GREEN='\033[0;32m'
 NC='\033[0m'
 
-echo "${GREEN}Running final security validation before push...${NC}"
+echo "${GREEN}Running mandatory pre-push validation...${NC}"
 
 # Allowed public API key (used in socket-lib).
 ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
@@ -19,6 +20,8 @@ ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
 remote="$1"
 url="$2"
 
+TOTAL_ERRORS=0
+
 # Read stdin for refs being pushed.
 while read local_ref local_sha remote_ref remote_sha; do
   # Get the range of commits being pushed.
@@ -30,59 +33,122 @@ while read local_ref local_sha remote_ref remote_sha; do
     range="$remote_sha..$local_sha"
   fi
 
-  # Get all files changed in these commits.
-  CHANGED_FILES=$(git diff --name-only "$range" 2>/dev/null || echo "")
-
-  if [ -z "$CHANGED_FILES" ]; then
-    continue
-  fi
-
   ERRORS=0
 
-  # Check for sensitive files.
-  if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
-    echo "${RED}✗ BLOCKED: Attempting to push .env file!${NC}"
-    echo "Files: $(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
-    ERRORS=$((ERRORS + 1))
-  fi
+  # ============================================================================
+  # CHECK 1: Scan commit messages for AI attribution
+  # ============================================================================
+  echo "Checking commit messages for AI attribution..."
 
-  # Check for .DS_Store.
-  if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
-    echo "${YELLOW}⚠ WARNING: .DS_Store file in push${NC}"
-    echo "Files: $(echo "$CHANGED_FILES" | grep '\.DS_Store')"
-  fi
+  # Check each commit in the range for AI patterns.
+  while IFS= read -r commit_sha; do
+    full_msg=$(git log -1 --format='%B' "$commit_sha")
 
-  # Sample files for API keys (only check files that exist).
-  for file in $CHANGED_FILES; do
-    if [ -f "$file" ] && [ ! -d "$file" ]; then
-      # Skip test files.
-      if echo "$file" | grep -qE '\.(test|spec)\.|/test/|/tests/|fixtures/|\.example$'; then
-        continue
-      fi
-
-      # Check for Socket API keys.
-      if grep -E 'sktsec_[a-zA-Z0-9_-]{40,}' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
-        echo "${RED}✗ BLOCKED: Real API key detected in push!${NC}"
-        echo "File: $file"
-        echo "Line(s):"
-        grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
-        ERRORS=$((ERRORS + 1))
+    if echo "$full_msg" | grep -qiE "(Generated with|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|Claude Code|@anthropic|Assistant:|Generated by Claude|Machine generated)"; then
+      if [ $ERRORS -eq 0 ]; then
+        echo "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}"
+        echo "Commits with AI attribution:"
       fi
+      echo "  - $(git log -1 --oneline "$commit_sha")"
+      ERRORS=$((ERRORS + 1))
     fi
-  done
+  done < <(git rev-list "$range")
 
   if [ $ERRORS -gt 0 ]; then
     echo ""
-    echo "${RED}✗ Push blocked by security validation!${NC}"
-    echo "Remove sensitive data from your commits before pushing."
+    echo "These commits were likely created with --no-verify, bypassing the"
+    echo "commit-msg hook that strips AI attribution."
     echo ""
     echo "To fix:"
-    echo "  1. Remove sensitive data from files"
-    echo "  2. Amend or rebase your commits"
-    echo "  3. Push again"
-    exit 1
+    echo "  git rebase -i $remote_sha"
+    echo "  Mark commits as 'reword', remove AI attribution, save"
+    echo "  git push"
+  fi
+
+  # ============================================================================
+  # CHECK 2: File content security checks
+  # ============================================================================
+  echo "Checking files for security issues..."
+
+  # Get all files changed in these commits.
+  CHANGED_FILES=$(git diff --name-only "$range" 2>/dev/null || echo "")
+
+  if [ -n "$CHANGED_FILES" ]; then
+    # Check for sensitive files.
+    if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
+      echo "${RED}✗ BLOCKED: Attempting to push .env file!${NC}"
+      echo "Files: $(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
+      ERRORS=$((ERRORS + 1))
+    fi
+
+    # Check for .DS_Store.
+    if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
+      echo "${RED}✗ BLOCKED: .DS_Store file in push!${NC}"
+      echo "Files: $(echo "$CHANGED_FILES" | grep '\.DS_Store')"
+      ERRORS=$((ERRORS + 1))
+    fi
+
+    # Check for log files.
+    if echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log' | grep -q .; then
+      echo "${RED}✗ BLOCKED: Log file in push!${NC}"
+      echo "Files: $(echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log')"
+      ERRORS=$((ERRORS + 1))
+    fi
+
+    # Check file contents for secrets.
+    for file in $CHANGED_FILES; do
+      if [ -f "$file" ] && [ ! -d "$file" ]; then
+        # Skip test files, example files, and hook scripts.
+        if echo "$file" | grep -qE '\.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then
+          continue
+        fi
+
+        # Check for hardcoded user paths.
+        if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
+          echo "${RED}✗ BLOCKED: Hardcoded personal path found in: $file${NC}"
+          grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
+          ERRORS=$((ERRORS + 1))
+        fi
+
+        # Check for Socket API keys.
+        if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
+          echo "${RED}✗ BLOCKED: Real API key detected in: $file${NC}"
+          grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
+          ERRORS=$((ERRORS + 1))
+        fi
+
+        # Check for AWS keys.
+        if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
+          echo "${RED}✗ BLOCKED: Potential AWS credentials found in: $file${NC}"
+          grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
+          ERRORS=$((ERRORS + 1))
+        fi
+
+        # Check for GitHub tokens.
+        if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
+          echo "${RED}✗ BLOCKED: Potential GitHub token found in: $file${NC}"
+          grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
+          ERRORS=$((ERRORS + 1))
+        fi
+
+        # Check for private keys.
+        if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
+          echo "${RED}✗ BLOCKED: Private key found in: $file${NC}"
+          ERRORS=$((ERRORS + 1))
+        fi
+      fi
+    done
   fi
+
+  TOTAL_ERRORS=$((TOTAL_ERRORS + ERRORS))
 done
 
-echo "${GREEN}✓ Security validation passed!${NC}"
+if [ $TOTAL_ERRORS -gt 0 ]; then
+  echo ""
+  echo "${RED}✗ Push blocked by mandatory validation!${NC}"
+  echo "Fix the issues above before pushing."
+  exit 1
+fi
+
+echo "${GREEN}✓ All mandatory validation passed!${NC}"
 exit 0
diff --git a/.husky/commit-msg b/.husky/commit-msg
@@ -0,0 +1,2 @@
+# Run commit message validation and auto-strip AI attribution.
+.git-hooks/commit-msg "$1"
diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -1,5 +1,5 @@
-# Run security checks first.
-.husky/security-checks.sh
+# Optional checks - can be bypassed with --no-verify for fast local commits.
+# Mandatory security checks run in pre-push hook.
 
 if [ -z "${DISABLE_PRECOMMIT_LINT}" ]; then
   pnpm lint --staged
diff --git a/.husky/pre-push b/.husky/pre-push
@@ -0,0 +1,2 @@
+# Run pre-push security validation.
+.git-hooks/pre-push "$@"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Run commit message validation and auto-strip AI attribution.`
	`2`	`+.git-hooks/commit-msg "$1"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Run pre-push security validation.`
	`2`	`+.git-hooks/pre-push "$@"`