Phase 1 of AUDIT-2026-Q3.md item P1.7.
.pre-commit-config.yaml was defined but hooks were not installed in
this repo (no .git/hooks/pre-commit). Installed via pre-commit install
and verified the full hook chain fires on a staged Python file:
trim trailing whitespace........Passed
fix end of files.................Passed
check yaml/json..................Skipped (not Python)
check for added large files.....Passed
check for merge conflicts.......Passed
mixed line ending...............Passed
ruff check......................Passed
ruff format.....................Passed
mypy............................Passed
Detect hardcoded secrets........Passed (gitleaks)
Makefile install target now runs pre-commit install after pip install
so every fresh checkout gets the hook chain automatically. Idempotent:
exits cleanly if pre-commit is not on PATH.
Config fixes applied to make hooks actually run (audit findings):
- detect-private-keys: removed (dropped from pre-commit-hooks v5.0.0)
- no-commit-to-branch: removed (project policy: main is primary)
- git-hound repo: removed (ejcx/git-hound no longer maintained)
- ruff hook id: legacy "ruff" alias produced E902 because the
pre-commit-hooks entry already prepends "ruff check --force-exclude";
switching to the canonical "ruff-check" id with args=["--fix"]
fixes the spurious file lookup. ruff-format was already correct.
- gitleaks args: dropped --no-git/--source; pre-commit auto-invokes
the gitleaks "git" subcommand in pre-commit mode so the manual
flags conflict.
Phase 5 will tighten the hooks (auto-fix currently skipped to avoid
the ~2K ruff warnings from prior refactors landing in one commit).