security fixes

.pre-commit-config.yaml

@@ -0,0 +1,66 @@
+# Pre-commit hooks for OpenRabbit
+# Install: pip install pre-commit && pre-commit install
+# Run manually: pre-commit run --all-files
+
+repos:
+  # Security scanning with custom OpenRabbit scanner
+  - repo: local
+    hooks:
+      - id: security-scan
+        name: Security Scanner
+        entry: python tools/ai-review/security/pre_commit_scan.py
+        language: python
+        types: [python]
+        pass_filenames: true
+        additional_dependencies: []
+
+      - id: workflow-validation
+        name: Validate Workflow Files
+        entry: python tools/ai-review/security/validate_workflows.py
+        language: python
+        files: ^\.gitea/workflows/.*\.yml$
+        pass_filenames: true
+
+      - id: no-secrets
+        name: Check for hardcoded secrets
+        entry: python tools/ai-review/security/check_secrets.py
+        language: python
+        types: [text]
+        exclude: ^(\.git/|tests/fixtures/|\.pre-commit-config\.yaml)
+
+  # YAML linting
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: check-yaml
+        args: [--unsafe]  # Allow custom tags in workflows
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-merge-conflict
+      - id: check-added-large-files
+        args: ['--maxkb=1000']
+      - id: detect-private-key
+
+  # Python code quality
+  - repo: https://github.com/psf/black
+    rev: 23.12.1
+    hooks:
+      - id: black
+        language_version: python3.11
+
+  - repo: https://github.com/PyCQA/flake8
+    rev: 7.0.0
+    hooks:
+      - id: flake8
+        args: [
+          '--max-line-length=100',
+          '--extend-ignore=E203,W503',
+        ]
+
+  # Security: bandit for Python
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.6
+    hooks:
+      - id: bandit
+        args: ['-c', 'pyproject.toml', '--severity-level', 'medium']
+        additional_dependencies: ['bandit[toml]']