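# Pre-commit hooks for OpenRabbit
# Install: pip install pre-commit && pre-commit install
# Run manually: pre-commit run --all-files
#
# NOTE: these hooks run on the developer's machine and can be bypassed with
# `git commit --no-verify`. Run `pre-commit run --all-files` in CI as well if
# the checks are meant to be enforced.
# NOTE: every remote `rev` below is a tag, which upstream can move.
# `pre-commit autoupdate --freeze` rewrites them to immutable commit SHAs.

repos:
  # Security scanning with custom OpenRabbit scanner
  - repo: local
    hooks:
      - id: security-scan
        name: Security Scanner
        entry: python tools/ai-review/security/pre_commit_scan.py
        language: python
        types: [python]
        pass_filenames: true
        # No extra packages are installed into the hook environment.
        additional_dependencies: []

      - id: workflow-validation
        name: Validate Workflow Files
        entry: python tools/ai-review/security/validate_workflows.py
        language: python
        # Match both .yml and .yaml so a workflow cannot skip validation
        # just by using the longer extension.
        files: ^\.gitea/workflows/.*\.ya?ml$
        pass_filenames: true

      - id: no-secrets
        name: Check for hardcoded secrets
        entry: python tools/ai-review/security/check_secrets.py
        language: python
        types: [text]
        # Everything matched here is NOT scanned for secrets, so fixtures must
        # only ever hold dummy credentials. The last alternative is anchored
        # with `$` so that only this exact config file is exempt, not any path
        # that merely starts with its name.
        exclude: ^(\.git/|tests/fixtures/|\.pre-commit-config\.yaml$)

  # YAML linting
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: check-yaml
        # Allow custom tags in workflows. --unsafe turns this into a
        # syntax-only parse: the files are not loaded, so constructs that a
        # safe loader would reject are no longer reported by this hook.
        args: [--unsafe]
      - id: end-of-file-fixer
      - id: trailing-whitespace
      - id: check-merge-conflict
      - id: check-added-large-files
        args: ['--maxkb=1000']
      - id: detect-private-key

  # Python code quality
  - repo: https://github.com/psf/black
    rev: 23.12.1
    hooks:
      - id: black
        language_version: python3.11

  - repo: https://github.com/PyCQA/flake8
    rev: 7.0.0
    hooks:
      - id: flake8
        args:
          - '--max-line-length=100'
          - '--extend-ignore=E203,W503'

  # Security: bandit for Python
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.6
    hooks:
      - id: bandit
        # Configuration is read from pyproject.toml (hence the bandit[toml]
        # extra). Only findings of medium severity or higher are reported;
        # low-severity findings are filtered out.
        args: ['-c', 'pyproject.toml', '--severity-level', 'medium']
        additional_dependencies: ['bandit[toml]']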