Add pre-commit and pre-push git hooks (#1437)

* Add pre-commit hook for rubocop, brakeman, and safety checks

Runs on every commit:
- rubocop on staged .rb files only
- brakeman security scan
- checks for debug statements (binding.pry, byebug, etc.)
- checks for merge conflict markers
- blocks committing .env/secrets files

Hook is auto-installed via bin/setup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Move rubocop and brakeman to pre-push hook for faster commits

Pre-commit now only runs lightweight safety checks (debug statements,
conflict markers, secrets). Heavier tools run before push instead.
Also removes credentials.yml.enc from secrets blocklist since it's
meant to be committed (it's encrypted).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Allow .env.example through pre-commit secrets check

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: maebeale

bin/pre-commit

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+staged_files=$(git diff --cached --name-only --diff-filter=d)
+staged_rb_files=$(echo "$staged_files" | grep '\.rb$' || true)
+
+# Check for debug statements
+if [ -n "$staged_rb_files" ]; then
+  if echo "$staged_rb_files" | xargs grep -n 'binding\.pry\|binding\.irb\|byebug\|debugger' 2>/dev/null; then
+    echo "ERROR: Debug statements found in staged files. Remove them before committing."
+    exit 1
+  fi
+fi
+
+# Check for merge conflict markers
+if [ -n "$staged_files" ]; then
+  if echo "$staged_files" | xargs grep -n '<<<<<<<\|>>>>>>>\|=======' 2>/dev/null; then
+    echo "ERROR: Merge conflict markers found in staged files. Resolve them before committing."
+    exit 1
+  fi
+fi
+
+# Check for secrets/env files (allow .env.example)
+if echo "$staged_files" | grep '\.env$\|\.env\.\|master\.key' | grep -qv '\.env\.example$'; then
+  echo "ERROR: Potentially sensitive files staged for commit:"
+  echo "$staged_files" | grep '\.env$\|\.env\.\|master\.key' | grep -v '\.env\.example$'
+  echo "Remove them from staging before committing."
+  exit 1
+fi

bin/pre-push

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+eval "$(command /opt/homebrew/bin/mise activate zsh)"
+
+# Run rubocop on all Ruby files
+echo "Running rubocop..."
+bundle exec rubocop || exit 1
+
+# Run brakeman security scan
+echo "Running brakeman security scan..."
+bundle exec brakeman --no-pager -q || exit 1

bin/setup

@@ -70,6 +70,11 @@ FileUtils.chdir APP_ROOT do
   puts "\n== Building Vite test assets =="
   system! "RAILS_ENV=test npx vite build --mode test"
 
+  puts "\n== Installing git hooks =="
+  system! 'cp bin/pre-commit .git/hooks/pre-commit'
+  system! 'chmod +x .git/hooks/pre-commit'
+  system! 'cp bin/pre-push .git/hooks/pre-push'
+  system! 'chmod +x .git/hooks/pre-push'
   puts "\n== Cleaning logs and tempfiles =="
   system! "bin/rails log:clear tmp:clear"