Initial commit with translated description

2026-03-29 10:19:19 +08:00
commit 5aa1f324c6
81 changed files with 27526 additions and 0 deletions
--- a/scripts/checks/README.md
+++ b/scripts/checks/README.md
@@ -0,0 +1,48 @@
+# Pre-commit Checks
+
+Automated enforcement of rules from `AGENTS.md` and `CONTRIBUTING.md`.
+
+## Checks
+
+| Check             | Rule Source           | Description                                          |
+| ----------------- | --------------------- | ---------------------------------------------------- |
+| `version-sync.sh` | CONTRIBUTING.md       | Ensures `package.json` and `SKILL.md` versions match |
+| `no-user-data.sh` | public/data/AGENTS.md | Blocks commits of user-specific data files           |
+| `no-secrets.sh`   | AGENTS.md             | Scans for accidentally committed secrets             |
+
+## Adding New Checks
+
+1. Create a new script in `scripts/checks/` named `<check-name>.sh`
+2. Script must:
+   - Accept repo root as first argument (`$1`)
+   - Exit `0` on success
+   - Exit `1` on failure
+   - Print clear error messages when failing
+3. Make it executable: `chmod +x scripts/checks/<check-name>.sh`
+
+## Running Manually
+
+```bash
+# Run all checks
+./scripts/pre-commit
+
+# Run individual check
+./scripts/checks/version-sync.sh .
+```
+
+## Installing the Hook
+
+```bash
+make install-hooks
+# or manually:
+cp scripts/pre-commit .git/hooks/pre-commit
+chmod +x .git/hooks/pre-commit
+```
+
+## Bypassing (Not Recommended)
+
+```bash
+git commit --no-verify
+```
+
+Only use this if you understand why the check is failing and have a valid reason to bypass.
--- a/scripts/checks/no-secrets.sh
+++ b/scripts/checks/no-secrets.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+#
+# Check: No Secrets
+# Basic check for accidentally committed secrets
+#
+# Rule: AGENTS.md - never commit secrets, API keys, or credentials
+#
+
+REPO_ROOT="${1:-.}"
+
+# Patterns that might indicate secrets
+SECRET_PATTERNS=(
+    'sk-[a-zA-Z0-9]{20,}'           # OpenAI API keys
+    'xoxb-[0-9]+-[0-9]+-[a-zA-Z0-9]+' # Slack bot tokens
+    'xoxp-[0-9]+-[0-9]+-[a-zA-Z0-9]+' # Slack user tokens
+    'ghp_[a-zA-Z0-9]{36}'           # GitHub personal access tokens
+    'gho_[a-zA-Z0-9]{36}'           # GitHub OAuth tokens
+    'AKIA[0-9A-Z]{16}'              # AWS access key IDs
+    'password\s*[=:]\s*["\047][^"\047]{8,}' # Hardcoded passwords
+)
+
+# Get staged file contents (only added/modified lines)
+STAGED_DIFF=$(git diff --cached --diff-filter=AM 2>/dev/null || echo "")
+
+FOUND_SECRETS=0
+
+for pattern in "${SECRET_PATTERNS[@]}"; do
+    if echo "$STAGED_DIFF" | grep -qE "$pattern"; then
+        echo "  ⚠️  Potential secret detected matching pattern: $pattern"
+        FOUND_SECRETS=1
+    fi
+done
+
+if [[ $FOUND_SECRETS -eq 1 ]]; then
+    echo "      Review staged changes and remove any secrets before committing."
+    exit 1
+fi
+
+exit 0
--- a/scripts/checks/no-user-data.sh
+++ b/scripts/checks/no-user-data.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+#
+# Check: No User Data
+# Ensures user-specific data files are not staged for commit
+#
+# Rule: public/data/AGENTS.md - never commit operators.json or privacy-settings.json
+#
+
+REPO_ROOT="${1:-.}"
+
+# Check if any user data files are staged
+STAGED_FILES=$(git diff --cached --name-only 2>/dev/null || echo "")
+
+USER_DATA_FILES=(
+    "public/data/operators.json"
+    "public/data/privacy-settings.json"
+)
+
+FOUND_USER_DATA=0
+
+for file in "${USER_DATA_FILES[@]}"; do
+    if echo "$STAGED_FILES" | grep -q "^$file$"; then
+        echo "  ⚠️  User data file staged: $file"
+        echo "      This file contains user-specific data and should not be committed."
+        echo "      Use 'git reset HEAD $file' to unstage."
+        FOUND_USER_DATA=1
+    fi
+done
+
+if [[ $FOUND_USER_DATA -eq 1 ]]; then
+    exit 1
+fi
+
+exit 0
--- a/scripts/checks/version-sync.sh
+++ b/scripts/checks/version-sync.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+#
+# Check: Version Sync
+# Ensures package.json and SKILL.md versions are in sync
+#
+# Rule: AGENTS.md / CONTRIBUTING.md - versions must match
+#
+
+REPO_ROOT="${1:-.}"
+
+# Extract version from package.json
+PKG_VERSION=$(grep -o '"version": *"[^"]*"' "$REPO_ROOT/package.json" | head -1 | sed 's/.*"version": *"\([^"]*\)".*/\1/')
+
+# Extract version from SKILL.md frontmatter
+SKILL_VERSION=$(grep -E '^version:' "$REPO_ROOT/SKILL.md" | head -1 | sed 's/version: *//')
+
+if [[ -z "$PKG_VERSION" ]]; then
+    echo "  ⚠️  Could not read version from package.json"
+    exit 1
+fi
+
+if [[ -z "$SKILL_VERSION" ]]; then
+    echo "  ⚠️  Could not read version from SKILL.md"
+    exit 1
+fi
+
+if [[ "$PKG_VERSION" != "$SKILL_VERSION" ]]; then
+    echo "  ⚠️  Version mismatch:"
+    echo "      package.json: $PKG_VERSION"
+    echo "      SKILL.md:     $SKILL_VERSION"
+    echo "  → Both files must have the same version"
+    exit 1
+fi
+
+exit 0