architecture/scripts/pre-commit-checks.sh

#!/bin/bash
# Pre-commit validation script for Claude Code
# Validates YAML, checks for secrets, validates K8s manifests

set -e

# Get staged files
STAGED_FILES=$(git diff --cached --name-only 2>/dev/null || echo "")

if [ -z "$STAGED_FILES" ]; then
  exit 0
fi

# Check for potential secrets in staged files
echo "Checking for potential secrets..."
SECRET_PATTERN='(password|secret|token|api_key|apikey|private_key).*[=:].{20,}'
if echo "$STAGED_FILES" | xargs grep -l -iE "$SECRET_PATTERN" 2>/dev/null | grep -v '.sops.yaml' | grep -v 'secret.*\.enc\.yaml'; then
  echo "WARNING: Potential secrets detected in staged files (excluding SOPS-encrypted files)"
  echo "Please verify these are encrypted or not actual secrets."
fi

# Validate YAML syntax
echo "Validating YAML syntax..."
for file in $(echo "$STAGED_FILES" | grep -E '\.ya?ml$'); do
  if [ -f "$file" ]; then
    if ! python3 -c "import yaml; yaml.safe_load(open('$file'))" 2>/dev/null; then
      echo "ERROR: Invalid YAML syntax: $file"
      exit 1
    fi
  fi
done

# Validate Kubernetes manifests (if kubectl available)
if command -v kubectl &>/dev/null; then
  echo "Validating Kubernetes manifests..."
  for file in $(echo "$STAGED_FILES" | grep -E '\.ya?ml$'); do
    if [ -f "$file" ] && grep -q "^kind:" "$file" 2>/dev/null; then
      # Skip SOPS-encrypted files and kustomization files
      if echo "$file" | grep -qE '(\.sops\.yaml|\.enc\.yaml|kustomization\.yaml)$'; then
        continue
      fi
      if ! kubectl apply --dry-run=client -f "$file" 2>/dev/null; then
        echo "WARNING: Kubernetes validation failed: $file (may be expected for partial manifests)"
      fi
    fi
  done
fi

echo "Pre-commit checks passed."
exit 0