feat(dev-env): wire shared pre-commit secret scanner via core.hooksPath

Ships `modules/dev-env/scripts/git-hooks/pre-commit` — the same secret-scanner pattern omnixy uses, lightly adapted (drops the omnixy-specific test_auth.py skip, generic header comment). New option `lnbits-sensei.devEnv.gitHooks.enable` (off by default). When on, modules/dev-env/config.nix installs the hook at `~/.local/share/lnbits-sensei/git-hooks/pre-commit` and sets the consumer's git `core.hooksPath` to that directory, so every repo on the machine picks it up without per-repo wiring. The hook refuses to commit obvious secrets (PRIVATE KEY blocks, `password=…`, `secret=…`, `api_key=…`, `admin_key=…`, AWS keys, non-placeholder POSTGRES_PASSWORD) and unencrypted sops files (checks for a top-level `sops:` block AND `mac: ENC[…]` — either signal alone is forgeable). False positives are handled via `# pragma: allowlist secret` line- or block-level markers (gitleaks convention). docs/secrets-management.md gets a new subsection covering what the hook does, when to enable it, and the false-positive escape hatches. The Pitfalls section's reference to "the pre-commit hook most consumers use" is replaced with a concrete pointer to this option. `nix flake check --no-build` stays green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 09:21:27 +02:00 · 2026-05-26 09:21:27 +02:00 · 773632562e
commit 773632562e
parent fc1d31244a
4 changed files with 202 additions and 7 deletions
--- a/modules/dev-env/config.nix
+++ b/modules/dev-env/config.nix
@ -17,13 +17,31 @@
 }:

 let
-  inherit (lib) mkIf;
+  inherit (lib) mkIf mkMerge;
  cfg = config.lnbits-sensei.devEnv;
+  user = config.lnbits-sensei.user;
 in
 {
-  config = mkIf cfg.enable {
+  config = mkIf cfg.enable (mkMerge [
    # TODO(skeleton): wire scripts, systemd units, and the
    # /etc/dev-env/config.sh render here. See omnixy
    # modules/dev-env/config.nix for the reference shape.
-  };
+
+    # Shared pre-commit hook via core.hooksPath. Installs the
+    # secret-scanner under ~/.local/share/lnbits-sensei/git-hooks/
+    # and points the consumer's git config at that directory, so
+    # every repo on the machine picks it up automatically.
+    (mkIf cfg.gitHooks.enable {
+      home-manager.users.${user} =
+        { ... }:
+        {
+          home.file.".local/share/lnbits-sensei/git-hooks/pre-commit" = {
+            source = ./scripts/git-hooks/pre-commit;
+            executable = true;
+          };
+          programs.git.settings.core.hooksPath =
+            "/home/${user}/.local/share/lnbits-sensei/git-hooks";
+        };
+    })
+  ]);
 }