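---
# Pre-commit hook configuration for django-admin-react.
#
# Install once:
#   poetry run pip install pre-commit
#   pre-commit install
#
# Then every `git commit` runs these hooks against the staged diff.
# Anything below the [BLOCK] threshold in
# `docs/agents/security-expert/REVIEW_CHECKLIST.md` §1 aborts the commit.
#
# This file is the commit-time half of the quality gate, run together
# with `scripts/lint.sh` before a PR.
#
# Trust boundary: these hooks run on the developer's machine only. They do
# nothing where pre-commit was never installed and are bypassed outright by
# `git commit --no-verify`, so treat them as a convenience gate, not an
# enforcement boundary. CI (`.github/workflows/ci.yml`) currently runs the
# test suites, not these hooks; wiring the lint/security hooks into CI is
# the follow-up (#452) that makes them enforceable.
#
# Supply chain: every `rev:` below is a git tag. Tags are mutable, so an
# upstream compromise could change what pre-commit installs with no diff
# here. `pre-commit autoupdate --freeze` rewrites each `rev:` to the commit
# SHA the tag currently resolves to (keeping the tag as a trailing comment);
# do that before relying on this file as a security control.
repos:
  # -------------------------------------------------------------------
  # Secret scanning — fail commit if a token-shaped string is added.
  #
  # `protect --staged` inspects only the staged diff. Secrets that are
  # already in history are NOT reported by this hook; a one-off
  # `gitleaks detect` over the full history (and its CI equivalent) is a
  # separate step.
  #
  # NOTE(review): pre-commit appends `args` to the `entry` the upstream
  # hook already defines. Check the hook's `.pre-commit-hooks.yaml` at this
  # rev — if it already runs `protect --redact --staged`, most of these
  # flags are duplicates (harmless, but misleading to a reader).
  # -------------------------------------------------------------------
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.4
    hooks:
      - id: gitleaks
        args: ["protect", "--staged", "--no-banner", "--redact"]

  # -------------------------------------------------------------------
  # Python formatting + linting (same tools scripts/lint.sh uses).
  # -------------------------------------------------------------------
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.6.9
    hooks:
      - id: ruff
        # Apply auto-fixes, but still fail the commit so the developer
        # re-stages the fixed files rather than committing the unfixed copy.
        args: ["--fix", "--exit-non-zero-on-fix"]
        files: ^(django_admin_react|tests|examples)/
      - id: ruff-format
        files: ^(django_admin_react|tests|examples)/
  - repo: https://github.com/psf/black-pre-commit-mirror
    rev: 24.8.0
    hooks:
      - id: black
        files: ^(django_admin_react|tests|examples)/
  - repo: https://github.com/pycqa/isort
    rev: 5.13.2
    hooks:
      - id: isort
        files: ^(django_admin_react|tests|examples)/

  # -------------------------------------------------------------------
  # Python security lint (bandit). Runs only over the package, not tests
  # (asserts in tests are fine and would otherwise be noisy).
  # -------------------------------------------------------------------
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.10
    hooks:
      - id: bandit
        # Read scope/skips from pyproject [tool.bandit]; the `toml` extra
        # lets the isolated hook env parse it. The extra is pinned to the
        # same version as `rev` so it cannot resolve to a newer bandit than
        # the one that was reviewed.
        args: ["-c", "pyproject.toml", "-q", "-r", "django_admin_react"]
        additional_dependencies: ["bandit[toml]==1.7.10"]
        # Whole-package scan every commit rather than only the staged files:
        # bandit findings can depend on code outside the changed file.
        pass_filenames: false

  # -------------------------------------------------------------------
  # House rules — local hooks that enforce package-specific invariants
  # from docs/agents/security-expert/REVIEW_CHECKLIST.md.
  #
  # All of these are `pygrep` hooks: plain per-line regex matches over
  # file text. They match comments and string literals as well as code,
  # which is intended — the rule is "the substring must not appear", not
  # "the call must not happen".
  # -------------------------------------------------------------------
  - repo: local
    hooks:
      # No partial / redacted token references anywhere in the diff.
      #
      # The `exclude` list covers the small set of files that
      # legitimately *document* the forbidden patterns (e.g., the
      # rule itself in SECURITY.md / ACCEPTANCE.md, the review
      # checklist, the security test that scans for them, and forum
      # review files that quote the rule when reviewing it). All
      # other files in the repo MUST be free of these substrings.
      #
      # Pattern notes:
      #   - `aws_secret_access_key` is matched case-insensitively so the
      #     credentials-file spelling (lowercase) and the environment
      #     variable spelling (AWS_SECRET_ACCESS_KEY) are both caught.
      #   - The PEM alternation also covers PKCS#8 (`BEGIN PRIVATE`,
      #     `BEGIN ENCRYPTED PRIVATE`) and DSA headers, not only
      #     RSA/EC/OPENSSH. It is a strict superset of the previous
      #     pattern, so nothing that passed before starts passing now.
      - id: no-partial-tokens
        name: No partial token redactions (e.g., ghp_…XYZ)
        language: pygrep
        entry: '(ghp_|gho_|ghs_|github_pat_|(?i:aws_secret_access_key)|AKIA[0-9A-Z]{16}|BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE)'
        types_or: [text]
        exclude: |
          (?x)^(
            SECURITY\.md
            |ACCEPTANCE\.md
            |\.pre-commit-config\.yaml
            |docs/threat-model\.md
            |docs/agents/security-expert/.*
            |tests/test_security\.py
            |scripts/README\.md
          )$

      # No Model.objects.all|filter in django_admin_react/api/.
      #
      # NOTE(review): this only catches `.objects.all(` / `.objects.filter(`.
      # `.objects.get(`, `.objects.exclude(`, `.objects.values(` and custom
      # managers (`Model.custom_mgr.all()`) are not covered — confirm
      # against the checklist whether those are meant to be allowed.
      - id: no-objects-all-in-api
        name: No Model.objects.all/filter in django_admin_react/api/
        language: pygrep
        entry: 'objects\.(all|filter)\('
        files: '^django_admin_react/api/.*\.py$'

      # No csrf_exempt anywhere in the package (decorator, method_decorator
      # argument, import, or even a mention — substring match).
      - id: no-csrf-exempt
        name: No @csrf_exempt in django_admin_react/
        language: pygrep
        entry: 'csrf_exempt'
        files: '^django_admin_react/.*\.py$'

      # No direct permission checks on the user (everything goes through
      # ModelAdmin). Covers `has_perm(`, `has_perms(` and
      # `has_module_perms(` — the plural/module forms bypass ModelAdmin in
      # exactly the same way as the singular one.
      - id: no-user-has-perm
        name: No user.has_perm/has_perms/has_module_perms in django_admin_react/api/
        language: pygrep
        entry: 'user\.has_(module_)?perms?\('
        files: '^django_admin_react/api/.*\.py$'

      # No frontend page packages importing @dar/api directly.
      #
      # Catches `from '@dar/api'`, `from '@dar/api/<subpath>'`, side-effect
      # `import '@dar/api'`, dynamic `import('@dar/api')` and
      # `require('@dar/api')`. Written as a block scalar because the
      # pattern contains both quote characters and `\s`, which a YAML
      # double-quoted string would reject as an unknown escape.
      - id: no-dar-api-from-pages
        name: '@dar/list|details|models|shell must not import @dar/api'
        language: pygrep
        entry: >-
          (from\s+|import\s*\(?\s*|require\s*\(\s*)['"]@dar/api(/|['"])
        files: '^frontend/packages/(list|details|models|shell)/'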