# Global exclude: pre-commit filters these paths out before it hands file
# names to a hook, so the security scanners in this file that are run on file
# names (bandit, semgrep) skip them as well - including ^docs/,
# ^archived_modules/, /build/, /dist/ and bundled /static/lib/ code.
# NOTE(review): a few dots are unescaped (`.svg$`, `^.github/`,
# `^.copier-answers.yml$`), so they match any character; slightly broader than
# the literal names they are meant to cover.
exclude: |
  (?x)
  # NOT INSTALLABLE ADDONS
  ^spp_programs_approval/|
  # END NOT INSTALLABLE ADDONS
  # Files and folders generated by bots, to avoid loops
  ^setup/|/static/description/index\.html$|
  # We don't want to mess with tool-generated files
  .svg$|/tests/([^/]+/)?cassettes/|^.copier-answers.yml$|^.github/|^eslint.config.cjs|^prettier.config.cjs|
  # Library files can have extraneous formatting (even minimized)
  /static/(src/)?lib/|
  # Repos using Sphinx to generate docs don't need prettying
  ^docs/_templates/.*\.html$|
  # Don't bother non-technical authors with formatting issues in docs
  readme/.*\.(rst|md)$|
  # Ignore build and dist directories in addons
  /build/|/dist/|
  # Ignore test files in addons
  /tests/samples/.*|
  # You don't usually want a bot to modify your legal texts
  (LICENSE.*|COPYING.*)|
  # Exclude full docs tree and archived modules from all hooks
  ^docs/|^archived_modules/
# Runtimes used by hooks that do not set their own language_version.
# node is fixed to one exact release; python is whatever `python3` resolves to
# on the machine running the hooks.
default_language_version:
  python: "python3"
  node: "22.9.0"
# NOTE(review): each remote repository listed here is fetched at its `rev` and
# its hook code is executed on developer machines and in CI. In this file only
# oca/maintainer-tools is pinned to a full commit SHA; the other remotes use
# tags, which upstream can re-point. `pre-commit autoupdate --freeze` rewrites
# tag revs to commit SHAs.
repos:
- repo: local
  hooks:
  # Leftover *.rej files are most likely junk from a rejected copier diff; if
  # one shows up, review it by hand, fix the problem (if needed) and delete it.
  # `language: fail` makes the hook fail with `entry` as the message for every
  # matching path.
  - id: forbidden-files
    name: forbidden files
    entry: found forbidden files; remove them
    language: fail
    files: '\.rej$'
  - id: en-po-files
    name: en.po files cannot exist
    entry: found a en.po file
    language: fail
    files: '[a-zA-Z0-9_]*/i18n/en\.po$'
# NOTE(review): `v1.3` is a tag and can be moved upstream; a full commit SHA
# fixes the exact hook code that runs.
- repo: "https://github.com/sbidoul/whool"
  rev: "v1.3"
  hooks:
  - id: whool-init
# Pinned to a full 40-character commit SHA rather than a tag, so the hook code
# fetched for this rev cannot change.
- repo: "https://github.com/oca/maintainer-tools"
  rev: "71aa4caec15e8c1456b4da19e9f39aa0aa7377a9"
  hooks:
  # update the NOT INSTALLABLE ADDONS section above
  - id: oca-update-pre-commit-excluded-addons
  - id: oca-fix-manifest-website
    args:
    - "https://github.com/OpenSPP/OpenSPP2"
  - id: oca-gen-addon-readme
    args:
    - --addons-dir=.
    - --branch=19.0
    - --org-name=OpenSPP
    - --repo-name=OpenSPP2
    - --template-filename=tools/readme_template.rst.jinja
    - --if-source-changed
    - --keep-source-digest
    - --convert-fragments-to-markdown
    # NOTE(review): `manual` is not one of pre-commit's documented hook keys;
    # if the intent is to run this hook only on request, the documented form
    # is `stages: [manual]` - confirm what is wanted here.
    manual: true
  - id: oca-gen-external-dependencies
    # NOTE(review): same undocumented `manual` key as on oca-gen-addon-readme.
    manual: true
  - id: oca-gen-addons-table
# NOTE(review): `v0.1.7` is a tag and can be moved upstream; a full commit SHA
# fixes the exact hook code that runs.
- repo: "https://github.com/OCA/odoo-pre-commit-hooks"
  rev: "v0.1.7"
  hooks:
  - id: oca-checks-odoo-module
  - id: oca-checks-po
    # The po-pretty-format check is switched off; the remaining checks stay on.
    args: ["--disable=po-pretty-format"]
# Formatter run from a node environment that pre-commit builds locally.
# Both packages are pinned to exact versions; that fixes the top-level
# packages only - their transitive dependencies are resolved when the hook
# environment is installed.
- repo: local
  hooks:
  - id: prettier
    name: prettier (with plugin-xml)
    language: node
    entry: prettier
    # --write rewrites files in place; --list-different prints the ones changed.
    args: [--write, --list-different, --ignore-unknown]
    types: [text]
    files: '\.(css|htm|html|js|json|jsx|less|md|scss|toml|ts|xml|yaml|yml)$'
    additional_dependencies:
    - "prettier@3.6.2"
    - "@prettier/plugin-xml@3.4.2"
# JavaScript linter run from a node environment that pre-commit builds locally.
# The three packages are pinned to exact versions; their transitive
# dependencies are still resolved when the hook environment is installed.
- repo: local
  hooks:
  - id: eslint
    name: eslint
    language: node
    entry: eslint
    # --fix applies automatic fixes to the files it is given.
    args: [--color, --fix]
    verbose: true
    types: [javascript]
    additional_dependencies:
    - "eslint@9.35.0"
    - "eslint-plugin-jsdoc@57.0.8"
    - "globals@16.0.0"
# Generic hygiene checks.
# NOTE(review): `v6.0.0` is a tag and can be moved upstream; a full commit SHA
# fixes the exact hook code that runs.
- repo: "https://github.com/pre-commit/pre-commit-hooks"
  rev: "v6.0.0"
  hooks:
  - id: trailing-whitespace
    # exclude autogenerated files
    exclude: '/README\.rst$|\.pot?$'
  - id: end-of-file-fixer
    # exclude autogenerated files
    exclude: '/README\.rst$|\.pot?$'
  - id: debug-statements
  - id: check-case-conflict
  - id: check-docstring-first
  - id: check-executables-have-shebangs
  - id: check-merge-conflict
    # exclude files where underlines are not distinguishable from merge conflicts
    exclude: '/README\.rst$|^docs/.*\.rst$'
  - id: check-symlinks
  - id: check-xml
  - id: mixed-line-ending
    # normalise every line ending to LF
    args:
    - "--fix=lf"
# Python linting and formatting.
# NOTE(review): `v0.13.0` is a tag and can be moved upstream; a full commit
# SHA fixes the exact hook code that runs.
- repo: "https://github.com/astral-sh/ruff-pre-commit"
  rev: "v0.13.0"
  hooks:
  - id: ruff
    # Apply fixes, and still fail the hook when a fix was applied.
    args:
    - --fix
    - --exit-non-zero-on-fix
  - id: ruff-format
# pylint-odoo runs twice: an advisory pass and a mandatory pass.
# NOTE(review): `v9.3.15` is a tag and can be moved upstream; a full commit
# SHA fixes the exact hook code that runs.
- repo: "https://github.com/OCA/pylint-odoo"
  rev: "v9.3.15"
  hooks:
  # Advisory pass: --exit-zero means its findings are printed (verbose: true)
  # but never fail the commit.
  - id: pylint_odoo
    name: pylint with optional checks
    args: [--rcfile=.pylintrc, --exit-zero]
    verbose: true
  # Mandatory pass: uses .pylintrc-mandatory and can fail the commit. The
  # top-level directories named in `exclude` are not checked by this pass.
  - id: pylint_odoo
    args: [--rcfile=.pylintrc-mandatory]
    exclude: '^spp$|^scripts/|^(base_user_role|endpoint_route_handler|extendable|extendable_fastapi|fastapi|openspp-vocabularies|openspp|theme_openspp_muk|queue_job)/'
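# ============================================================================
# OpenSPP Custom Linting Rules
# Based on docs/principles/ - see scripts/lint/README.md for details
# ============================================================================
# These hooks run scripts from this repository inside Python environments that
# pre-commit creates for them.
# NOTE(review): PyYAML (and lxml on the Odoo 19 XML hook) are listed in
# additional_dependencies without a version, so whatever release the package
# index serves at install time goes into the hook environment; an exact
# version pin would make those environments reproducible.
- repo: local
  hooks:
  # Phase 1: Simple pattern-based checks (pygrep)
  - id: openspp-no-assertraises-tuple
    name: "OpenSPP: No tuple in assertRaises"
    description:
      "Odoo's assertRaises doesn't support tuple of exceptions like stdlib unittest"
    entry: 'self\.assertRaises\s*\(\s*\('
    language: pygrep
    types: [python]
    files: /tests/
  # Heuristic only. pygrep tests one line at a time (unless `--multiline` is
  # passed in args), `[^)]*` stops at the first closing parenthesis, and only
  # a logger named `_logger` is recognised. A call split over several lines,
  # a PII attribute that follows a nested call, or a differently named logger
  # is therefore not flagged; a clean run means "nothing obvious", not
  # "no PII is logged".
  - id: openspp-no-pii-in-logs
    name: "OpenSPP: No PII in log messages"
    description: "Detect potential PII (name, phone, email, etc.) in log statements"
    # `exception` is part of the method list: _logger.exception() writes its
    # arguments to the log in the same way as _logger.error().
    entry: '_logger\.(debug|info|warning|error|critical|exception)\([^)]*\.(name|national_id|phone|mobile|email|address|birth_date|tax_id|bank_account)\b'
    language: pygrep
    types: [python]
    exclude: ^scripts/|/tests/
  - id: openspp-no-g2p-namespace
    name: "OpenSPP: No deprecated g2p.* namespace"
    description: "Detect deprecated g2p.* model names (should be spp.*)"
    # Matches a quote character (single or double) directly followed by `g2p.`
    entry: '["'']g2p\.'
    language: pygrep
    types: [python]
    exclude: ^scripts/|/tests/|migrations/
  # Phase 2: OpenSPP naming conventions (mandatory)
  - id: openspp-check-naming
    name: "OpenSPP: Naming conventions"
    description: "Check model and field naming conventions"
    entry: python scripts/lint/check_naming.py
    language: python
    additional_dependencies:
    - PyYAML
    types: [python]
    # Exclude: scripts, tests, migrations, and third-party modules
    exclude: ^scripts/|/tests/|migrations/|^(fastapi|queue_job|base_user_role|extendable|extendable_fastapi|endpoint_route_handler)/
    pass_filenames: true
  - id: openspp-check-xml-ids
    name: "OpenSPP: XML ID naming conventions"
    description: "Check XML ID naming patterns for views, actions, menus, groups"
    entry: python scripts/lint/check_xml_ids.py
    language: python
    additional_dependencies:
    - PyYAML
    types: [xml]
    # Exclude: scripts, tests, data, demo, and third-party modules
    exclude: ^scripts/|/tests/|/data/|/demo/|^(fastapi|queue_job|base_user_role|extendable|extendable_fastapi|endpoint_route_handler)/
    pass_filenames: true
  # Phase 2: ACL check (warning only, runs on all files)
  # always_run + pass_filenames: false => executed once on every commit,
  # whatever was staged.
  - id: openspp-check-acl
    name: "OpenSPP: ACL files exist"
    description: "Check that modules have ir.model.access.csv"
    entry: python scripts/lint/check_acl.py --check-only
    language: python
    additional_dependencies:
    - PyYAML
    pass_filenames: false
    always_run: true
  # Phase 2: Compliance check (security spec validation)
  # always_run + pass_filenames: false => executed once on every commit,
  # whatever was staged.
  - id: openspp-compliance-check
    name: "OpenSPP: Security compliance check"
    description:
      "Validate modules with compliance.yaml against actual security config"
    entry: python -m scripts.compliance.checker --all
    language: python
    additional_dependencies:
    - PyYAML
    pass_filenames: false
    always_run: true
  # Phase 3: Performance checks (warning only)
  - id: openspp-check-performance
    name: "OpenSPP: Performance anti-patterns"
    description: "Check for offset pagination, cr.commit() in loops, N+1 queries"
    entry: python scripts/lint/check_performance.py --check-only
    language: python
    additional_dependencies:
    - PyYAML
    types: [python]
    # Exclude: scripts, tests, migrations, and third-party modules
    exclude: ^scripts/|/tests/|migrations/|^(fastapi|queue_job|base_user_role|extendable|extendable_fastapi|endpoint_route_handler)/
    pass_filenames: true
  # Phase 3: Logger setup check (warning only)
  - id: openspp-check-logger
    name: "OpenSPP: Logger setup and PII"
    description: "Check logger setup pattern and potential PII in logs"
    entry: python scripts/lint/check_logger.py
    language: python
    additional_dependencies:
    - PyYAML
    types: [python]
    # Exclude: scripts, tests, manifests, inits, and third-party modules
    exclude: ^scripts/|/tests/|__manifest__|__init__|^(fastapi|queue_job|base_user_role|extendable|extendable_fastapi|endpoint_route_handler)/
    pass_filenames: true
  # Phase 3: UI patterns check (warning only)
  - id: openspp-check-ui
    name: "OpenSPP: UI patterns"
    description:
      "Check list limits, sample data, XPath syntax, statusbar location, extension
      points"
    entry: python scripts/lint/check_ui_patterns.py
    language: python
    additional_dependencies:
    - PyYAML
    types: [xml]
    # Exclude: scripts, tests, data, demo, and third-party modules
    exclude: ^scripts/|/tests/|/data/|/demo/|^(fastapi|queue_job|base_user_role|extendable|extendable_fastapi|endpoint_route_handler)/
    pass_filenames: true
  # Odoo 19 Compatibility Checks
  - id: openspp-check-odoo19-python
    name: "OpenSPP: Odoo 19 compatibility (Python)"
    description: "Check Command API tuples, group_expand signature"
    entry: python scripts/lint/check_odoo19.py
    language: python
    additional_dependencies:
    - PyYAML
    types: [python]
    # Exclude: scripts, tests, migrations, and third-party modules
    exclude: ^scripts/|/tests/|migrations/|^(fastapi|queue_job|base_user_role|extendable|extendable_fastapi|endpoint_route_handler)/
    pass_filenames: true
  - id: openspp-check-odoo19-xml
    name: "OpenSPP: Odoo 19 compatibility (XML)"
    description: "Check search view group attrs, XPath @title"
    entry: python scripts/lint/check_odoo19.py --xml
    language: python
    additional_dependencies:
    - PyYAML
    - lxml
    types: [xml]
    # Exclude: scripts, tests, data, demo, and third-party modules
    exclude: ^scripts/|/tests/|/data/|/demo/|^(fastapi|queue_job|base_user_role|extendable|extendable_fastapi|endpoint_route_handler)/
    pass_filenames: true
  # API authentication enforcement
  # NOTE(review): with `pass_filenames: false` and the `files` filter below,
  # the audit is triggered only when a staged path lies under some */routers/
  # directory. A commit that declares an endpoint elsewhere, or that edits
  # scripts/audit-api-auth.py itself, does not run it. Presumably a full-tree
  # run in CI covers those cases - confirm.
  - id: openspp-check-api-auth
    name: "OpenSPP: API endpoint authentication"
    description:
      "Verify all API endpoints require authentication (allowlist for public)"
    entry: python scripts/audit-api-auth.py --strict
    language: python
    pass_filenames: false
    always_run: false
    files: .*/routers/.*\.py$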
# Secret detection.
# NOTE(review): `v8.28.0` is a tag and can be moved upstream; for a tool that
# gates secrets, a full commit SHA is the safer pin.
# NOTE(review): the project is published under github.com/gitleaks/gitleaks;
# this URL presumably still resolves through a redirect - confirm, and prefer
# the canonical location so the hook source does not depend on that redirect.
- repo: "https://github.com/zricethezav/gitleaks"
  rev: "v8.28.0"
  hooks:
  - id: gitleaks
# Python security linter, configured from pyproject.toml.
# NOTE(review): `1.7.10` is a tag and can be moved upstream; a full commit SHA
# fixes the exact hook code that runs.
- repo: "https://github.com/PyCQA/bandit"
  rev: "1.7.10"
  hooks:
  - id: bandit
    # -ll limits the report to MEDIUM and HIGH severity; LOW-severity findings
    # are not shown and do not fail the hook.
    args:
    - "-c"
    - "pyproject.toml"
    - "-r"
    - "-ll"
    # NOTE(review): the whole group is anchored with `^`, so `tests/` and
    # `test_.*\.py$` only match paths that start at the repository root.
    # Files such as <addon>/tests/test_x.py are not excluded and are still
    # scanned; presumably the intent was to skip them - confirm.
    exclude: '^(tests/|scripts/tests/|.*_test\.py$|test_.*\.py$)'
# Static analysis using only the rules kept in this repository's .semgrep/
# directory.
# NOTE(review): `v1.90.0` is a tag and can be moved upstream; a full commit
# SHA fixes the exact hook code that runs.
- repo: "https://github.com/semgrep/semgrep"
  rev: "v1.90.0"
  hooks:
  - id: semgrep
    # --error makes the hook fail when there are findings.
    args:
    - "--config"
    - ".semgrep/"
    - "--error"
    - "--quiet"
    additional_dependencies:
    - "setuptools<82"
    # Only scan OpenSPP spp_* modules (not scripts, endpoint handlers, etc.)
    # Coverage caveat: Python code in any top-level directory that does not
    # start with `spp_` is never passed to semgrep.
    files: ^spp_
    # Exclude test files, migrations, and demo-only modules
    exclude: '^(tests/|scripts/tests/|.*/tests/.*|.*/migrations/.*|spp_4ps_demo/|spp_case_demo/|spp_grm_demo/)'