ci: run fallow audit in lefthook pre-commit

Mirrors the same `fallow audit --base ... --fail-on-issues` check that
runs in CI, but locally against HEAD so issues surface at commit time
instead of after the push round-trip.

Scoped to `packages/**` source files via the glob — non-code edits
(README, docs, top-level configs) skip the hook entirely.

Measured locally: ~5s in parallel with the existing lint/format/typecheck
checks. Doesn't extend wall-clock time because typecheck (~11s) is the
long pole, and lefthook runs commands in parallel.

The default `--gate new-only` means inherited findings don't block the
commit — same gate behavior as CI, so local pre-commit and PR audit
agree.

Author: jrusso1020

bun.lock

@@ -12,6 +12,14 @@ pre-commit:
     typecheck:
       glob: "*.{ts,tsx}"
       run: cd packages/core && bunx tsc --noEmit && cd ../studio && bunx tsc --noEmit
+    # Mirrors the CI gate (same `--base origin/main` so the local hook can't
+    # pass on a branch CI would fail). Audits the working tree, which means
+    # unstaged WIP in `packages/**` is part of the diff — stash before
+    # committing if that surprises you. `--gate new-only` (the default) only
+    # fails on issues introduced by the branch, not inherited findings.
+    fallow:
+      glob: "packages/**/*.{ts,tsx,mts,cts,js,jsx,mjs,cjs}"
+      run: bunx fallow audit --base origin/main --fail-on-issues
     filesize:
       # Scoped to packages/studio — the 500 LOC limit is a studio architecture
       # standard enforced as part of the App.tsx decomposition work. Player and

lefthook.yml

@@ -40,6 +40,7 @@
     "@hyperframes/player": "workspace:*",
     "@types/node": "^25.0.10",
     "concurrently": "^8.2.0",
+    "fallow": "^2.75.0",
     "happy-dom": "^20.9.0",
     "knip": "^6.0.3",
     "lefthook": "^2.1.4",