chore: add pre-commit hook to prevent committing sensitive files

OpenClaw Subagent · OpenClaw Subagent · commit 52af5796d3b4 · 2026-02-14T20:41:45.000Z
diff --git a/HOOKS.md b/HOOKS.md
@@ -0,0 +1,36 @@
+# Git Hooks
+
+## Pre-commit Hook
+
+This repository uses a pre-commit hook to prevent committing sensitive files like `.env` files, secrets, and config files with sensitive data.
+
+### Installing the Hook
+
+Run the following command to install the hook:
+
+```bash
+cp scripts/pre-commit-hook.sh .git/hooks/pre-commit
+chmod +x .git/hooks/pre-commit
+```
+
+Or use the setup script:
+
+```bash
+./scripts/setup-hooks.sh
+```
+
+### What It Blocks
+
+The pre-commit hook prevents commits containing files matching these patterns:
+- `.env*` (any file starting with .env)
+- `*.env` (any file ending with .env)
+- `env.*` (any file starting with env.)
+- `secrets.*` (any file starting with secrets.)
+- `config.*` (any file starting with config.)
+
+### Best Practices
+
+- Use `.env.example` for non-sensitive default values
+- Add sensitive files to `.gitignore` before creating them
+- Use environment-specific config files that are gitignored
+- Never commit actual API keys, passwords, or tokens
diff --git a/scripts/pre-commit-hook.sh b/scripts/pre-commit-hook.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+# .env File Gatekeeper - Because developers are sneaky little hobbitses
+
+# Colors for our dramatic warnings
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# The forbidden patterns - we know your tricks!
+FORBIDDEN_PATTERNS=(".env*" "*.env" "env.*" "secrets.*" "config.*")
+
+# Check if we're in a git repo (because why else would you run this?)
+if ! git rev-parse --git-dir > /dev/null 2>&1; then
+    echo -e "${RED}Not in a git repository. Are you lost?${NC}"
+    exit 1
+fi
+
+# Look for sneaky files
+FOUND_FILES=()
+for pattern in "${FORBIDDEN_PATTERNS[@]}"; do
+    while IFS= read -r -d '' file; do
+        # Skip .gitignore because we're not monsters
+        if [[ "$file" != *".gitignore" ]]; then
+            FOUND_FILES+=("$file")
+        fi
+    done < <(find . -name "$pattern" -type f -print0 2>/dev/null)
+done
+
+# The moment of truth
+if [ ${#FOUND_FILES[@]} -eq 0 ]; then
+    echo -e "${GREEN}✓ No forbidden files found. You're a good developer!${NC}"
+    exit 0
+fi
+
+# Oh dear...
+echo -e "${RED}⚠ DANGER WILL ROBINSON! Found forbidden files:${NC}"
+for file in "${FOUND_FILES[@]}"; do
+    echo -e "${YELLOW} • $file${NC}"
+    # Check if it's in .gitignore (common rookie mistake)
+    if grep -q "$(basename "$file")" .gitignore 2>/dev/null; then
+        echo -e " ${RED}But wait... it's in .gitignore! Classic misdirection.${NC}"
+    fi
+    # Check if it's already tracked (oh no)
+    if git ls-files --error-unmatch "$file" > /dev/null 2>&1; then
+        echo -e " ${RED}AND IT'S ALREADY TRACKED! PANIC!${NC}"
+    fi
+done
+
+echo -e " ${RED}🚫 These files should NOT be committed. Add them to .gitignore!${NC}"
+echo -e "${YELLOW}💡 Pro tip: Use .env.example for non-sensitive defaults${NC}"
+exit 1
