NodeOps-app
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 34 additions & 0 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎.secrets.baseline‎
Lines changed: 158 additions & 0 deletions b/‎.secrets.baseline‎
Lines changed: 158 additions & 0 deletions
diff --git a/‎.tool-versions‎
Lines changed: 1 addition & 1 deletion b/‎.tool-versions‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CLAUDE.md‎
Lines changed: 23 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 27 additions & 1 deletion b/‎README.md‎
Lines changed: 27 additions & 1 deletion
diff --git a/‎cmd/ask/ask.go‎
Lines changed: 2 additions & 2 deletions b/‎cmd/ask/ask.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎cmd/deploy/deploy.go‎
Lines changed: 2 additions & 2 deletions b/‎cmd/deploy/deploy.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎cmd/env/helpers.go‎
Lines changed: 1 addition & 1 deletion b/‎cmd/env/helpers.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cmd/env/push.go‎
Lines changed: 1 addition & 1 deletion b/‎cmd/env/push.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cmd/templates/use.go‎
Lines changed: 8 additions & 3 deletions b/‎cmd/templates/use.go‎
Lines changed: 8 additions & 3 deletions
@@ -0,0 +1,34 @@
+repos:
+  # Secret detection — Yelp detect-secrets
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args:
+          - --baseline
+          - .secrets.baseline
+
+  - repo: local
+    hooks:
+      # go vet + go build run in parallel via background jobs
+      - id: go-checks
+        name: go checks (parallel)
+        language: system
+        entry: >-
+          bash -c '
+            go vet ./... &
+            pid_vet=$!
+
+            tmp=$(mktemp -d)
+            go build -o "$tmp/createos" . && rm -rf "$tmp" &
+            pid_build=$!
+
+            wait $pid_vet; rc_vet=$?
+            wait $pid_build; rc_build=$?
+
+            [ $rc_vet -ne 0 ] && echo "go vet failed"
+            [ $rc_build -ne 0 ] && echo "go build failed"
+            exit $(( rc_vet | rc_build ))
+          '
+        pass_filenames: false
+        types: [go]
@@ -0,0 +1,158 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {
+    "cmd/env/set.go": [
+      {
+        "type": "Secret Keyword",
+        "filename": "cmd/env/set.go",
+        "hashed_secret": "ec417f567082612f8fd6afafe1abcab831fca840",
+        "is_verified": false,
+        "is_secret": false,
+        "line_number": 24
+      }
+    ],
+    "cmd/oauth/helpers.go": [
+      {
+        "type": "Secret Keyword",
+        "filename": "cmd/oauth/helpers.go",
+        "hashed_secret": "a587be0a364eab71821821cfc5226eb04853224f",
+        "is_verified": false,
+        "is_secret": false,
+        "line_number": 155
+      }
+    ],
+    "internal/api/client.go": [
+      {
+        "type": "Secret Keyword",
+        "filename": "internal/api/client.go",
+        "hashed_secret": "b19a5a3616bf8b53864ca6162b5f1f6a8c61ab94",
+        "is_verified": false,
+        "is_secret": false,
+        "line_number": 97
+      }
+    ]
+  },
+  "generated_at": "2026-04-02T07:26:00Z"
+}
@@ -1,2 +1,2 @@
-golang 1.26.0
+golang 1.26.1
 golangci-lint 2.11.3
@@ -116,6 +116,29 @@ fmt.Println("You don't have any projects yet.")
 
 Always suggest a next action in empty states where applicable.
 
+## Pre-commit Hooks
+
+The repo uses [pre-commit](https://pre-commit.com) with the following hooks:
+
+| Hook | What it does |
+|------|-------------|
+| `detect-secrets` | Scans for accidentally committed secrets (Yelp detect-secrets v1.5.0) |
+| `go-vet` | Runs `go vet ./...` on changed Go files |
+| `go-build-tmp` | Builds the binary to a temp dir and removes it on success |
+
+### First-time setup
+
+```bash
+pre-commit install
+detect-secrets scan > .secrets.baseline
+```
+
+`.secrets.baseline` must be committed. Update it when a false positive is audited:
+
+```bash
+detect-secrets audit .secrets.baseline
+```
+
 ## Adding a New Command Group
 
 1. Create `cmd/<group>/` directory
 
@@ -59,14 +59,40 @@ brew upgrade createos
 
 ### Build from source
 
-Requires Go 1.21+.
+Requires Go 1.26+.
 
 ```bash
 git clone https://github.com/NodeOps-app/createos-cli
 cd createos-cli
 go build -o createos .
 ```
 
+## Contributing
+
+### Pre-commit hooks
+
+The repo ships with [pre-commit](https://pre-commit.com) hooks for secret detection and build verification. Set them up once after cloning:
+
+```bash
+pip install pre-commit detect-secrets
+pre-commit install
+detect-secrets scan > .secrets.baseline
+```
+
+Hooks that run on every commit:
+
+| Hook | Check |
+|------|-------|
+| `detect-secrets` | Scans for accidentally committed secrets |
+| `go-vet` | Runs `go vet ./...` |
+| `go-build-tmp` | Verifies the project builds cleanly |
+
+If `detect-secrets` flags a false positive, audit and update the baseline:
+
+```bash
+detect-secrets audit .secrets.baseline
+```
+
 ## Getting started
 
 **1. Sign in**
 
@@ -26,7 +26,7 @@ func installAgent() error {
 	}
 
 	agentsDir := filepath.Join(home, ".opencode", "agents")
-	if err := os.MkdirAll(agentsDir, 0750); err != nil { //nolint:gosec // user-owned directory
+	if err := os.MkdirAll(agentsDir, 0750); err != nil {
 		return fmt.Errorf("could not create agents directory: %w", err)
 	}
 
@@ -69,7 +69,7 @@ func NewAskCommand() *cli.Command {
 				args = []string{"--agent", agentName}
 			}
 
-			cmd := exec.CommandContext(context.Background(), opencodeBin, args...) //nolint:gosec
+			cmd := exec.CommandContext(context.Background(), opencodeBin, args...) // #nosec G204 -- opencodeBin is from exec.LookPath, args are hardcoded
 			cmd.Stdin = os.Stdin
 			cmd.Stdout = os.Stdout
 			cmd.Stderr = os.Stderr
 
@@ -351,7 +351,7 @@ func streamRuntimeLogs(client *api.APIClient, projectID, deploymentID string) {
 
 // loadGitignorePatterns reads .gitignore from srcDir and returns usable patterns.
 func loadGitignorePatterns(srcDir string) []string {
-	data, err := os.ReadFile(filepath.Join(srcDir, ".gitignore")) //nolint:gosec
+	data, err := os.ReadFile(filepath.Join(srcDir, ".gitignore")) // #nosec G304 -- srcDir is from filepath.Abs, filename is a constant
 	if err != nil {
 		return nil
 	}
@@ -438,7 +438,7 @@ func createZip(w io.Writer, srcDir string) error {
 			return err
 		}
 
-		f, err := os.Open(path) //nolint:gosec
+		f, err := os.Open(path) // #nosec G304,G122 -- path comes from filepath.Walk on a local directory
 		if err != nil {
 			return err
 		}
 
@@ -104,7 +104,7 @@ func ensureEnvGitignored() {
 		content = pattern + "\n"
 	}
 
-	f, err := os.OpenFile(gitignore, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) //nolint:gosec
+	f, err := os.OpenFile(gitignore, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) // #nosec G302 -- .gitignore must be world-readable (0644)
 	if err != nil {
 		return
 	}
 
@@ -43,7 +43,7 @@ func newEnvPushCommand() *cli.Command {
 				return fmt.Errorf("--file must be a relative path without '..' (got %q)", filePath)
 			}
 
-			data, err := os.ReadFile(filePath) //nolint:gosec
+			data, err := os.ReadFile(filePath) // #nosec G304 -- filePath is validated above (relative, no ..)
 			if err != nil {
 				return fmt.Errorf("could not read %s: %w", filePath, err)
 			}
 
@@ -1,6 +1,7 @@
 package templates
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -103,11 +104,15 @@ func newTemplatesUseCommand() *cli.Command {
 				return err
 			}
 
-			if err := os.MkdirAll(absDir, 0750); err != nil { //nolint:gosec
+			if err := os.MkdirAll(absDir, 0750); err != nil {
 				return fmt.Errorf("could not create directory %s: %w", dir, err)
 			}
 
-			resp, err := http.Get(downloadURL) //nolint:gosec,noctx
+			req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, downloadURL, nil)
+			if err != nil {
+				return fmt.Errorf("could not create download request: %w", err)
+			}
+			resp, err := http.DefaultClient.Do(req)
 			if err != nil {
 				return fmt.Errorf("could not download template: %w", err)
 			}
@@ -130,7 +135,7 @@ func newTemplatesUseCommand() *cli.Command {
 }
 
 func downloadToFile(path string, src io.Reader) error {
-	out, err := os.Create(path) //nolint:gosec
+	out, err := os.Create(path) // #nosec G304 -- path is constructed from filepath.Join(absDir, "template.zip")
 	if err != nil {
 		return fmt.Errorf("could not create file: %w", err)
 	}
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-golang 1.26.0`
	`1`	`+golang 1.26.1`
`2`	`2`	`golangci-lint 2.11.3`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ func installAgent() error {`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`agentsDir := filepath.Join(home, ".opencode", "agents")`
`29`		`- if err := os.MkdirAll(agentsDir, 0750); err != nil { //nolint:gosec // user-owned directory`
	`29`	`+ if err := os.MkdirAll(agentsDir, 0750); err != nil {`
`30`	`30`	`return fmt.Errorf("could not create agents directory: %w", err)`
`31`	`31`	`}`
`32`	`32`
`@@ -69,7 +69,7 @@ func NewAskCommand() *cli.Command {`
`69`	`69`	`args = []string{"--agent", agentName}`
`70`	`70`	`}`
`71`	`71`
`72`		`- cmd := exec.CommandContext(context.Background(), opencodeBin, args...) //nolint:gosec`
	`72`	`+ cmd := exec.CommandContext(context.Background(), opencodeBin, args...) // #nosec G204 -- opencodeBin is from exec.LookPath, args are hardcoded`
`73`	`73`	`cmd.Stdin = os.Stdin`
`74`	`74`	`cmd.Stdout = os.Stdout`
`75`	`75`	`cmd.Stderr = os.Stderr`
Original file line number	Diff line number	Diff line change
`@@ -351,7 +351,7 @@ func streamRuntimeLogs(client *api.APIClient, projectID, deploymentID string) {`
`351`	`351`
`352`	`352`	`// loadGitignorePatterns reads .gitignore from srcDir and returns usable patterns.`
`353`	`353`	`func loadGitignorePatterns(srcDir string) []string {`
`354`		`- data, err := os.ReadFile(filepath.Join(srcDir, ".gitignore")) //nolint:gosec`
	`354`	`+ data, err := os.ReadFile(filepath.Join(srcDir, ".gitignore")) // #nosec G304 -- srcDir is from filepath.Abs, filename is a constant`
`355`	`355`	`if err != nil {`
`356`	`356`	`return nil`
`357`	`357`	`}`
`@@ -438,7 +438,7 @@ func createZip(w io.Writer, srcDir string) error {`
`438`	`438`	`return err`
`439`	`439`	`}`
`440`	`440`
`441`		`- f, err := os.Open(path) //nolint:gosec`
	`441`	`+ f, err := os.Open(path) // #nosec G304,G122 -- path comes from filepath.Walk on a local directory`
`442`	`442`	`if err != nil {`
`443`	`443`	`return err`
`444`	`444`	`}`
Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,7 @@ func ensureEnvGitignored() {`
`104`	`104`	`content = pattern + "\n"`
`105`	`105`	`}`
`106`	`106`
`107`		`- f, err := os.OpenFile(gitignore, os.O_APPEND\|os.O_CREATE\|os.O_WRONLY, 0644) //nolint:gosec`
	`107`	`+ f, err := os.OpenFile(gitignore, os.O_APPEND\|os.O_CREATE\|os.O_WRONLY, 0644) // #nosec G302 -- .gitignore must be world-readable (0644)`
`108`	`108`	`if err != nil {`
`109`	`109`	`return`
`110`	`110`	`}`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ func newEnvPushCommand() *cli.Command {`
`43`	`43`	`return fmt.Errorf("--file must be a relative path without '..' (got %q)", filePath)`
`44`	`44`	`}`
`45`	`45`
`46`		`- data, err := os.ReadFile(filePath) //nolint:gosec`
	`46`	`+ data, err := os.ReadFile(filePath) // #nosec G304 -- filePath is validated above (relative, no ..)`
`47`	`47`	`if err != nil {`
`48`	`48`	`return fmt.Errorf("could not read %s: %w", filePath, err)`
`49`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`package templates`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+ "context"`
`4`	`5`	`"fmt"`
`5`	`6`	`"io"`
`6`	`7`	`"net/http"`
`@@ -103,11 +104,15 @@ func newTemplatesUseCommand() *cli.Command {`
`103`	`104`	`return err`
`104`	`105`	`}`
`105`	`106`
`106`		`- if err := os.MkdirAll(absDir, 0750); err != nil { //nolint:gosec`
	`107`	`+ if err := os.MkdirAll(absDir, 0750); err != nil {`
`107`	`108`	`return fmt.Errorf("could not create directory %s: %w", dir, err)`
`108`	`109`	`}`
`109`	`110`
`110`		`- resp, err := http.Get(downloadURL) //nolint:gosec,noctx`
	`111`	`+ req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, downloadURL, nil)`
	`112`	`+ if err != nil {`
	`113`	`+ return fmt.Errorf("could not create download request: %w", err)`
	`114`	`+ }`
	`115`	`+ resp, err := http.DefaultClient.Do(req)`
`111`	`116`	`if err != nil {`
`112`	`117`	`return fmt.Errorf("could not download template: %w", err)`
`113`	`118`	`}`
`@@ -130,7 +135,7 @@ func newTemplatesUseCommand() *cli.Command {`
`130`	`135`	`}`
`131`	`136`
`132`	`137`	`func downloadToFile(path string, src io.Reader) error {`
`133`		`- out, err := os.Create(path) //nolint:gosec`
	`138`	`+ out, err := os.Create(path) // #nosec G304 -- path is constructed from filepath.Join(absDir, "template.zip")`
`134`	`139`	`if err != nil {`
`135`	`140`	`return fmt.Errorf("could not create file: %w", err)`
`136`	`141`	`}`