chore: Add pre-commit hooks and commit message validation

Expand pre-commit to check Rust formatting, Swift formatting, and file
hygiene (large files, merge markers, secrets). Add commit-msg hook
enforcing Conventional Commits with sentence case. Add just targets for
Swift formatting. Each check is independently skippable via SKIP_HOOKS.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: 2witstudios

.githooks/commit-msg

@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ──────────────────────────────────────────────────────────────
+# Commit-msg hook for PurePoint
+#
+# Enforces: Conventional Commits + sentence case
+# Format:   type[(scope)]: Description starting with capital
+# Skip:     SKIP_HOOKS=commit-msg git commit ...
+#           SKIP_HOOKS=all git commit ...
+# Bypass:   git commit --no-verify
+# ──────────────────────────────────────────────────────────────
+
+# Skip if requested
+if [[ "${SKIP_HOOKS:-}" == "all" ]] || echo ",${SKIP_HOOKS:-}," | grep -q ",commit-msg,"; then
+    exit 0
+fi
+
+MSG_FILE="$1"
+MSG=$(head -1 "$MSG_FILE")
+
+# Allow merge commits
+if echo "$MSG" | grep -qE '^Merge '; then
+    exit 0
+fi
+
+# Allow revert commits
+if echo "$MSG" | grep -qE '^Revert '; then
+    exit 0
+fi
+
+# Allow fixup/squash commits (with warning)
+if echo "$MSG" | grep -qE '^(fixup|squash)! '; then
+    echo "commit-msg: allowing $( echo "$MSG" | cut -d'!' -f1 )! commit (remember to autosquash)"
+    exit 0
+fi
+
+# ── Validation ───────────────────────────────────────────────
+
+TYPES="feat|fix|chore|docs|refactor|test|ci|perf|style|build"
+# Full pattern: type[(scope)]: Uppercase description
+PATTERN="^(${TYPES})(\([a-zA-Z0-9_-]+\))?: [A-Z]"
+
+ERRORS=()
+
+# Check max length
+if (( ${#MSG} > 72 )); then
+    ERRORS+=("Message is ${#MSG} chars (max 72)")
+fi
+
+# Check trailing period
+if echo "$MSG" | grep -qE '\.$'; then
+    ERRORS+=("Remove trailing period")
+fi
+
+# Check format
+if ! echo "$MSG" | grep -qE "$PATTERN"; then
+    # Diagnose specific issue
+    if ! echo "$MSG" | grep -qE "^(${TYPES})"; then
+        # Check for WIP
+        if echo "$MSG" | grep -qiE '^WIP'; then
+            BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "unknown")
+            if [[ "$BRANCH" == "main" || "$BRANCH" == "master" ]]; then
+                ERRORS+=("WIP commits not allowed on $BRANCH")
+            else
+                exit 0
+            fi
+        else
+            ERRORS+=("Must start with a type: feat, fix, chore, docs, refactor, test, ci, perf, style, build")
+        fi
+    elif ! echo "$MSG" | grep -qE "^(${TYPES})(\([a-zA-Z0-9_-]+\))?: "; then
+        ERRORS+=("Missing ': ' after type/scope (use 'type: ' or 'type(scope): ')")
+    elif ! echo "$MSG" | grep -qE "^(${TYPES})(\([a-zA-Z0-9_-]+\))?: [A-Z]"; then
+        ERRORS+=("Description must start with uppercase (sentence case)")
+    fi
+fi
+
+# ── Report ───────────────────────────────────────────────────
+
+if (( ${#ERRORS[@]} > 0 )); then
+    echo ""
+    echo "commit-msg: INVALID commit message"
+    echo ""
+    echo "  Got:      $MSG"
+    echo ""
+    for err in "${ERRORS[@]}"; do
+        echo "  Error:    $err"
+    done
+    echo ""
+    echo "  Format:   type[(scope)]: Description starting with capital"
+    echo "  Types:    feat fix chore docs refactor test ci perf style build"
+    echo "  Examples: feat: Add workspace command"
+    echo "            fix(cli): Resolve manifest parsing error"
+    echo "            chore: Update dependencies"
+    echo ""
+
+    # Suggest a fix if we can detect the type
+    TYPE_MATCH=$(echo "$MSG" | grep -oE "^(${TYPES})" || true)
+    if [[ -n "$TYPE_MATCH" ]]; then
+        # Extract description after type[(scope)]:
+        DESC=$(echo "$MSG" | sed -E "s/^(${TYPES})(\([a-zA-Z0-9_-]+\))?:? *//")
+        SCOPE=$(echo "$MSG" | grep -oE '\([a-zA-Z0-9_-]+\)' || true)
+        if [[ -n "$DESC" ]]; then
+            # Capitalize first letter of description
+            FIRST=$(echo "${DESC:0:1}" | tr '[:lower:]' '[:upper:]')
+            REST="${DESC:1}"
+            # Remove trailing period
+            REST="${REST%.}"
+            SUGGESTION="${TYPE_MATCH}${SCOPE}: ${FIRST}${REST}"
+            # Truncate if needed
+            if (( ${#SUGGESTION} > 72 )); then
+                SUGGESTION="${SUGGESTION:0:69}..."
+            fi
+            echo "  Suggested: $SUGGESTION"
+            echo ""
+        fi
+    fi
+
+    echo "  Skip:     SKIP_HOOKS=commit-msg git commit ..."
+    echo "  Bypass:   git commit --no-verify"
+    exit 1
+fi

.githooks/pre-commit

@@ -1,8 +1,196 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# Only check formatting when Rust files are staged
-if git diff --cached --name-only --diff-filter=ACM | grep -q '\.rs$'; then
-  echo "pre-commit: checking Rust formatting..."
-  cargo fmt --all -- --check
+# ──────────────────────────────────────────────────────────────
+# Pre-commit hook for PurePoint
+#
+# Checks: rust-fmt, swift-fmt, hygiene
+# Skip individual:  SKIP_HOOKS=rust-fmt,hygiene git commit ...
+# Skip all:         SKIP_HOOKS=all git commit ...
+# Bypass entirely:  git commit --no-verify
+# ──────────────────────────────────────────────────────────────
+
+FAILED=0
+
+# Helpers ─────────────────────────────────────────────────────
+
+skip_check() {
+    local name="$1"
+    [[ "${SKIP_HOOKS:-}" == "all" ]] && return 0
+    echo ",${SKIP_HOOKS:-}," | grep -q ",$name," && return 0
+    return 1
+}
+
+now_ms() {
+    perl -MTime::HiRes=time -e 'printf "%.0f\n", time * 1000'
+}
+
+print_timing() {
+    local label="$1" start="$2" end="$3"
+    local elapsed=$(( end - start ))
+    if (( elapsed >= 1000 )); then
+        printf "  [%s: %d.%03ds]\n" "$label" $((elapsed / 1000)) $((elapsed % 1000))
+    else
+        printf "  [%s: %dms]\n" "$label" "$elapsed"
+    fi
+}
+
+# Staged files (cached once) ──────────────────────────────────
+
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+
+has_staged() {
+    echo "$STAGED_FILES" | grep -q "$1"
+}
+
+# ══════════════════════════════════════════════════════════════
+# Check: Rust formatting
+# ══════════════════════════════════════════════════════════════
+
+if ! skip_check "rust-fmt" && has_staged '\.rs$'; then
+    echo "pre-commit: checking Rust formatting..."
+    start=$(now_ms)
+
+    if ! cargo fmt --all -- --check; then
+        echo ""
+        echo "  FAILED: Rust formatting"
+        echo "  Fix:    cargo fmt --all"
+        echo ""
+        FAILED=1
+    fi
+
+    end=$(now_ms)
+    print_timing "rust-fmt" "$start" "$end"
+fi
+
+# ══════════════════════════════════════════════════════════════
+# Check: Swift formatting
+# ══════════════════════════════════════════════════════════════
+
+if ! skip_check "swift-fmt" && has_staged '\.swift$'; then
+    SWIFT_FORMAT=""
+
+    if command -v swift-format &>/dev/null; then
+        SWIFT_FORMAT="swift-format"
+    elif xcrun --find swift-format &>/dev/null 2>&1; then
+        SWIFT_FORMAT="$(xcrun --find swift-format)"
+    fi
+
+    if [[ -z "$SWIFT_FORMAT" ]]; then
+        echo "pre-commit: swift-format not found, skipping Swift format check"
+        echo "  Install: brew install swift-format"
+    else
+        echo "pre-commit: checking Swift formatting..."
+        start=$(now_ms)
+
+        SWIFT_STAGED=$(echo "$STAGED_FILES" | grep '\.swift$' || true)
+        SWIFT_FAILED=0
+
+        while IFS= read -r file; do
+            [[ -z "$file" ]] && continue
+            if ! "$SWIFT_FORMAT" lint --strict "$file" 2>&1; then
+                SWIFT_FAILED=1
+            fi
+        done <<< "$SWIFT_STAGED"
+
+        if (( SWIFT_FAILED )); then
+            echo ""
+            echo "  FAILED: Swift formatting"
+            echo "  Fix:    just fmt-swift"
+            echo ""
+            FAILED=1
+        fi
+
+        end=$(now_ms)
+        print_timing "swift-fmt" "$start" "$end"
+    fi
+fi
+
+# ══════════════════════════════════════════════════════════════
+# Check: File hygiene
+# ══════════════════════════════════════════════════════════════
+
+if ! skip_check "hygiene" && [[ -n "$STAGED_FILES" ]]; then
+    echo "pre-commit: checking file hygiene..."
+    start=$(now_ms)
+    HYGIENE_FAILED=0
+
+    # --- Large files (>1MB) ---
+    while IFS= read -r file; do
+        [[ -z "$file" ]] && continue
+        [[ ! -f "$file" ]] && continue
+        size=$(wc -c < "$file" | tr -d ' ')
+        if (( size > 1048576 )); then
+            size_mb=$(echo "scale=1; $size / 1048576" | bc)
+            echo "  BLOCKED: $file is ${size_mb}MB (limit: 1MB)"
+            HYGIENE_FAILED=1
+        fi
+    done <<< "$STAGED_FILES"
+
+    # --- Merge conflict markers (text files only) ---
+    while IFS= read -r file; do
+        [[ -z "$file" ]] && continue
+        [[ ! -f "$file" ]] && continue
+        # Skip binary files
+        if file --brief --mime "$file" | grep -q 'charset=binary'; then
+            continue
+        fi
+        if grep -nE '^(<{7}|>{7}|={7})( |$)' "$file" > /dev/null 2>&1; then
+            echo "  BLOCKED: $file contains merge conflict markers"
+            HYGIENE_FAILED=1
+        fi
+    done <<< "$STAGED_FILES"
+
+    # --- Secret patterns ---
+    SECRET_PATTERNS=(
+        'AKIA[0-9A-Z]{16}'                          # AWS access key
+        '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'  # Private keys
+        'ghp_[0-9a-zA-Z]{36}'                       # GitHub PAT
+        'gho_[0-9a-zA-Z]{36}'                       # GitHub OAuth
+        'ghu_[0-9a-zA-Z]{36}'                       # GitHub user token
+        'ghs_[0-9a-zA-Z]{36}'                       # GitHub server token
+        'xoxb-[0-9a-zA-Z-]+'                        # Slack bot token
+        'xoxp-[0-9a-zA-Z-]+'                        # Slack user token
+        'xoxa-[0-9a-zA-Z-]+'                        # Slack app token
+        'sk-[0-9a-zA-Z]{20,}'                       # API keys (OpenAI, etc.)
+        'password\s*=\s*["\x27][^"\x27]{4,}'        # password assignments
+        'api[_-]?key\s*=\s*["\x27][^"\x27]{8,}'     # api key assignments
+    )
+
+    while IFS= read -r file; do
+        [[ -z "$file" ]] && continue
+        [[ ! -f "$file" ]] && continue
+        # Skip binary files
+        if file --brief --mime "$file" | grep -q 'charset=binary'; then
+            continue
+        fi
+        for pattern in "${SECRET_PATTERNS[@]}"; do
+            if grep -nEi "$pattern" "$file" > /dev/null 2>&1; then
+                echo "  BLOCKED: $file may contain secrets (matched: ${pattern:0:30}...)"
+                HYGIENE_FAILED=1
+                break
+            fi
+        done
+    done <<< "$STAGED_FILES"
+
+    if (( HYGIENE_FAILED )); then
+        echo ""
+        echo "  FAILED: File hygiene checks"
+        echo "  Skip:   SKIP_HOOKS=hygiene git commit ..."
+        echo ""
+        FAILED=1
+    fi
+
+    end=$(now_ms)
+    print_timing "hygiene" "$start" "$end"
+fi
+
+# ══════════════════════════════════════════════════════════════
+
+if (( FAILED )); then
+    echo "pre-commit: BLOCKED (see above)"
+    echo "  Skip individual checks: SKIP_HOOKS=<name>[,<name>] git commit ..."
+    echo "  Skip all pre-commit:    SKIP_HOOKS=all git commit ..."
+    echo "  Bypass entirely:        git commit --no-verify"
+    exit 1
 fi

justfile

@@ -5,7 +5,13 @@ destination := "platform=macOS"
 # One-time post-clone setup
 setup:
     git config core.hooksPath .githooks
+    chmod +x .githooks/*
     rustup show
+    @if command -v swift-format &>/dev/null || xcrun --find swift-format &>/dev/null 2>&1; then \
+        echo "swift-format: found"; \
+    else \
+        echo "swift-format: not found (optional — install with: brew install swift-format)"; \
+    fi
 
 # Format Rust code
 fmt:
@@ -15,6 +21,32 @@ fmt:
 fmt-check:
     cargo fmt --all -- --check
 
+# Format Swift code
+fmt-swift:
+    #!/usr/bin/env bash
+    set -euo pipefail
+    if command -v swift-format &>/dev/null; then
+        SF="swift-format"
+    elif xcrun --find swift-format &>/dev/null 2>&1; then
+        SF="$(xcrun --find swift-format)"
+    else
+        echo "swift-format not found. Install: brew install swift-format" && exit 1
+    fi
+    find apps/ -name '*.swift' -print0 | xargs -0 "$SF" format -i
+
+# Check Swift formatting (CI)
+fmt-swift-check:
+    #!/usr/bin/env bash
+    set -euo pipefail
+    if command -v swift-format &>/dev/null; then
+        SF="swift-format"
+    elif xcrun --find swift-format &>/dev/null 2>&1; then
+        SF="$(xcrun --find swift-format)"
+    else
+        echo "swift-format not found. Install: brew install swift-format" && exit 1
+    fi
+    find apps/ -name '*.swift' -print0 | xargs -0 "$SF" lint --strict
+
 # Run clippy lints
 lint:
     RUSTFLAGS="-D warnings" cargo clippy --all-targets