diff --git a/mise.toml b/mise.toml
index 9182fea..ff3db90 100644
--- a/mise.toml
+++ b/mise.toml
@@ -5,6 +5,7 @@ python = "3.12"
 uv = "latest"
 "npm:node-gyp" = "latest" # fallback native build for @duckdb/node-api / onnxruntime-node when a platform prebuild is missing (parsing is WASM-only — ADR 0015)
 "aqua:betterleaks/betterleaks" = "1.2.0" # secret scanner — used by analyze + pre-release gate
+lefthook = "2.1.8" # git hooks — must satisfy lefthook.yml min_version (2.1.6); matches root devDep so a stale global mise install can't shadow it
 
 [env]
 # Python venv used to be anchored at packages/eval/.venv while the eval
diff --git a/scripts/check-banned-strings.sh b/scripts/check-banned-strings.sh
index ddbbafa..634fa81 100755
--- a/scripts/check-banned-strings.sh
+++ b/scripts/check-banned-strings.sh
@@ -66,14 +66,21 @@ fail=0
 # and a first-class product name in docs); kept as a hook for future
 # situational allowlists.
 #
-# Indexed by literal. A line is only forgiven if EVERY banned-literal match
-# on that line is covered by the tolerated pattern.
-declare -A LITERAL_ALLOWLIST_REGEX=()
+# Returns a regex of tolerated substrings for the given literal, or empty. A
+# line is only forgiven if EVERY banned-literal match on it is covered. This
+# is a `case` function rather than an associative array (`declare -A`) so the
+# script runs on stock macOS bash 3.2; add `LITERAL) printf '' ;;`
+# arms here as future allowlists arise.
+literal_allowlist_regex() {
+  case "$1" in
+    *) printf '' ;;
+  esac
+}
 
 # Literal-string sweep (case-insensitive).
 for pat in "${BANNED_LITERALS[@]}"; do
   if matches=$(git grep -I -n -i -e "$pat" --untracked -- "${EXCLUDES[@]}" 2>/dev/null); then
-    allow="${LITERAL_ALLOWLIST_REGEX[$pat]:-}"
+    allow="$(literal_allowlist_regex "$pat")"
     if [ -n "$allow" ]; then
       # Strip every allow-listed occurrence from each hit; if the line still
       # contains the banned literal, it's a real fail.
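Review bot: The new `lefthook` pin is a bare key while the neighbouring entries spell out their backend (`"npm:node-gyp"`, `"aqua:betterleaks/betterleaks"`), so which backend resolves `lefthook` — and therefore where the binary is fetched from — is left to mise's registry default rather than being visible in the file. For a tool that runs on every commit, naming the backend in the key the way the sibling lines do keeps provenance reviewable; the exact prefix depends on the registry entry, so confirm it against mise's registry before changing the key. The trailing comment states it "matches root devDep", but nothing in this hunk enforces that and the two pins can silently diverge; if a drift check exists elsewhere in the repo, point to it, e.g. `# ... keep in sync with the lefthook devDependency in package.json (see drift check)`, otherwise consider adding one.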
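Review bot: The comment's template for future arms, `LITERAL) printf '' ;;`, invites writing the allowlist regex as printf's format string, where `%` and backslash sequences such as `\.` or `\d` are interpreted rather than emitted; the pattern should be passed as an argument, so the comment should read `add \`LITERAL) printf '%s' 'REGEX' ;;\` arms`. Separately, the arm label is a shell glob matched against `$pat`, so a banned literal containing `*`, `?` or `[` must be quoted in its arm (e.g. `'a.*b') printf '%s' '...' ;;`) or the arm will match a different set of literals than intended — worth one line in the same comment. The `*) printf '' ;;` default is correct as written, since `$(...)` yields an empty string and the `[ -n "$allow" ]` check below skips the allowlist path. The enclosing `for` loop continues past the end of the hunk.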