From 86b6815d2b37c336ff7ef2af4c6287123822861f Mon Sep 17 00:00:00 2001
From: Laith Al-Saadoon <9553966+theagenticguy@users.noreply.github.com>
Date: Fri, 29 May 2026 06:46:34 -0500
Subject: [PATCH] chore(repo): pin lefthook in mise + make banned-strings bash-3.2 compatible
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Two dev-tooling gaps that broke git hooks on a stock macOS box:
- mise.toml [tools] didn't pin lefthook, so a stale global mise lefthook@2.1.1 shadowed the 2.1.8 devDep and failed lefthook.yml's min_version: 2.1.6 — every commit-msg/pre-push hook aborted with 'required lefthook version (2.1.6) is higher than current (2.1.1)'. Pin lefthook=2.1.8 (matches root devDep).
- scripts/check-banned-strings.sh used 'declare -A' (bash 4+), but macOS ships bash 3.2, so the pre-commit banned-strings gate crashed with 'declare: -A: invalid option' instead of running. The associative array was an empty future-hook placeholder; replace with a portable 'case' function that keeps the same per-literal-allowlist extension point.
Validated: banned-strings now PASSes under /bin/bash 3.2; mise resolves lefthook -> 2.1.8.
---
 mise.toml | 1 +
 scripts/check-banned-strings.sh | 15 +++++++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/mise.toml b/mise.toml
index 9182feaa..ff3db904 100644
--- a/mise.toml
+++ b/mise.toml
@@ -5,6 +5,7 @@ python = "3.12"
 uv = "latest"
 "npm:node-gyp" = "latest" # fallback native build for @duckdb/node-api / onnxruntime-node when a platform prebuild is missing (parsing is WASM-only — ADR 0015)
 "aqua:betterleaks/betterleaks" = "1.2.0" # secret scanner — used by analyze + pre-release gate
+lefthook = "2.1.8" # git hooks — must satisfy lefthook.yml min_version (2.1.6); matches root devDep so a stale global mise install can't shadow it
 [env]
 # Python venv used to be anchored at packages/eval/.venv while the eval
diff --git a/scripts/check-banned-strings.sh b/scripts/check-banned-strings.sh
index ddbbafa9..634fa81c 100755
--- a/scripts/check-banned-strings.sh
+++ b/scripts/check-banned-strings.sh
@@ -66,14 +66,21 @@ fail=0
 # and a first-class product name in docs); kept as a hook for future
 # situational allowlists.
 #
-# Indexed by literal. A line is only forgiven if EVERY banned-literal match
-# on that line is covered by the tolerated pattern.
-declare -A LITERAL_ALLOWLIST_REGEX=()
+# Returns a regex of tolerated substrings for the given literal, or empty. A
+# line is only forgiven if EVERY banned-literal match on it is covered. This
+# is a `case` function rather than an associative array (`declare -A`) so the
+# script runs on stock macOS bash 3.2; add `LITERAL) printf '' ;;`
+# arms here as future allowlists arise.
+literal_allowlist_regex() {
+ case "$1" in
+ *) printf '' ;;
+ esac
+}
 # Literal-string sweep (case-insensitive).
 for pat in "${BANNED_LITERALS[@]}"; do
 if matches=$(git grep -I -n -i -e "$pat" --untracked -- "${EXCLUDES[@]}" 2>/dev/null); then
- allow="${LITERAL_ALLOWLIST_REGEX[$pat]:-}"
+ allow="$(literal_allowlist_regex "$pat")"
 if [ -n "$allow" ]; then
 # Strip every allow-listed occurrence from each hit; if the line still
 # contains the banned literal, it's a real fail.
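Review bot: The extension point documented above `literal_allowlist_regex` tells future authors to emit the tolerated regex as printf's format string, so a pattern containing `\` or `%` would be rewritten by printf before it reaches the stripping step and the gate could forgive different text than intended. I would document the arm as `LITERAL) printf '%s' 'REGEX' ;;` (REGEX being a placeholder) and keep `*) printf '' ;;` as the default, which leaves `allow` empty for every literal without an arm. The arm label is also a case-sensitive glob compared with the `BANNED_LITERALS` entry, while the sweep itself runs `git grep -i`, so the comment should add `# arm label must equal the BANNED_LITERALS entry exactly; quote it if it contains *, ? or [`. The `for` loop that consumes `allow` continues past the end of the hunk, so how the regex is applied is not visible here.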