From 2ffb960bf3c974ead894dd39481bec46980b3022 Mon Sep 17 00:00:00 2001
From: Melvin PETIT
Date: Fri, 12 Jun 2026 10:51:28 +0200
Subject: [PATCH 1/3] docs(agents): align checks with CI gates
---
 AGENTS.md | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/AGENTS.md b/AGENTS.md
index 5191550..326c75e 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -14,26 +14,41 @@ Rules for AI assistants (Claude Code, Codex, Cursor, etc.) contributing to this
 - No comments unless the WHY is non-obvious (hidden constraint, workaround for a specific bug, surprising invariant).
 - No multi-line docstrings or comment blocks.
 - No error handling for impossible cases. Trust framework guarantees. Validate only at system boundaries (user input, external APIs).
-- No unused variables prefixed with `_` to silence linters — remove the variable.
+- No unused variables prefixed with `_` to silence linters, remove the variable.
+- ASCII only in source and docs. No em dash, no accented or other non-ASCII characters (CI compliance blocks them).
 
 ## Security
 
 - Never hardcode secrets, tokens, API keys, or credentials.
 - Never log sensitive data (passwords, tokens, PII).
 - If a vulnerability is introduced (XSS, SQL injection, command injection, etc.), fix it immediately before proceeding.
-- If a pre-existing vulnerability is found in adjacent code (not introduced by the current change), do not touch it — emit a loud warning to the user in the chat (bold, clearly marked as a security issue) and continue with the requested scope.
+- If a pre-existing vulnerability is found in adjacent code (not introduced by the current change), do not touch it, emit a loud warning to the user in the chat (bold, clearly marked as a security issue) and continue with the requested scope.
 
 ## Commits
 
-Follow [Conventional Commits](https://www.conventionalcommits.org/) — same rules as in [CONTRIBUTING.md](CONTRIBUTING.md).
+Follow [Conventional Commits](https://www.conventionalcommits.org/), same rules as in [CONTRIBUTING.md](CONTRIBUTING.md).
 
-- Subject ≤ 50 characters.
+- Subject 50 characters or fewer.
 - No `Co-Authored-By` lines.
 - Body only when the "why" is not obvious from the diff.
+- The **PR title** is the gate validated by CI (squash merge uses it), so it must be a valid Conventional Commit, not just the individual commits.
+
+## Dependencies
+
+- Do not add a dependency without a clear need; prefer existing ones.
+- New dependencies must not introduce high or critical advisories (`npm audit --audit-level=high` blocks CI).
 
 ## Before proposing changes
 
-- Verify TypeScript types pass (`npm run typecheck` if available).
-- Respect the existing Prettier config — do not reformat unrelated lines.
+Run the same gates CI enforces, in this order:
+
+- Lint with zero warnings: `npm run lint -- --max-warnings 0`.
+- Type check: `npx tsc --noEmit`.
+- Validate the Prisma schema when `prisma/` changes: `npx prisma validate`.
+- Confirm the build passes without real secrets: `npm run build`.
+
+Also:
+
+- Respect the existing Prettier config, do not reformat unrelated lines.
 - Do not push to remote unless explicitly asked.
 - Do not open, close, or comment on issues or pull requests unless explicitly asked.
From 51c95a309ccc32a2bfea320de98f7d917cbdaad8 Mon Sep 17 00:00:00 2001
From: Melvin PETIT
Date: Fri, 12 Jun 2026 11:03:10 +0200
Subject: [PATCH 2/3] chore(hooks): block non-ascii in added lines pre-push
---
 .githooks/lib/check-ascii.sh | 20 ++++++++++++++++++++
 .githooks/pre-push | 14 +++++++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100755 .githooks/lib/check-ascii.sh
diff --git a/.githooks/lib/check-ascii.sh b/.githooks/lib/check-ascii.sh
new file mode 100755
index 0000000..474cebb
--- /dev/null
+++ b/.githooks/lib/check-ascii.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env sh
+# Reject non-ASCII bytes (em dash, accented letters, smart quotes) in added
+# lines. Reads "path:line:content". Stricter superset of check-english.sh.
+set -eu
+status=0
+
+while IFS= read -r entry; do
+ path=${entry%%:*}
+ case "$path" in
+ *.png|*.jpg|*.jpeg|*.gif|*.ico|*.svg|*.woff|*.woff2|*.ttf) continue ;;
+ package-lock.json|*.lock) continue ;;
+ esac
+ rest=${entry#*:}; content=${rest#*:}
+ if printf '%s' "$content" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
+ echo "Non-ASCII character: ${path}:${rest%%:*}"
+ status=1
+ fi
+done
+
+exit $status
diff --git a/.githooks/pre-push b/.githooks/pre-push
index b7db825..8b4540c 100755
--- a/.githooks/pre-push
+++ b/.githooks/pre-push
@@ -1,6 +1,18 @@
 #!/usr/bin/env sh
-# Local gate: type-check before push to catch errors earlier than CI.
+# Local gate before push: catch what CI would reject, earlier.
 set -eu
+root="$(git rev-parse --show-toplevel)"
+lib="$root/.githooks/lib"
+
 echo "[pre-push] type-check"
 npx tsc --noEmit
+
+echo "[pre-push] ascii-only (added lines vs origin/main)"
+base="$(git merge-base origin/main HEAD 2>/dev/null || git rev-parse HEAD)"
+sh "$lib/added-lines.sh" range "$base" | sh "$lib/check-ascii.sh" || {
+ echo ""
+ echo "Push blocked: non-ASCII characters in added lines (em dash, accents)."
+ echo "CI compliance rejects these. Do not bypass with --no-verify."
+ exit 1
+}
From d02a42974450ed6aa44906d0fa3c1fce7c1ed7ea Mon Sep 17 00:00:00 2001
From: Melvin PETIT
Date: Fri, 12 Jun 2026 11:04:12 +0200
Subject: [PATCH 3/3] ci(compliance): enforce ascii-only via run-all
---
 .githooks/lib/run-all.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.githooks/lib/run-all.sh b/.githooks/lib/run-all.sh
index 3dd2f9c..5768dfa 100755
--- a/.githooks/lib/run-all.sh
+++ b/.githooks/lib/run-all.sh
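Review bot: The `echo "Non-ASCII character: ..."` line mislabels part of what the `grep -q '[^[:print:][:space:]]'` test rejects: under `LC_ALL=C` that class also matches ASCII control bytes such as ESC (0x1B) and DEL (0x7F), so a stray terminal escape sequence in an added line is reported as non-ASCII. Either narrow the pattern to bytes above 0x7F with `'[^[:print:][:cntrl:]]'`, or keep the stricter check and say so in the message, e.g. `printf '%s\n' "Non-ASCII or control character: ${path}:${rest%%:*}"`. The `printf` form is also the safer choice because the path comes from the repository and some `/bin/sh` implementations of `echo` interpret backslash sequences in their argument. The header comment could additionally mention that one `grep` is spawned per added line, which is acceptable for a pre-push gate but noticeably slow on large imports.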
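Review bot: The `base=` line degrades silently when `origin/main` cannot be resolved: the fallback to `git rev-parse HEAD` asks `added-lines.sh` to compare HEAD with itself, which presumably yields no added lines, so the ascii-only gate passes with no sign that it was skipped, undercutting the "Do not bypass" wording in the failure message. Make the fallback visible, for example `base="$(git merge-base origin/main HEAD 2>/dev/null)" || { echo "[pre-push] warning: origin/main not found, ascii-only check compares nothing" >&2; base=HEAD; }`. Separately, this is `sh` without `pipefail`, so a failure of `added-lines.sh` itself is masked by the pipe and also reads as a pass; writing its output to a temp file first and checking its status, as `run-all.sh` appears to do with `$added`, would close that gap.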
@@ -15,6 +15,7 @@ sh "$lib/check-env-files.sh" "$@" || status=1
 sh "$lib/check-ai-attribution.sh" < "$added" || status=1
 sh "$lib/check-secrets.sh" < "$added" || status=1
 sh "$lib/check-english.sh" < "$added" || status=1
+sh "$lib/check-ascii.sh" < "$added" || status=1
 sh "$lib/check-forbidden-patterns.sh" < "$added" || status=1
 
 exit $status
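Review bot: The new `check-ascii.sh` line runs on the same `$added` stream immediately after `check-english.sh`, and check-ascii.sh's own header calls itself a stricter superset of that script, so a line containing non-ASCII bytes is likely reported twice under two different labels. If keeping both is deliberate, a one-line comment on the new line would stop the next reader from treating it as a duplicate, e.g. `# overlaps with check-english.sh by design; expect two reports for the same line`. The enclosing script's earlier lines, including where `$added` is produced, are outside the hunk.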