feat(flakeModules): terraform/ansible/python profile modules #34
Merged
Each profile composes flakeModules.dev-hygiene with a small set of language-specific git-hooks.nix hooks so a consumer picks one import:

imports = [ inputs.nix-devenv.flakeModules.terraform ];

Hooks enabled on top of base hygiene:

terraform - terraform-format, terraform-validate, tflint
ansible - ansible-lint, yamllint
python - ruff, ruff-format, mypy

base / nix / markdown are exposed as aliases for dev-hygiene because the base wiring already covers nix lints (deadnix/statix) and markdownlint via file-glob-filtered hooks - those run inertly when matching files are absent, so a single base profile is correct for those ecosystems.

tests/profile-modules/<profile>/ houses one validator flake per profile. Running `nix flake check` in each exercises the full hook chain end-to-end; the terraform validator caught the underscore-vs-hyphen drift in git-hooks.nix hook names (terraform-format, terraform-validate) before the profile shipped to any consumer repo, and locks the names against future drift.

Refs: shared pre-commit architecture rollout, Phase 1a.

Assisted-by: Claude <noreply@anthropic.com>
This was referenced May 31, 2026
Merged
JacobPEvans-personal added a commit to dryvist/docs that referenced this pull request May 31, 2026
* docs(conventions): pre-commit architecture page
Document the shared pre-commit architecture as a public-facing
convention page mirroring the auto-loaded agentsmd rule.
Adds conventions/pre-commit.mdx and the corresponding entry to
docs.json's Conventions group nav.
Covers:
- Canonical homes table (Nix-path nix-devenv, non-Nix-path
dryvist/.github precommit/, lint configs in dryvist/.github)
- Six profiles (base, nix, markdown, terraform, ansible, python)
- Consumer patterns for Nix and non-Nix paths with full snippets
- The `nix flake init -t #with-hooks` scaffold
- Why one canonical home per artifact (single update propagates,
drift dies, one-line onboarding)
- What stays per-repo (checkov, bandit, detect-secrets, AWS/GCP/
Azure tflint plugins) and why
- Known limitations matching the agentsmd rule
Mirrors:
https://github.com/dryvist/ai-assistant-instructions/blob/main/agentsmd/rules/pre-commit.md
Refs: dryvist/nix-devenv#34, #35, dryvist/.github#12, dryvist/terraform-runs-on#80, dryvist/ai-assistant-instructions#661
Assisted-by: Claude <noreply@anthropic.com>
* docs(nav): wire conventions/pre-commit into docs.json sidebar
Forgot to stage the nav update in the previous commit; the page
exists but wasn't discoverable through the sidebar.
Assisted-by: Claude <noreply@anthropic.com>
Summary

- Adds `flakeModules.{terraform,ansible,python}` profile modules — each composes `dev-hygiene` (base wiring) with a small set of language-specific git-hooks.nix hooks. Consumers pick one import:
- Exposes `flakeModules.{base,nix,markdown}` as aliases for `dev-hygiene`. The base wiring already covers nix lints (deadnix/statix) and `markdownlint-cli2`; file-glob filtering makes them inert when matching files are absent, so a base profile is correct for those ecosystems.
- Adds `tests/profile-modules/<profile>/` validator flakes — one per profile, each `nix flake check`-able. They exercise the full hook chain and lock the git-hooks.nix attribute names against future drift. The terraform validator caught the underscore-vs-hyphen drift (`terraform-format`, `terraform-validate`) before this PR shipped.

Hooks enabled per profile (on top of base)

- terraform: `terraform-format`, `terraform-validate`, `tflint`
- ansible: `ansible-lint`, `yamllint`
- python: `ruff`, `ruff-format`, `mypy`

`checkov` (3 inventory repos), `bandit` / `detect-secrets` (1 each) stay opt-in per repo to keep the profile fast — consumers enable them locally.

Architecture context

This is Phase 1a of the shared pre-commit rollout. Phase 1b lands the canonical shared lint configs (`.markdownlint`, `.tflint.hcl`, `.ansible-lint`, `.yamllint.yml`) in `dryvist/.github/precommit/configs/`. After Phase 1b lands, a follow-up to this work wires `lib.fetch-shared-configs.nix` so the profiles pass `--config <nix-store-path>` and consumer repos can delete their copies. Phase 2 migrates 16+ Nix-flake repos to a one-line `imports = [ ... ]`.

Background and full plan: the architecture was decided in the user's planning session — `dryvist/.github` is the single canonical home for shared configs (Biome / markdownlint precedent), `nix-devenv` is the canonical home for the Nix-side hook module.

Test plan

- `cd tests/profile-modules/terraform && nix flake check` succeeds locally (verified)
- `cd tests/profile-modules/ansible && nix flake check` succeeds locally (verified)
- `cd tests/profile-modules/python && nix flake check` succeeds locally (verified)
- `flakeModules.terraform` in `terraform-runs-on` as a Phase 2 trial migration (separate PR)

Assisted-by: Claude noreply@anthropic.com
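
The underscore-vs-hyphen drift that the terraform validator caught can also be flagged by a static name check before evaluation. This is an added example, not code from this PR or from nix-devenv: it scans a module's text for enabled hooks and compares them with the hook names listed in the description above. It assumes hooks are enabled with a `hooks.<name>.enable = true;` attribute path; `enabled_hooks`, `check_profile` and the sample text are hypothetical and constructed.

```python
import re
from typing import NamedTuple, Optional

# Hook names per profile, exactly as listed in the PR description.
PROFILE_HOOKS = {
    "terraform": ("terraform-format", "terraform-validate", "tflint"),
    "ansible": ("ansible-lint", "yamllint"),
    "python": ("ruff", "ruff-format", "mypy"),
}

# Assumption: hooks are enabled as `hooks.<name>.enable = true;` (name optionally quoted).
ENABLE_RE = re.compile(r'hooks\.("?)([A-Za-z0-9_-]+)\1\.enable\s*=\s*true\s*;')

class Finding(NamedTuple):
    declared: str              # name as written in the module
    kind: str                  # "drift" (separator/case mismatch) or "unknown"
    suggestion: Optional[str]  # expected spelling when kind == "drift"

def _fold(name: str) -> str:
    """Fold separators and case so terraform_format == terraform-format."""
    return name.replace("_", "-").lower()

def enabled_hooks(nix_source: str) -> list:
    """Return the hook names enabled in a module's source text, in order."""
    return [m.group(2) for m in ENABLE_RE.finditer(nix_source)]

def check_profile(profile: str, nix_source: str) -> tuple:
    """Return (findings, missing): misnamed hooks and expected hooks not enabled."""
    expected = PROFILE_HOOKS[profile]
    folded = {_fold(n): n for n in expected}
    declared = enabled_hooks(nix_source)
    findings = []
    for name in declared:
        if name in expected:
            continue
        hit = folded.get(_fold(name))
        findings.append(Finding(name, "drift" if hit else "unknown", hit))
    missing = [n for n in expected if n not in declared]
    return findings, missing

# Constructed sample: a terraform profile written with underscore names.
SAMPLE_DRIFTED = """\
pre-commit.settings.hooks.terraform_format.enable = true;
pre-commit.settings.hooks.terraform_validate.enable = true;
pre-commit.settings.hooks.tflint.enable = true;
"""
```

A drifted name shows up twice, once as a `drift` finding with the expected spelling and once in `missing`, because the correctly named hook is never enabled.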