chore: prep pre-commit runner

.detect-secrets.cfg

@@ -7,6 +7,10 @@
 [exclude-files]
 # pnpm lockfiles contain lots of high-entropy package integrity blobs.
 pattern = (^|/)pnpm-lock\.yaml$
+# Generated output and vendored assets.
+pattern = (^|/)(dist|vendor)/
+# Local config file with allowlist patterns.
+pattern = (^|/)\.detect-secrets\.cfg$
 
 [exclude-lines]
 # Fastlane checks for private key marker; not a real key.

.pre-commit-config.yaml

@@ -24,7 +24,27 @@ repos:
     rev: v1.5.0
     hooks:
       - id: detect-secrets
-        args: [--baseline, .secrets.baseline]
+        args:
+          - --baseline
+          - .secrets.baseline
+          - --exclude-files
+          - '(^|/)(dist/|vendor/|pnpm-lock\.yaml$|\.detect-secrets\.cfg$)'
+          - --exclude-lines
+          - 'key_content\.include\?\("BEGIN PRIVATE KEY"\)'
+          - --exclude-lines
+          - 'case \.apiKeyEnv: "API key \(env var\)"'
+          - --exclude-lines
+          - 'case apikey = "apiKey"'
+          - --exclude-lines
+          - '"gateway\.remote\.password"'
+          - --exclude-lines
+          - '"gateway\.auth\.password"'
+          - --exclude-lines
+          - '"talk\.apiKey"'
+          - --exclude-lines
+          - '=== "string"'
+          - --exclude-lines
+          - 'typeof remote\?\.password === "string"'
 
   # Shell script linting
   - repo: https://github.com/koalaman/shellcheck-precommit
@@ -55,7 +75,7 @@ repos:
       # oxlint --type-aware src test
       - id: oxlint
         name: oxlint
-        entry: npx oxlint --type-aware src test
+        entry: scripts/pre-commit/run-node-tool.sh oxlint --type-aware src test
         language: system
         pass_filenames: false
         types_or: [javascript, jsx, ts, tsx]
@@ -63,7 +83,7 @@ repos:
       # oxfmt --check src test
       - id: oxfmt
         name: oxfmt
-        entry: npx oxfmt --check src test
+        entry: scripts/pre-commit/run-node-tool.sh oxfmt --check src test
         language: system
         pass_filenames: false
         types_or: [javascript, jsx, ts, tsx]

.secrets.baseline

@@ -2210,16 +2210,7 @@
         "is_verified": false,
         "line_number": 182
       }
-    ],
-    "vendor/a2ui/README.md": [
-      {
-        "type": "Secret Keyword",
-        "filename": "vendor/a2ui/README.md",
-        "hashed_secret": "2619a5397a5d054dab3fe24e6a8da1fbd76ec3a6",
-        "is_verified": false,
-        "line_number": 123
-      }
     ]
   },
-  "generated_at": "2026-01-25T06:57:20Z"
+  "generated_at": "2026-01-25T10:46:40Z"
 }

scripts/pre-commit/run-node-tool.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+
+if [[ $# -lt 1 ]]; then
+  echo "usage: run-node-tool.sh <tool> [args...]" >&2
+  exit 2
+fi
+
+tool="$1"
+shift
+
+if [[ -f "$ROOT_DIR/pnpm-lock.yaml" ]] && command -v pnpm >/dev/null 2>&1; then
+  exec pnpm exec "$tool" "$@"
+fi
+
+if { [[ -f "$ROOT_DIR/bun.lockb" ]] || [[ -f "$ROOT_DIR/bun.lock" ]]; } && command -v bun >/dev/null 2>&1; then
+  exec bunx --bun "$tool" "$@"
+fi
+
+if command -v npm >/dev/null 2>&1; then
+  exec npm exec -- "$tool" "$@"
+fi
+
+if command -v npx >/dev/null 2>&1; then
+  exec npx "$tool" "$@"
+fi
+
+echo "Missing package manager: pnpm, bun, or npm required." >&2
+exit 1