chore: git cache cleanup

scripts/pre-commit-hooks/gitleaks-tuned-scan.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly SCRIPT_DIR
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+readonly REPO_ROOT
+readonly DEFAULT_REPORT_PATH="${REPO_ROOT}/test-results/security/gitleaks-tuned-precommit.json"
+readonly REPORT_PATH="${GITLEAKS_REPORT_PATH:-${DEFAULT_REPORT_PATH}}"
+
+if ! command -v rsync >/dev/null 2>&1; then
+  echo "Error: rsync is not installed or not in PATH" >&2
+  exit 127
+fi
+
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo "Error: gitleaks is not installed or not in PATH" >&2
+  echo "Install: https://github.com/gitleaks/gitleaks" >&2
+  exit 127
+fi
+
+TEMP_ROOT="$(mktemp -d -t gitleaks-tuned-XXXXXX)"
+cleanup() {
+  rm -rf "${TEMP_ROOT}"
+}
+trap cleanup EXIT
+
+readonly FILTERED_SOURCE="${TEMP_ROOT}/source-filtered"
+mkdir -p "${FILTERED_SOURCE}"
+mkdir -p "$(dirname "${REPORT_PATH}")"
+
+cd "${REPO_ROOT}"
+
+echo "Preparing filtered source tree for tuned gitleaks scan"
+rsync -a --delete \
+  --exclude='.cache/' \
+  --exclude='node_modules/' \
+  --exclude='frontend/node_modules/' \
+  --exclude='backend/.venv/' \
+  --exclude='dist/' \
+  --exclude='build/' \
+  --exclude='coverage/' \
+  --exclude='test-results/' \
+  ./ "${FILTERED_SOURCE}/"
+
+echo "Running gitleaks tuned scan (no-git mode)"
+gitleaks detect \
+  --source "${FILTERED_SOURCE}" \
+  --no-git \
+  --report-format json \
+  --report-path "${REPORT_PATH}" \
+  --exit-code 1 \
+  --no-banner
+
+echo "Gitleaks report: ${REPORT_PATH}"