chore: clean .gitignore cache

scripts/pre-commit-hooks/block-codeql-db-commits.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+staged=$(git diff --cached --name-only | tr '\r' '\n' || true)
+if [ -n "${staged}" ]; then
+  # Exclude the pre-commit-hooks directory and this script itself
+  filtered=$(echo "$staged" | grep -v '^scripts/pre-commit-hooks/' | grep -v '^data/backups/' || true)
+  if echo "$filtered" | grep -q "codeql-db"; then
+    echo "Error: Attempting to commit CodeQL database artifacts (codeql-db)." >&2
+    echo "These should not be committed. Remove them or add to .gitignore and try again." >&2
+    echo "Tip: Use 'scripts/repo_health_check.sh' to validate repository health." >&2
+    exit 1
+  fi
+fi
+exit 0

scripts/pre-commit-hooks/block-data-backups-commit.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+
+# Prevent committing any files under data/backups/ accidentally
+staged_files=$(git diff --cached --name-only || true)
+if [ -z "$staged_files" ]; then
+  exit 0
+fi
+
+for f in $staged_files; do
+  case "$f" in
+    data/backups/*)
+      echo "Error: Committing files under data/backups/ is blocked. Remove them from the commit and re-run." >&2
+      exit 1
+      ;;
+  esac
+done
+
+exit 0

scripts/pre-commit-hooks/check-lfs-for-large-files.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# pre-commit hook: ensure large files added to git are tracked by Git LFS
+MAX_BYTES=$((50 * 1024 * 1024))
+FAILED=0
+
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+if [ -z "$STAGED_FILES" ]; then
+  exit 0
+fi
+
+while read -r f; do
+  [ -z "$f" ] && continue
+  if [ -f "$f" ]; then
+    size=$(stat -c%s "$f")
+    if [ "$size" -gt "$MAX_BYTES" ]; then
+      # check if tracked by LFS via git check-attr
+      filter_attr=$(git check-attr --stdin filter <<<"$f" | awk '{print $3}' || true)
+      if [ "$filter_attr" != "lfs" ]; then
+        echo "ERROR: Large file not tracked by Git LFS: $f ($size bytes)" >&2
+        FAILED=1
+      fi
+    fi
+  fi
+done <<<"$STAGED_FILES"
+
+if [ $FAILED -ne 0 ]; then
+  echo "You must track large files in Git LFS. Aborting commit." >&2
+  exit 1
+fi
+
+exit 0

scripts/pre-commit-hooks/codeql-check-findings.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+# Check CodeQL SARIF results for HIGH/CRITICAL findings
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+FAILED=0
+
+check_sarif() {
+    local sarif_file=$1
+    local lang=$2
+
+    if [ ! -f "$sarif_file" ]; then
+        echo -e "${YELLOW}⚠️  No SARIF file found: $sarif_file${NC}"
+        echo "Run CodeQL scan first: pre-commit run codeql-$lang-scan --all-files"
+        return 0
+    fi
+
+    echo "🔍 Checking $lang findings..."
+
+    # Check for findings using jq (if available)
+    if command -v jq &> /dev/null; then
+        # Count high/critical severity findings
+        HIGH_COUNT=$(jq -r '.runs[].results[] | select(.level == "error" or .level == "warning") | .level' "$sarif_file" 2>/dev/null | wc -l || echo 0)
+
+        if [ "$HIGH_COUNT" -gt 0 ]; then
+            echo -e "${RED}❌ Found $HIGH_COUNT potential security issues in $lang code${NC}"
+            echo ""
+            echo "Summary:"
+            jq -r '.runs[].results[] | "\(.level): \(.message.text) (\(.locations[0].physicalLocation.artifactLocation.uri):\(.locations[0].physicalLocation.region.startLine))"' "$sarif_file" 2>/dev/null | head -10
+            echo ""
+            echo "View full results: code $sarif_file"
+            FAILED=1
+        else
+            echo -e "${GREEN}✅ No security issues found in $lang code${NC}"
+        fi
+    else
+        # Fallback: check if file has results
+        if grep -q '"results"' "$sarif_file" && ! grep -q '"results": \[\]' "$sarif_file"; then
+            echo -e "${YELLOW}⚠️  CodeQL findings detected in $lang (install jq for details)${NC}"
+            echo "View results: code $sarif_file"
+            FAILED=1
+        else
+            echo -e "${GREEN}✅ No security issues found in $lang code${NC}"
+        fi
+    fi
+}
+
+echo "🔒 Checking CodeQL findings..."
+echo ""
+
+check_sarif "codeql-results-go.sarif" "go"
+check_sarif "codeql-results-js.sarif" "js"
+
+if [ $FAILED -eq 1 ]; then
+    echo ""
+    echo -e "${RED}❌ CodeQL scan found security issues. Please fix before committing.${NC}"
+    echo ""
+    echo "To view results:"
+    echo "  - VS Code: Install SARIF Viewer extension"
+    echo "  - Command line: jq . codeql-results-*.sarif"
+    exit 1
+fi
+
+echo ""
+echo -e "${GREEN}✅ All CodeQL checks passed${NC}"

scripts/pre-commit-hooks/codeql-go-scan.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+# Pre-commit CodeQL Go scan - CI-aligned
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}🔍 Running CodeQL Go scan (CI-aligned)...${NC}"
+echo ""
+
+# Clean previous database
+rm -rf codeql-db-go
+
+# Create database
+echo "📦 Creating CodeQL database..."
+codeql database create codeql-db-go \
+  --language=go \
+  --source-root=backend \
+  --threads=0 \
+  --overwrite
+
+echo ""
+echo "📊 Analyzing with security-and-quality suite..."
+# Analyze with CI-aligned suite
+codeql database analyze codeql-db-go \
+  codeql/go-queries:codeql-suites/go-security-and-quality.qls \
+  --format=sarif-latest \
+  --output=codeql-results-go.sarif \
+  --sarif-add-baseline-file-info \
+  --threads=0
+
+echo -e "${GREEN}✅ CodeQL Go scan complete${NC}"
+echo "Results saved to: codeql-results-go.sarif"
+echo ""
+echo "Run 'pre-commit run codeql-check-findings' to validate findings"

scripts/pre-commit-hooks/codeql-js-scan.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# Pre-commit CodeQL JavaScript/TypeScript scan - CI-aligned
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}🔍 Running CodeQL JavaScript/TypeScript scan (CI-aligned)...${NC}"
+echo ""
+
+# Remove generated artifacts that can create noisy/false findings during CodeQL analysis
+rm -rf frontend/coverage frontend/dist playwright-report test-results coverage
+
+# Clean previous database
+rm -rf codeql-db-js
+
+# Create database
+echo "📦 Creating CodeQL database..."
+codeql database create codeql-db-js \
+  --language=javascript \
+  --build-mode=none \
+  --source-root=frontend \
+  --threads=0 \
+  --overwrite
+
+echo ""
+echo "📊 Analyzing with security-and-quality suite..."
+# Analyze with CI-aligned suite
+codeql database analyze codeql-db-js \
+  codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls \
+  --format=sarif-latest \
+  --output=codeql-results-js.sarif \
+  --sarif-add-baseline-file-info \
+  --threads=0
+
+echo -e "${GREEN}✅ CodeQL JavaScript/TypeScript scan complete${NC}"
+echo "Results saved to: codeql-results-js.sarif"
+echo ""
+echo "Run 'pre-commit run codeql-check-findings' to validate findings"

scripts/pre-commit-hooks/golangci-lint-fast.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Wrapper script for golangci-lint fast linters in pre-commit
+# This ensures golangci-lint works in both terminal and VS Code pre-commit integration
+
+# Find golangci-lint in common locations
+GOLANGCI_LINT=""
+
+# Check if already in PATH
+if command -v golangci-lint >/dev/null 2>&1; then
+    GOLANGCI_LINT="golangci-lint"
+else
+    # Check common installation locations
+    COMMON_PATHS=(
+        "$HOME/go/bin/golangci-lint"
+        "/usr/local/bin/golangci-lint"
+        "/usr/bin/golangci-lint"
+        "${GOPATH:-$HOME/go}/bin/golangci-lint"
+    )
+
+    for path in "${COMMON_PATHS[@]}"; do
+        if [[ -x "$path" ]]; then
+            GOLANGCI_LINT="$path"
+            break
+        fi
+    done
+fi
+
+# Exit if not found
+if [[ -z "$GOLANGCI_LINT" ]]; then
+    echo "ERROR: golangci-lint not found in PATH or common locations"
+    echo "Searched:"
+    echo "  - PATH: $PATH"
+    echo "  - $HOME/go/bin/golangci-lint"
+    echo "  - /usr/local/bin/golangci-lint"
+    echo "  - /usr/bin/golangci-lint"
+    echo ""
+    echo "Install from: https://golangci-lint.run/usage/install/"
+    exit 1
+fi
+
+# Change to backend directory and run golangci-lint
+cd "$(dirname "$0")/../../backend" || exit 1
+exec "$GOLANGCI_LINT" run --config .golangci-fast.yml ./...

scripts/pre-commit-hooks/golangci-lint-full.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Wrapper script for golangci-lint full linters in pre-commit
+# This ensures golangci-lint works in both terminal and VS Code pre-commit integration
+
+# Find golangci-lint in common locations
+GOLANGCI_LINT=""
+
+# Check if already in PATH
+if command -v golangci-lint >/dev/null 2>&1; then
+    GOLANGCI_LINT="golangci-lint"
+else
+    # Check common installation locations
+    COMMON_PATHS=(
+        "$HOME/go/bin/golangci-lint"
+        "/usr/local/bin/golangci-lint"
+        "/usr/bin/golangci-lint"
+        "${GOPATH:-$HOME/go}/bin/golangci-lint"
+    )
+
+    for path in "${COMMON_PATHS[@]}"; do
+        if [[ -x "$path" ]]; then
+            GOLANGCI_LINT="$path"
+            break
+        fi
+    done
+fi
+
+# Exit if not found
+if [[ -z "$GOLANGCI_LINT" ]]; then
+    echo "ERROR: golangci-lint not found in PATH or common locations"
+    echo "Searched:"
+    echo "  - PATH: $PATH"
+    echo "  - $HOME/go/bin/golangci-lint"
+    echo "  - /usr/local/bin/golangci-lint"
+    echo "  - /usr/bin/golangci-lint"
+    echo ""
+    echo "Install from: https://golangci-lint.run/usage/install/"
+    exit 1
+fi
+
+# Change to backend directory and run golangci-lint
+cd "$(dirname "$0")/../../backend" || exit 1
+exec "$GOLANGCI_LINT" run -v ./...