fix(hooks): use printf instead of echo for ANSI colors

jdalton · jdalton · commit cd0fb50ae041 · 2025-11-07T18:18:00.000-05:00
Replace echo with printf in git hooks for consistent ANSI color
rendering across platforms. The echo command behavior varies between
shells (some require -e, others don't support it), while printf
consistently interprets escape sequences on all platforms.
diff --git a/.git-hooks/pre-push b/.git-hooks/pre-push
@@ -11,7 +11,7 @@ YELLOW='\033[1;33m'
 GREEN='\033[0;32m'
 NC='\033[0m'
 
-echo "${GREEN}Running mandatory pre-push validation...${NC}"
+printf "${GREEN}Running mandatory pre-push validation...${NC}\n"
 
 # Allowed public API key (used in socket-lib).
 ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
@@ -38,60 +38,60 @@ while read local_ref local_sha remote_ref remote_sha; do
   # ============================================================================
   # CHECK 1: Scan commit messages for AI attribution
   # ============================================================================
-  echo "Checking commit messages for AI attribution..."
+  printf "Checking commit messages for AI attribution...\n"
 
   # Check each commit in the range for AI patterns.
   while IFS= read -r commit_sha; do
     full_msg=$(git log -1 --format='%B' "$commit_sha")
 
     if echo "$full_msg" | grep -qiE "(Generated with|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|Claude Code|@anthropic|Assistant:|Generated by Claude|Machine generated)"; then
       if [ $ERRORS -eq 0 ]; then
-        echo "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}"
-        echo "Commits with AI attribution:"
+        printf "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}\n"
+        printf "Commits with AI attribution:\n"
       fi
-      echo "  - $(git log -1 --oneline "$commit_sha")"
+      printf "  - $(git log -1 --oneline "$commit_sha")\n"
       ERRORS=$((ERRORS + 1))
     fi
   done < <(git rev-list "$range")
 
   if [ $ERRORS -gt 0 ]; then
-    echo ""
-    echo "These commits were likely created with --no-verify, bypassing the"
-    echo "commit-msg hook that strips AI attribution."
-    echo ""
-    echo "To fix:"
-    echo "  git rebase -i $remote_sha"
-    echo "  Mark commits as 'reword', remove AI attribution, save"
-    echo "  git push"
+    printf "\n"
+    printf "These commits were likely created with --no-verify, bypassing the\n"
+    printf "commit-msg hook that strips AI attribution.\n"
+    printf "\n"
+    printf "To fix:\n"
+    printf "  git rebase -i $remote_sha\n"
+    printf "  Mark commits as 'reword', remove AI attribution, save\n"
+    printf "  git push\n"
   fi
 
   # ============================================================================
   # CHECK 2: File content security checks
   # ============================================================================
-  echo "Checking files for security issues..."
+  printf "Checking files for security issues...\n"
 
   # Get all files changed in these commits.
   CHANGED_FILES=$(git diff --name-only "$range" 2>/dev/null || echo "")
 
   if [ -n "$CHANGED_FILES" ]; then
     # Check for sensitive files.
     if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
-      echo "${RED}✗ BLOCKED: Attempting to push .env file!${NC}"
-      echo "Files: $(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
+      printf "${RED}✗ BLOCKED: Attempting to push .env file!${NC}\n"
+      printf "Files: $(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')\n"
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for .DS_Store.
     if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
-      echo "${RED}✗ BLOCKED: .DS_Store file in push!${NC}"
-      echo "Files: $(echo "$CHANGED_FILES" | grep '\.DS_Store')"
+      printf "${RED}✗ BLOCKED: .DS_Store file in push!${NC}\n"
+      printf "Files: $(echo "$CHANGED_FILES" | grep '\.DS_Store')\n"
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for log files.
     if echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log' | grep -q .; then
-      echo "${RED}✗ BLOCKED: Log file in push!${NC}"
-      echo "Files: $(echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log')"
+      printf "${RED}✗ BLOCKED: Log file in push!${NC}\n"
+      printf "Files: $(echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log')\n"
       ERRORS=$((ERRORS + 1))
     fi
 
@@ -105,35 +105,35 @@ while read local_ref local_sha remote_ref remote_sha; do
 
         # Check for hardcoded user paths.
         if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
-          echo "${RED}✗ BLOCKED: Hardcoded personal path found in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Hardcoded personal path found in: $file${NC}\n"
           grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for Socket API keys.
         if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
-          echo "${RED}✗ BLOCKED: Real API key detected in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Real API key detected in: $file${NC}\n"
           grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for AWS keys.
         if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
-          echo "${RED}✗ BLOCKED: Potential AWS credentials found in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Potential AWS credentials found in: $file${NC}\n"
           grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for GitHub tokens.
         if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
-          echo "${RED}✗ BLOCKED: Potential GitHub token found in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Potential GitHub token found in: $file${NC}\n"
           grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for private keys.
         if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
-          echo "${RED}✗ BLOCKED: Private key found in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Private key found in: $file${NC}\n"
           ERRORS=$((ERRORS + 1))
         fi
       fi
@@ -144,11 +144,11 @@ while read local_ref local_sha remote_ref remote_sha; do
 done
 
 if [ $TOTAL_ERRORS -gt 0 ]; then
-  echo ""
-  echo "${RED}✗ Push blocked by mandatory validation!${NC}"
-  echo "Fix the issues above before pushing."
+  printf "\n"
+  printf "${RED}✗ Push blocked by mandatory validation!${NC}\n"
+  printf "Fix the issues above before pushing.\n"
   exit 1
 fi
 
-echo "${GREEN}✓ All mandatory validation passed!${NC}"
+printf "${GREEN}✓ All mandatory validation passed!${NC}\n"
 exit 0
diff --git a/.husky/security-checks.sh b/.husky/security-checks.sh
@@ -15,45 +15,45 @@ NC='\033[0m'
 # NOTE: This value is intentionally identical across all Socket repos.
 ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
 
-echo "${GREEN}Running Socket Security checks...${NC}"
+printf "${GREEN}Running Socket Security checks...${NC}\n"
 
 # Get list of staged files.
 STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
 
 if [ -z "$STAGED_FILES" ]; then
-  echo "${GREEN}✓ No files to check${NC}"
+  printf "${GREEN}✓ No files to check${NC}\n"
   exit 0
 fi
 
 ERRORS=0
 
 # Check for .DS_Store files.
-echo "Checking for .DS_Store files..."
+printf "Checking for .DS_Store files...\n"
 if echo "$STAGED_FILES" | grep -q '\.DS_Store'; then
-  echo "${RED}✗ ERROR: .DS_Store file detected!${NC}"
+  printf "${RED}✗ ERROR: .DS_Store file detected!${NC}\n"
   echo "$STAGED_FILES" | grep '\.DS_Store'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for log files.
-echo "Checking for log files..."
+printf "Checking for log files...\n"
 if echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'; then
-  echo "${RED}✗ ERROR: Log file detected!${NC}"
+  printf "${RED}✗ ERROR: Log file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for .env files.
-echo "Checking for .env files..."
+printf "Checking for .env files...\n"
 if echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'; then
-  echo "${RED}✗ ERROR: .env or .env.local file detected!${NC}"
+  printf "${RED}✗ ERROR: .env or .env.local file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'
-  echo "These files should never be committed. Use .env.example instead."
+  printf "These files should never be committed. Use .env.example instead.\n"
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for hardcoded user paths (generic detection).
-echo "Checking for hardcoded personal paths..."
+printf "Checking for hardcoded personal paths...\n"
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     # Skip test files and hook scripts.
@@ -63,28 +63,28 @@ for file in $STAGED_FILES; do
 
     # Check for common user path patterns.
     if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}"
+      printf "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}\n"
       grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
-      echo "Replace with relative paths or environment variables."
+      printf "Replace with relative paths or environment variables.\n"
       ERRORS=$((ERRORS + 1))
     fi
   fi
 done
 
 # Check for Socket API keys.
-echo "Checking for API keys..."
+printf "Checking for API keys...\n"
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
-      echo "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}"
+      printf "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}\n"
       grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
-      echo "If this is a real API key, DO NOT COMMIT IT."
+      printf "If this is a real API key, DO NOT COMMIT IT.\n"
     fi
   fi
 done
 
 # Check for common secret patterns.
-echo "Checking for potential secrets..."
+printf "Checking for potential secrets...\n"
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     # Skip test files, example files, and hook scripts.
@@ -94,32 +94,32 @@ for file in $STAGED_FILES; do
 
     # Check for AWS keys.
     if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}"
+      printf "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}\n"
       grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for GitHub tokens.
     if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}"
+      printf "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}\n"
       grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for private keys.
     if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Private key found in: $file${NC}"
+      printf "${RED}✗ ERROR: Private key found in: $file${NC}\n"
       ERRORS=$((ERRORS + 1))
     fi
   fi
 done
 
 if [ $ERRORS -gt 0 ]; then
-  echo ""
-  echo "${RED}✗ Security check failed with $ERRORS error(s).${NC}"
-  echo "Fix the issues above and try again."
+  printf "\n"
+  printf "${RED}✗ Security check failed with $ERRORS error(s).${NC}\n"
+  printf "Fix the issues above and try again.\n"
   exit 1
 fi
 
-echo "${GREEN}✓ All security checks passed!${NC}"
+printf "${GREEN}✓ All security checks passed!${NC}\n"
 exit 0
