HYPERFLEET-1101 - chore: migrate secret scanning from rh-pre-commit to LeakTK

.bingo/Variables.mk

@@ -58,4 +58,3 @@ $(OAPI_CODEGEN): $(BINGO_DIR)/oapi-codegen.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/oapi-codegen-v2.6.0"
 	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=oapi-codegen.mod -o=$(GOBIN)/oapi-codegen-v2.6.0 "github.com/oapi-codegen/oapi-codegen/v2/cmd/oapi-codegen"
-

.bingo/variables.env

@@ -19,4 +19,3 @@ KUBECONFORM="${GOBIN}/kubeconform-v0.7.0"
 MOCKGEN="${GOBIN}/mockgen-v0.6.0"
 
 OAPI_CODEGEN="${GOBIN}/oapi-codegen-v2.6.0"
-

.pre-commit-config.yaml

@@ -1,29 +1,26 @@
-# Pre-commit configuration for hyperfleet-api
-# Enforces Red Hat security compliance and AI-readiness best practices
-#
-# Setup:
-#   1. Run: pre-commit install
-#   2. Run: pre-commit install --hook-type pre-push
-#   3. Run: pre-commit run --all-files (to test)
-#
-# See: https://pre-commit.com/
+default_install_hook_types: [pre-commit, commit-msg]
 
 repos:
-  # Red Hat security and compliance hooks
-  # NOTE: This hook requires access to Red Hat's internal GitLab.
-  # External contributors: You can comment out this section or skip with:
-  #   SKIP=rh-pre-commit git commit -m "your message"
-  # See README.md "Pre-commit Hooks" section for more details.
-  - repo: https://gitlab.cee.redhat.com/infosec-public/developer-workbench/tools
-    rev: rh-pre-commit-2.3.2  # Use specific tag
+  # Secret scanning (VPN-free, open-source alternative to rh-pre-commit)
+  - repo: https://github.com/leaktk/leaktk
+    rev: e62a495260dc1e396fa586e51bbe1355f6fc7d9d # v0.3.3
     hooks:
-      - id: rh-pre-commit
+      - id: leaktk.git.pre-commit
 
-  # AI-readiness hooks
-  - repo: https://github.com/openshift-hyperfleet/rh-hooks-ai
-    rev: v1.0.3  # Use latest release
+  # HyperFleet code quality hooks
+  - repo: https://github.com/openshift-hyperfleet/hyperfleet-hooks
+    rev: 7d5cd98ed6a1a98c39c04b9f4ab9b0ffb0d49155 # v0.1.1
     hooks:
-      - id: check-rh-precommit
-      - id: validate-agents-md  # Runs on git push, requires AGENTS.md
-      - id: ai-attribution-reminder
-      # - id: check-version  # Optional: Checks for updates once per 24h (non-blocking)
+      - id: hyperfleet-commitlint
+        stages: [commit-msg]
+      - id: hyperfleet-gofmt
+      - id: hyperfleet-golangci-lint
+      - id: hyperfleet-go-vet
+
+  # File hygiene
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-added-large-files

AGENTS.md

@@ -10,6 +10,7 @@ For Claude Code users: also see `CLAUDE.md` (auto-loaded) and `.claude/rules/` (
 ```
 make generate-all     # REQUIRED FIRST — generated code not in git
 go mod download
+make install-hooks    # Install pre-commit hooks (secret scanning, linting, etc.)
 make db/setup         # Start local PostgreSQL container
 make build            # Build binary (CGO_ENABLED=1 GOEXPERIMENT=boringcrypto)
 ./bin/hyperfleet-api migrate
@@ -143,12 +144,17 @@ Co-Authored-By: Claude <noreply@anthropic.com>
 ```
 
 ### Pre-commit Hooks
-Install: `pre-commit install && pre-commit install --hook-type pre-push`
+Install: `make install-hooks`
 
 Hooks:
-- `rh-pre-commit` — Red Hat security compliance (requires internal GitLab access; skip with `SKIP=rh-pre-commit`)
-- `validate-agents-md` — validates AGENTS.md exists (runs on push)
-- `ai-attribution-reminder` — reminds about AI co-author attribution
+- `leaktk.git.pre-commit` — secret scanning (open-source, no VPN required)
+- `hyperfleet-commitlint` — validates commit message format (commit-msg stage)
+- `hyperfleet-gofmt` — Go code formatting
+- `hyperfleet-golangci-lint` — linting
+- `hyperfleet-go-vet` — Go vet checks
+- `trailing-whitespace` — removes trailing whitespace
+- `end-of-file-fixer` — ensures files end with newline
+- `check-added-large-files` — prevents large files from being committed
 
 ### Branching
 Create feature branches from `main`. PRs target `main`.

Makefile

@@ -84,6 +84,10 @@ help: ## Display this help
 
 ##@ Code Quality
 
+.PHONY: install-hooks
+install-hooks: ## Install pre-commit hooks
+	pre-commit install
+
 .PHONY: verify
 verify: ## Verify source passes standard checks
 	${GO} vet \
@@ -101,6 +105,16 @@ verify: ## Verify source passes standard checks
 			printf '\033[0m'; \
 		)
 
+.PHONY: gofmt
+gofmt: ## Format Go code
+	! gofmt -l cmd pkg test |\
+		sed 's/^/Unformatted file: /' |\
+		grep .
+
+.PHONY: go-vet
+go-vet: ## Run go vet
+	${GO} vet ./cmd/... ./pkg/...
+
 .PHONY: lint
 lint: generate-all $(GOLANGCI_LINT) ## Run golangci-lint
 	$(GOLANGCI_LINT) run ./cmd/... ./pkg/... ./test/...

charts/templates/_helpers.tpl

@@ -133,4 +133,3 @@ Database environment variables (using secretKeyRef - Kubernetes best practice)
       key: db.password
 {{- end }}
 {{- end }}
-

docs/config.md

@@ -647,4 +647,3 @@ Before deploying to production, verify:
 - ✅ Configuration files (YAML snake_case)
 - ✅ Default values
 - ✅ OpenTelemetry tracing variables (HYPERFLEET_TRACING_ENABLED, OTEL_*) if tracing is enabled
-

docs/database.md

@@ -69,7 +69,7 @@ Generic resources (the `resources` table) use delete policies to control child b
 | `restrict` | Parent delete is rejected with `409 Conflict` if active children exist |
 | `cascade`  | All children are soft-deleted (marked Finalizing) along with the parent |
 
-Policies are enforced recursively — a cascade on a parent triggers policy checks on children. For clusters and nodepools, the cascade is built-in: deleting a cluster cascades to all its nodepools — those with required adapters are soft-deleted (entering Finalizing), while those without are hard-deleted immediately.  
+Policies are enforced recursively — a cascade on a parent triggers policy checks on children. For clusters and nodepools, the cascade is built-in: deleting a cluster cascades to all its nodepools — those with required adapters are soft-deleted (entering Finalizing), while those without are hard-deleted immediately.
 
 Resources without required adapters skip the Finalizing phase entirely — they are hard-deleted immediately on `DELETE`.
 

docs/deployment.md

@@ -10,7 +10,7 @@ For running the binary directly on your machine (development, debugging), see th
 
 Before deploying, ensure you have:
 
-- **Kubernetes cluster** (1.25+) 
+- **Kubernetes cluster** (1.25+)
 - **Helm 3** CLI
 - **PostgreSQL database** — either:
   - An external managed instance (Cloud SQL, RDS, Azure Database) for production, or

docs/development.md

@@ -325,9 +325,9 @@ bingo list
 Tool versions are tracked in `.bingo/*.mod` files and loaded automatically via `include .bingo/Variables.mk` in the Makefile.
 
 
-### Pre-commit Hooks (Optional)
+### Pre-commit Hooks
 
-This project uses pre-commit hooks for code quality and security checks.
+This project uses pre-commit hooks for code quality and secret scanning.
 
 #### Setup
 
@@ -338,23 +338,13 @@ brew install pre-commit  # macOS
 pip install pre-commit
 
 # Install hooks
-pre-commit install
-pre-commit install --hook-type pre-push
+make install-hooks
 
 # Test
 pre-commit run --all-files
 ```
 
-#### For External Contributors
-
-The `.pre-commit-config.yaml` includes `rh-pre-commit` which requires access to Red Hat's internal GitLab. External contributors can skip it:
-
-```bash
-# Skip internal hook when committing
-SKIP=rh-pre-commit git commit -m "your message"
-```
-
-Or comment out the internal hook in `.pre-commit-config.yaml`.
+The first run takes 3-5 minutes while LeakTK compiles (one-time), then it's instant.
 
 #### Update Hooks