chore: add security validation pre-commit hooks

Adds validation hooks for:
- SHA-pinned GitHub Actions
- SPDX license headers
- Workflow permissions declarations
- CodeQL language matrix validation

Configure with: git config core.hooksPath hooks

Author: Jonathan D.A. Jewell

hooks/validate-codeql.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Pre-commit hook: Validate CodeQL language matrix matches repo
+set -euo pipefail
+
+CODEQL_FILE=".github/workflows/codeql.yml"
+[ -f "$CODEQL_FILE" ] || exit 0
+
+# Detect languages in repo
+HAS_JS=$(find . -name "*.js" -o -name "*.ts" -o -name "*.jsx" -o -name "*.tsx" 2>/dev/null | grep -v node_modules | head -1)
+HAS_PY=$(find . -name "*.py" 2>/dev/null | grep -v __pycache__ | head -1)
+HAS_GO=$(find . -name "*.go" 2>/dev/null | head -1)
+HAS_RS=$(find . -name "*.rs" 2>/dev/null | head -1)
+
+# Check if matrix includes unsupported languages
+if grep -q "language:.*python" "$CODEQL_FILE" && [ -z "$HAS_PY" ]; then
+    echo "WARNING: CodeQL configured for Python but no .py files found"
+fi
+if grep -q "language:.*go" "$CODEQL_FILE" && [ -z "$HAS_GO" ]; then
+    echo "WARNING: CodeQL configured for Go but no .go files found"
+fi
+if grep -q "language:.*javascript" "$CODEQL_FILE" && [ -z "$HAS_JS" ]; then
+    echo "WARNING: CodeQL configured for JavaScript but no JS/TS files found"
+fi
+
+# Rust/OCaml are not supported - should use 'actions' only
+if [ -n "$HAS_RS" ]; then
+    if grep -q "language:.*rust" "$CODEQL_FILE"; then
+        echo "ERROR: CodeQL does not support Rust - use ['actions'] instead"
+        exit 1
+    fi
+fi
+
+exit 0

hooks/validate-permissions.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Pre-commit hook: Validate workflow permissions declarations
+set -euo pipefail
+ERRORS=0
+for workflow in .github/workflows/*.yml .github/workflows/*.yaml; do
+    [ -f "$workflow" ] || continue
+    if ! grep -qE '^permissions:' "$workflow"; then
+        echo "ERROR: Missing top-level permissions in $workflow"
+        ERRORS=$((ERRORS + 1))
+    fi
+done
+[ $ERRORS -gt 0 ] && exit 1
+exit 0

hooks/validate-sha-pins.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Pre-commit hook: Validate GitHub Actions are SHA-pinned
+
+set -euo pipefail
+
+ERRORS=0
+
+for workflow in .github/workflows/*.yml .github/workflows/*.yaml; do
+    [ -f "$workflow" ] || continue
+    
+    # Find uses: lines that aren't SHA-pinned
+    while IFS= read -r line; do
+        if [[ "$line" =~ uses:.*@ ]]; then
+            # Check if it has a SHA (40 hex chars)
+            if ! echo "$line" | grep -qE '@[a-f0-9]{40}'; then
+                echo "ERROR: Unpinned action in $workflow"
+                echo "  $line"
+                echo "  Actions must use SHA pins: uses: action/name@SHA # version"
+                ERRORS=$((ERRORS + 1))
+            fi
+        fi
+    done < "$workflow"
+done
+
+if [ $ERRORS -gt 0 ]; then
+    echo ""
+    echo "Found $ERRORS unpinned actions. Please SHA-pin all GitHub Actions."
+    echo "Use: gh api repos/OWNER/REPO/git/matching-refs/tags/VERSION to find SHAs"
+    exit 1
+fi
+
+exit 0

hooks/validate-spdx.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Pre-commit hook: Validate SPDX headers in workflow files
+
+set -euo pipefail
+
+ERRORS=0
+SPDX_PATTERN="^# SPDX-License-Identifier:"
+
+for workflow in .github/workflows/*.yml .github/workflows/*.yaml; do
+    [ -f "$workflow" ] || continue
+    
+    first_line=$(head -n1 "$workflow")
+    if ! echo "$first_line" | grep -qE "$SPDX_PATTERN"; then
+        echo "ERROR: Missing SPDX header in $workflow"
+        echo "  First line should be: # SPDX-License-Identifier: AGPL-3.0-or-later"
+        ERRORS=$((ERRORS + 1))
+    fi
+done
+
+if [ $ERRORS -gt 0 ]; then
+    exit 1
+fi
+
+exit 0