aws-samples · krokoko · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
@@ -4,4 +4,4 @@
       "code-review@claude-plugins-official": true,
       "pr-review-toolkit@claude-plugins-official": true
   }
-}
+}
@@ -6,4 +6,4 @@
 
 ## File must end with CODEOWNERS file
 
-.github/CODEOWNERS                  @aws-samples/coding-agents-admin
+.github/CODEOWNERS                  @aws-samples/coding-agents-admin
@@ -34,7 +34,7 @@ body:
     id: use-case
     attributes:
       label: Use case
-      description: Why do you need this? For example: "I'm always frustrated when..."
+      description: "Why do you need this? For example: I'm always frustrated when..."
     validations:
       required: true
   - type: textarea

@@ -3,4 +3,4 @@
 If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com.
 
 > [!IMPORTANT]
-> Please do not create a GitHub issue, pull request, or other public announcements.
+> Please do not create a GitHub issue, pull request, or other public announcements.
@@ -0,0 +1,78 @@
+# Git hooks via https://github.com/j178/prek (installed by `mise run install` in a Git checkout; re-run `mise run hooks:install` after edits).
+# Config format matches pre-commit; run hooks with `prek` from mise (`mise.toml` [tools]).
+
+default_install_hook_types: [pre-commit, pre-push]
+fail_fast: false
+exclude: ^\.threat-composer/
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: trailing-whitespace
+        # Skip generated trees and paths often checked in read-only (0444); mutating hooks must not touch them.
+        exclude: (cdk/cdk\.out/|node_modules/|^docs/src/content/docs/.*\.md$|(^|/)LICENSE$|(^|/)\.gitattributes$|(^|/)\.npmignore$|(^|/)\.gitignore$|^cli/header\.js$|^docs/astro\.config\.mjs$|^docs/tsconfig\.json$|^docs/src/content\.config\.ts$|\.(snap|lock)$)
+      - id: end-of-file-fixer
+        exclude: (cdk/cdk\.out/|node_modules/|^docs/src/content/docs/.*\.md$|(^|/)LICENSE$|(^|/)\.gitattributes$|(^|/)\.npmignore$|(^|/)\.gitignore$|^cli/header\.js$|^docs/astro\.config\.mjs$|^docs/tsconfig\.json$|^docs/src/content\.config\.ts$)
+      - id: check-merge-conflict
+      - id: check-yaml
+        exclude: ^(cdk/cdk\.out/|cdk\.out/|node_modules/|agent/\.venv/)
+      - id: check-json
+        exclude: ^(cdk/cdk\.out/|node_modules/)
+
+  - repo: local
+    hooks:
+      - id: gitleaks-staged
+        name: gitleaks (staged)
+        entry: bash -lc 'cd "$(git rev-parse --show-toplevel)" && mise run security:secrets:staged'
+        language: system
+        pass_filenames: false
+        stages: [pre-commit]
+
+      - id: cdk-eslint
+        name: eslint (cdk)
+        entry: bash -lc 'cd "$(git rev-parse --show-toplevel)" && export MISE_EXPERIMENTAL=1 && mise //cdk:eslint'
+        language: system
+        pass_filenames: false
+        files: ^cdk/.*\.(ts|tsx|cjs|mjs|js)$
+        exclude: ^cdk/cdk\.out/
+        stages: [pre-commit]
+
+      - id: cli-eslint
+        name: eslint (cli)
+        entry: bash -lc 'cd "$(git rev-parse --show-toplevel)" && export MISE_EXPERIMENTAL=1 && mise //cli:eslint'
+        language: system
+        pass_filenames: false
+        files: ^cli/.*\.(ts|tsx|cjs|mjs|js)$
+        stages: [pre-commit]
+
+      - id: agent-quality
+        name: quality (agent)
+        entry: bash -lc 'cd "$(git rev-parse --show-toplevel)/agent" && mise run quality'
+        language: system
+        pass_filenames: false
+        files: ^agent/.*\.py$
+        stages: [pre-commit]
+
+      - id: docs-astro-check
+        name: astro check (docs)
+        entry: bash -lc 'cd "$(git rev-parse --show-toplevel)/docs" && ./node_modules/.bin/astro check'
+        language: system
+        pass_filenames: false
+        files: ^docs/
+        exclude: ^docs/node_modules/
+        stages: [pre-commit]
+
+      - id: monorepo-security-pre-push
+        name: security scans (pre-push)
+        entry: bash -lc 'cd "$(git rev-parse --show-toplevel)" && mise run hooks:pre-push:security'
+        language: system
+        pass_filenames: false
+        stages: [pre-push]
+
+      - id: monorepo-tests-pre-push
+        name: package tests (pre-push)
+        entry: bash -lc 'cd "$(git rev-parse --show-toplevel)" && mise run hooks:pre-push:tests'
+        language: system
+        pass_filenames: false
+        stages: [pre-push]
@@ -92,4 +92,4 @@
   "threats": [],
   "mitigations": [],
   "mitigationLinks": []
-}
+}
@@ -123,4 +123,4 @@
   "threats": [],
   "mitigations": [],
   "mitigationLinks": []
-}
+}
@@ -123,4 +123,4 @@
   "threats": [],
   "mitigations": [],
   "mitigationLinks": []
-}
+}
@@ -450,4 +450,4 @@
       "linkedId": "30b38afc-9930-4602-8637-56ddb166d2a5"
     }
   ]
-}
+}
@@ -741,4 +741,4 @@
   ],
   "mitigations": [],
   "mitigationLinks": []
-}
+}
@@ -18,4 +18,4 @@
     "show_tool_use": true,
     "agent_auto_context": true
   }
-}
+}
@@ -14,4 +14,4 @@
     "THREAT_COMPOSER_AI_GENERATED_TAG": null
   },
   "note": "Only non-sensitive environment variables are logged. Credentials and secrets are never exported."
-}
+}
@@ -34,4 +34,4 @@
     "output_tokens": 26992,
     "total_tokens": 1254413
   }
-}
+}
@@ -1,4 +1,4 @@
 {
   "hash": "sha256:8e04446db0fa8d5b2691dac847b5f154dd190b6ef6d9cebbba72f2bf46baf02d",
   "timestamp": "2026-03-31T18:36:37.928352Z"
-}
+}
@@ -1,4 +1,4 @@
 {
   "hash": "sha256:b771f3e8d9a92e49a20ccc5d927ce42c87a520a65bfbb5bdbd7f0580b310fe34",
   "timestamp": "2026-03-31T18:39:40.535180Z"
-}
+}
@@ -1,4 +1,4 @@
 {
   "hash": "sha256:83fe0f76a33b1d0a4f1d0b4077e444f184873432c996fa947f654b9c7b037aeb",
   "timestamp": "2026-03-31T18:40:29.327880Z"
-}
+}
@@ -1,4 +1,4 @@
 {
   "hash": "sha256:4c8d99ef15fbfa1ebad8fcff8de40d48899924259f5b663fefd242d80b1aa939",
   "timestamp": "2026-03-31T18:42:33.090247Z"
-}
+}
@@ -1,4 +1,4 @@
 {
   "hash": "sha256:7ad487991f9f3486f5cc86a4919f22b2c6d9e3b9947ade2756c2baac6e023401",
   "timestamp": "2026-03-31T18:43:01.992971Z"
-}
+}
@@ -1,4 +1,4 @@
 {
   "hash": "sha256:d8861d31dbabf23236dd0b86b2eb8cf27f567c60a2f31076750249f1c1fdc5d6",
   "timestamp": "2026-03-31T18:48:46.207662Z"
-}
+}
@@ -1,4 +1,4 @@
 {
   "hash": "sha256:4a3e44367ba33cefafd2fe22c44b2db73abd9bb839746014dd1f64bd57c4061e",
   "timestamp": "2026-03-31T18:45:20.201511Z"
-}
+}
@@ -259,4 +259,4 @@
       "activated": false
     }
   }
-}
+}
@@ -3,4 +3,4 @@
   "session_type": "AGENT",
   "created_at": "2026-03-31T18:34:16.261021+00:00",
   "updated_at": "2026-03-31T18:34:16.261028+00:00"
-}
+}
@@ -1990,4 +1990,4 @@
       ]
     }
   ]
-}
+}
@@ -42,6 +42,7 @@ Handler entry tests: `cdk/test/handlers/orchestrate-task.test.ts`, `create-task.
 - Running raw **`jest`/`tsc`/`cdk`** from muscle memory — prefer **`mise //cdk:test`**, **`mise //cdk:compile`**, **`mise //cdk:synth`** (see [Commands you can use](#commands-you-can-use)).
 - **`MISE_EXPERIMENTAL=1`** — required for namespaced tasks like **`mise //cdk:build`** (see [CONTRIBUTING.md](./CONTRIBUTING.md)).
 - **`mise run build`** runs **`//agent:quality`** before CDK — the deployed image bundles **`agent/`**; agent changes belong in that tree.
+- **`prek install`** fails if Git **`core.hooksPath`** is set — another hook manager owns hooks; see [CONTRIBUTING.md](./CONTRIBUTING.md).
 
 ### Tech stack
 
@@ -105,6 +106,8 @@ Run `mise tasks --all` (with `MISE_EXPERIMENTAL=1`) for the full list. Common co
 - **`mise run security:deps`** — OSV Scanner on **`yarn.lock`** (all JS workspaces) and **`agent/uv.lock`**.
 - **`mise run security`** — Runs **`security:secrets`** then **`security:sast`**.
 - **`mise run security:retire`** — Retire.js on CDK, CLI, and docs packages.
+- **`mise run hooks:install`** — Re-install **[prek](https://github.com/j178/prek)** git hooks (also run automatically at the end of **`mise run install`** inside a Git checkout). See [CONTRIBUTING.md](./CONTRIBUTING.md) if `core.hooksPath` blocks install.
+- **`mise run hooks:run`** — Run the same **pre-commit** and **pre-push** hook stages on all files (local verification).
 
 Use these instead of running `tsc`, `jest`, or `cdk` directly when possible, so the project's scripts and config stay consistent.
 

@@ -50,6 +50,33 @@ This repository uses [mise](https://mise.jdx.dev/) for tool versions and tasks.
 
 Project configuration is hand-owned in this repository. Prefer `mise` tasks from the repo root (`mise run install`, `mise run build`) or package-level tasks (`mise //cdk:build`, `mise //cli:build`, `mise //docs:build`).
 
+### Git hooks ([prek](https://github.com/j178/prek))
+
+**`mise run install`** already runs **`prek install --prepare-hooks`** when the current directory is inside a **Git** working tree (it is skipped if there is no `.git`, e.g. a source tarball). [`prek`](https://github.com/j178/prek) is pinned in the root **`mise.toml`** and reads **`.pre-commit-config.yaml`**.
+
+Re-apply hook shims after you change hook config or if install was skipped:
+
+```bash
+mise run hooks:install
+```
+
+| Stage | What runs |
+|-------|-----------|
+| **pre-commit** | Trailing whitespace / EOF / merge-conflict / YAML+JSON checks; **gitleaks** on **staged** changes only; **eslint** (cdk, cli), **ruff** (agent), **astro check** (docs) when matching paths are touched. |
+| **pre-push** | Two pre-push hooks run in order:
+1. **`mise run hooks:pre-push:security`** — root security scans.
+2. **`mise run hooks:pre-push:tests`** — tests in `cdk`, `cli`, and `agent` packages.
+
+For convenience, **`mise run hooks:pre-push`** runs both steps sequentially. |
+
+Dry-run or reproduce locally without committing:
+
+```bash
+mise run hooks:run
+```
+
+If **`prek install`** exits with *refusing to install hooks with `core.hooksPath` set* — another tool owns your hooks. Either unset it (`git config --unset-all core.hooksPath` for **local** and/or **global**) or integrate these checks into that hook manager instead.
+
 ### Step 1: Open Issue
 
 If there isn't one already, open an issue describing what you intend to contribute. It's useful to communicate in advance, because sometimes, someone is already working in this space, so maybe it's worth collaborating with them instead of duplicating the efforts.

@@ -8,7 +8,7 @@
   <strong>
     Autonomous Background Coding Agents on AWS
   </strong>
- 
+
   <br />
   <br />
   <p align="center">

@@ -1 +1 @@
-3.13
+3.13
@@ -15,4 +15,4 @@
  *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  *  SOFTWARE.
- */
+ */
@@ -1 +1 @@
-# replace this
+# replace this
@@ -661,4 +661,3 @@ The API is implemented as an **Amazon API Gateway REST API** (or HTTP API) with
 ### Relationship to internal message schema
 
 The API request/response schemas defined here are the **external** contract. The input gateway normalizes API requests into the **internal message schema** (see [INPUT_GATEWAY.md](./INPUT_GATEWAY.md)) before dispatching to the task pipeline. The internal schema may include additional fields (e.g. `channel_metadata`, `normalized_at`) that are not exposed in the API.
-
@@ -211,4 +211,4 @@ Different tasks and repos may benefit from different models. The `model_id` fiel
 - **Implementation tasks (`new_task`):** Claude Sonnet 4 (good balance of quality and cost)
 - **PR iteration tasks (`pr_iteration`):** Claude Sonnet 4 (needs to understand review feedback and make code changes — similar complexity to implementation)
 - **PR review tasks (`pr_review`):** Claude Haiku (fast, cheap — review is read-only analysis)
-- **Complex/critical repos:** Claude Opus 4 (highest quality, highest cost — opt-in per repo)
+- **Complex/critical repos:** Claude Opus 4 (highest quality, highest cost — opt-in per repo)
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,4 +4,4 @@ @@
           "code-review@claude-plugins-official": true,
           "pr-review-toolkit@claude-plugins-official": true
       }
-    }
+    }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -6,4 +6,4 @@

		## File must end with CODEOWNERS file

		.github/CODEOWNERS @aws-samples/coding-agents-admin
		.github/CODEOWNERS @aws-samples/coding-agents-admin
Original file line number	Diff line number	Diff line change
Expand Up		@@ -661,4 +661,3 @@ The API is implemented as an Amazon API Gateway REST API (or HTTP API) with
		### Relationship to internal message schema

		The API request/response schemas defined here are the external contract. The input gateway normalizes API requests into the internal message schema (see [INPUT_GATEWAY.md](./INPUT_GATEWAY.md)) before dispatching to the task pipeline. The internal schema may include additional fields (e.g. `channel_metadata`, `normalized_at`) that are not exposed in the API.