fix(pre-push): redirect stdin from /dev/null for pre-check commands

cursoragent · cursoragent · commit 0fb9c637e220 · 2026-04-10T17:22:47.000Z
agentshield and zizmor inherit stdin from the git pre-push hook,
which is a pipe carrying ref data. If either tool reads from stdin,
it consumes the ref data, causing the while-read loop to iterate
zero times and silently bypassing all commit-level security checks.
diff --git a/.git-hooks/pre-push b/.git-hooks/pre-push
@@ -27,7 +27,7 @@ TOTAL_ERRORS=0
 # ============================================================================
 if command -v agentshield >/dev/null 2>&1 || [ -x "$(pnpm bin 2>/dev/null)/agentshield" ]; then
   AGENTSHIELD="$(command -v agentshield 2>/dev/null || echo "$(pnpm bin)/agentshield")"
-  if ! "$AGENTSHIELD" scan --quiet 2>/dev/null; then
+  if ! "$AGENTSHIELD" scan --quiet 2>/dev/null </dev/null; then
     printf "${RED}✗ AgentShield: security issues found in Claude config${NC}\n"
     printf "Run 'pnpm exec agentshield scan' for details\n"
     TOTAL_ERRORS=$((TOTAL_ERRORS + 1))
@@ -44,7 +44,7 @@ elif [ -x "$HOME/.socket/zizmor/bin/zizmor" ]; then
   ZIZMOR="$HOME/.socket/zizmor/bin/zizmor"
 fi
 if [ -n "$ZIZMOR" ] && [ -d ".github/" ]; then
-  if ! "$ZIZMOR" .github/ 2>/dev/null; then
+  if ! "$ZIZMOR" .github/ 2>/dev/null </dev/null; then
     printf "${RED}✗ Zizmor: workflow security issues found${NC}\n"
     printf "Run 'zizmor .github/' for details\n"
     TOTAL_ERRORS=$((TOTAL_ERRORS + 1))
