fix(git-hooks): use here-strings to avoid echo + grep/sed pitfalls

Replace `echo "$X" | grep ...` with `grep ... <<<"$X"` across all canonical
hooks. When `$X` begins with `-`, `echo` can interpret it as a flag and
grep/sed can match it as an option, breaking the script. Here-strings pass
bytes directly on stdin and are immune to that class of bug.

Also fix pre-push stdin consumption: `while read` was draining the ref
stream git passes on stdin, leaving the `local-pre-push` hook with nothing.
The script now captures stdin once and re-feeds it to both the force-push
guard and the local hook.

Flagged by gemini-code-assist on resq-software/crates#46 and
resq-software/npm#30.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: WomB0ComB0

scripts/git-hooks/commit-msg

@@ -13,9 +13,9 @@ INPUT_FILE="${1:-}"
 PATTERN="^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\(.+\))?(!)?: .+$"
 
 FIRST_LINE=$(head -1 "$INPUT_FILE")
-SUBJECT=$(echo "$FIRST_LINE" | sed 's/^\[[A-Z][A-Z]*-[0-9]*\] //')
+SUBJECT=$(sed 's/^\[[A-Z][A-Z]*-[0-9]*\][[:space:]]*//' <<<"$FIRST_LINE")
 
-if ! echo "$SUBJECT" | grep -qE "$PATTERN"; then
+if ! grep -qE "$PATTERN" <<<"$SUBJECT"; then
     echo "Error: Invalid commit message format."
     echo "Expected: type(scope): subject"
     echo "Examples:"
@@ -27,7 +27,7 @@ fi
 BRANCH=$(git symbolic-ref --short HEAD 2>/dev/null || echo "")
 case "$BRANCH" in
     main|master)
-        if echo "$FIRST_LINE" | grep -qiE "^(\[[A-Z]+-[0-9]+\] )?(fixup!|squash!|wip[: ])"; then
+        if grep -qiE "^(\[[A-Z]+-[0-9]+\] )?(fixup!|squash!|wip[: ])" <<<"$FIRST_LINE"; then
             echo "Error: fixup!/squash!/WIP commits are not allowed on $BRANCH."
             echo "Create a feature branch instead."
             exit 1

scripts/git-hooks/post-checkout

@@ -16,10 +16,10 @@ IS_BRANCH_CHECKOUT="${3:-}"
 if [ "$IS_BRANCH_CHECKOUT" = "1" ] && [ "$PREV_HEAD" != "$NEW_HEAD" ]; then
     CHANGED=$(git diff --name-only "$PREV_HEAD" "$NEW_HEAD" 2>/dev/null || true)
 
-    echo "$CHANGED" | grep -q "^Cargo\.lock$"   && echo "📦 Cargo.lock changed — run: cargo build"
-    echo "$CHANGED" | grep -q "^bun\.lockb\?$"  && echo "📦 bun.lock changed — run: bun install"
-    echo "$CHANGED" | grep -q "^uv\.lock$"      && echo "📦 uv.lock changed — run: uv sync"
-    echo "$CHANGED" | grep -q "^flake\.lock$"   && echo "📦 flake.lock changed — exit and re-enter: nix develop"
+    grep -q "^Cargo\.lock$"   <<<"$CHANGED" && echo "📦 Cargo.lock changed — run: cargo build"
+    grep -q "^bun\.lockb\?$"  <<<"$CHANGED" && echo "📦 bun.lock changed — run: bun install"
+    grep -q "^uv\.lock$"      <<<"$CHANGED" && echo "📦 uv.lock changed — run: uv sync"
+    grep -q "^flake\.lock$"   <<<"$CHANGED" && echo "📦 flake.lock changed — exit and re-enter: nix develop"
 fi
 
 LOCAL_HOOK="$(git rev-parse --show-toplevel)/.git-hooks/local-post-checkout"

scripts/git-hooks/post-merge

@@ -11,10 +11,10 @@ set -euo pipefail
 
 CHANGED=$(git diff-tree -r --name-only --no-commit-id ORIG_HEAD HEAD 2>/dev/null || true)
 
-echo "$CHANGED" | grep -q "^Cargo\.lock$"   && echo "📦 Cargo.lock changed after merge — run: cargo build"
-echo "$CHANGED" | grep -q "^bun\.lockb\?$"  && echo "📦 bun.lock changed after merge — run: bun install"
-echo "$CHANGED" | grep -q "^uv\.lock$"      && echo "📦 uv.lock changed after merge — run: uv sync"
-echo "$CHANGED" | grep -q "^flake\.lock$"   && echo "📦 flake.lock changed after merge — exit and re-enter: nix develop"
+grep -q "^Cargo\.lock$"   <<<"$CHANGED" && echo "📦 Cargo.lock changed after merge — run: cargo build"
+grep -q "^bun\.lockb\?$"  <<<"$CHANGED" && echo "📦 bun.lock changed after merge — run: bun install"
+grep -q "^uv\.lock$"      <<<"$CHANGED" && echo "📦 uv.lock changed after merge — run: uv sync"
+grep -q "^flake\.lock$"   <<<"$CHANGED" && echo "📦 flake.lock changed after merge — exit and re-enter: nix develop"
 
 LOCAL_HOOK="$(git rev-parse --show-toplevel)/.git-hooks/local-post-merge"
 if [ -x "$LOCAL_HOOK" ]; then

scripts/git-hooks/pre-push

@@ -15,6 +15,13 @@ echo "🚀 Running pre-push checks..."
 
 BRANCH=$(git symbolic-ref --short HEAD 2>/dev/null || echo "")
 
+# Capture stdin (the ref info git passes to pre-push) so both the force-push
+# guard and any local-pre-push hook can read it.
+PUSH_REFS=""
+if [ ! -t 0 ]; then
+    PUSH_REFS=$(cat)
+fi
+
 # ── Force-push guard on main/master ─────────────────────────────────────────
 case "$BRANCH" in
     main|master)
@@ -27,7 +34,9 @@ case "$BRANCH" in
                     exit 1
                 fi
             fi
-        done
+        done <<EOF
+$PUSH_REFS
+EOF
         ;;
 esac
 
@@ -36,8 +45,8 @@ ALLOWED_PATTERN="^(feat|fix|docs|chore|refactor|test|ci|perf|release)/.*$"
 SKIP_BRANCHES="^(main|master|dev|develop|staging|production|changeset-release/.*)$"
 
 if [ -n "$BRANCH" ]; then
-    if ! echo "$BRANCH" | grep -qE "$SKIP_BRANCHES"; then
-        if ! echo "$BRANCH" | grep -qE "$ALLOWED_PATTERN"; then
+    if ! grep -qE "$SKIP_BRANCHES" <<<"$BRANCH"; then
+        if ! grep -qE "$ALLOWED_PATTERN" <<<"$BRANCH"; then
             echo "❌ Branch '$BRANCH' does not follow naming convention."
             echo "   Expected: type/description  (e.g. feat/add-login)"
             echo "   Allowed prefixes: feat, fix, docs, chore, refactor, test, ci, perf, release"
@@ -50,7 +59,10 @@ fi
 # ── Local override (language-specific checks) ───────────────────────────────
 LOCAL_HOOK="$(git rev-parse --show-toplevel)/.git-hooks/local-pre-push"
 if [ -x "$LOCAL_HOOK" ]; then
-    "$LOCAL_HOOK" "$@"
+    # Re-supply captured stdin so local hooks that inspect refs still work.
+    "$LOCAL_HOOK" "$@" <<EOF
+$PUSH_REFS
+EOF
 fi
 
 echo "✅ Pre-push checks passed"

scripts/git-hooks/prepare-commit-msg

@@ -17,10 +17,10 @@ esac
 BRANCH=$(git symbolic-ref --short HEAD 2>/dev/null || echo "")
 [ -z "$BRANCH" ] && exit 0
 
-TICKET=$(echo "$BRANCH" | grep -oE '[A-Z]{2,}-[0-9]+' | head -1 || true)
+TICKET=$(grep -oE '[A-Z]{2,}-[0-9]+' <<<"$BRANCH" | head -1 || true)
 if [ -n "$TICKET" ]; then
     COMMIT_MSG=$(cat "$COMMIT_MSG_FILE")
-    if ! echo "$COMMIT_MSG" | grep -qF "$TICKET"; then
+    if ! grep -qF -- "$TICKET" <<<"$COMMIT_MSG"; then
         printf '[%s] %s\n' "$TICKET" "$COMMIT_MSG" > "$COMMIT_MSG_FILE"
     fi
 fi