feat: git pre-commit hook blocks commits on main/master

vivek7405 · vivek7405 · commit ca315258b3f3 · 2026-04-17T11:39:38.000+05:30
Added .git/hooks/pre-commit locally and .hooks/pre-commit in the
scaffolder template. webjs create now runs git init + configures
core.hooksPath to .hooks/ so the hook is tracked in the repo and
works for everyone who clones it.

This is git-level enforcement — no AI agent, editor, or human can
commit to main. Feature branches only.
diff --git a/packages/cli/lib/create.js b/packages/cli/lib/create.js
@@ -94,6 +94,8 @@ export async function scaffoldApp(name, cwd) {
     'test/unit/example.test.ts',
     'test/browser/example.test.js',
     'web-test-runner.config.js',
+    // Git hooks (blocks commits on main)
+    '.hooks/pre-commit',
     // Claude Code config + hooks
     '.claude.json',
     '.claude/settings.json',
@@ -122,6 +124,9 @@ export async function scaffoldApp(name, cwd) {
     const hookPath = join(appDir, '.claude', 'hooks', hook);
     if (existsSync(hookPath)) await chmod(hookPath, 0o755);
   }
+  // Make git pre-commit hook executable
+  const preCommitPath = join(appDir, '.hooks', 'pre-commit');
+  if (existsSync(preCommitPath)) await chmod(preCommitPath, 0o755);
 
   // --- App files ---
 
@@ -263,6 +268,14 @@ export class ThemeToggle extends WebComponent {
 ThemeToggle.register(import.meta.url);
 `);
 
+  // --- Git init + configure hooks directory ---
+  const { execSync } = await import('node:child_process');
+  try {
+    execSync('git init', { cwd: appDir, stdio: 'pipe' });
+    // Tell git to use .hooks/ as the hooks directory (tracked in the repo)
+    execSync('git config core.hooksPath .hooks', { cwd: appDir, stdio: 'pipe' });
+  } catch { /* git not available — skip */ }
+
   // --- Print success ---
 
   console.log(`  ${name}/
diff --git a/packages/cli/templates/.hooks/pre-commit b/packages/cli/templates/.hooks/pre-commit
@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# pre-commit hook — blocks commits on main/master.
+#
+# No AI agent, no editor, no human can commit to main directly.
+# Create a feature branch first. This is git-level enforcement.
+#
+# To bypass in emergencies: git commit --no-verify
+
+BRANCH=$(git symbolic-ref --short HEAD 2>/dev/null)
+
+if [ "$BRANCH" = "main" ] || [ "$BRANCH" = "master" ]; then
+  echo ""
+  echo "ERROR: Cannot commit directly to '$BRANCH'."
+  echo ""
+  echo "Create a feature branch first:"
+  echo "  git checkout -b feature/<name>"
+  echo ""
+  echo "To bypass (emergencies only): git commit --no-verify"
+  echo ""
+  exit 1
+fi
+
+exit 0
