fix(hooks): replace echo with printf for consistent output

Replaced all echo statements with printf in git hooks for better
cross-platform compatibility and consistent output formatting.

Changes affect:
- .husky/pre-commit
- .husky/security-checks.sh
- .git-hooks/commit-msg
- .git-hooks/pre-commit
- .git-hooks/pre-push

Benefits:
- printf is more portable and reliable across shells
- Better handling of escape sequences and formatting
- Consistent with CLAUDE.md standards for shell scripts
- Avoids potential issues with echo -e flag inconsistencies

Note: echo statements in pipes (e.g., echo "$VAR" | grep) and command
substitutions were intentionally preserved as they serve different purposes.

Author: jdalton

.git-hooks/commit-msg

@@ -24,7 +24,7 @@ if [ -n "$COMMITTED_FILES" ]; then
       # Check for Socket API keys (except allowed).
       if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | grep -v '\.example' | grep -q .; then
         printf "${RED}✗ SECURITY: Potential API key detected in commit!${NC}\n"
-        echo "File: $file"
+        printf "File: %s\n" "$file"
         ERRORS=$((ERRORS + 1))
       fi
 

.git-hooks/pre-commit

@@ -26,32 +26,32 @@ fi
 ERRORS=0
 
 # Check for .DS_Store files.
-echo "Checking for .DS_Store files..."
+printf "Checking for .DS_Store files...\n"
 if echo "$STAGED_FILES" | grep -q '\.DS_Store'; then
   printf "${RED}✗ ERROR: .DS_Store file detected!${NC}\n"
   echo "$STAGED_FILES" | grep '\.DS_Store'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for log files.
-echo "Checking for log files..."
+printf "Checking for log files...\n"
 if echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'; then
   printf "${RED}✗ ERROR: Log file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for .env files.
-echo "Checking for .env files..."
+printf "Checking for .env files...\n"
 if echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'; then
   printf "${RED}✗ ERROR: .env or .env.local file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'
-  echo "These files should never be committed. Use .env.example instead."
+  printf "These files should never be committed. Use .env.example instead.\n"
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for hardcoded user paths (generic detection).
-echo "Checking for hardcoded personal paths..."
+printf "Checking for hardcoded personal paths...\n"
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     # Skip test files and hook scripts.
@@ -63,26 +63,26 @@ for file in $STAGED_FILES; do
     if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
       printf "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}\n"
       grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
-      echo "Replace with relative paths or environment variables."
+      printf "Replace with relative paths or environment variables.\n"
       ERRORS=$((ERRORS + 1))
     fi
   fi
 done
 
 # Check for Socket API keys.
-echo "Checking for API keys..."
+printf "Checking for API keys...\n"
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
       printf "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}\n"
       grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
-      echo "If this is a real API key, DO NOT COMMIT IT."
+      printf "If this is a real API key, DO NOT COMMIT IT.\n"
     fi
   fi
 done
 
 # Check for common secret patterns.
-echo "Checking for potential secrets..."
+printf "Checking for potential secrets...\n"
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     # Skip test files, example files, and hook scripts.
@@ -113,9 +113,9 @@ for file in $STAGED_FILES; do
 done
 
 if [ $ERRORS -gt 0 ]; then
-  echo ""
+  printf "\n"
   printf "${RED}✗ Security check failed with $ERRORS error(s).${NC}\n"
-  echo "Fix the issues above and try again."
+  printf "Fix the issues above and try again.\n"
   exit 1
 fi
 

.git-hooks/pre-push

@@ -38,7 +38,7 @@ while read local_ref local_sha remote_ref remote_sha; do
   # ============================================================================
   # CHECK 1: Scan commit messages for AI attribution
   # ============================================================================
-  echo "Checking commit messages for AI attribution..."
+  printf "Checking commit messages for AI attribution...\n"
 
   # Check each commit in the range for AI patterns.
   while IFS= read -r commit_sha; do
@@ -47,28 +47,28 @@ while read local_ref local_sha remote_ref remote_sha; do
     if echo "$full_msg" | grep -qiE "(Generated with|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|Claude Code|@anthropic|Assistant:|Generated by Claude|Machine generated)"; then
       if [ $ERRORS -eq 0 ]; then
         printf "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}\n"
-        echo "Commits with AI attribution:"
+        printf "Commits with AI attribution:\n"
       fi
-      echo "  - $(git log -1 --oneline "$commit_sha")"
+      printf "  - %s\n" "$(git log -1 --oneline "$commit_sha")"
       ERRORS=$((ERRORS + 1))
     fi
   done < <(git rev-list "$range")
 
   if [ $ERRORS -gt 0 ]; then
-    echo ""
-    echo "These commits were likely created with --no-verify, bypassing the"
-    echo "commit-msg hook that strips AI attribution."
-    echo ""
-    echo "To fix:"
-    echo "  git rebase -i $remote_sha"
-    echo "  Mark commits as 'reword', remove AI attribution, save"
-    echo "  git push"
+    printf "\n"
+    printf "These commits were likely created with --no-verify, bypassing the\n"
+    printf "commit-msg hook that strips AI attribution.\n"
+    printf "\n"
+    printf "To fix:\n"
+    printf "  git rebase -i %s\n" "$remote_sha"
+    printf "  Mark commits as 'reword', remove AI attribution, save\n"
+    printf "  git push\n"
   fi
 
   # ============================================================================
   # CHECK 2: File content security checks
   # ============================================================================
-  echo "Checking files for security issues..."
+  printf "Checking files for security issues...\n"
 
   # Get all files changed in these commits.
   CHANGED_FILES=$(git diff --name-only "$range" 2>/dev/null || echo "")
@@ -77,21 +77,21 @@ while read local_ref local_sha remote_ref remote_sha; do
     # Check for sensitive files.
     if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
       printf "${RED}✗ BLOCKED: Attempting to push .env file!${NC}\n"
-      echo "Files: $(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
+      printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for .DS_Store.
     if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
       printf "${RED}✗ BLOCKED: .DS_Store file in push!${NC}\n"
-      echo "Files: $(echo "$CHANGED_FILES" | grep '\.DS_Store')"
+      printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep '\.DS_Store')"
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for log files.
     if echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log' | grep -q .; then
       printf "${RED}✗ BLOCKED: Log file in push!${NC}\n"
-      echo "Files: $(echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log')"
+      printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log')"
       ERRORS=$((ERRORS + 1))
     fi
 
@@ -144,9 +144,9 @@ while read local_ref local_sha remote_ref remote_sha; do
 done
 
 if [ $TOTAL_ERRORS -gt 0 ]; then
-  echo ""
+  printf "\n"
   printf "${RED}✗ Push blocked by mandatory validation!${NC}\n"
-  echo "Fix the issues above before pushing."
+  printf "Fix the issues above before pushing.\n"
   exit 1
 fi
 

.husky/pre-commit

@@ -4,11 +4,11 @@
 if [ -z "${DISABLE_PRECOMMIT_LINT}" ]; then
   pnpm lint --staged
 else
-  echo "Skipping lint due to DISABLE_PRECOMMIT_LINT env var"
+  printf "Skipping lint due to DISABLE_PRECOMMIT_LINT env var\n"
 fi
 
 if [ -z "${DISABLE_PRECOMMIT_TEST}" ]; then
   NODE_COMPILE_CACHE="./.cache" PRE_COMMIT=1 pnpm test --staged
 else
-  echo "Skipping testing due to DISABLE_PRECOMMIT_TEST env var"
+  printf "Skipping testing due to DISABLE_PRECOMMIT_TEST env var\n"
 fi

.husky/security-checks.sh

@@ -28,32 +28,32 @@ fi
 ERRORS=0
 
 # Check for .DS_Store files.
-echo "Checking for .DS_Store files..."
+printf "Checking for .DS_Store files...\n"
 if echo "$STAGED_FILES" | grep -q '\.DS_Store'; then
   printf "${RED}✗ ERROR: .DS_Store file detected!${NC}\n"
   echo "$STAGED_FILES" | grep '\.DS_Store'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for log files.
-echo "Checking for log files..."
+printf "Checking for log files...\n"
 if echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'; then
   printf "${RED}✗ ERROR: Log file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for .env files.
-echo "Checking for .env files..."
+printf "Checking for .env files...\n"
 if echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'; then
   printf "${RED}✗ ERROR: .env or .env.local file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'
-  echo "These files should never be committed. Use .env.example instead."
+  printf "These files should never be committed. Use .env.example instead.\n"
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for hardcoded user paths (generic detection).
-echo "Checking for hardcoded personal paths..."
+printf "Checking for hardcoded personal paths...\n"
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     # Skip test files and hook scripts.
@@ -65,26 +65,26 @@ for file in $STAGED_FILES; do
     if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
       printf "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}\n"
       grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
-      echo "Replace with relative paths or environment variables."
+      printf "Replace with relative paths or environment variables.\n"
       ERRORS=$((ERRORS + 1))
     fi
   fi
 done
 
 # Check for Socket API keys.
-echo "Checking for API keys..."
+printf "Checking for API keys...\n"
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
       printf "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}\n"
       grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
-      echo "If this is a real API key, DO NOT COMMIT IT."
+      printf "If this is a real API key, DO NOT COMMIT IT.\n"
     fi
   fi
 done
 
 # Check for common secret patterns.
-echo "Checking for potential secrets..."
+printf "Checking for potential secrets...\n"
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     # Skip test files, example files, and hook scripts.
@@ -115,9 +115,9 @@ for file in $STAGED_FILES; do
 done
 
 if [ $ERRORS -gt 0 ]; then
-  echo ""
+  printf "\n"
   printf "${RED}✗ Security check failed with $ERRORS error(s).${NC}\n"
-  echo "Fix the issues above and try again."
+  printf "Fix the issues above and try again.\n"
   exit 1
 fi