Fix contribution hooks and setup

.github/actionlint.yaml

@@ -1,3 +1,4 @@
+---
 self-hosted-runner:
   labels:
     - ubuntu24.04-amd64-8-core

.github/renovate.json5

@@ -49,4 +49,4 @@
       },
     ],
     ignorePaths: [],
-  }
+  }

.gitignore

@@ -177,3 +177,6 @@ dataset/
 *.json
 *.csv
 !failed_flag_submissions.csv
+
+.task
+.envrc

.hooks/check_pinned_hash_dependencies.py

@@ -2,17 +2,16 @@
 import re
 import sys
 from pathlib import Path
-from typing import List, Tuple
 
 
 class GitHubActionChecker:
-    def __init__(self):
+    def __init__(self) -> None:
         # Pattern for actions with SHA-1 hashes (pinned)
         self.pinned_pattern = re.compile(r"uses:\s+([^@\s]+)@([a-f0-9]{40})")
 
         # Pattern for actions with version tags (unpinned)
         self.unpinned_pattern = re.compile(
-            r"uses:\s+([^@\s]+)@(v\d+(?:\.\d+)*(?:-[a-zA-Z0-9]+(?:\.\d+)*)?)"
+            r"uses:\s+([^@\s]+)@(v\d+(?:\.\d+)*(?:-[a-zA-Z0-9]+(?:\.\d+)*)?)",
         )
 
         # Pattern for all uses statements
@@ -30,19 +29,19 @@ def format_terminal_link(self, file_path: str, line_number: int) -> str:
         """
         return f"{file_path}:{line_number}"
 
-    def get_line_numbers(self, content: str, pattern: re.Pattern) -> List[Tuple[str, int]]:
+    def get_line_numbers(self, content: str, pattern: re.Pattern[str]) -> list[tuple[str, int]]:
         """Find matches with their line numbers."""
-        matches = []
-        for i, line in enumerate(content.splitlines(), 1):
-            for match in pattern.finditer(line):
-                matches.append((match.group(0), i))
-        return matches
+        return [
+            (match.group(0), i)
+            for i, line in enumerate(content.splitlines(), 1)
+            for match in pattern.finditer(line)
+        ]
 
     def check_file(self, file_path: str) -> bool:
         """Check a single file for unpinned dependencies."""
         try:
             content = Path(file_path).read_text()
-        except Exception as e:
+        except OSError as e:
             print(f"\033[91mError reading file {file_path}: {e}\033[0m")
             return False
 
@@ -88,7 +87,7 @@ def check_file(self, file_path: str) -> bool:
             print("\033[91m[!] Completely unpinned (no SHA or version):\033[0m")
             for match, line_num in unpinned_without_hash:
                 print(
-                    f" |- {match} \033[90m({self.format_terminal_link(file_path, line_num)})\033[0m"
+                    f" |- {match} \033[90m({self.format_terminal_link(file_path, line_num)})\033[0m",
                 )
 
         # Print summary
@@ -105,7 +104,7 @@ def check_file(self, file_path: str) -> bool:
         return not has_errors
 
 
-def main():
+def main() -> None:
     checker = GitHubActionChecker()
     files_to_check = sys.argv[1:]
 

.hooks/generate_pr_description.py

@@ -1,3 +1,4 @@
+#!/usr/bin/env python3
 # /// script
 # requires-python = ">=3.10"
 # dependencies = [
@@ -7,11 +8,12 @@
 # ///
 
 import asyncio
+import shutil
 import subprocess
 import typing as t
 
 import rigging as rg
-import typer
+import typer  # type: ignore [import-not-found, misc]
 
 TRUNCATION_WARNING = (
     "\n---\n**Note**: Due to the large size of this diff, some content has been truncated."
@@ -41,27 +43,28 @@ def get_diff(base_ref: str, source_ref: str, *, exclude: list[str] | None = None
     """
     Get the git diff between two branches.
     """
+    git_path = shutil.which("git")
+    if git_path is None:
+        raise RuntimeError("Git executable not found in PATH")
 
-    merge_base = subprocess.run(
-        ["git", "merge-base", source_ref, base_ref],
+    merge_base = subprocess.run(  # noqa: S603 # Safe: git_path is validated via shutil.which
+        [git_path, "merge-base", source_ref, base_ref],
         capture_output=True,
         text=True,
         check=True,
     ).stdout.strip()
 
-    diff_command = ["git", "diff", "--no-color", merge_base, source_ref]
+    diff_command = [git_path, "diff", "--no-color", merge_base, source_ref]
     if exclude:
         diff_command.extend(["--", ".", *[f":(exclude){path}" for path in exclude]])
 
-    diff_text = subprocess.run(
+    return subprocess.run(  # noqa: S603 # Safe: git_path is validated via shutil.which
         diff_command,
         capture_output=True,
         text=True,
         check=True,
     ).stdout
 
-    return diff_text
-
 
 def main(
     base_ref: str = "origin/main",

.hooks/post_merge.sh

@@ -1,38 +1,19 @@
 #!/bin/bash
 
 # Get pre-merge hash from the target branch
-old_hash=$(git show ORIG_HEAD:poetry.lock | md5sum 2> /dev/null || echo "")
+old_hash=$(git show ORIG_HEAD:uv.lock | md5sum 2> /dev/null || echo "")
 
 # Get current hash
-new_hash=$(md5sum poetry.lock 2> /dev/null || echo "")
+new_hash=$(md5sum uv.lock 2> /dev/null || echo "")
 
-# Compare and run poetry install if changed
+# Compare and run uv sync if changed
 if [ "$old_hash" != "$new_hash" ]; then
-    echo "📦 Root dependencies changed. Running poetry install..."
-    poetry install || {
+    echo "📦 Root dependencies changed. Running uv sync..."
+    uv sync || {
         echo "❌ Failed to update dependencies"
         exit 1
     }
     echo "✅ Root dependencies updated!"
 else
     echo "📦 No root dependency changes"
 fi
-
-# Get pre-merge hash from the target branch
-old_hash=$(git show ORIG_HEAD:components/api/poetry.lock | md5sum 2> /dev/null || echo "")
-
-# Get current hash
-new_hash=$(md5sum components/api/poetry.lock 2> /dev/null || echo "")
-
-# Compare and run poetry install if changed
-if [ "$old_hash" != "$new_hash" ]; then
-    echo "📦 API dependencies changed. Running poetry install..."
-    cd components/api || exit
-    if ! poetry install --with dev; then
-        echo "❌ Failed to update dependencies"
-        exit 1
-    fi
-    echo "✅ API dependencies updated!"
-else
-    echo "📦 No API dependency changes"
-fi

.secrets.baseline

@@ -0,0 +1,127 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {},
+  "generated_at": "2025-07-14T12:43:03Z"
+}

.vscode/settings.json

@@ -15,4 +15,4 @@
   "mypy.runUsingActiveInterpreter": true,
   "debugpy.debugJustMyCode": false,
   "jupyter.debugJustMyCode": false
-}
+}

LICENSE

@@ -198,4 +198,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.