<metaname="description"content="We built a pre-commit hook that calls DeepSeek V4 Flash to review every commit. It catches leaked API keys, classified terms, broken URLs, and drafts announcements — for a tenth of a cent per commit.">
"description":"We built a pre-commit hook that calls DeepSeek V4 Flash to review every commit. It catches leaked API keys, classified terms, broken URLs, and drafts announcements — for a tenth of a cent per commit."
<pclass="post__lead">Every small team has the same problem: too many things to remember before <code>git commit</code>. Don't leak API keys. Don't reference the classified AI codename in public posts. Don't link to GitHub repos we deleted six months ago. Don't push a blog post with a 90-character title.</p>
<p>A checklist in the README doesn't work. Humans skip checklists. Code review catches some issues but not all — reviewers focus on logic, not whether a URL points to a deleted org.</p>
<p>We built a pre-commit hook with two layers: a regex blocklist that's instant and free, and an LLM review that costs $0.001. Together they catch everything.</p>
<h2>Layer 1: Regex blocklist (0ms, $0.00)</h2>
<p>A text file of patterns, each tagged with scope and message:</p>
<pre><code>public|\b<internal-codename>\b|Classified codename — use the public-facing alias
public|admin\.<internal-domain>|Internal admin URL in public content</code></pre>
<p>The scope field controls where patterns apply. <code>all</code> means every file. <code>public</code> means only public-facing content — blog posts, website, marketing pages. We <em>want</em> classified codenames in internal architecture docs. We just don't want them in blog posts.</p>
<p>The blocklist runs grep against the staged diff. No network call, no API, no latency. Match found → commit blocked immediately with file path and explanation. This catches 80% of issues before the LLM wakes up.</p>
<p>If the commit touches public-facing files, the hook sends the staged diff to DeepSeek V4 Flash. The system prompt tells it exactly what to check:</p>
<ul>
<li><strong>Leaked secrets</strong> — API keys, tokens, credentials the regex might have missed</li>
<li><strong>Classified terms</strong> — codenames not yet in the blocklist</li>
<li><strong>Internal URLs</strong> — references to services that shouldn't be public</li>
<li><strong>Blog quality</strong> — title length, meta description, slug consistency</li>
<li><strong>Announcements</strong> — if it's a new blog post, draft a one-line summary</li>
</ul>
<p>The model responds with structured JSON: <code>errors</code> (block) or <code>warnings</code> (inform but allow). If the API is unreachable or times out, the commit proceeds — the hook never blocks work for infrastructure reasons.</p>
→ API failure → warn, exit 0 (never block on infra)</code></pre>
<p>The hook lives in <code>.githooks/</code> — committed, version-controlled, shared by the team. A setup script points <code>git config core.hooksPath</code> there.</p>
<p>A tenth of a cent. Twenty commits a day: $0.012/day. About <strong>$0.40/month</strong>. Commits that only touch internal files skip the AI review entirely — zero cost.</p>
<h2>What it caught (first week)</h2>
<ul>
<li><strong>2 classified codename leaks</strong> in draft blog posts — caught by blocklist</li>
<li><strong>1 GitHub URL</strong> from an old copy-paste — caught by blocklist</li>
<li><strong>3 blog SEO warnings</strong> — titles over 60 chars, missing og_description — caught by AI</li>
<li><strong>1 announcement draft</strong> auto-generated when a new post was committed</li>
</ul>
<p>Zero false positives on the blocklist. Two false positives from the AI — flagged an internal URL in a code example that was clearly illustrative. We added a note to the prompt: ignore URLs inside fenced code blocks.</p>
<h2>Setup</h2>
<pre><codeclass="language-bash">bash scripts/setup-hooks.sh # or .\scripts\setup-hooks.ps1 on Windows
export TINQS_HOOK_TOKEN=<your-token> # same PAT used for git push</code></pre>
<p>That's it. Every <code>git commit</code> runs the two-layer review. Bypass with <code>git commit –no-verify</code> for emergencies.</p>
<h2>The pattern: guard rails at the edge</h2>
<p>This is the same principle we apply everywhere: put the guard rail where the action happens. Don't rely on a human checklist. Don't wait for code review. Don't hope someone remembers.</p>
<p>The pre-commit hook is $0.001 of prevention. A leaked API key in a public post is hours of rotation, revocation, and audit. A classified codename in a blog post is a confidentiality breach. A dead link is a broken experience nobody notices for weeks.</p>
<p>The tools exist. DeepSeek V4 Flash is cheap enough to call on every commit. The hook is 150 lines of bash. The blocklist is a text file. Total infrastructure cost: zero — it runs on the developer's machine, calls an API we already pay for, adds 4 seconds to the commit flow.</p>
<hr>
<p><em>The pre-commit hook is part of <ahref="https://tinqs.com"style="color: var(--c-lime);">Tinqs Studio</a>. The inference proxy, blocklist patterns, and review prompt are open and reusable. Every commit in <ahref="https://arikigame.com"style="color: var(--c-lime);">Ariki</a> runs through the same guard.</em></p>
