tinqs/blog
5
0
Fork 0
Code Pull Requests Actions Packages Projects Releases Wiki Activity Issues
Files
074fa08bb7ffce9feb84acad15f2696f763eac15
blog/pre-commit-agent.html
T

348 lines
14 KiB
HTML
Preview Source Fullscreen
Raw Blame History

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>A Pre-Commit Agent That Guards Your Secrets for $0.001 — Tinqs Blog</title>
<meta name="description" content="We built a pre-commit hook that calls DeepSeek V4 Flash to review every commit. It catches leaked API keys, classified terms, broken URLs, and drafts announcements — for a tenth of a cent per commit.">
<meta name="robots" content="index, follow">
<link rel="canonical" href="https://www.tinqs.com/blog/pre-commit-agent">
<meta property="og:type" content="article">
<meta property="og:url" content="https://www.tinqs.com/blog/pre-commit-agent">
<meta property="og:title" content="A Pre-Commit Agent That Guards Your Secrets for $0.001">
<meta property="og:description" content="A DeepSeek-powered pre-commit hook that catches leaks for $0.001/commit.">
<meta property="og:image" content="https://www.tinqs.com/img/og-cover.jpg">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="A Pre-Commit Agent That Guards Your Secrets for $0.001">
<meta name="twitter:description" content="A DeepSeek-powered pre-commit hook that catches leaks for $0.001/commit.">
<meta name="twitter:image" content="https://www.tinqs.com/img/og-cover.jpg">
<script type="application/ld+json">
{
"@context": "https://schema.org",
"@type": "BlogPosting",
"headline": "A Pre-Commit Agent That Guards Your Secrets for $0.001",
"datePublished": "2026-05-25",
"author": {
"@type": "Person",
"name": "Ozan Bozkurt"
},
"publisher": {
"@type": "Organization",
"name": "Tinqs Limited",
"url": "https://www.tinqs.com"
},
"description": "We built a pre-commit hook that calls DeepSeek V4 Flash to review every commit. It catches leaked API keys, classified terms, broken URLs, and drafts announcements — for a tenth of a cent per commit."
}
</script>
<style>
/* ── Self-contained post styles (Studio provides site chrome) ── */
:root {
--c-accent: #c9935a;
--c-accent-l: #d4a87c;
--c-bg: #0d1117;
--c-text: #e6edf3;
--c-muted: #9aa7b4;
--c-border: #2a3340;
--c-blue: #38bdf8;
--c-purple: #a855f7;
--c-gold: #f59e0b;
--c-code-bg: #1c2230;
--c-pre-bg: #0a0e14;
}
*, *::before, *::after { box-sizing: border-box; }
body {
margin: 0;
padding: 0;
background: transparent;
color: var(--c-text);
font-family: system-ui, -apple-system, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif;
line-height: 1.6;
-webkit-font-smoothing: antialiased;
}
/* ── Post container ── */
.post {
max-width: 720px;
margin: 0 auto;
padding: 40px 24px 48px;
}
/* ── Back link ── */
.post__back {
color: var(--c-blue);
text-decoration: none;
font-size: 0.9rem;
display: inline-block;
margin-bottom: 24px;
}
.post__back:hover { color: var(--c-purple); }
/* ── Gradient title ── */
.post__title {
background: linear-gradient(90deg, #c9935a, #f59e0b 40%, #38bdf8);
-webkit-background-clip: text;
background-clip: text;
color: transparent;
font-weight: 800;
font-size: 2.2rem;
line-height: 1.25;
margin: 0 0 16px;
}
/* ── Date pill ── */
.post__date {
display: inline-block;
font-family: ui-monospace, 'SF Mono', 'Cascadia Code', Consolas, monospace;
font-size: 0.72rem;
letter-spacing: 0.22em;
text-transform: uppercase;
color: var(--c-blue);
border: 1px solid rgba(147, 140, 129, 0.25);
border-radius: 999px;
padding: 4px 14px;
margin-bottom: 16px;
}
/* ── Lead ── */
.post__lead {
color: var(--c-muted);
font-size: 1.08rem;
line-height: 1.7;
}
/* ── Body ── */
.post__body { font-size: 1rem; line-height: 1.7; }
.post__body p { margin: 14px 0; }
.post__body h2 {
font-size: 1.7rem;
margin: 54px 0 6px;
padding-left: 16px;
border-left: 4px solid var(--c-accent);
line-height: 1.3;
}
.post__body h3 {
color: var(--c-purple);
font-size: 1.18rem;
margin: 30px 0 4px;
}
.post__body h4, .post__body h5, .post__body h6 {
margin: 20px 0 4px;
}
/* ── Inline code ── */
.post__body code {
font-family: ui-monospace, 'SF Mono', 'Cascadia Code', Consolas, monospace;
font-size: 0.86em;
background: var(--c-code-bg);
color: #9fe6c0;
padding: 2px 6px;
border-radius: 5px;
border: 1px solid var(--c-border);
}
/* ── Code blocks ── */
.post__body pre {
background: var(--c-pre-bg);
border: 1px solid var(--c-border);
border-radius: 10px;
padding: 16px 18px;
overflow-x: auto;
margin: 14px 0;
font-family: ui-monospace, 'SF Mono', 'Cascadia Code', Consolas, monospace;
font-size: 0.85rem;
line-height: 1.55;
color: var(--c-text);
}
.post__body pre code {
background: transparent;
padding: 0;
border: none;
font-size: inherit;
color: inherit;
border-radius: 0;
}
/* ── Blockquote ── */
.post__body blockquote {
background: rgba(245, 158, 11, 0.08);
border: 1px solid rgba(245, 158, 11, 0.25);
border-left: 4px solid var(--c-gold);
border-radius: 0 12px 12px 0;
padding: 16px 18px;
margin: 18px 0;
color: #f4e3c4;
font-size: 0.94rem;
}
/* ── Links ── */
.post__body a { color: var(--c-blue); }
.post__body a:hover { color: var(--c-purple); }
/* ── Strong ── */
.post__body strong { color: var(--c-gold); }
/* ── HR ── */
.post__body hr {
border: none;
border-top: 1px solid var(--c-border);
margin: 32px 0;
}
/* ── Figures ── */
.post__body figure { margin: 20px 0; }
.post__body figure img {
max-width: 100%;
border-radius: 12px;
border: 1px solid var(--c-border);
}
.post__body figcaption {
color: var(--c-muted);
font-size: 0.85rem;
margin-top: 6px;
}
/* ── Lists ── */
.post__body ul, .post__body ol { padding-left: 1.5em; margin: 10px 0; }
.post__body li { margin: 4px 0; }
/* ── Author ── */
.post__author {
display: flex;
align-items: center;
gap: 14px;
margin-top: 48px;
padding-top: 24px;
border-top: 1px solid var(--c-border);
}
.post__author-avatar {
width: 48px;
height: 48px;
border-radius: 50%;
background: var(--c-accent);
color: var(--c-bg);
display: flex;
align-items: center;
justify-content: center;
font-weight: 700;
font-size: 0.85rem;
flex-shrink: 0;
}
.post__author-info {
font-size: 0.85rem;
color: var(--c-muted);
line-height: 1.4;
}
.post__author-name {
color: var(--c-text);
font-weight: 600;
}
</style>
</head>
<body>
<!-- POST -->
<article class="post">
<a href="/blog/" class="post__back">&larr; All Posts</a>
<span class="post__date">25 May 2026</span>
<h1 class="post__title">A Pre-Commit Agent That Guards Your Secrets for $0.001</h1>
<p class="post__lead">Every small team has the same problem: too many things to remember before <code>git commit</code>. Don't leak API keys. Don't reference the classified AI codename in public posts. Don't link to GitHub repos we deleted six months ago. Don't push a blog post with a 90-character title.</p>
<div class="post__body">
<p>A checklist in the README doesn't work. Humans skip checklists. Code review catches some issues but not all — reviewers focus on logic, not whether a URL points to a deleted org.</p>
<p>We built a pre-commit hook with two layers: a regex blocklist that's instant and free, and an LLM review that costs $0.001. Together they catch everything.</p>
<h2>Layer 1: Regex blocklist (0ms, $0.00)</h2>
<p>A text file of patterns, each tagged with scope and message:</p>
<pre><code>public|\bCosmos\b|Classified codename — use "advanced colonist AI"
all|github\.com/(tinqs-ltd|tinqs)/|GitHub repos deleted — use tinqs.com
all|sk-[a-zA-Z0-9]{20,}|Possible API key leaked
all|AKIA[A-Z0-9]{16}|AWS access key leaked
public|admin\.arikigame\.com|Internal admin URL in public content</code></pre>
<p>The scope field controls where patterns apply. <code>all</code> means every file. <code>public</code> means only public-facing content — blog posts, website, marketing pages. We <em>want</em> classified codenames in internal architecture docs. We just don't want them in blog posts.</p>
<p>The blocklist runs grep against the staged diff. No network call, no API, no latency. Match found → commit blocked immediately with file path and explanation. This catches 80% of issues before the LLM wakes up.</p>
<h2>Layer 2: DeepSeek V4 Flash review (~4s, $0.001)</h2>
<p>If the commit touches public-facing files, the hook sends the staged diff to DeepSeek V4 Flash. The system prompt tells it exactly what to check:</p>
<ul>
<li><strong>Leaked secrets</strong> — API keys, tokens, credentials the regex might have missed</li>
<li><strong>Classified terms</strong> — codenames not yet in the blocklist</li>
<li><strong>Internal URLs</strong> — references to services that shouldn't be public</li>
<li><strong>Blog quality</strong> — title length, meta description, slug consistency</li>
<li><strong>Broken links</strong> — malformed URLs, obvious typos</li>
<li><strong>Announcements</strong> — if it's a new blog post, draft a one-line summary</li>
</ul>
<p>The model responds with structured JSON: <code>errors</code> (block) or <code>warnings</code> (inform but allow). If the API is unreachable or times out, the commit proceeds — the hook never blocks work for infrastructure reasons.</p>
<h2>The architecture</h2>
<pre><code>git commit
Phase 0: Collect staged diff + classify files (public vs internal)
Phase 1: Regex blocklist scan (instant, free)
→ Match → BLOCK
→ Clean → continue
Phase 2: Public files changed?
→ No → exit 0 (skip AI review, zero cost)
→ Yes → send diff to DeepSeek V4 Flash
Phase 3: Parse JSON response
→ Errors → BLOCK
→ Warnings → print, exit 0
→ Announcement → print draft
→ API failure → warn, exit 0 (never block on infra)</code></pre>
<p>The hook lives in <code>.githooks/</code> — committed, version-controlled, shared by the team. A setup script points <code>git config core.hooksPath</code> there.</p>
<h2>What it costs</h2>
<p>| | Tokens | Cost |</p>
<p>|&ndash;|&mdash;&mdash;&ndash;|&mdash;&mdash;|</p>
<p>| Input (prompt + diff) | ~4,000 | $0.00056 |</p>
<p>| Output (JSON response) | ~200 | $0.00006 |</p>
<p>| <strong>Per commit</strong> | | <strong>$0.00062</strong> |</p>
<p>A tenth of a cent. Twenty commits a day: $0.012/day. About <strong>$0.40/month</strong>. Commits that only touch internal files skip the AI review entirely — zero cost.</p>
<h2>What it caught (first week)</h2>
<ul>
<li><strong>2 classified codename leaks</strong> in draft blog posts — caught by blocklist</li>
<li><strong>1 GitHub URL</strong> from an old copy-paste — caught by blocklist</li>
<li><strong>3 blog SEO warnings</strong> — titles over 60 chars, missing og_description — caught by AI</li>
<li><strong>1 announcement draft</strong> auto-generated when a new post was committed</li>
</ul>
<p>Zero false positives on the blocklist. Two false positives from the AI — flagged an internal URL in a code example that was clearly illustrative. We added a note to the prompt: ignore URLs inside fenced code blocks.</p>
<h2>Setup</h2>
<pre><code class="language-bash">bash scripts/setup-hooks.sh # or .\scripts\setup-hooks.ps1 on Windows
export TINQS_HOOK_TOKEN=&lt;your-token&gt; # same PAT used for git push</code></pre>
<p>That's it. Every <code>git commit</code> runs the two-layer review. Bypass with <code>git commit &ndash;no-verify</code> for emergencies.</p>
<h2>The pattern: guard rails at the edge</h2>
<p>This is the same principle we apply everywhere: put the guard rail where the action happens. Don't rely on a human checklist. Don't wait for code review. Don't hope someone remembers.</p>
<p>The pre-commit hook is $0.001 of prevention. A leaked API key in a public post is hours of rotation, revocation, and audit. A classified codename in a blog post is a confidentiality breach. A dead link is a broken experience nobody notices for weeks.</p>
<p>The tools exist. DeepSeek V4 Flash is cheap enough to call on every commit. The hook is 150 lines of bash. The blocklist is a text file. Total infrastructure cost: zero — it runs on the developer's machine, calls an API we already pay for, adds 4 seconds to the commit flow.</p>
<hr>
<p><em>The pre-commit hook is part of <a href="https://tinqs.com" style="color: var(&ndash;c-accent-l);">Tinqs Studio</a>. The inference proxy, blocklist patterns, and review prompt are open and reusable. Every commit in <a href="https://arikigame.com" style="color: var(&ndash;c-accent-l);">Ariki</a> runs through the same guard.</em></p>
</div>
<div class="post__author">
<div class="post__author-avatar">OB</div>
<div class="post__author-info">
<span class="post__author-name">Ozan Bozkurt</span><br>
CTO & Developer, Tinqs
</div>
</div>
</article>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink