#!/bin/sh
# Pre-commit guard — block committing a typosquat/forbidden dependency
# (loadash, lodash, lodahs, …). Local mirror of the CI gate
# (scripts/check-deps-typosquats.js, run in the `test` job of .github/workflows/scan.yml)
# and defense-in-depth with the package.json `preinstall` denylist.
#
# Enable once per clone:  git config core.hooksPath .githooks
#
# This repo uses NEITHER lodash NOR loadash (CLAUDE.md interdiction). The loadash
# typosquat has re-entered package.json repeatedly; this stops it at commit time.

node scripts/check-deps-typosquats.js
status=$?
if [ "$status" -ne 0 ]; then
  echo "pre-commit: ABORTED — remove the typosquat dependency from package.json (see above)." >&2
  exit 1
fi
exit 0
