From db8fd1f26ab6b8d82d846dd972dc1091446d1998 Mon Sep 17 00:00:00 2001
From: nocoo
Date: Thu, 16 Apr 2026 06:10:38 +0800
Subject: [PATCH 1/4] feat(6dq): add husky hooks for L0 compliance
- pre-commit: lint + typecheck across all workspaces
- pre-push: test + typecheck across all workspaces
---
 .husky/pre-commit | 2 ++
 .husky/pre-push | 2 ++
 bun.lock | 5 +++++
 package.json | 11 +++++++++--
 4 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100755 .husky/pre-commit
 create mode 100755 .husky/pre-push
diff --git a/.husky/pre-commit b/.husky/pre-commit
new file mode 100755
index 0000000..f7cd706
--- /dev/null
+++ b/.husky/pre-commit
@@ -0,0 +1,2 @@
+bun run lint
+bun run typecheck
diff --git a/.husky/pre-push b/.husky/pre-push
new file mode 100755
index 0000000..045577c
--- /dev/null
+++ b/.husky/pre-push
@@ -0,0 +1,2 @@
+bun run test
+bun run typecheck
diff --git a/bun.lock b/bun.lock
index abf22cb..314ea96 100644
--- a/bun.lock
+++ b/bun.lock
@@ -4,6 +4,9 @@
 "workspaces": {
 "": {
 "name": "flow",
+ "devDependencies": {
+ "husky": "^9.1.7",
+ },
 },
 "apps/api": {
 "name": "api",
@@ -537,6 +540,8 @@
 "html-escaper": ["html-escaper@2.0.2", "", {}, "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg=="],
+ "husky": ["husky@9.1.7", "", { "bin": { "husky": "bin.js" } }, "sha512-5gs5ytaNjBrh5Ow3zrvdUUY+0VxIuWVL4i9irt6friV+BqdCfmV11CQTWMiBYWHbXhco+J1kHfTOUkePhCDvMA=="],
+
 "ignore": ["ignore@5.3.2", "", {}, "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g=="],
 "import-fresh": ["import-fresh@3.3.1", "", { "dependencies": { "parent-module": "^1.0.0", "resolve-from": "^4.0.0" } }, "sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ=="],
diff --git a/package.json b/package.json
index 3320a6c..e2986d4 100644
--- a/package.json
+++ b/package.json
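Review bot: Both hook files rely on husky's runner executing them with `sh -e` for a failing `bun run lint` to stop `bun run typecheck`; that is husky 9 behaviour as far as I know, but the hook itself carries no `set -e` or `&&`, so the same two lines run any other way would continue past a failure — `bun run lint && bun run typecheck` makes the intent explicit and costs nothing. The pre-commit hook also runs the root `--filter '*'` scripts over every workspace regardless of which files are staged; that scales poorly in a monorepo, and slow hooks are the usual reason developers start committing with `--no-verify`, which a client-side hook cannot prevent. Since the hooks are advisory by nature, the CI gate enabled in patch 3/4 is the actual L0 control, and the commit message could say so. The same points apply to `.husky/pre-push`.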
@@ -1,17 +1,24 @@
 {
 "name": "flow",
 "private": true,
- "workspaces": ["apps/*", "packages/*"],
+ "workspaces": [
+ "apps/*",
+ "packages/*"
+ ],
 "scripts": {
 "dev": "bun run --filter '*' dev",
 "dev:web": "bun run --filter web dev",
 "dev:api": "bun run --filter api dev",
 "lint": "bun run --filter '*' lint",
 "test": "bun run --filter '*' test",
- "typecheck": "bun run --filter '*' typecheck"
+ "typecheck": "bun run --filter '*' typecheck",
+ "prepare": "husky"
 },
 "overrides": {
 "picomatch": "^4.0.4",
 "vite": "^8.0.5"
+ },
+ "devDependencies": {
+ "husky": "^9.1.7"
 }
 }
From 4697f9a63cf34047e94a15e76f71f92a97a4f83b Mon Sep 17 00:00:00 2001
From: nocoo
Date: Thu, 16 Apr 2026 06:11:03 +0800
Subject: [PATCH 2/4] feat(6dq): add security configs for G2 compliance
- .gitleaks.toml: secret scanning with default rules
- osv-scanner.toml: dependency vulnerability scanning
---
 .gitleaks.toml | 8 ++++++++
 osv-scanner.toml | 6 ++++++
 2 files changed, 14 insertions(+)
 create mode 100644 .gitleaks.toml
 create mode 100644 osv-scanner.toml
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..f2b2925
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,8 @@
+[extend]
+useDefault = true
+
+[allowlist]
+paths = [
+ '''bun\.lock''',
+ '''package-lock\.json''',
+]
diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 0000000..6a214e9
--- /dev/null
+++ b/osv-scanner.toml
@@ -0,0 +1,6 @@
+[[PackageOverrides]]
+# Add known false positives below
+# name = "example-package"
+# ecosystem = "npm"
+# ignore = true
+# reason = "false positive"
From ab4f1c47e11480dd7d206b3d3436d05ed2e3230b Mon Sep 17 00:00:00 2001
From: nocoo
Date: Thu, 16 Apr 2026 06:11:23 +0800
Subject: [PATCH 3/4] feat(6dq): enable security scanning in CI
Enable gitleaks + osv-scanner in the base-ci workflow.
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a6c183c..a31c191 100644
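Review bot: `"prepare": "husky"` runs on every `bun install`, including production or container installs that omit devDependencies; with husky absent the script fails and takes the whole install down with it. If that matters for this repo's deploy path, tolerate a missing binary (`"prepare": "husky || true"`) or set `HUSKY=0` in those environments; I have not verified how bun orders lifecycle scripts for dev-less installs, so check before relying on either. The caret range `^9.1.7` is fine given the lockfile pins 9.1.7 with its integrity hash, and the `workspaces` reflow is cosmetic.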
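Review bot: The `[allowlist] paths` entries exclude `bun.lock` and `package-lock.json` from scanning altogether, presumably to silence the `sha512-…` integrity hashes; that also hides a genuine credential that lands in a lockfile, for example a token baked into a private-registry resolved URL. A narrower exclusion under `[allowlist] regexes` that matches the integrity-hash shape keeps the files scanned for everything else. Both patterns appear to be unanchored substring regexes, so `bun\.lock` also matches `bun.lockb` or any nested `…/bun.lock.bak`; anchor them (`'''^bun\.lock$'''`) if only the root lockfiles are meant. The bundled default rules may already carry lockfile allowlists, so confirm which of these entries are actually needed.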
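Review bot: `[[PackageOverrides]]` on the first line declares one real override entry whose `name`, `ecosystem` and `version` are all empty because every field below it is commented out; I have not checked how osv-scanner matches an entry with all selectors blank, so whether this is inert or a wildcard should be verified rather than assumed. The safe form is to comment the header too (`# [[PackageOverrides]]`) and uncomment the whole block when the first real override is needed, which also keeps the file a no-op for the `osv-config` input wired in patch 4/4. When overrides are added, keep `reason` mandatory and revisit them on a schedule so an ignore does not outlive the false positive it was created for.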
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,6 +11,6 @@ jobs:
 uses: nocoo/base-ci/.github/workflows/bun-quality.yml@v2026
 with:
 test-command: "bun run test"
- enable-security: "false"
+ enable-security: "true"
 enable-l2: "false"
 secrets: inherit
From 1a8d889c355e9de2e58926dc05bdc36edd261421 Mon Sep 17 00:00:00 2001
From: nocoo
Date: Thu, 16 Apr 2026 07:10:11 +0800
Subject: [PATCH 4/4] fix(ci): wire osv-config into reusable workflow
---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a31c191..73f25dc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,5 +12,6 @@ jobs:
 with:
 test-command: "bun run test"
 enable-security: "true"
+ osv-config: "osv-scanner.toml"
 enable-l2: "false"
 secrets: inherit
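Review bot: Setting `enable-security: "true"` delegates what "security scanning" means to `nocoo/base-ci/.github/workflows/bun-quality.yml@v2026`, a mutable tag on the context line above, so the gitleaks and osv-scanner behaviour this repo now depends on can change without a diff here; pinning the `uses:` ref to a full commit SHA (tag kept in a trailing comment) is the usual supply-chain hardening for reusable workflows. Also worth confirming in the reusable workflow that both scanners fail the job rather than only annotate, otherwise the G2 gate is advisory. The input is passed as the string `"true"`, consistent with `enable-l2`; that is correct only if the reusable workflow declares these inputs as `type: string`.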