fix(hooks): add -- to grep for private key pattern

[John-David Dalton (jdalton)]

The private key grep pattern starts with dashes which grep interprets as options. Add -- to signal end of options.

---

Note

Medium Risk
Changes pre-push secret scanning behavior by inspecting binary files via strings and reworking all checks to operate on extracted content, which could introduce new false positives/negatives and unexpectedly block pushes.

Overview
Improves the .git-hooks/pre-push secret scanner by normalizing file inspection: it now detects binary files and scans strings output instead of grepping raw bytes, while keeping text files scanned directly.

Updates all secret/path detectors to operate on the extracted file_text, and hardens the private-key check by using grep -- so the -----BEGIN ... pattern isn’t treated as an option.

^{Reviewed by Cursor Bugbot for commit fa4ebfd. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issue.}

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit fa4ebfd. Configure here.}

[cursor]

Companion security-checks.sh not kept in sync as required

Medium Severity

Line 5 of this file states "Security checks parallel .husky/security-checks.sh — keep in sync." The -- fix for the private key grep pattern and the binary file handling were only applied here, but .husky/security-checks.sh (line 110) still uses the old grep -E '-----BEGIN ...' pattern without --. This means the pre-commit hook still has the original bug where the dash-prefixed pattern can be misinterpreted as grep options.

Additional Locations (1)

• .git-hooks/pre-push#L4-L5

 

^{Reviewed by Cursor Bugbot for commit fa4ebfd. Configure here.}

[John-David Dalton (jdalton)]

Merged into #1196