Add gitleaks pre-commit hook and bump opencode to 1.4.2

.gitleaks.toml

@@ -0,0 +1,18 @@
+# .gitleaks.toml
+# Secret detection config — extends gitleaks default rules
+
+title = "opencode-devbox"
+
+[extend]
+useDefault = true
+
+# Global allowlist — safe files that may contain example keys/patterns
+[[allowlists]]
+description = "Allow example and template files"
+paths = [
+  '''\.env\.example$''',
+  '''\.env\.sample$''',
+  '''\.env\.template$''',
+  '''README\.md$''',
+  '''docs/.*\.md$''',
+]

Dockerfile

@@ -5,7 +5,7 @@ ARG DEBIAN_VERSION=bookworm-slim
 FROM debian:${DEBIAN_VERSION} AS base
 
 ARG TARGETARCH
-ARG OPENCODE_VERSION=1.4.0
+ARG OPENCODE_VERSION=1.4.2
 
 LABEL maintainer="joakimp"
 LABEL description="Portable opencode developer container"

README.md

@@ -17,6 +17,10 @@ cd opencode-devbox
 cp .env.example .env
 # Edit .env with your provider, API key, workspace path, git config
 
+# Install git hooks (secret scanning)
+brew install gitleaks  # one-time
+./setup-hooks.sh
+
 # Build and run
 docker compose run --rm devbox
 ```
@@ -105,12 +109,26 @@ volumes:
   - ./my-opencode.json:/home/developer/.config/opencode/opencode.json:ro
 ```
 
+### Rebuilding the Image
+
+`docker compose run` and `docker compose up` use the existing image — they **do not rebuild** when you change the Dockerfile or build args (e.g. updating `OPENCODE_VERSION`). Rebuild explicitly:
+
+```bash
+# Rebuild then run
+docker compose build
+docker compose run --rm devbox
+
+# Or rebuild and run in one step
+docker compose run --rm --build devbox
+```
+
 ### Build Args
 
-Enable optional language runtimes:
+Enable optional language runtimes or pin a specific opencode version:
 
 ```bash
 docker compose build --build-arg INSTALL_PYTHON=true --build-arg INSTALL_GO=true
+docker compose build --build-arg OPENCODE_VERSION=1.5.0
 ```
 
 | Arg | Default | Description |
@@ -137,6 +155,31 @@ The `--use-device-code` flag outputs a URL and short code instead of trying to o
 
 SSO sessions typically last 8–12 hours before requiring re-authentication.
 
+## Secret Scanning
+
+A [gitleaks](https://github.com/gitleaks/gitleaks) pre-commit hook prevents accidentally committing API keys, passwords, or other secrets.
+
+### Setup
+
+```bash
+brew install gitleaks   # one-time install
+./setup-hooks.sh        # installs the pre-commit hook
+```
+
+The hook runs automatically on every `git commit`. If gitleaks isn't installed, the hook prints a warning and allows the commit (no hard dependency on collaborators).
+
+### Bypass
+
+For legitimate cases (test data, documentation with example keys):
+
+```bash
+git commit --no-verify -m "Add test fixtures"
+```
+
+### Configuration
+
+Allowlisted paths and rules are in `.gitleaks.toml`. The defaults extend gitleaks' built-in rules and allow `.env.example` and documentation files.
+
 ## Architecture
 
 ```

setup-hooks.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+# Install git hooks for this project
+set -e
+
+HOOK_DIR="$(git rev-parse --show-toplevel)/.git/hooks"
+mkdir -p "$HOOK_DIR"
+
+# --- pre-commit hook: secret scanning with gitleaks ---
+cat > "$HOOK_DIR/pre-commit" << 'HOOK'
+#!/bin/bash
+# Pre-commit hook — scans staged files for secrets using gitleaks
+
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo ""
+  echo "⚠️  gitleaks is not installed — skipping secret scan"
+  echo "   Install: brew install gitleaks"
+  echo ""
+  exit 0
+fi
+
+echo "🔒 Scanning for secrets..."
+
+if gitleaks protect --staged --no-banner 2>/dev/null; then
+  echo "✅ No secrets detected"
+  exit 0
+else
+  echo ""
+  echo "❌ Secrets detected in staged changes — commit blocked"
+  echo ""
+  echo "   Details:  gitleaks protect --staged --verbose"
+  echo "   Bypass:   git commit --no-verify"
+  echo ""
+  exit 1
+fi
+HOOK
+
+chmod +x "$HOOK_DIR/pre-commit"
+echo "✅ Pre-commit hook installed (.git/hooks/pre-commit)"