This file provides context for AI coding assistants and developers working on the rh-ai-hooks project.
Name: rh-ai-hooks Purpose: Pre-commit hooks to help Red Hat teams adopt AI coding assistants responsibly Repository: https://github.com/openshift-hyperfleet/rh-hooks-ai Language: Python 3 (hooks), Bash (bootstrap scripts) Framework: pre-commit.com hook system
Goal: Make it easy for Red Hat development teams to:
- Enforce baseline security compliance (rh-pre-commit)
- Maintain quality AI context files (AGENTS.md)
- Encourage AI attribution transparency
- Stay up-to-date with hook improvements
rh-ai-hooks/
├── hooks/ # Hook implementations (Python scripts)
│ ├── check_rh_precommit.py # Enforces rh-pre-commit installation
│ ├── validate_agents_md.py # Validates AGENTS.md quality
│ ├── ai_attribution_reminder.py # One-time AI attribution tip
│ └── check_version.py # Optional version update checker
├── configs/
│ └── baseline.yaml # Example .pre-commit-config.yaml for users
├── templates/
│ ├── AGENTS.md.template # Template for user repos
│ └── gitmessage.txt # Git commit message template
├── bootstrap/
│ └── quick-setup.sh # One-command setup script
├── .github/workflows/
│ └── release-please.yml # Automated release workflow
├── .pre-commit-hooks.yaml # Hook registry for pre-commit
├── .pre-commit-config.yaml # Hooks used BY this repo (dogfooding)
└── CHANGELOG.md # Auto-generated by release-please
All hooks use language: script in .pre-commit-hooks.yaml:
- Scripts run directly (no Python package installation needed)
- All scripts have shebang:
#!/usr/bin/env python3 - Cross-platform compatible (Linux, macOS, Windows)
Automated via GitHub Actions:
- Conventional commits determine version bumps
- release-please creates release PRs with CHANGELOG
- When merged, GitHub release is tagged
- baseline.yaml auto-updates with new version tag
- Formatter: black (enforced by pre-commit)
- Line length: 88 characters (black default)
- Python version: 3.7+ (for compatibility)
- Imports: Standard library only (no external dependencies)
- Error handling: Fail gracefully with helpful messages
- Linter: shellcheck (enforced by pre-commit)
- Shebang:
#!/usr/bin/env bash - Error handling:
set -efor critical operations - User feedback: Colored output with clear status messages
MUST follow Conventional Commits format (enforced by pre-commit):
<type>[optional scope]: <description>
[optional body]
[optional footer]
Valid types:
feat:- New feature (minor version bump: v0.1.0 → v0.2.0)fix:- Bug fix (patch version bump: v0.1.0 → v0.1.1)docs:- Documentation onlychore:- Maintenance (no version bump)refactor:- Code refactoringtest:- Test changesci:- CI/CD changesfeat!:orBREAKING CHANGE:- Major version bump (v0.1.0 → v1.0.0)
- Helpful, not annoying: Non-blocking where possible, clear error messages
- Fast: Cache results, avoid slow network calls
- Fail gracefully: Network errors, missing files → don't crash
- Cross-platform: Use Python stdlib, avoid platform-specific commands
- Self-contained: No external dependencies, single-file scripts
- Blocking: Yes (if rh-pre-commit not configured)
- Warning only: If not installed globally
- Checks:
.pre-commit-config.yamlmust reference rh-pre-commit repo - Output: Helpful error with exact fix commands
- Blocking: Yes (if hook is enabled and file issues found)
- Stage: Runs on
git push(not every commit - less annoying) - Requirements: AGENTS.md must exist, not empty, >100 chars
- Note: Teams must explicitly add this hook (opt-in enforcement)
- Blocking: No (always passes)
- Frequency: One-time per repository
- Marker: Creates
.git/.ai-tip-shown - Message: Suggests
Assisted-by:/Generated-by:trailers
- Blocking: No (always passes)
- Frequency: Once per 24 hours (cached)
- Network: Fails silently if offline/timeout
- Detection: Reads version from user's
.pre-commit-config.yaml - Comparison: String comparison works for semantic versioning
- Fetch method: Always downloads from GitHub (not local files)
- Reason: Users run in their own repos, not rh-ai-hooks clone
- Downloads: baseline.yaml, gitmessage.txt, AGENTS.md.template
- Configuration: Local git config only (not global)
# Test individual hook
python3 hooks/check_rh_precommit.py
# Test all hooks
pre-commit run --all-files
# Test in clean repo
cd /tmp && mkdir test-repo && cd test-repo && git init
# Run hooks hereWe dogfood our own hooks plus:
- Conventional commit enforcement
- Python formatting (black)
- Shell linting (shellcheck)
- Standard pre-commit hooks (trailing whitespace, YAML validation, etc.)
DO NOT manually create tags/releases. Let release-please handle it:
- Make conventional commits
- Push to main
- release-please creates PR
- Review and merge PR
- Release auto-created
- Create
hooks/new_hook.pywith shebang - Make executable:
chmod +x hooks/new_hook.py - Add entry to
.pre-commit-hooks.yaml - Update
configs/baseline.yaml(commented if optional) - Document in README.md
- Test locally
- Commit with
feat: add new hook description
- Use
docs:commit type (no version bump) - Update README.md, this AGENTS.md, or inline docstrings
- Run
pre-commit run --all-filesto check formatting
- Use
fix:commit type (patch version bump) - Add test case if possible
- Ensure fix is cross-platform
- Use
feat!:or addBREAKING CHANGE:in commit footer - This triggers major version bump
- Document migration path in commit body
- Never commit secrets (enforced by rh-pre-commit in our config)
- Validate inputs: User-provided file paths, config content
- Fail safely: Don't expose sensitive info in error messages
- Python: Standard library ONLY
pathlib,re,json,urllib,subprocess,sys- NO pip packages (no setup.py, no pyproject.toml)
- Bash: Use
curlfor downloads (universally available)
- Rate limits: check_version.py caches for 24h to avoid limits
- Timeout: 2 second timeout on network calls
- Authentication: Uses
RELEASE_PLEASE_TOKENsecret for releases
- MUST use
language: scriptnotlanguage: python - Why: Avoids package installation, runs scripts directly
- Alternative would require setup.py/pyproject.toml
- pre-commit: https://pre-commit.com/
- Conventional Commits: https://www.conventionalcommits.org/
- AGENTS.md Standard: https://agentsmd.net/
- Semantic Versioning: https://semver.org/
- rh-pre-commit: https://gitlab.cee.redhat.com/infosec-public/developer-workbench/tools/-/tree/main/rh-pre-commit
- AI Guidelines: https://source.redhat.com/projects_and_programs/ai/wiki/code_assistants_guidelines_for_responsible_use_of_ai_code_assistants
- GitHub: https://github.com/openshift-hyperfleet/rh-hooks-ai
- Issues: https://github.com/openshift-hyperfleet/rh-hooks-ai/issues
- Releases: https://github.com/openshift-hyperfleet/rh-hooks-ai/releases
- Keep it simple: Single-file scripts, no complex abstractions
- Helpful errors: Users should know exactly how to fix issues
- Cross-platform: Test patterns work on Linux, macOS, Windows
- No magic: Avoid clever tricks, prefer readable code
- Check if it affects all platforms (Windows path handling, etc.)
- Ensure error messages are actionable
- Don't break backward compatibility without
BREAKING CHANGE:
- Consider: Does this make commits slower? (Cache it!)
- Consider: Will this annoy developers? (Make it non-blocking!)
- Consider: Is this cross-platform? (Test on Windows!)
- Remember: Start minimal, iterate based on feedback
"Helpful, not annoying"
- Enforce security (blocking): rh-pre-commit must be configured
- Validate quality (blocking if opted-in): AGENTS.md must be useful
- Encourage practices (non-blocking): Attribution reminders, version checks