fix(hooks): use printf instead of echo for ANSI colors

Replace echo with printf in git hooks for consistent ANSI color
rendering across platforms. The echo command behavior varies between
shells (some require -e, others don't support it), while printf
consistently interprets escape sequences on all platforms.

Author: jdalton

.git-hooks/commit-msg

@@ -23,14 +23,14 @@ if [ -n "$COMMITTED_FILES" ]; then
     if [ -f "$file" ]; then
       # Check for Socket API keys (except allowed).
       if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | grep -v '\.example' | grep -q .; then
-        echo "${RED}✗ SECURITY: Potential API key detected in commit!${NC}"
+        printf "${RED}✗ SECURITY: Potential API key detected in commit!${NC}\n"
         echo "File: $file"
         ERRORS=$((ERRORS + 1))
       fi
 
       # Check for .env files.
       if echo "$file" | grep -qE '^\.env(\.local)?$'; then
-        echo "${RED}✗ SECURITY: .env file in commit!${NC}"
+        printf "${RED}✗ SECURITY: .env file in commit!${NC}\n"
         ERRORS=$((ERRORS + 1))
       fi
     fi
@@ -58,15 +58,15 @@ if [ -f "$COMMIT_MSG_FILE" ]; then
   # Replace the original commit message with the cleaned version.
   if [ $REMOVED_LINES -gt 0 ]; then
     mv "$TEMP_FILE" "$COMMIT_MSG_FILE"
-    echo "${GREEN}✓ Auto-stripped${NC} $REMOVED_LINES AI attribution line(s) from commit message"
+    printf "${GREEN}✓ Auto-stripped${NC} $REMOVED_LINES AI attribution line(s) from commit message\n"
   else
     # No lines were removed, just clean up the temp file.
     rm -f "$TEMP_FILE"
   fi
 fi
 
 if [ $ERRORS -gt 0 ]; then
-  echo "${RED}✗ Commit blocked by security validation${NC}"
+  printf "${RED}✗ Commit blocked by security validation${NC}\n"
   exit 1
 fi
 

.git-hooks/pre-commit

@@ -13,13 +13,13 @@ NC='\033[0m'
 # Allowed public API key (used in socket-lib).
 ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
 
-echo -e "${GREEN}Running Socket Security checks...${NC}"
+printf "${GREEN}Running Socket Security checks...${NC}\n"
 
 # Get list of staged files.
 STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
 
 if [ -z "$STAGED_FILES" ]; then
-  echo -e "${GREEN}✓ No files to check${NC}"
+  printf "${GREEN}✓ No files to check${NC}\n"
   exit 0
 fi
 
@@ -28,23 +28,23 @@ ERRORS=0
 # Check for .DS_Store files.
 echo "Checking for .DS_Store files..."
 if echo "$STAGED_FILES" | grep -q '\.DS_Store'; then
-  echo -e "${RED}✗ ERROR: .DS_Store file detected!${NC}"
+  printf "${RED}✗ ERROR: .DS_Store file detected!${NC}\n"
   echo "$STAGED_FILES" | grep '\.DS_Store'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for log files.
 echo "Checking for log files..."
 if echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'; then
-  echo -e "${RED}✗ ERROR: Log file detected!${NC}"
+  printf "${RED}✗ ERROR: Log file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for .env files.
 echo "Checking for .env files..."
 if echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'; then
-  echo -e "${RED}✗ ERROR: .env or .env.local file detected!${NC}"
+  printf "${RED}✗ ERROR: .env or .env.local file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'
   echo "These files should never be committed. Use .env.example instead."
   ERRORS=$((ERRORS + 1))
@@ -61,7 +61,7 @@ for file in $STAGED_FILES; do
 
     # Check for common user path patterns.
     if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
-      echo -e "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}"
+      printf "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}\n"
       grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
       echo "Replace with relative paths or environment variables."
       ERRORS=$((ERRORS + 1))
@@ -74,7 +74,7 @@ echo "Checking for API keys..."
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
-      echo -e "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}"
+      printf "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}\n"
       grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
       echo "If this is a real API key, DO NOT COMMIT IT."
     fi
@@ -92,32 +92,32 @@ for file in $STAGED_FILES; do
 
     # Check for AWS keys.
     if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
-      echo -e "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}"
+      printf "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}\n"
       grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for GitHub tokens.
     if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
-      echo -e "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}"
+      printf "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}\n"
       grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for private keys.
     if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
-      echo -e "${RED}✗ ERROR: Private key found in: $file${NC}"
+      printf "${RED}✗ ERROR: Private key found in: $file${NC}\n"
       ERRORS=$((ERRORS + 1))
     fi
   fi
 done
 
 if [ $ERRORS -gt 0 ]; then
   echo ""
-  echo -e "${RED}✗ Security check failed with $ERRORS error(s).${NC}"
+  printf "${RED}✗ Security check failed with $ERRORS error(s).${NC}\n"
   echo "Fix the issues above and try again."
   exit 1
 fi
 
-echo -e "${GREEN}✓ All security checks passed!${NC}"
+printf "${GREEN}✓ All security checks passed!${NC}\n"
 exit 0

.git-hooks/pre-push

@@ -11,7 +11,7 @@ YELLOW='\033[1;33m'
 GREEN='\033[0;32m'
 NC='\033[0m'
 
-echo -e "${GREEN}Running mandatory pre-push validation...${NC}"
+printf "${GREEN}Running mandatory pre-push validation...${NC}\n"
 
 # Allowed public API key (used in socket-lib).
 ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
@@ -46,7 +46,7 @@ while read local_ref local_sha remote_ref remote_sha; do
 
     if echo "$full_msg" | grep -qiE "(Generated with|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|Claude Code|@anthropic|Assistant:|Generated by Claude|Machine generated)"; then
       if [ $ERRORS -eq 0 ]; then
-        echo -e "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}"
+        printf "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}\n"
         echo "Commits with AI attribution:"
       fi
       echo "  - $(git log -1 --oneline "$commit_sha")"
@@ -76,21 +76,21 @@ while read local_ref local_sha remote_ref remote_sha; do
   if [ -n "$CHANGED_FILES" ]; then
     # Check for sensitive files.
     if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
-      echo -e "${RED}✗ BLOCKED: Attempting to push .env file!${NC}"
+      printf "${RED}✗ BLOCKED: Attempting to push .env file!${NC}\n"
       echo "Files: $(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for .DS_Store.
     if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
-      echo -e "${RED}✗ BLOCKED: .DS_Store file in push!${NC}"
+      printf "${RED}✗ BLOCKED: .DS_Store file in push!${NC}\n"
       echo "Files: $(echo "$CHANGED_FILES" | grep '\.DS_Store')"
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for log files.
     if echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log' | grep -q .; then
-      echo -e "${RED}✗ BLOCKED: Log file in push!${NC}"
+      printf "${RED}✗ BLOCKED: Log file in push!${NC}\n"
       echo "Files: $(echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log')"
       ERRORS=$((ERRORS + 1))
     fi
@@ -105,35 +105,35 @@ while read local_ref local_sha remote_ref remote_sha; do
 
         # Check for hardcoded user paths.
         if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
-          echo -e "${RED}✗ BLOCKED: Hardcoded personal path found in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Hardcoded personal path found in: $file${NC}\n"
           grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for Socket API keys.
         if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
-          echo -e "${RED}✗ BLOCKED: Real API key detected in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Real API key detected in: $file${NC}\n"
           grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for AWS keys.
         if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
-          echo -e "${RED}✗ BLOCKED: Potential AWS credentials found in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Potential AWS credentials found in: $file${NC}\n"
           grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for GitHub tokens.
         if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
-          echo -e "${RED}✗ BLOCKED: Potential GitHub token found in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Potential GitHub token found in: $file${NC}\n"
           grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for private keys.
         if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
-          echo -e "${RED}✗ BLOCKED: Private key found in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Private key found in: $file${NC}\n"
           ERRORS=$((ERRORS + 1))
         fi
       fi
@@ -145,10 +145,10 @@ done
 
 if [ $TOTAL_ERRORS -gt 0 ]; then
   echo ""
-  echo -e "${RED}✗ Push blocked by mandatory validation!${NC}"
+  printf "${RED}✗ Push blocked by mandatory validation!${NC}\n"
   echo "Fix the issues above before pushing."
   exit 1
 fi
 
-echo -e "${GREEN}✓ All mandatory validation passed!${NC}"
+printf "${GREEN}✓ All mandatory validation passed!${NC}\n"
 exit 0

.husky/security-checks.sh

@@ -15,13 +15,13 @@ NC='\033[0m'
 # NOTE: This value is intentionally identical across all Socket repos.
 ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
 
-echo "${GREEN}Running Socket Security checks...${NC}"
+printf "${GREEN}Running Socket Security checks...${NC}\n"
 
 # Get list of staged files.
 STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
 
 if [ -z "$STAGED_FILES" ]; then
-  echo "${GREEN}✓ No files to check${NC}"
+  printf "${GREEN}✓ No files to check${NC}\n"
   exit 0
 fi
 
@@ -30,23 +30,23 @@ ERRORS=0
 # Check for .DS_Store files.
 echo "Checking for .DS_Store files..."
 if echo "$STAGED_FILES" | grep -q '\.DS_Store'; then
-  echo "${RED}✗ ERROR: .DS_Store file detected!${NC}"
+  printf "${RED}✗ ERROR: .DS_Store file detected!${NC}\n"
   echo "$STAGED_FILES" | grep '\.DS_Store'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for log files.
 echo "Checking for log files..."
 if echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'; then
-  echo "${RED}✗ ERROR: Log file detected!${NC}"
+  printf "${RED}✗ ERROR: Log file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for .env files.
 echo "Checking for .env files..."
 if echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'; then
-  echo "${RED}✗ ERROR: .env or .env.local file detected!${NC}"
+  printf "${RED}✗ ERROR: .env or .env.local file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'
   echo "These files should never be committed. Use .env.example instead."
   ERRORS=$((ERRORS + 1))
@@ -63,7 +63,7 @@ for file in $STAGED_FILES; do
 
     # Check for common user path patterns.
     if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}"
+      printf "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}\n"
       grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
       echo "Replace with relative paths or environment variables."
       ERRORS=$((ERRORS + 1))
@@ -76,7 +76,7 @@ echo "Checking for API keys..."
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
-      echo "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}"
+      printf "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}\n"
       grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
       echo "If this is a real API key, DO NOT COMMIT IT."
     fi
@@ -94,32 +94,32 @@ for file in $STAGED_FILES; do
 
     # Check for AWS keys.
     if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}"
+      printf "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}\n"
       grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for GitHub tokens.
     if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}"
+      printf "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}\n"
       grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for private keys.
     if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Private key found in: $file${NC}"
+      printf "${RED}✗ ERROR: Private key found in: $file${NC}\n"
       ERRORS=$((ERRORS + 1))
     fi
   fi
 done
 
 if [ $ERRORS -gt 0 ]; then
   echo ""
-  echo "${RED}✗ Security check failed with $ERRORS error(s).${NC}"
+  printf "${RED}✗ Security check failed with $ERRORS error(s).${NC}\n"
   echo "Fix the issues above and try again."
   exit 1
 fi
 
-echo "${GREEN}✓ All security checks passed!${NC}"
+printf "${GREEN}✓ All security checks passed!${NC}\n"
 exit 0