fix(hooks): add -e flag to echo for ANSI color support

Git hooks were displaying raw ANSI escape codes instead of colors.
The `echo` command requires the `-e` flag to interpret backslash
escape sequences like `\033[0;32m`.

Changes:
- Add `-e` flag to all echo statements with color variables
- Affects both pre-commit and pre-push hooks
- Colors now display correctly: green for success, red for errors, yellow for warnings

Author: jdalton

.git-hooks/commit-msg

@@ -23,14 +23,14 @@ if [ -n "$COMMITTED_FILES" ]; then
     if [ -f "$file" ]; then
       # Check for Socket API keys (except allowed).
       if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | grep -v '\.example' | grep -q .; then
-        echo "${RED}✗ SECURITY: Potential API key detected in commit!${NC}"
+        printf "${RED}✗ SECURITY: Potential API key detected in commit!${NC}\n"
         echo "File: $file"
         ERRORS=$((ERRORS + 1))
       fi
 
       # Check for .env files.
       if echo "$file" | grep -qE '^\.env(\.local)?$'; then
-        echo "${RED}✗ SECURITY: .env file in commit!${NC}"
+        printf "${RED}✗ SECURITY: .env file in commit!${NC}\n"
         ERRORS=$((ERRORS + 1))
       fi
     fi
@@ -58,15 +58,15 @@ if [ -f "$COMMIT_MSG_FILE" ]; then
   # Replace the original commit message with the cleaned version.
   if [ $REMOVED_LINES -gt 0 ]; then
     mv "$TEMP_FILE" "$COMMIT_MSG_FILE"
-    echo "${GREEN}✓ Auto-stripped${NC} $REMOVED_LINES AI attribution line(s) from commit message"
+    printf "${GREEN}✓ Auto-stripped${NC} $REMOVED_LINES AI attribution line(s) from commit message\n"
   else
     # No lines were removed, just clean up the temp file.
     rm -f "$TEMP_FILE"
   fi
 fi
 
 if [ $ERRORS -gt 0 ]; then
-  echo "${RED}✗ Commit blocked by security validation${NC}"
+  printf "${RED}✗ Commit blocked by security validation${NC}\n"
   exit 1
 fi
 

.git-hooks/pre-commit

@@ -13,13 +13,13 @@ NC='\033[0m'
 # Allowed public API key (used in socket-lib).
 ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
 
-echo "${GREEN}Running Socket Security checks...${NC}"
+printf "${GREEN}Running Socket Security checks...${NC}\n"
 
 # Get list of staged files.
 STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
 
 if [ -z "$STAGED_FILES" ]; then
-  echo "${GREEN}✓ No files to check${NC}"
+  printf "${GREEN}✓ No files to check${NC}\n"
   exit 0
 fi
 
@@ -28,23 +28,23 @@ ERRORS=0
 # Check for .DS_Store files.
 echo "Checking for .DS_Store files..."
 if echo "$STAGED_FILES" | grep -q '\.DS_Store'; then
-  echo "${RED}✗ ERROR: .DS_Store file detected!${NC}"
+  printf "${RED}✗ ERROR: .DS_Store file detected!${NC}\n"
   echo "$STAGED_FILES" | grep '\.DS_Store'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for log files.
 echo "Checking for log files..."
 if echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'; then
-  echo "${RED}✗ ERROR: Log file detected!${NC}"
+  printf "${RED}✗ ERROR: Log file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for .env files.
 echo "Checking for .env files..."
 if echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'; then
-  echo "${RED}✗ ERROR: .env or .env.local file detected!${NC}"
+  printf "${RED}✗ ERROR: .env or .env.local file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'
   echo "These files should never be committed. Use .env.example instead."
   ERRORS=$((ERRORS + 1))
@@ -61,7 +61,7 @@ for file in $STAGED_FILES; do
 
     # Check for common user path patterns.
     if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}"
+      printf "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}\n"
       grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
       echo "Replace with relative paths or environment variables."
       ERRORS=$((ERRORS + 1))
@@ -74,7 +74,7 @@ echo "Checking for API keys..."
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
-      echo "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}"
+      printf "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}\n"
       grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
       echo "If this is a real API key, DO NOT COMMIT IT."
     fi
@@ -92,32 +92,32 @@ for file in $STAGED_FILES; do
 
     # Check for AWS keys.
     if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}"
+      printf "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}\n"
       grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for GitHub tokens.
     if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}"
+      printf "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}\n"
       grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for private keys.
     if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Private key found in: $file${NC}"
+      printf "${RED}✗ ERROR: Private key found in: $file${NC}\n"
       ERRORS=$((ERRORS + 1))
     fi
   fi
 done
 
 if [ $ERRORS -gt 0 ]; then
   echo ""
-  echo "${RED}✗ Security check failed with $ERRORS error(s).${NC}"
+  printf "${RED}✗ Security check failed with $ERRORS error(s).${NC}\n"
   echo "Fix the issues above and try again."
   exit 1
 fi
 
-echo "${GREEN}✓ All security checks passed!${NC}"
+printf "${GREEN}✓ All security checks passed!${NC}\n"
 exit 0

.git-hooks/pre-push

@@ -11,7 +11,7 @@ YELLOW='\033[1;33m'
 GREEN='\033[0;32m'
 NC='\033[0m'
 
-echo "${GREEN}Running mandatory pre-push validation...${NC}"
+printf "${GREEN}Running mandatory pre-push validation...${NC}\n"
 
 # Allowed public API key (used in socket-lib).
 ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
@@ -46,7 +46,7 @@ while read local_ref local_sha remote_ref remote_sha; do
 
     if echo "$full_msg" | grep -qiE "(Generated with|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|Claude Code|@anthropic|Assistant:|Generated by Claude|Machine generated)"; then
       if [ $ERRORS -eq 0 ]; then
-        echo "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}"
+        printf "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}\n"
         echo "Commits with AI attribution:"
       fi
       echo "  - $(git log -1 --oneline "$commit_sha")"
@@ -76,21 +76,21 @@ while read local_ref local_sha remote_ref remote_sha; do
   if [ -n "$CHANGED_FILES" ]; then
     # Check for sensitive files.
     if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
-      echo "${RED}✗ BLOCKED: Attempting to push .env file!${NC}"
+      printf "${RED}✗ BLOCKED: Attempting to push .env file!${NC}\n"
       echo "Files: $(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for .DS_Store.
     if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
-      echo "${RED}✗ BLOCKED: .DS_Store file in push!${NC}"
+      printf "${RED}✗ BLOCKED: .DS_Store file in push!${NC}\n"
       echo "Files: $(echo "$CHANGED_FILES" | grep '\.DS_Store')"
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for log files.
     if echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log' | grep -q .; then
-      echo "${RED}✗ BLOCKED: Log file in push!${NC}"
+      printf "${RED}✗ BLOCKED: Log file in push!${NC}\n"
       echo "Files: $(echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log')"
       ERRORS=$((ERRORS + 1))
     fi
@@ -105,35 +105,35 @@ while read local_ref local_sha remote_ref remote_sha; do
 
         # Check for hardcoded user paths.
         if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
-          echo "${RED}✗ BLOCKED: Hardcoded personal path found in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Hardcoded personal path found in: $file${NC}\n"
           grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for Socket API keys.
         if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
-          echo "${RED}✗ BLOCKED: Real API key detected in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Real API key detected in: $file${NC}\n"
           grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for AWS keys.
         if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
-          echo "${RED}✗ BLOCKED: Potential AWS credentials found in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Potential AWS credentials found in: $file${NC}\n"
           grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for GitHub tokens.
         if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
-          echo "${RED}✗ BLOCKED: Potential GitHub token found in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Potential GitHub token found in: $file${NC}\n"
           grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for private keys.
         if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
-          echo "${RED}✗ BLOCKED: Private key found in: $file${NC}"
+          printf "${RED}✗ BLOCKED: Private key found in: $file${NC}\n"
           ERRORS=$((ERRORS + 1))
         fi
       fi
@@ -145,10 +145,10 @@ done
 
 if [ $TOTAL_ERRORS -gt 0 ]; then
   echo ""
-  echo "${RED}✗ Push blocked by mandatory validation!${NC}"
+  printf "${RED}✗ Push blocked by mandatory validation!${NC}\n"
   echo "Fix the issues above before pushing."
   exit 1
 fi
 
-echo "${GREEN}✓ All mandatory validation passed!${NC}"
+printf "${GREEN}✓ All mandatory validation passed!${NC}\n"
 exit 0

.husky/security-checks.sh

@@ -15,13 +15,13 @@ NC='\033[0m'
 # NOTE: This value is intentionally identical across all Socket repos.
 ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
 
-echo "${GREEN}Running Socket Security checks...${NC}"
+printf "${GREEN}Running Socket Security checks...${NC}\n"
 
 # Get list of staged files.
 STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
 
 if [ -z "$STAGED_FILES" ]; then
-  echo "${GREEN}✓ No files to check${NC}"
+  printf "${GREEN}✓ No files to check${NC}\n"
   exit 0
 fi
 
@@ -30,23 +30,23 @@ ERRORS=0
 # Check for .DS_Store files.
 echo "Checking for .DS_Store files..."
 if echo "$STAGED_FILES" | grep -q '\.DS_Store'; then
-  echo "${RED}✗ ERROR: .DS_Store file detected!${NC}"
+  printf "${RED}✗ ERROR: .DS_Store file detected!${NC}\n"
   echo "$STAGED_FILES" | grep '\.DS_Store'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for log files.
 echo "Checking for log files..."
 if echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'; then
-  echo "${RED}✗ ERROR: Log file detected!${NC}"
+  printf "${RED}✗ ERROR: Log file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for .env files.
 echo "Checking for .env files..."
 if echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'; then
-  echo "${RED}✗ ERROR: .env or .env.local file detected!${NC}"
+  printf "${RED}✗ ERROR: .env or .env.local file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'
   echo "These files should never be committed. Use .env.example instead."
   ERRORS=$((ERRORS + 1))
@@ -63,7 +63,7 @@ for file in $STAGED_FILES; do
 
     # Check for common user path patterns.
     if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}"
+      printf "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}\n"
       grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
       echo "Replace with relative paths or environment variables."
       ERRORS=$((ERRORS + 1))
@@ -76,7 +76,7 @@ echo "Checking for API keys..."
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
-      echo "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}"
+      printf "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}\n"
       grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
       echo "If this is a real API key, DO NOT COMMIT IT."
     fi
@@ -94,32 +94,32 @@ for file in $STAGED_FILES; do
 
     # Check for AWS keys.
     if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}"
+      printf "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}\n"
       grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for GitHub tokens.
     if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}"
+      printf "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}\n"
       grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for private keys.
     if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Private key found in: $file${NC}"
+      printf "${RED}✗ ERROR: Private key found in: $file${NC}\n"
       ERRORS=$((ERRORS + 1))
     fi
   fi
 done
 
 if [ $ERRORS -gt 0 ]; then
   echo ""
-  echo "${RED}✗ Security check failed with $ERRORS error(s).${NC}"
+  printf "${RED}✗ Security check failed with $ERRORS error(s).${NC}\n"
   echo "Fix the issues above and try again."
   exit 1
 fi
 
-echo "${GREEN}✓ All security checks passed!${NC}"
+printf "${GREEN}✓ All security checks passed!${NC}\n"
 exit 0