From c5bcca812ba8da0353281662daf849b2c0c55142 Mon Sep 17 00:00:00 2001
From: alderpath <alderpath@proton.me>
Date: Sun, 14 Jun 2026 02:39:12 +0100
Subject: [PATCH] guardrails: YAML lint, build check pre-test, pre-commit stale
 .perf detection

---
 .githooks/pre-commit     | 19 +++++++++++++++++++
 .github/workflows/ci.yml | 13 ++++++++-----
 2 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/.githooks/pre-commit b/.githooks/pre-commit
index 356a02f..98ac898 100755
--- a/.githooks/pre-commit
+++ b/.githooks/pre-commit
@@ -33,4 +33,23 @@ if command -v cargo-deny >/dev/null 2>&1 || command -v cargo deny >/dev/null 2>&
     }
 fi
 
+# 5. Validate workflow YAML syntax
+if command -v python3 >/dev/null 2>&1; then
+    for f in .github/workflows/*.yml; do
+        if [ -f "$f" ]; then
+            python3 -c "import yaml; yaml.safe_load(open('$f'))" 2>/dev/null || {
+                echo "FAIL: $f has invalid YAML syntax"
+                exit 1
+            }
+        fi
+    done
+fi
+
+# 6. Check for stale .perf files in src
+stale=$(find . -name "*.perf" -not -path "./target/*" 2>/dev/null)
+if [ -n "$stale" ]; then
+    echo "FAIL: stale .perf files committed: $stale"
+    exit 1
+fi
+
 echo "[guard] All checks passed."
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 987b560..c3be544 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,6 +15,14 @@ jobs:
       - name: Install tools
         run: |
           cargo install cargo-audit cargo-deny 2>/dev/null
+      - name: Validate workflow YAML syntax
+        run: |
+          for f in .github/workflows/*.yml; do
+            python3 -c "import yaml; yaml.safe_load(open('$f'))" || { echo "FAIL: $f has invalid YAML"; exit 1; }
+            echo "  OK: $f"
+          done
+      - name: Build check
+        run: cargo check --release
       - name: cargo test
         run: cargo test --release
       - name: clippy (deny warnings) — lib only
@@ -36,11 +44,6 @@ jobs:
       - name: Init smoke test
         run: |
           timeout 10 ./target/release/reliary-agent init </dev/null 2>&1 || true
-      - name: Stale file detector
-        run: |
-          stale=$(find . -name "*.bak" -o -name "*.perf" -o -name "*.old" -not -path "./target/*" 2>/dev/null)
-          if [ -n "$stale" ]; then echo "FAIL: stale files: $stale"; exit 1; fi
-          test -f .gitleaks.toml || { echo "FAIL: .gitleaks.toml missing"; exit 1; }
       - name: Dependency graph diff (against master)
         run: |
           cargo tree -e normal --prefix none 2>/dev/null | sort > /tmp/deps_head.txt