diff --git a/.git-hooks/_helpers.mts b/.git-hooks/_helpers.mts
new file mode 100644
index 000000000..fde8c3fa5
--- /dev/null
+++ b/.git-hooks/_helpers.mts
@@ -0,0 +1,304 @@
+// Shared helpers for git hooks — API-key allowlist + ANSI colors +
+// content scanners. Imported by .git-hooks/{commit-msg,pre-commit,
+// pre-push}.mts. No third-party deps; uses only Node built-ins.
+//
+// Requires Node 25+ for stable .mts type-stripping (no flag needed).
+// Earlier Node versions either lacked --experimental-strip-types or
+// shipped it under a flag, both unacceptable for hook ergonomics.
+
+import { spawnSync } from 'node:child_process'
+import { existsSync, readFileSync, statSync } from 'node:fs'
+
+// Hard-fail if Node is below 25. This runs at module load — every
+// hook invocation imports _helpers.mts before doing anything, so the
+// version check is the first thing that happens.
+const NODE_MIN_MAJOR = 25
+const nodeMajor = Number.parseInt(
+  process.versions.node.split('.')[0] || '0',
+  10,
+)
+if (nodeMajor < NODE_MIN_MAJOR) {
+  process.stderr.write(
+    `\x1b[0;31m✗ Hook requires Node >= ${NODE_MIN_MAJOR}.0.0 (have v${process.versions.node})\x1b[0m\n`,
+  )
+  process.stderr.write(
+    'Install Node 25+ — these hooks rely on stable .mts type stripping.\n',
+  )
+  process.exit(1)
+}
+
+// ── Allowlist constants ────────────────────────────────────────────
+// These exempt known-safe matches from the API-key scanner. Each
+// allowlist entry is a substring; if the matched line contains it,
+// the line is dropped from the findings.
+
+// Real public API key shipped in socket-lib test fixtures. Safe to
+// appear anywhere in the fleet.
+export const ALLOWED_PUBLIC_KEY =
+  'sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api'
+
+// Substring marker used in test fixtures (see
+// socket-lib/test/unit/utils/fake-tokens.ts). Lines containing this
+// are treated as test fixtures.
+export const FAKE_TOKEN_MARKER = 'socket-test-fake-token'
+
+// Legacy lib-scoped marker — accepted during the rename from
+// `socket-lib-test-fake-token` to `socket-test-fake-token`. Drop when
+// lib's rename PR lands.
+export const FAKE_TOKEN_LEGACY = 'socket-lib-test-fake-token'
+
+// Name of the env var used in shell examples; not a token value.
+export const SOCKET_SECURITY_ENV = 'SOCKET_SECURITY_API_KEY='
+
+// ── ANSI colors ────────────────────────────────────────────────────
+
+export const RED = '\x1b[0;31m'
+export const GREEN = '\x1b[0;32m'
+export const YELLOW = '\x1b[1;33m'
+export const NC = '\x1b[0m'
+
+// ── Output helpers ─────────────────────────────────────────────────
+
+export const out = (msg: string): void => {
+  process.stdout.write(msg + '\n')
+}
+
+export const err = (msg: string): void => {
+  process.stderr.write(msg + '\n')
+}
+
+export const red = (msg: string): string => `${RED}${msg}${NC}`
+export const green = (msg: string): string => `${GREEN}${msg}${NC}`
+export const yellow = (msg: string): string => `${YELLOW}${msg}${NC}`
+
+// ── API-key allowlist filter ───────────────────────────────────────
+
+// Drops any line that matches an allowlist entry.
+export const filterAllowedApiKeys = (lines: readonly string[]): string[] => {
+  return lines.filter(
+    line =>
+      !line.includes(ALLOWED_PUBLIC_KEY) &&
+      !line.includes(FAKE_TOKEN_MARKER) &&
+      !line.includes(FAKE_TOKEN_LEGACY) &&
+      !line.includes(SOCKET_SECURITY_ENV) &&
+      !line.includes('.example'),
+  )
+}
+
+// ── Personal-path scanner ──────────────────────────────────────────
+
+// Real personal paths to flag: /Users/foo/, /home/foo/, C:\Users\foo\.
+const PERSONAL_PATH_RE =
+  /(\/Users\/[^/\s]+\/|\/home\/[^/\s]+\/|C:\\Users\\[^\\]+\\)/
+
+// Placeholders we ALLOW (documentation, not real leaks): any path
+// component wrapped in <...> or starting with $VAR / ${VAR}.
+const PERSONAL_PATH_PLACEHOLDER_RE =
+  /(\/Users\/<[^>]*>\/|\/home\/<[^>]*>\/|C:\\Users\\<[^>]*>\\|\/Users\/\$\{?[A-Z_]+\}?\/|\/home\/\$\{?[A-Z_]+\}?\/)/
+
+export type LineHit = { lineNumber: number; line: string }
+
+// Returns lines that contain a real personal path (excludes lines
+// that are pure placeholders). Caller decides what to do with hits.
+export const scanPersonalPaths = (text: string): LineHit[] => {
+  const hits: LineHit[] = []
+  const lines = text.split('\n')
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!
+    if (!PERSONAL_PATH_RE.test(line)) {
+      continue
+    }
+    if (PERSONAL_PATH_PLACEHOLDER_RE.test(line)) {
+      // Has placeholder — but might also have a real path on the
+      // same line. Strip placeholder forms and re-test.
+      const stripped = line.replace(
+        new RegExp(PERSONAL_PATH_PLACEHOLDER_RE, 'g'),
+        '',
+      )
+      if (!PERSONAL_PATH_RE.test(stripped)) {
+        continue
+      }
+    }
+    hits.push({ lineNumber: i + 1, line })
+  }
+  return hits
+}
+
+// ── Secret scanners ────────────────────────────────────────────────
+
+const SOCKET_API_KEY_RE = /sktsec_[a-zA-Z0-9_-]+/
+const AWS_KEY_RE = /(aws_access_key|aws_secret|\bAKIA[0-9A-Z]{16}\b)/i
+const GITHUB_TOKEN_RE = /gh[ps]_[a-zA-Z0-9]{36}/
+const PRIVATE_KEY_RE = /-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/
+
+export const scanSocketApiKeys = (text: string): LineHit[] => {
+  const hits: LineHit[] = []
+  const lines = text.split('\n')
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!
+    if (SOCKET_API_KEY_RE.test(line)) {
+      hits.push({ lineNumber: i + 1, line })
+    }
+  }
+  // Filter the LineHit objects directly so duplicate-content lines
+  // at different line numbers keep their correct numbers.
+  const allowedSet = new Set(filterAllowedApiKeys(hits.map(h => h.line)))
+  return hits.filter(h => allowedSet.has(h.line))
+}
+
+export const scanAwsKeys = (text: string): LineHit[] => {
+  const hits: LineHit[] = []
+  const lines = text.split('\n')
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!
+    if (AWS_KEY_RE.test(line)) {
+      hits.push({ lineNumber: i + 1, line })
+    }
+  }
+  return hits
+}
+
+export const scanGitHubTokens = (text: string): LineHit[] => {
+  const hits: LineHit[] = []
+  const lines = text.split('\n')
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!
+    if (GITHUB_TOKEN_RE.test(line)) {
+      hits.push({ lineNumber: i + 1, line })
+    }
+  }
+  return hits
+}
+
+export const scanPrivateKeys = (text: string): LineHit[] => {
+  const hits: LineHit[] = []
+  const lines = text.split('\n')
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!
+    if (PRIVATE_KEY_RE.test(line)) {
+      hits.push({ lineNumber: i + 1, line })
+    }
+  }
+  return hits
+}
+
+// ── npx/dlx scanner ────────────────────────────────────────────────
+
+const NPX_DLX_RE = /\b(npx|pnpm dlx|yarn dlx)\b/
+
+export const scanNpxDlx = (text: string): LineHit[] => {
+  const hits: LineHit[] = []
+  const lines = text.split('\n')
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!
+    if (NPX_DLX_RE.test(line) && !line.includes('# zizmor:')) {
+      hits.push({ lineNumber: i + 1, line })
+    }
+  }
+  return hits
+}
+
+// ── Linear issue reference scanner ─────────────────────────────────
+// CLAUDE.md "ABSOLUTE RULES": NEVER reference Linear issues in commits.
+// Team keys enumerated from the Socket workspace. PATCH listed before
+// PAT so the alternation matches the longer prefix first.
+
+const LINEAR_TEAM_KEYS =
+  'ASK|AUTO|BOT|CE|CORE|DAT|DES|DEV|ENG|INFRA|LAB|MAR|MET|OPS|PAR|PATCH|PAT|PLAT|REA|SALES|SBOM|SEC|SMO|SUP|TES|TI|WEB'
+
+const LINEAR_ISSUE_RE = new RegExp(
+  `(?:^|[^A-Za-z0-9_])((?:${LINEAR_TEAM_KEYS})-[0-9]+)(?:$|[^A-Za-z0-9_])`,
+  'gm',
+)
+
+const LINEAR_URL_RE = /linear\.app\/[A-Za-z0-9/_-]+/g
+
+export const scanLinearReferences = (commitMsg: string): string[] => {
+  const hits: string[] = []
+  const lines = commitMsg.split('\n').filter(l => !l.startsWith('#'))
+  const body = lines.join('\n')
+  for (const m of body.matchAll(LINEAR_ISSUE_RE)) {
+    hits.push(m[1]!)
+  }
+  for (const m of body.matchAll(LINEAR_URL_RE)) {
+    hits.push(m[0]!)
+  }
+  return hits.slice(0, 5)
+}
+
+// ── AI attribution scanner ─────────────────────────────────────────
+
+const AI_ATTRIBUTION_RE =
+  /(Generated with.*(Claude|AI)|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|@anthropic\.com|Assistant:|Generated by Claude|Machine generated|Claude Code)/i
+
+export const containsAiAttribution = (text: string): boolean =>
+  AI_ATTRIBUTION_RE.test(text)
+
+export const stripAiAttribution = (
+  text: string,
+): { cleaned: string; removed: number } => {
+  const lines = text.split('\n')
+  const kept: string[] = []
+  let removed = 0
+  for (const line of lines) {
+    if (AI_ATTRIBUTION_RE.test(line)) {
+      removed++
+    } else {
+      kept.push(line)
+    }
+  }
+  return { cleaned: kept.join('\n'), removed }
+}
+
+// ── File classification ────────────────────────────────────────────
+
+// Files we never scan: hooks themselves, husky shims, test fixtures.
+const SKIP_FILE_RE =
+  /\.(test|spec)\.(m?[jt]s|tsx?|cts|mts)$|\.example$|\/test\/|\/tests\/|fixtures\/|\.git-hooks\/|\.husky\/|node_modules\/|pnpm-lock\.yaml/
+
+export const shouldSkipFile = (filePath: string): boolean =>
+  SKIP_FILE_RE.test(filePath)
+
+// Returns file content as a string. For binaries, runs `strings` to
+// extract printable byte sequences (catches paths embedded in WASM
+// or other compiled artifacts).
+export const readFileForScan = (filePath: string): string => {
+  if (!existsSync(filePath)) {
+    return ''
+  }
+  try {
+    if (statSync(filePath).isDirectory()) {
+      return ''
+    }
+  } catch {
+    return ''
+  }
+  // Detect binary via grep -I (matches text-only); if grep says
+  // binary, fall back to `strings`.
+  const grepResult = spawnSync('grep', ['-qI', '', filePath])
+  if (grepResult.status === 0) {
+    // Text file.
+    try {
+      return readFileSync(filePath, 'utf8')
+    } catch {
+      return ''
+    }
+  }
+  // Binary — extract strings.
+  const stringsResult = spawnSync('strings', [filePath], {
+    encoding: 'utf8',
+  })
+  return stringsResult.stdout || ''
+}
+
+// ── Git wrappers ───────────────────────────────────────────────────
+
+export const git = (...args: string[]): string => {
+  const result = spawnSync('git', args, { encoding: 'utf8' })
+  return result.stdout.trim()
+}
+
+export const gitLines = (...args: string[]): string[] => {
+  const out = git(...args)
+  return out ? out.split('\n') : []
+}
diff --git a/.git-hooks/_helpers.sh b/.git-hooks/_helpers.sh
deleted file mode 100644
index 15e9a4083..000000000
--- a/.git-hooks/_helpers.sh
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/bin/bash
-# Shared helpers for git hooks.
-# Sourced by .git-hooks/commit-msg, pre-commit, pre-push.
-#
-# Constants
-# ---------
-# ALLOWED_PUBLIC_KEY   Real public API key shipped in socket-lib test
-#                      fixtures. Safe to appear in commits anywhere.
-# FAKE_TOKEN_MARKER    Substring marker used in fleet test fixtures.
-# FAKE_TOKEN_LEGACY    Legacy lib-scoped marker — accepted during the
-#                      rename from `socket-lib-test-fake-token` to
-#                      `socket-test-fake-token`. Drop when socket-lib's
-#                      fixture rename PR lands.
-# SOCKET_SECURITY_ENV  Env var name used in shell examples; not a token.
-#
-# Functions
-# ---------
-# filter_allowed_api_keys  Reads stdin, drops allowlist matches (public
-#                          key, fake-token markers, env var name,
-#                          `.example` paths), prints the rest.
-#
-# Colors
-# ------
-# RED, GREEN, YELLOW, NC
-
-# shellcheck disable=SC2034  # constants sourced by other hooks
-ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
-FAKE_TOKEN_MARKER="socket-test-fake-token"
-FAKE_TOKEN_LEGACY="socket-lib-test-fake-token"
-SOCKET_SECURITY_ENV="SOCKET_SECURITY_API_KEY="
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-NC='\033[0m'
-
-filter_allowed_api_keys() {
-  grep -v "$ALLOWED_PUBLIC_KEY" \
-    | grep -v "$FAKE_TOKEN_MARKER" \
-    | grep -v "$FAKE_TOKEN_LEGACY" \
-    | grep -v "$SOCKET_SECURITY_ENV" \
-    | grep -v '\.example'
-}
diff --git a/.git-hooks/commit-msg b/.git-hooks/commit-msg
deleted file mode 100755
index 7acf4c56b..000000000
--- a/.git-hooks/commit-msg
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/bin/bash
-# Socket Security Commit-msg Hook
-# Additional security layer - validates commit even if pre-commit was bypassed.
-
-set -e
-
-# shellcheck source=./_helpers.sh
-. "$(dirname "$0")/_helpers.sh"
-
-ERRORS=0
-
-# Get files in this commit (for security checks).
-COMMITTED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || printf "\n")
-
-# Quick checks for critical issues in committed files.
-if [ -n "$COMMITTED_FILES" ]; then
-  for file in $COMMITTED_FILES; do
-    if [ -f "$file" ]; then
-      # Check for Socket API keys (except allowed).
-      if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | filter_allowed_api_keys | grep -q .; then
-        printf "${RED}✗ SECURITY: Potential API key detected in commit!${NC}\n"
-        printf "File: %s\n" "$file"
-        ERRORS=$((ERRORS + 1))
-      fi
-
-      # Check for .env files.
-      if echo "$file" | grep -qE '^\.env(\.[^/]+)?$' && ! echo "$file" | grep -qE '^\.env\.(example|test)$'; then
-        printf "${RED}✗ SECURITY: .env file in commit!${NC}\n"
-        ERRORS=$((ERRORS + 1))
-      fi
-    fi
-  done
-fi
-
-# Block Linear issue references in the commit message.
-# Linear tracking lives in Linear; keep commit history tool-agnostic.
-# Team keys enumerated from the Socket workspace. PATCH listed before PAT so
-# the engine matches the longer prefix first on strings like "PATCH-123".
-COMMIT_MSG_FILE="$1"
-LINEAR_TEAM_KEYS='ASK|AUTO|BOT|CE|CORE|DAT|DES|DEV|ENG|INFRA|LAB|MAR|MET|OPS|PAR|PATCH|PAT|PLAT|REA|SALES|SBOM|SEC|SMO|SUP|TES|TI|WEB'
-if [ -f "$COMMIT_MSG_FILE" ]; then
-  LINEAR_HITS=$(grep -vE '^#' "$COMMIT_MSG_FILE" 2>/dev/null \
-    | grep -oE "(^|[^A-Za-z0-9_])($LINEAR_TEAM_KEYS)-[0-9]+($|[^A-Za-z0-9_])|linear\.app/[A-Za-z0-9/_-]+" \
-    | head -5 || true)
-  if [ -n "$LINEAR_HITS" ]; then
-    printf "${RED}✗ Commit message references Linear issue(s):${NC}\n"
-    printf '%s\n' "$LINEAR_HITS" | sed 's/^/  /'
-    printf "${RED}Linear tracking lives in Linear. Remove the reference from the commit message.${NC}\n"
-    ERRORS=$((ERRORS + 1))
-  fi
-fi
-
-# Auto-strip AI attribution from commit message.
-if [ -f "$COMMIT_MSG_FILE" ]; then
-  # Create a temporary file to store the cleaned message.
-  TEMP_FILE=$(mktemp) || {
-    printf "${RED}✗ Failed to create temporary file${NC}\n" >&2
-    exit 1
-  }
-  # Ensure cleanup on exit
-  trap 'rm -f "$TEMP_FILE"' EXIT
-  REMOVED_LINES=0
-
-  # Read the commit message line by line and filter out AI attribution.
-  while IFS= read -r line || [ -n "$line" ]; do
-    # Check if this line contains AI attribution patterns.
-    if echo "$line" | grep -qiE "(Generated with|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|Claude Code|@anthropic|Assistant:|Generated by Claude|Machine generated)"; then
-      REMOVED_LINES=$((REMOVED_LINES + 1))
-    else
-      # Line doesn't contain AI attribution, keep it.
-      printf '%s\n' "$line" >> "$TEMP_FILE"
-    fi
-  done < "$COMMIT_MSG_FILE"
-
-  # Replace the original commit message with the cleaned version.
-  if [ $REMOVED_LINES -gt 0 ]; then
-    mv "$TEMP_FILE" "$COMMIT_MSG_FILE"
-    printf "${GREEN}✓ Auto-stripped${NC} $REMOVED_LINES AI attribution line(s) from commit message\n"
-  else
-    # No lines were removed, just clean up the temp file.
-    rm -f "$TEMP_FILE"
-  fi
-fi
-
-if [ $ERRORS -gt 0 ]; then
-  printf "${RED}✗ Commit blocked by security validation${NC}\n"
-  exit 1
-fi
-
-exit 0
diff --git a/.git-hooks/commit-msg.mts b/.git-hooks/commit-msg.mts
new file mode 100644
index 000000000..e080c6d34
--- /dev/null
+++ b/.git-hooks/commit-msg.mts
@@ -0,0 +1,111 @@
+#!/usr/bin/env node
+// Socket Security Commit-msg Hook
+//
+// Three responsibilities:
+//   1. Block commits that introduce API keys / .env files (security
+//      layer that runs even when pre-commit is bypassed via
+//      `--no-verify`).
+//   2. Block commits whose message references Linear issues — Socket
+//      keeps Linear tracking out of git history per CLAUDE.md.
+//   3. Auto-strip AI attribution lines from the commit message before
+//      git records the commit.
+//
+// Wired via .husky/commit-msg, which invokes this with the path to the
+// commit message file as argv[2] (after the script path itself).
+
+import { existsSync, readFileSync, writeFileSync } from 'node:fs'
+
+import { basename } from 'node:path'
+import process from 'node:process'
+
+import {
+  err,
+  gitLines,
+  green,
+  out,
+  red,
+  readFileForScan,
+  scanLinearReferences,
+  scanSocketApiKeys,
+  shouldSkipFile,
+  stripAiAttribution,
+} from './_helpers.mts'
+
+const main = (): number => {
+  let errors = 0
+  const committedFiles = gitLines(
+    'diff',
+    '--cached',
+    '--name-only',
+    '--diff-filter=ACM',
+  )
+
+  for (const file of committedFiles) {
+    if (!file || shouldSkipFile(file)) {
+      continue
+    }
+    const text = readFileForScan(file)
+    if (!text) {
+      continue
+    }
+
+    // Socket API keys (allowlist-aware).
+    const apiHits = scanSocketApiKeys(text)
+    if (apiHits.length > 0) {
+      out(red('✗ SECURITY: Potential API key detected in commit!'))
+      out(`File: ${file}`)
+      errors++
+    }
+
+    // .env files at any depth — allow only .env.example, .env.test,
+    // .env.precommit (templates / tracked placeholders).
+    const base = basename(file)
+    if (
+      /^\.env(\.[^/]+)?$/.test(base) &&
+      !/^\.env\.(example|test|precommit)$/.test(base)
+    ) {
+      out(red('✗ SECURITY: .env file in commit!'))
+      out(`File: ${file}`)
+      errors++
+    }
+  }
+
+  const commitMsgFile = process.argv[2]
+  if (commitMsgFile && existsSync(commitMsgFile)) {
+    const original = readFileSync(commitMsgFile, 'utf8')
+
+    // Block Linear issue references in the commit message. Socket
+    // keeps Linear tracking out of git history; commit messages stay
+    // tool-agnostic.
+    const linearHits = scanLinearReferences(original)
+    if (linearHits.length > 0) {
+      out(red('✗ Commit message references Linear issue(s):'))
+      for (const hit of linearHits) {
+        out(`  ${hit}`)
+      }
+      out(
+        red(
+          'Linear tracking lives in Linear. Remove the reference from the commit message.',
+        ),
+      )
+      errors++
+    }
+
+    // Auto-strip AI attribution lines from the commit message.
+    const { cleaned, removed } = stripAiAttribution(original)
+    if (removed > 0) {
+      writeFileSync(commitMsgFile, cleaned)
+      out(
+        `${green('✓ Auto-stripped')} ${removed} AI attribution line(s) from commit message`,
+      )
+    }
+  }
+
+  if (errors > 0) {
+    err(red('✗ Commit blocked by security validation'))
+    return 1
+  }
+  return 0
+}
+
+process.exit(main())
diff --git a/.git-hooks/pre-commit.mts b/.git-hooks/pre-commit.mts
new file mode 100644
index 000000000..aa3898678
--- /dev/null
+++ b/.git-hooks/pre-commit.mts
@@ -0,0 +1,186 @@
+#!/usr/bin/env node
+// Socket Security Pre-commit Hook
+//
+// Local-defense layer: scans staged files for sensitive content
+// before git records the commit. Mandatory enforcement re-runs in
+// pre-push for the final gate.
+//
+// Bypassable: --no-verify skips this hook entirely. Use sparingly
+// (hotfixes, history operations, pre-build states).
+
+import process from 'node:process'
+
+import {
+  err,
+  gitLines,
+  green,
+  out,
+  red,
+  readFileForScan,
+  scanAwsKeys,
+  scanGitHubTokens,
+  scanNpxDlx,
+  scanPersonalPaths,
+  scanPrivateKeys,
+  scanSocketApiKeys,
+  shouldSkipFile,
+  yellow,
+} from './_helpers.mts'
+
+const main = (): number => {
+  out(green('Running Socket Security checks...'))
+  const stagedFiles = gitLines(
+    'diff',
+    '--cached',
+    '--name-only',
+    '--diff-filter=ACM',
+  )
+  if (stagedFiles.length === 0) {
+    out(green('✓ No files to check'))
+    return 0
+  }
+
+  let errors = 0
+
+  // .DS_Store files.
+  out('Checking for .DS_Store files...')
+  const dsStores = stagedFiles.filter(f => f.includes('.DS_Store'))
+  if (dsStores.length > 0) {
+    out(red('✗ ERROR: .DS_Store file detected!'))
+    dsStores.forEach(f => out(f))
+    errors++
+  }
+
+  // Log files (ignore test logs).
+  out('Checking for log files...')
+  const logs = stagedFiles.filter(
+    f => f.endsWith('.log') && !/test.*\.log$/.test(f),
+  )
+  if (logs.length > 0) {
+    out(red('✗ ERROR: Log file detected!'))
+    logs.forEach(f => out(f))
+    errors++
+  }
+
+  // .env files (allowlist .env.example / .env.test / .env.precommit).
+  // Match commit-msg.mts allowlist — .env.precommit is a tracked file
+  // some repos use to disable test API tokens during pre-commit runs.
+  out('Checking for .env files...')
+  const envFiles = stagedFiles.filter(
+    f =>
+      /^\.env(\.[^/]+)?$/.test(f) &&
+      !/^\.env\.(example|test|precommit)$/.test(f),
+  )
+  if (envFiles.length > 0) {
+    out(red('✗ ERROR: .env file detected!'))
+    envFiles.forEach(f => out(f))
+    out(
+      'These files should never be committed. Use .env.example for templates.',
+    )
+    errors++
+  }
+
+  // Hardcoded personal paths.
+  out('Checking for hardcoded personal paths...')
+  for (const file of stagedFiles) {
+    if (shouldSkipFile(file)) {
+      continue
+    }
+    const text = readFileForScan(file)
+    if (!text) {
+      continue
+    }
+    const hits = scanPersonalPaths(text)
+    if (hits.length > 0) {
+      out(red(`✗ ERROR: Hardcoded personal path found in: ${file}`))
+      hits.slice(0, 3).forEach(h => out(`${h.lineNumber}:${h.line.trim()}`))
+      out('Replace with relative paths or environment variables.')
+      errors++
+    }
+  }
+
+  // Socket API keys (warning, not blocking).
+  out('Checking for API keys...')
+  for (const file of stagedFiles) {
+    if (shouldSkipFile(file)) {
+      continue
+    }
+    const text = readFileForScan(file)
+    if (!text) {
+      continue
+    }
+    const hits = scanSocketApiKeys(text)
+    if (hits.length > 0) {
+      out(yellow(`⚠ WARNING: Potential API key found in: ${file}`))
+      hits.slice(0, 3).forEach(h => out(`${h.lineNumber}:${h.line.trim()}`))
+      out('If this is a real API key, DO NOT COMMIT IT.')
+    }
+  }
+
+  // Other secret patterns (AWS, GitHub, private keys).
+  out('Checking for potential secrets...')
+  for (const file of stagedFiles) {
+    if (shouldSkipFile(file)) {
+      continue
+    }
+    const text = readFileForScan(file)
+    if (!text) {
+      continue
+    }
+
+    const aws = scanAwsKeys(text)
+    if (aws.length > 0) {
+      out(red(`✗ ERROR: Potential AWS credentials found in: ${file}`))
+      aws.slice(0, 3).forEach(h => out(`${h.lineNumber}:${h.line.trim()}`))
+      errors++
+    }
+
+    const gh = scanGitHubTokens(text)
+    if (gh.length > 0) {
+      out(red(`✗ ERROR: Potential GitHub token found in: ${file}`))
+      gh.slice(0, 3).forEach(h => out(`${h.lineNumber}:${h.line.trim()}`))
+      errors++
+    }
+
+    const pk = scanPrivateKeys(text)
+    if (pk.length > 0) {
+      out(red(`✗ ERROR: Private key found in: ${file}`))
+      errors++
+    }
+  }
+
+  // npx/dlx usage.
+  out('Checking for npx/dlx usage...')
+  for (const file of stagedFiles) {
+    if (
+      file.includes('node_modules/') ||
+      file.endsWith('pnpm-lock.yaml') ||
+      file.includes('.git-hooks/')
+    ) {
+      continue
+    }
+    const text = readFileForScan(file)
+    if (!text) {
+      continue
+    }
+    const hits = scanNpxDlx(text)
+    if (hits.length > 0) {
+      out(red(`✗ ERROR: npx/dlx usage found in: ${file}`))
+      hits.slice(0, 3).forEach(h => out(`${h.lineNumber}:${h.line.trim()}`))
+      out("Use 'pnpm exec <package>' or 'pnpm run <script>' instead.")
+      errors++
+    }
+  }
+
+  if (errors > 0) {
+    err('')
+    err(red(`✗ Security check failed with ${errors} error(s).`))
+    err('Fix the issues above and try again.')
+    return 1
+  }
+
+  out(green('✓ All security checks passed!'))
+  return 0
+}
+
+process.exit(main())
diff --git a/.git-hooks/pre-push b/.git-hooks/pre-push
deleted file mode 100755
index 8f8637b88..000000000
--- a/.git-hooks/pre-push
+++ /dev/null
@@ -1,200 +0,0 @@
-#!/bin/bash
-# Socket Security Pre-push Hook
-# Security enforcement layer for all pushes.
-# Validates commits being pushed for AI attribution and secrets.
-#
-# Architecture:
-#   .husky/pre-push (thin wrapper) → .git-hooks/pre-push (this file)
-#   Husky sets core.hooksPath=.husky/_ which delegates to .husky/pre-push.
-#   This file contains all the actual logic.
-#
-# Range logic:
-#   New branch:  remote/<default_branch>..<local_sha>  (only new commits)
-#   Existing:    <remote_sha>..<local_sha>             (only new commits)
-#   We never use release tags — that would re-scan already-merged history.
-
-set -e
-
-# shellcheck source=./_helpers.sh
-. "$(dirname "$0")/_helpers.sh"
-
-printf "${GREEN}Running mandatory pre-push validation...${NC}\n"
-
-# Get the remote name and URL from git (passed as arguments to pre-push hooks).
-remote="$1"
-url="$2"
-
-TOTAL_ERRORS=0
-
-# Read stdin for refs being pushed (git provides: local_ref local_sha remote_ref remote_sha).
-while read local_ref local_sha remote_ref remote_sha; do
-  # Skip tag pushes: tags point to existing commits already validated.
-  if echo "$local_ref" | grep -q '^refs/tags/'; then
-    printf "${GREEN}Skipping tag push: %s${NC}\n" "$local_ref"
-    continue
-  fi
-
-  # Skip delete pushes (local_sha is all zeros when deleting a remote branch).
-  if [ "$local_sha" = "0000000000000000000000000000000000000000" ]; then
-    continue
-  fi
-
-  # ── Compute commit range ──────────────────────────────────────────────
-  # Goal: only scan commits that are NEW in this push, never re-scan
-  # commits already on the remote. This prevents false positives from
-  # old AI-attributed commits that were merged before the hook existed.
-  if [ "$remote_sha" = "0000000000000000000000000000000000000000" ]; then
-    # New branch — compare against the remote's default branch (usually main).
-    # This ensures we only check commits unique to this branch.
-    default_branch=$(git symbolic-ref "refs/remotes/$remote/HEAD" 2>/dev/null | sed "s@^refs/remotes/$remote/@@")
-    if [ -z "$default_branch" ]; then
-      default_branch="main"
-    fi
-    if git rev-parse "$remote/$default_branch" >/dev/null 2>&1; then
-      range="$remote/$default_branch..$local_sha"
-    else
-      # No remote default branch (shallow clone, etc.) — skip to avoid
-      # walking entire history which would cause false positives.
-      printf "${GREEN}✓ Skipping validation (no baseline to compare against)${NC}\n"
-      continue
-    fi
-  else
-    # Existing branch — only check commits not yet on the remote.
-    range="$remote_sha..$local_sha"
-  fi
-
-  # Validate the computed range before using it.
-  if ! git rev-list "$range" >/dev/null 2>&1; then
-    printf "${RED}✗ Invalid commit range: %s${NC}\n" "$range" >&2
-    exit 1
-  fi
-
-  ERRORS=0
-
-  # ── CHECK 1: AI attribution in commit messages ────────────────────────
-  # Strips these at commit time via commit-msg hook, but this catches
-  # commits made with --no-verify or on other machines.
-  printf "Checking commit messages for AI attribution...\n"
-
-  for commit_sha in $(git rev-list "$range"); do
-    full_msg=$(git log -1 --format='%B' "$commit_sha")
-
-    if echo "$full_msg" | grep -qiE "(Generated with.*(Claude|AI)|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|@anthropic\.com|Assistant:|Generated by Claude|Machine generated)"; then
-      if [ $ERRORS -eq 0 ]; then
-        printf "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}\n"
-        printf "Commits with AI attribution:\n"
-      fi
-      printf "  - %s\n" "$(git log -1 --oneline "$commit_sha")"
-      ERRORS=$((ERRORS + 1))
-    fi
-  done
-
-  if [ $ERRORS -gt 0 ]; then
-    printf "\n"
-    printf "These commits were likely created with --no-verify, bypassing the\n"
-    printf "commit-msg hook that strips AI attribution.\n"
-    printf "\n"
-    range_base="${range%%\.\.*}"
-    printf "To fix:\n"
-    printf "  git rebase -i %s\n" "$range_base"
-    printf "  Mark commits as 'reword', remove AI attribution, save\n"
-    printf "  git push\n"
-  fi
-
-  # ── CHECK 2: File content security checks ─────────────────────────────
-  # Scans files changed in the push range for secrets, keys, and mistakes.
-  printf "Checking files for security issues...\n"
-
-  CHANGED_FILES=$(git diff --name-only "$range" 2>/dev/null || echo "")
-
-  if [ -n "$CHANGED_FILES" ]; then
-    # Check for sensitive files (.env, .DS_Store, log files).
-    if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
-      printf "${RED}✗ BLOCKED: Attempting to push .env file!${NC}\n"
-      printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
-      ERRORS=$((ERRORS + 1))
-    fi
-
-    if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
-      printf "${RED}✗ BLOCKED: .DS_Store file in push!${NC}\n"
-      printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep '\.DS_Store')"
-      ERRORS=$((ERRORS + 1))
-    fi
-
-    if echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log' | grep -q .; then
-      printf "${RED}✗ BLOCKED: Log file in push!${NC}\n"
-      printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log')"
-      ERRORS=$((ERRORS + 1))
-    fi
-
-    # Check file contents for secrets and hardcoded paths.
-    while IFS= read -r file; do
-      if [ -f "$file" ] && [ ! -d "$file" ]; then
-        # Skip test files, example files, and hook scripts themselves.
-        if echo "$file" | grep -qE '\.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then
-          continue
-        fi
-
-        # Use strings for binary files, grep directly for text files.
-        is_binary=false
-        if grep -qI '' "$file" 2>/dev/null; then
-          is_binary=false
-        else
-          is_binary=true
-        fi
-
-        if [ "$is_binary" = true ]; then
-          file_text=$(strings "$file" 2>/dev/null)
-        else
-          file_text=$(cat "$file" 2>/dev/null)
-        fi
-
-        # Hardcoded personal paths (/Users/foo/, /home/foo/, C:\\Users\\foo\\).
-        if echo "$file_text" | grep -qE '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)'; then
-          printf "${RED}✗ BLOCKED: Hardcoded personal path found in: %s${NC}\n" "$file"
-          echo "$file_text" | grep -nE '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' | head -3
-          ERRORS=$((ERRORS + 1))
-        fi
-
-        # Socket API keys (except allowed public key and test placeholders).
-        if echo "$file_text" | grep -E 'sktsec_[a-zA-Z0-9_-]+' | filter_allowed_api_keys | grep -q .; then
-          printf "${RED}✗ BLOCKED: Real API key detected in: %s${NC}\n" "$file"
-          echo "$file_text" | grep -n 'sktsec_' | filter_allowed_api_keys | head -3
-          ERRORS=$((ERRORS + 1))
-        fi
-
-        # AWS keys (word-boundary match to avoid false positives in base64 data).
-        if echo "$file_text" | grep -iqE '(aws_access_key|aws_secret|\bAKIA[0-9A-Z]{16}\b)'; then
-          printf "${RED}✗ BLOCKED: Potential AWS credentials found in: %s${NC}\n" "$file"
-          echo "$file_text" | grep -niE '(aws_access_key|aws_secret|\bAKIA[0-9A-Z]{16}\b)' | head -3
-          ERRORS=$((ERRORS + 1))
-        fi
-
-        # GitHub tokens.
-        if echo "$file_text" | grep -qE 'gh[ps]_[a-zA-Z0-9]{36}'; then
-          printf "${RED}✗ BLOCKED: Potential GitHub token found in: %s${NC}\n" "$file"
-          echo "$file_text" | grep -nE 'gh[ps]_[a-zA-Z0-9]{36}' | head -3
-          ERRORS=$((ERRORS + 1))
-        fi
-
-        # Private keys.
-        if echo "$file_text" | grep -qE -- '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----'; then
-          printf "${RED}✗ BLOCKED: Private key found in: %s${NC}\n" "$file"
-          ERRORS=$((ERRORS + 1))
-        fi
-      fi
-    done <<< "$CHANGED_FILES"
-  fi
-
-  TOTAL_ERRORS=$((TOTAL_ERRORS + ERRORS))
-done
-
-if [ $TOTAL_ERRORS -gt 0 ]; then
-  printf "\n"
-  printf "${RED}✗ Push blocked by mandatory validation!${NC}\n"
-  printf "Fix the issues above before pushing.\n"
-  exit 1
-fi
-
-printf "${GREEN}✓ All mandatory validation passed!${NC}\n"
-exit 0
diff --git a/.git-hooks/pre-push.mts b/.git-hooks/pre-push.mts
new file mode 100644
index 000000000..f68b2bf67
--- /dev/null
+++ b/.git-hooks/pre-push.mts
@@ -0,0 +1,324 @@
+#!/usr/bin/env node
+// Socket Security Pre-push Hook
+//
+// Mandatory enforcement layer for all pushes. Validates commits
+// being pushed for AI attribution, secrets, and personal-path leaks.
+//
+// Architecture:
+//   .husky/pre-push (thin wrapper) → node .git-hooks/pre-push.mts
+//
+// Range logic:
+//   New branch:  remote/<default_branch>..<local_sha>  (only new commits)
+//   Existing:    <remote_sha>..<local_sha>             (only new commits)
+//   We never use release tags — that would re-scan already-merged history.
+//
+// Stdin format (provided by git): one push line per ref, each line:
+//   <local_ref> <local_sha> <remote_ref> <remote_sha>
+
+import { spawnSync } from 'node:child_process'
+import { existsSync, statSync } from 'node:fs'
+
+import process from 'node:process'
+
+import {
+  containsAiAttribution,
+  err,
+  git,
+  gitLines,
+  green,
+  out,
+  red,
+  readFileForScan,
+  scanAwsKeys,
+  scanGitHubTokens,
+  scanPersonalPaths,
+  scanPrivateKeys,
+  scanSocketApiKeys,
+  shouldSkipFile,
+} from './_helpers.mts'
+
+const ZERO_SHA = '0000000000000000000000000000000000000000'
+
+const readStdin = (): Promise<string> =>
+  new Promise(resolve => {
+    let buf = ''
+    process.stdin.setEncoding('utf8')
+    process.stdin.on('data', chunk => {
+      buf += chunk
+    })
+    process.stdin.on('end', () => resolve(buf))
+  })
+
+// Submodule pristine check — refuses push if any submodule has a
+// drifted commit pointer or unresolved merge conflict.
+const checkSubmodules = (): number => {
+  if (!existsSync('.gitmodules')) {
+    return 0
+  }
+  out('Checking submodules are pristine...')
+  let errors = 0
+  const status = gitLines('submodule', 'status')
+  for (const line of status) {
+    if (!line) {
+      continue
+    }
+    const prefix = line[0]
+    const rest = line.slice(1).trim().split(/\s+/)
+    const smPath = rest[1] || '<unknown>'
+    if (prefix === '+') {
+      out(red(`✗ BLOCKED: Submodule has wrong commit: ${smPath}`))
+      out(`  Run: git submodule update --init ${smPath}`)
+      errors++
+    } else if (prefix === 'U') {
+      out(red(`✗ BLOCKED: Submodule has merge conflict: ${smPath}`))
+      errors++
+    }
+    // '-' (uninitialized) is OK — CI shallow clones skip submodules.
+  }
+  if (errors > 0) {
+    err('')
+    err(red(`✗ Push blocked: ${errors} submodule(s) not pristine!`))
+    err('Fix submodules before pushing.')
+    return errors
+  }
+  out(green('✓ All submodules pristine'))
+  return 0
+}
+
+// Computes the commit range to scan. Returns null if no scan needed
+// (skip case — tag, delete, or no baseline).
+const computeRange = (
+  remote: string,
+  localRef: string,
+  localSha: string,
+  remoteSha: string,
+): string | null => {
+  if (localRef.startsWith('refs/tags/')) {
+    out(green(`Skipping tag push: ${localRef}`))
+    return null
+  }
+  if (localSha === ZERO_SHA) {
+    return null
+  }
+
+  const defaultBranchOf = (remoteName: string): string => {
+    const sym = git('symbolic-ref', `refs/remotes/${remoteName}/HEAD`).trim()
+    if (sym) {
+      return sym.replace(`refs/remotes/${remoteName}/`, '')
+    }
+    return 'main'
+  }
+
+  // git cat-file -e exits 0 silently on success; spawnSync directly
+  // so we can inspect status without printing.
+  const remoteShaExists = (sha: string): boolean => {
+    const result = spawnSync('git', ['cat-file', '-e', sha])
+    return result.status === 0
+  }
+
+  const refExists = (ref: string): boolean => {
+    const r = spawnSync('git', ['rev-parse', ref])
+    return r.status === 0
+  }
+
+  if (remoteSha === ZERO_SHA) {
+    // New branch — compare against remote default branch.
+    const def = defaultBranchOf(remote)
+    const baseRef = `${remote}/${def}`
+    if (!refExists(baseRef)) {
+      out(green('✓ Skipping validation (no baseline to compare against)'))
+      return null
+    }
+    return `${baseRef}..${localSha}`
+  }
+
+  // Existing branch.
+  if (!remoteShaExists(remoteSha)) {
+    // Force-push or history rewrite — fall back to default branch.
+    const def = defaultBranchOf(remote)
+    const baseRef = `${remote}/${def}`
+    if (!refExists(baseRef)) {
+      out(green('✓ Skipping validation (no baseline for force-push)'))
+      return null
+    }
+    return `${baseRef}..${localSha}`
+  }
+  return `${remoteSha}..${localSha}`
+}
+
+// Scans every commit in the range for AI attribution in commit
+// messages.
+const scanCommitMessages = (range: string): number => {
+  out('Checking commit messages for AI attribution...')
+  const shas = gitLines('rev-list', range)
+  let errors = 0
+  for (const sha of shas) {
+    if (!sha) {
+      continue
+    }
+    const msg = git('log', '-1', '--format=%B', sha)
+    if (containsAiAttribution(msg)) {
+      if (errors === 0) {
+        out(red('✗ BLOCKED: AI attribution found in commit messages!'))
+        out('Commits with AI attribution:')
+      }
+      const oneline = git('log', '-1', '--oneline', sha)
+      out(`  - ${oneline}`)
+      errors++
+    }
+  }
+  if (errors > 0) {
+    out('')
+    out('These commits were likely created with --no-verify, bypassing the')
+    out('commit-msg hook that strips AI attribution.')
+    out('')
+    const rangeBase = range.split('..')[0]
+    out('To fix:')
+    out(`  git rebase -i ${rangeBase}`)
+    out("  Mark commits as 'reword', remove AI attribution, save")
+    out('  git push')
+  }
+  return errors
+}
+
+// Scans changed files in the range for secrets, keys, and leaks.
+const scanFilesInRange = (range: string): number => {
+  out('Checking files for security issues...')
+  const changed = gitLines('diff', '--name-only', range)
+  let errors = 0
+  if (changed.length === 0) {
+    return 0
+  }
+
+  // Top-level sensitive filenames in the change set.
+  const envHits = changed.filter(f => /^\.env(\.local)?$/.test(f))
+  if (envHits.length > 0) {
+    out(red('✗ BLOCKED: Attempting to push .env file!'))
+    out(`Files: ${envHits.join(', ')}`)
+    errors += envHits.length
+  }
+  const dsHits = changed.filter(f => f.includes('.DS_Store'))
+  if (dsHits.length > 0) {
+    out(red('✗ BLOCKED: .DS_Store file in push!'))
+    out(`Files: ${dsHits.join(', ')}`)
+    errors += dsHits.length
+  }
+  const logHits = changed.filter(
+    f => f.endsWith('.log') && !/test.*\.log$/.test(f),
+  )
+  if (logHits.length > 0) {
+    out(red('✗ BLOCKED: Log file in push!'))
+    out(`Files: ${logHits.join(', ')}`)
+    errors += logHits.length
+  }
+
+  // Per-file content scans.
+  for (const file of changed) {
+    if (!file || !existsSync(file)) {
+      continue
+    }
+    try {
+      if (statSync(file).isDirectory()) {
+        continue
+      }
+    } catch {
+      continue
+    }
+    if (shouldSkipFile(file)) {
+      continue
+    }
+    // Tracked-only — skip files removed from git that still exist on disk.
+    const tracked = spawnSync('git', ['ls-files', '--error-unmatch', file])
+    if (tracked.status !== 0) {
+      continue
+    }
+
+    const text = readFileForScan(file)
+    if (!text) {
+      continue
+    }
+
+    const pathHits = scanPersonalPaths(text)
+    if (pathHits.length > 0) {
+      out(red(`✗ BLOCKED: Hardcoded personal path found in: ${file}`))
+      pathHits.slice(0, 3).forEach(h => out(`${h.lineNumber}:${h.line.trim()}`))
+      errors++
+    }
+
+    const apiHits = scanSocketApiKeys(text)
+    if (apiHits.length > 0) {
+      out(red(`✗ BLOCKED: Real API key detected in: ${file}`))
+      apiHits.slice(0, 3).forEach(h => out(`${h.lineNumber}:${h.line.trim()}`))
+      errors++
+    }
+
+    const awsHits = scanAwsKeys(text)
+    if (awsHits.length > 0) {
+      out(red(`✗ BLOCKED: Potential AWS credentials found in: ${file}`))
+      awsHits.slice(0, 3).forEach(h => out(`${h.lineNumber}:${h.line.trim()}`))
+      errors++
+    }
+
+    const ghHits = scanGitHubTokens(text)
+    if (ghHits.length > 0) {
+      out(red(`✗ BLOCKED: Potential GitHub token found in: ${file}`))
+      ghHits.slice(0, 3).forEach(h => out(`${h.lineNumber}:${h.line.trim()}`))
+      errors++
+    }
+
+    const pkHits = scanPrivateKeys(text)
+    if (pkHits.length > 0) {
+      out(red(`✗ BLOCKED: Private key found in: ${file}`))
+      errors++
+    }
+  }
+  return errors
+}
+
+const main = async (): Promise<number> => {
+  out(green('Running mandatory pre-push validation...'))
+
+  const submoduleErrors = checkSubmodules()
+  if (submoduleErrors > 0) {
+    return 1
+  }
+
+  const remote = process.argv[2] || 'origin'
+  // url at process.argv[3] is unused.
+
+  const stdin = await readStdin()
+  let totalErrors = 0
+  const refLines = stdin.trim().split('\n').filter(Boolean)
+
+  for (const refLine of refLines) {
+    const [localRef, localSha, , remoteSha] = refLine.split(/\s+/)
+    if (!localRef || !localSha || !remoteSha) {
+      continue
+    }
+    const range = computeRange(remote, localRef, localSha, remoteSha)
+    if (range === null) {
+      continue
+    }
+    // Validate range.
+    const rl = spawnSync('git', ['rev-list', range], { stdio: 'ignore' })
+    if (rl.status !== 0) {
+      err(red(`✗ Invalid commit range: ${range}`))
+      return 1
+    }
+
+    totalErrors += scanCommitMessages(range)
+    totalErrors += scanFilesInRange(range)
+  }
+
+  if (totalErrors > 0) {
+    err('')
+    err(red('✗ Push blocked by mandatory validation!'))
+    err('Fix the issues above before pushing.')
+    return 1
+  }
+
+  out(green('✓ All mandatory validation passed!'))
+  return 0
+}
+
+main().then(code => process.exit(code))
diff --git a/.husky/commit-msg b/.husky/commit-msg
index 650c1f84b..42fe3bddc 100755
--- a/.husky/commit-msg
+++ b/.husky/commit-msg
@@ -1,7 +1,2 @@
 # Run commit message validation and auto-strip AI attribution.
-if [ -x ".git-hooks/commit-msg" ]; then
-  .git-hooks/commit-msg "$1"
-else
-  printf "\033[0;31m✗ Error: .git-hooks/commit-msg not found or not executable\033[0m\n" >&2
-  exit 1
-fi
+node .git-hooks/commit-msg.mts "$1"
diff --git a/.husky/pre-commit b/.husky/pre-commit
index c140059d3..11250ead4 100755
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,21 +1,41 @@
+#!/bin/sh
 # Optional checks - can be bypassed with --no-verify for fast local commits.
-# Mandatory security checks run in pre-push hook.
+# Mandatory security checks ALSO run in pre-push hook.
+#
+# Architecture (parallels commit-msg and pre-push):
+#   .husky/pre-commit (this file) → .git-hooks/pre-commit.mts (security) + pnpm lint/test
+#
+# Use --no-verify for:
+# - History operations (squash, rebase, amend)
+# - Emergency hotfixes
+# - When tests require binaries that haven't been built yet
+#
+# Use environment variables to selectively disable:
+# - DISABLE_PRECOMMIT_LINT=1 to skip linting
+# - DISABLE_PRECOMMIT_TEST=1 to skip testing
 
-# Check prerequisites.
+# Run Socket security pre-commit checks (API keys, .DS_Store, etc.).
+node .git-hooks/pre-commit.mts
+
+# Check if pnpm is available
 if ! command -v pnpm >/dev/null 2>&1; then
-  printf "Error: pnpm not found in PATH\n" >&2
-  printf "Install from: https://pnpm.io/installation\n" >&2
+  echo "Error: pnpm not found. Install pnpm to run git hooks."
+  echo "Visit: https://pnpm.io/installation"
   exit 1
 fi
 
 if [ -z "${DISABLE_PRECOMMIT_LINT}" ]; then
   pnpm lint --staged
 else
-  printf "Skipping lint due to DISABLE_PRECOMMIT_LINT env var\n"
+  echo "Skipping lint due to DISABLE_PRECOMMIT_LINT env var"
 fi
 
 if [ -z "${DISABLE_PRECOMMIT_TEST}" ]; then
+  # Only run tests if there are staged test files. SOCKET_CLI_NO_API_TOKEN=1
+  # disables the API-token requirement so contributors without a real key
+  # configured don't see test failures during pre-commit (matches the
+  # original .env.precommit behavior).
   SOCKET_CLI_NO_API_TOKEN=1 pnpm test --staged
 else
-  printf "Skipping testing due to DISABLE_PRECOMMIT_TEST env var\n"
+  echo "Skipping testing due to DISABLE_PRECOMMIT_TEST env var"
 fi
diff --git a/.husky/pre-push b/.husky/pre-push
index e636e3a64..1af273748 100755
--- a/.husky/pre-push
+++ b/.husky/pre-push
@@ -1,2 +1,2 @@
 # Run pre-push security validation.
-.git-hooks/pre-push "$@"
+node .git-hooks/pre-push.mts "$@"