feat(redact): opt-in pre-push hook (accident catcher) + safe installer

bin/gstack-redact-prepush scans the diff being pushed for HIGH credentials and
blocks on a hit, for public AND private repos (a pushed secret is compromised
regardless of visibility). Correct git pre-push semantics: scans remote..local
(what's being pushed), handles new-branch zero-SHA via merge-base or empty-tree
fallback, force-push, and branch-delete skip. MEDIUM warns non-blocking; LOW/WARN
silent. GSTACK_REDACT_PREPUSH=skip escape valve logs to prepush-skip.jsonl.

bin/gstack-redact gains install-prepush-hook / uninstall-prepush-hook
subcommands that chain any pre-existing hook (renamed to pre-push.local,
stdin forwarded to both, exit code propagated).

Guardrail not enforcement: --no-verify and the env skip both bypass; it scans
only the pushed delta, not history/binary/LFS. 9 tests in a throwaway git repo.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

bin/gstack-redact

@@ -27,6 +27,8 @@
  * user can always bypass it (direct gh/git). It catches accidents.
  */
 import * as fs from "fs";
+import * as path from "path";
+import { spawnSync } from "child_process";
 import {
   scan,
   applyRedactions,
@@ -38,6 +40,71 @@ import {
 
 const MAX_STDIN_BYTES = 16 * 1024 * 1024; // hard ceiling before the engine cap
 
+// ── pre-push hook install/uninstall (chains any existing hook) ────────────────
+
+const MANAGED_MARKER = "# gstack-redact pre-push (managed)";
+
+function hooksPath(): string {
+  const r = spawnSync("git", ["rev-parse", "--git-path", "hooks"], { encoding: "utf8" });
+  if (r.status !== 0) {
+    process.stderr.write("gstack-redact: not in a git repo\n");
+    process.exit(1);
+  }
+  return r.stdout.trim();
+}
+
+function installPrepushHook(): void {
+  const dir = hooksPath();
+  fs.mkdirSync(dir, { recursive: true });
+  const hookPath = path.join(dir, "pre-push");
+  const prepushBin = path.join(import.meta.dir, "gstack-redact-prepush");
+
+  // If a non-managed hook exists, preserve it as pre-push.local and chain it.
+  if (fs.existsSync(hookPath)) {
+    const existing = fs.readFileSync(hookPath, "utf8");
+    if (existing.includes(MANAGED_MARKER)) {
+      process.stdout.write("gstack-redact: pre-push hook already installed.\n");
+      return;
+    }
+    const localPath = path.join(dir, "pre-push.local");
+    fs.renameSync(hookPath, localPath);
+    fs.chmodSync(localPath, 0o755);
+    process.stdout.write("gstack-redact: preserved existing hook as pre-push.local (chained).\n");
+  }
+
+  // stdin is single-consume: capture it once, feed both the chained hook and ours.
+  const wrapper = `#!/usr/bin/env bash
+${MANAGED_MARKER}
+set -euo pipefail
+_input="$(cat)"
+_local="$(git rev-parse --git-path hooks/pre-push.local)"
+if [ -x "$_local" ]; then
+  printf '%s' "$_input" | "$_local" "$@" || exit $?
+fi
+printf '%s' "$_input" | bun "${prepushBin}" "$@"
+`;
+  fs.writeFileSync(hookPath, wrapper, { mode: 0o755 });
+  fs.chmodSync(hookPath, 0o755);
+  process.stdout.write(`gstack-redact: installed pre-push hook at ${hookPath}\n`);
+}
+
+function uninstallPrepushHook(): void {
+  const dir = hooksPath();
+  const hookPath = path.join(dir, "pre-push");
+  const localPath = path.join(dir, "pre-push.local");
+  if (!fs.existsSync(hookPath) || !fs.readFileSync(hookPath, "utf8").includes(MANAGED_MARKER)) {
+    process.stdout.write("gstack-redact: no managed pre-push hook to remove.\n");
+    return;
+  }
+  if (fs.existsSync(localPath)) {
+    fs.renameSync(localPath, hookPath); // restore the chained original
+    process.stdout.write("gstack-redact: removed managed hook, restored pre-push.local.\n");
+  } else {
+    fs.unlinkSync(hookPath);
+    process.stdout.write("gstack-redact: removed managed pre-push hook.\n");
+  }
+}
+
 function arg(name: string): string | undefined {
   const i = process.argv.indexOf(name);
   return i >= 0 ? process.argv[i + 1] : undefined;
@@ -115,6 +182,11 @@ function humanTable(findings: Finding[]): string {
 }
 
 function main() {
+  // Subcommands (positional, not flags).
+  const sub = process.argv[2];
+  if (sub === "install-prepush-hook") return installPrepushHook();
+  if (sub === "uninstall-prepush-hook") return uninstallPrepushHook();
+
   const opts = buildOpts();
   const input = readInput();