From b16add06fd0a4b95e8dd90a8e79b927aed2e3d6f Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Tue, 26 May 2026 09:12:32 +0100
Subject: [PATCH] chore(pre-commit): SHA-pin a2ml + k9 hooks (estate
 supply-chain hygiene)

`rev: main` was being passed to pre-commit for both a2ml-pre-commit and
k9-pre-commit, meaning every clean `pre-commit install` could pull a
different commit. Neither hook repo cuts tags, so SHA pinning is the
right discipline. Pinned to current `main` HEAD (2026-05-22, the
MPL-2.0 license-migration commit on both repos).

This mirrors the SHA-pinning already done in .github/workflows/ (see
e2e8a01, 0dd6990, a91b583, 35fb302).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .pre-commit-config.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 29d0fef..7b2e766 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -19,15 +19,18 @@ repos:
         args: ['--maxkb=1024']
 
   # --- A2ML manifest validation ---
+  # SHA-pinned (neither hook repo cuts tags). Bump by running
+  # `gh api repos/hyperpolymath/a2ml-pre-commit/commits/main --jq .sha`
+  # (and the k9 equivalent) and replacing the rev when a refresh is needed.
   - repo: https://github.com/hyperpolymath/a2ml-pre-commit
-    rev: main
+    rev: cee7b74f1b9c3da521e9d05999552fa4d03b8b28  # main @ 2026-05-22
     hooks:
       - id: validate-a2ml
         name: Validate A2ML manifests
 
   # --- K9 contract validation ---
   - repo: https://github.com/hyperpolymath/k9-pre-commit
-    rev: main
+    rev: 18bcd863af84d9dea24e14fae5c1f6afa10f6866  # main @ 2026-05-22
     hooks:
       - id: validate-k9
         name: Validate K9 contracts