chore: fix all prek lint findings and wire prek into CI (NVIDIA#705)

* chore(husky): prefer local node_modules bins and optional pre-commit on push

* fix(husky): ensure Node is on PATH for git hook environments

* chore(husky): update hook scripts to executable permissions

* fix(husky): run pyright with dev extras for pytest types

uv run --with pyright omitted optional dev deps; pytest was unresolved in
orchestrator/test_endpoint_validation.py. Align pre-push and pre-commit
with nemoclaw-blueprint Makefile (uv run --extra dev --with pyright).

* fix(tooling): unblock prek shellcheck, hadolint, and vitest hooks

- husky-env: shellcheck shell=bash for SC2148
- Dockerfile: hadolint pragmas and merged pip install with pyyaml pin
- vitest pre-commit: use repo-root node_modules vitest (avoid broken npx)

* fix(npm): skip prek install when core.hooksPath is set

Husky sets core.hooksPath; prek refuses to install in that case.
Still run prek install for clones without hooksPath.

* chore: centralize prek hook types and format shell scripts

- Add default_install_hook_types (pre-commit, commit-msg, pre-push) to .pre-commit-config.yaml
- Simplify npm prepare to run prek install without repeated --hook-type flags
- Align backup-workspace, brev-setup, and install-openshell with shfmt/shellcheck style

* refactor: replace Husky hooks with prek-only equivalents

Remove .husky/ directory, scripts/husky-env.sh, and the lint-staged
dependency. All hook logic now lives in .pre-commit-config.yaml:

  - pre-commit: formatters, linters, Vitest (unchanged)
  - commit-msg: commitlint (unchanged)
  - pre-push: tsc, pyright, plus prek-push-range which re-runs
    pre-commit hooks on the outgoing commit range

The prepare script unconditionally runs `prek install` (no more
core.hooksPath guard). Contributors with a stale Husky hooksPath
should run: git config --unset core.hooksPath

* ci: run prek in PR workflow instead of make check

Replace the ad-hoc make check (eslint + prettier + tsc + ruff) with
npx prek run --all-files, which covers every hook in
.pre-commit-config.yaml (shfmt, shellcheck, hadolint, gitleaks, SPDX
headers, etc.) in addition to the existing linters.

Pre-push stage hooks (tsc --noEmit, pyright) run in a second step
with --skip prek-push-range to avoid recursion.

make check now delegates to prek as well.

* fix: resolve pre-existing prek hook failures across the repo

- Fix trailing whitespace and missing final newlines in docs, skills,
  CODE_OF_CONDUCT.md, and scripts/debug.sh.
- Set executable bits on scripts with shebangs: install.sh,
  smoke-macos-install.sh, test-full-e2e.sh, lib/runtime.sh,
  migrations/snapshot.py.
- Fix shellcheck SC2206 in install.sh (safe IFS+read -ra for version
  parsing) and remove unused SCRIPT_DIR in setup-spark.sh.
- Add hadolint ignore pragmas to test Dockerfiles (DL3008, DL3013,
  DL3042, DL3059, DL4006 — test images don't need version pinning).
- Add SPDX license headers to __init__.py, test-double-onboard.sh,
  test-inference-local.sh, test-inference.sh, test-full-e2e.sh.

* fix: remove redundant prek-push-range hook and fix remaining lint

prek already runs pre-commit-stage hooks during pre-push, so the
prek-push-range hook caused a duplicate pass. Remove it.

Also fix: test-full-e2e.sh exec bit, hadolint SC2086/SC2038 ignores
in test Dockerfiles.

* fix: use local commitlint binary instead of npx

prek's system hook couldn't resolve npx. Use the repo-local
node_modules/.bin/commitlint directly via git rev-parse.

* chore: add explicit priority to all prek hooks

commitlint, tsc-check, and pyright-check were missing priority.
Set all three to priority 10 (validation tier).

* chore: apply shfmt formatting to all shell scripts

Auto-formatted by shfmt -i 2 -ci -bn to pass the prek shfmt hook.
No logic changes — indentation and spacing only.

* fix(security): use mktemp for temp files, stop leaking API key in walkthrough

- test-inference-local.sh, test-inference.sh: replace hardcoded
  /tmp/req.json with mktemp + trap cleanup (TOCTOU fix).
- walkthrough.sh: print a placeholder instead of expanding the real
  NVIDIA_API_KEY in the tmux-fallback instructions.
- Makefile: add comment clarifying lint-ts/lint-py are for targeted runs.

* ci: consolidate install steps into a single block per job

* fix(ci): switch hadolint from Docker to native binary

hadolint-docker times out pulling ghcr.io images in CI. Use a local
system hook with the binary installed via curl in the workflow.

* perf: enable tsc incremental caching for pre-push hook

Add --incremental to tsc --noEmit so subsequent type-checks reuse
the .tsbuildinfo cache (supported since TS 4.0). Gitignore the cache
file. See: https://thoughtspile.github.io/2021/06/14/faster-pre-commit/

* ci: bump all GitHub Actions to latest major versions

- actions/checkout v4 → v6
- actions/setup-node v4 → v6
- actions/setup-python v5 → v6
- astral-sh/setup-uv v4 → v7
- actions/upload-artifact stays at v4 (latest)
- rossjrw/pr-preview-action stays at v1 (latest)

* docs: add hadolint to prerequisites in CONTRIBUTING.md

Author: HagegeR

.agents/skills/docs/nemoclaw-overview/references/how-it-works.md

@@ -111,4 +111,4 @@ Approved endpoints persist for the current session but are not saved to the base
 
 - Follow the Quickstart (see the `nemoclaw-get-started` skill) to launch your first sandbox.
 - Refer to the Architecture (see the `nemoclaw-reference` skill) for the full technical structure, including file layouts and the blueprint lifecycle.
-- Refer to Inference Profiles (see the `nemoclaw-reference` skill) for detailed provider configuration.
+- Refer to Inference Profiles (see the `nemoclaw-reference` skill) for detailed provider configuration.

.agents/skills/docs/nemoclaw-overview/references/overview.md

@@ -53,4 +53,4 @@ Explore the following pages to learn more about NemoClaw.
 - Switch Inference Providers (see the `nemoclaw-configure-inference` skill) to configure the inference provider.
 - Approve or Deny Network Requests (see the `nemoclaw-manage-policy` skill) to manage egress approvals.
 - Deploy to a Remote GPU Instance (see the `nemoclaw-deploy-remote` skill) for persistent operation.
-- Monitor Sandbox Activity (see the `nemoclaw-monitor-sandbox` skill) to observe agent behavior.
+- Monitor Sandbox Activity (see the `nemoclaw-monitor-sandbox` skill) to observe agent behavior.

.agents/skills/docs/nemoclaw-overview/references/release-notes.md

@@ -12,4 +12,4 @@ NVIDIA NemoClaw is available in early preview starting March 16, 2026. Use the f
 | [Releases](https://github.com/NVIDIA/NemoClaw/releases) | Versioned release notes and downloadable assets. |
 | [Release comparison](https://github.com/NVIDIA/NemoClaw/compare) | Diff between any two tags or branches. |
 | [Merged pull requests](https://github.com/NVIDIA/NemoClaw/pulls?q=is%3Apr+is%3Amerged) | Individual changes with review discussion. |
-| [Commit history](https://github.com/NVIDIA/NemoClaw/commits/main) | Full commit log on `main`. |
+| [Commit history](https://github.com/NVIDIA/NemoClaw/commits/main) | Full commit log on `main`. |

.agents/skills/docs/nemoclaw-reference/SKILL.md

@@ -13,4 +13,4 @@ Learn how NemoClaw combines a lightweight CLI plugin with a versioned blueprint
 - [NemoClaw CLI Commands Reference](references/commands.md)
 - [NemoClaw Inference Profiles — NVIDIA Endpoint](references/inference-profiles.md)
 - [NemoClaw Network Policies — Baseline Rules and Operator Approval](references/network-policies.md)
-- [NemoClaw Troubleshooting Guide](references/troubleshooting.md)
+- [NemoClaw Troubleshooting Guide](references/troubleshooting.md)

.agents/skills/docs/nemoclaw-reference/references/architecture.md

@@ -79,4 +79,4 @@ OpenShell intercepts them and routes to the configured provider:
 Agent (sandbox)  ──▶  OpenShell gateway  ──▶  NVIDIA Endpoint (build.nvidia.com)
 ```
 
-Refer to Inference Profiles (see the `nemoclaw-reference` skill) for provider configuration details.
+Refer to Inference Profiles (see the `nemoclaw-reference` skill) for provider configuration details.

.agents/skills/docs/nemoclaw-reference/references/commands.md

@@ -149,4 +149,4 @@ After the fixes complete, the script prompts you to run `nemoclaw onboard` to co
 
 ```console
 $ sudo nemoclaw setup-spark
-```
+```

.agents/skills/docs/nemoclaw-reference/references/inference-profiles.md

@@ -50,4 +50,4 @@ $ openshell inference set --provider nvidia-nim --model <model-name>
 ```
 
 The change takes effect immediately.
-No sandbox restart is needed.
+No sandbox restart is needed.

.agents/skills/docs/nemoclaw-reference/references/network-policies.md

@@ -119,4 +119,4 @@ Apply policy updates to a running sandbox without restarting:
 
 ```console
 $ openshell policy set <policy-file>
-```
+```

.agents/skills/docs/nemoclaw-reference/references/troubleshooting.md

@@ -161,4 +161,4 @@ View the error output for the failed blueprint run:
 $ nemoclaw <name> logs
 ```
 
-Use `--follow` to stream logs in real time while debugging.
+Use `--follow` to stream logs in real time while debugging.

.github/PULL_REQUEST_TEMPLATE.md

@@ -16,7 +16,7 @@
 
 ## Testing
 <!-- What testing was done? -->
-- [ ] `make check` passes.
+- [ ] `npx prek run --all-files` passes (or equivalently `make check`).
 - [ ] `npm test` passes.
 - [ ] `make docs` builds without warnings. (for doc-only changes)
 
@@ -28,7 +28,7 @@
 
 ### Code Changes
 <!-- Skip if this is a doc-only PR. -->
-- [ ] `make format` applied (TypeScript and Python).
+- [ ] Formatters applied — `npx prek run --all-files` auto-fixes formatting (or `make format` for targeted runs).
 - [ ] Tests added or updated for new or changed behavior.
 - [ ] No secrets, API keys, or credentials committed.
 - [ ] Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).