feat(hooks): add pre-commit check for binary file additions

Blocks accidental commits of build artifacts, databases, and compiled
binaries. Image and font formats (png, jpg, svg, ttf, woff, etc.) are
allowed. Uses git diff --numstat binary detection (-  -  path).

Closes #4

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.pre-commit-config.yaml

@@ -12,6 +12,12 @@ repos:
 
   - repo: local
     hooks:
+      - id: check-no-binary
+        name: check for binary files (build artifacts, databases)
+        language: system
+        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && scripts/check_no_binary.sh'
+        pass_filenames: false
+        always_run: true
       - id: forbidden-files-hook
         name: check for forbidden home-directory files
         language: system

scripts/check_no_binary.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# Fail if binary files (other than images and fonts) are staged for commit.
+# Prevents accidental inclusion of build artifacts, databases, compiled binaries.
+set -euo pipefail
+
+ALLOWED_EXTENSIONS='(png|jpg|jpeg|gif|webp|svg|ico|ttf|otf|woff|woff2)'
+
+# git diff --numstat shows "-  -  path" for binary files
+BINARY=$(git diff --cached --numstat | awk '$1=="-" && $2=="-" {print $3}')
+
+if [ -z "$BINARY" ]; then
+  exit 0
+fi
+
+BLOCKED=''
+while IFS= read -r f; do
+  if ! echo "$f" | grep -qiE "\.$ALLOWED_EXTENSIONS$"; then
+    BLOCKED="$BLOCKED\n  $f"
+  fi
+done <<< "$BINARY"
+
+if [ -n "$BLOCKED" ]; then
+  echo "Binary files staged for commit (not allowed):"
+  echo -e "$BLOCKED"
+  echo ""
+  echo "If this is intentional, add the extension to ALLOWED_EXTENSIONS in scripts/check_no_binary.sh"
+  exit 1
+fi