feat(pre-commit): ship sqlshield as pre-commit hook

Add .pre-commit-hooks.yaml so users can wire sqlshield into their
.pre-commit-config.yaml. Convert workspace root Cargo.toml to a combined
package+workspace manifest with a `sqlshield-precommit` shim package
(publish = false) that exposes the same `sqlshield` bin from
sqlshield-cli/src/main.rs. This makes `cargo install --path .` (used by
pre-commit's `language: rust`) succeed against the workspace root, which
is otherwise a virtual manifest.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: davidsmfreire

.pre-commit-hooks.yaml

@@ -0,0 +1,7 @@
+- id: sqlshield
+  name: sqlshield
+  description: Schema-aware SQL linter for embedded queries in Python, Rust, Go, and JavaScript / TypeScript source files.
+  entry: sqlshield
+  language: rust
+  pass_filenames: false
+  files: \.(py|rs|go|js|ts|tsx|sql)$

Cargo.lock

@@ -19,3 +19,33 @@ repository = "https://github.com/davidsmfreire/sqlshield"
 [workspace.dependencies]
 sqlshield = { version = "0.0.2", path = "sqlshield" }
 sqlshield-introspect = { version = "0.0.2", path = "sqlshield-introspect" }
+
+# Root package exists solely so `cargo install --path .` (used by
+# pre-commit's `language: rust`) succeeds against this workspace. Not
+# published; mirrors `sqlshield-cli` and ships the same `sqlshield` bin.
+[package]
+name = "sqlshield-precommit"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+rust-version.workspace = true
+license.workspace = true
+repository.workspace = true
+description = "pre-commit shim that installs the sqlshield CLI from this workspace root"
+publish = false
+
+[[bin]]
+name = "sqlshield"
+path = "sqlshield-cli/src/main.rs"
+
+[features]
+default = ["introspect"]
+introspect = ["dep:sqlshield-introspect"]
+
+[dependencies]
+clap = { version = "4.4.18", features = ["derive"] }
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+sqlshield = { workspace = true }
+sqlshield-introspect = { workspace = true, optional = true }
+toml = "0.8"

Cargo.toml

@@ -154,6 +154,28 @@ A first-party VS Code extension lives at
 [`editors/vscode/`](editors/vscode/README.md) — it spawns `sqlshield-lsp`
 over stdio and forwards diagnostics as you type.
 
+## pre-commit
+
+sqlshield ships a [pre-commit](https://pre-commit.com/) hook so it can
+gate every commit alongside your other linters. Add it to
+`.pre-commit-config.yaml`:
+
+```yaml
+- repo: https://github.com/davidsmfreire/sqlshield
+  rev: sqlshield-cli-v0.0.2  # pin to a tagged release
+  hooks:
+    - id: sqlshield
+```
+
+`pass_filenames: false` is hard-coded in the hook definition because
+sqlshield walks the directory itself (driven by `.sqlshield.toml` or its
+defaults) — file-by-file invocation isn't supported. The hook still
+runs only when files matching `\.(py|rs|go|js|ts|tsx|sql)$` change.
+
+The hook uses `language: rust`, so pre-commit's first run compiles the
+CLI from source via `cargo install`. Subsequent runs reuse the cached
+binary.
+
 ## Python integration
 
 [`sqlshield-py`](sqlshield-py/) exposes `validate_query` and