fix(hooks): quote CONFIG_ARG, guard pre-push against empty repos

- Quote $CONFIG_ARG in pre-commit and pre-push to prevent word-splitting
  on paths with spaces or special characters
- Add `git rev-parse HEAD` guard in pre-push so gitleaks is skipped on
  repos with no commits yet (gitleaks git exits non-zero on empty history)
- Expand pre-push header comment to document the empty-repo skip and note
  the full-history scan tradeoff for large repos

hooks/pre-commit

@@ -16,7 +16,7 @@ fi
 CONFIG_ARG="--config=$BASE_CONFIG"
 [[ -f "$REPO_CONFIG" ]] && CONFIG_ARG="--config=$REPO_CONFIG"
 
-if ! gitleaks protect --staged $CONFIG_ARG --redact 2>&1; then
+if ! gitleaks protect --staged "$CONFIG_ARG" --redact 2>&1; then
     echo ""
     echo "Commit blocked: secrets or PII detected in staged changes."
     echo "Review above, remove the sensitive value, then re-stage and retry."

hooks/pre-push

@@ -1,6 +1,8 @@
 #!/usr/bin/env bash
 # pre-push — scan full branch history not yet on remote
-# Safety net: catches anything committed with --no-verify or before hooks were wired
+# Safety net: catches secrets in full branch history.
+# Skips on empty repos (no commits yet). For large repos this scans all history — acceptable
+# for CircuitForge repo sizes; switch to range scanning if it becomes slow.
 set -euo pipefail
 
 HOOKS_REPO="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
@@ -16,7 +18,10 @@ fi
 CONFIG_ARG="--config=$BASE_CONFIG"
 [[ -f "$REPO_CONFIG" ]] && CONFIG_ARG="--config=$REPO_CONFIG"
 
-if ! gitleaks git $CONFIG_ARG --redact 2>&1; then
+# Skip scan on empty repo (no commits yet) — gitleaks git exits non-zero with nothing to scan
+git rev-parse HEAD &>/dev/null || exit 0
+
+if ! gitleaks git "$CONFIG_ARG" --redact 2>&1; then
     echo ""
     echo "Push blocked: secrets or PII found in branch history."
     echo "Use git-filter-repo to scrub, then force-push."