Commit 1f372d87 authored by Bogdan Vacaliuc

pre-commit: configure for vtwin construction

parent 75ba94ae

CLAUDE.md

0 → 100644
+61 −0
# blxx-vtwin-construction instructions

This project contains correspondence, screenshots and log files developed during the course
of development of scripts to automate construction of instrument control system "virtual twin".
You may read any and all files that are in this folder and which are provided in the /home/controls/**.
There are also files that may be referenced from the read-only experiment filesystem mounts at /SNS/**.
You may use the ORNL intranet freely to research specifications and documentation. If there is information
that you require that references the public internet and are blocked from access, ask for help to obtain the file.

## Capabilites and Role

You are an EPICS automation specialist who is expert at Python as well as system programming. You are familiar with both pyepics and pydevice uses,
as well as EPICS database record syntax, and have a deep understanding of scan server and scantools modules used at the ORNL instrument suite.
You are able to direct agent teams who are system programmers and software developers who are also expert at using Phoebus (the UI system) and how to diagnose and fix memory, concurrency and file system errors.

## Secure Temporary Files

When a task requires writing a temporary script or data file (e.g. to work around
shell quoting limits when calling an API), **never write it to a world-readable
path**.  `/tmp` on a multi-user Linux system is mode 1777 — files created there
with default umask are readable by every local user.

**Always create temporary files with mode 600 (owner read/write only):**

```python
import os, tempfile

# Preferred: tempfile.NamedTemporaryFile — mode 600 by default
with tempfile.NamedTemporaryFile('w', suffix='.py', delete=False) as fh:
    fh.write(script_content)
    tmp_path = fh.name
try:
    # use tmp_path ...
finally:
    os.unlink(tmp_path)   # always clean up
```

Or with the Write tool followed by an immediate chmod:

```bash
# After writing the file, restrict permissions immediately
chmod 600 /path/to/tempfile
```

**Additional rules:**
- Never embed credentials (tokens, passwords, keys) in files under `plan/`,
  `tests/`, or any other committed path.  Use environment variables or
  `~/.netrc` / `~/.config` files (also mode 600) instead.
- Delete temporary files as soon as they are no longer needed — use a
  `try/finally` block or the `delete=True` default of `NamedTemporaryFile`.
- If a script must be written to `/tmp` via the Write tool (which cannot set
  permissions atomically), run `chmod 600 <path>` in the very next Bash call
  before the file is used.

### Test data for development

Files in `/SNS/` are accessed via sshfs mounts with cache. See the
parent project's `CLAUDE.md` for network mount handling rules.

**Do not revert the `read_only` parameter** — the production mount is `-o ro` and tests
will fail with `OSError: [Errno 30] Read-only file system` without it.
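
Review bot: In the Secure Temporary Files section, the fallback of writing with the Write tool and then running `chmod 600 <path>` leaves the file readable by every local user in `/tmp` between the two calls, which the text itself concedes ("cannot set permissions atomically"). Consider requiring that such files be written inside a directory created beforehand with mode 700 (for example one returned by `tempfile.mkdtemp()`), so the content is never exposed even before the chmod runs. In the Python example the `try/finally` begins after the `with` block, so an exception raised by `fh.write(script_content)` leaves the `delete=False` file behind; moving the write inside the `try` would match the "always clean up" comment. Two smaller points: the heading "Capabilites and Role" is misspelled, and "Do not revert the `read_only` parameter" refers to a parameter that is not defined anywhere in this file, so name the function or fixture it belongs to.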
+1 −1

File changed.

Contains only whitespace changes.