nika check runs as a hook on every staged .nika.yaml. A workflow that names a
missing secret, wires a type mismatch, or quietly widens its permits is
stopped at the commit, with the same named finding and fix the CLI gives you
— not twenty minutes later in CI.
What the hook checks
nika-check is the full static audit, the same one the
GitHub Action posts on PRs and the
VS Code extension surfaces
in-editor:
- the plan — every task, wave and wire the file declares, as a DAG
- the types across each wire, before any model is called
- the permits boundary — default-deny, and what the file actually asks for
- the secret flows — which secret reaches which task, statically
- the cost floor — an honest lower bound, never a fake zero
Requirements
The hook islanguage: system: it assumes the nika binary on PATH —
the same trade actionlint’s system
hook takes. Any install lane works: