diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
new file mode 100644
index 00000000..37ceaf5c
--- /dev/null
+++ b/.github/workflows/pre-commit.yaml
@@ -0,0 +1,24 @@
+name: pre-commit
+
+on:
+ pull_request: {}
+ push:
+ branches: main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ pre-commit:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clone Repository
+ uses: actions/checkout@v6
+ - name: Install uv
+ uses: astral-sh/setup-uv@v7
+ - name: Install pre-commit
+ shell: bash
+ run: uv tool install pre-commit --with pre-commit-uv
+ - run: pre-commit run --show-diff-on-failure --color=always --all-files
+ shell: bash
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c126db09..7aadfd8f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -5,8 +5,6 @@ # Available pre-commit hooks # https://pre-commit.com/hooks.html -default_language_version: - python: python3.7 fail_fast: true repos: - repo: https://github.com/pre-commit/pre-commit-hooks
@@ -22,12 +20,13 @@ repos: hooks: - id: check-useless-excludes - repo: https://github.com/Yelp/detect-secrets - rev: v0.13.0 + rev: v1.5.0 hooks: - id: detect-secrets args: ['--baseline', '.secrets.baseline'] -- repo: https://github.com/mozilla-it/jsonschema-on-yaml - rev: main +- repo: https://github.com/python-jsonschema/check-jsonschema + rev: 0.35.0 hooks: - id: jsonschema-on-yaml - args: ['refractr/refractr.yml', 'refractr/schema.yml'] \ No newline at end of file + - id: check-jsonschema + files: 'refractr\.yml$' + args: ['--schemafile', 'refractr/schema.json']
diff --git a/.secrets.baseline b/.secrets.baseline
index 085355c6..9629c8ba 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
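Review bot: The new workflow declares no `permissions:`, so the `pre-commit` job's GITHUB_TOKEN takes the repository or organisation default even though the job only checks out the code and runs linters. Both `uses:` lines reference mutable major tags, and the checkout step leaves its token in the local git config while third-party hook code runs. The sketch below adds a read-only `permissions:` block, sets `persist-credentials: false` on the checkout, and pins the two actions to commit SHAs (the SHA values are placeholders to fill in). `uv tool install pre-commit --with pre-commit-uv` is likewise unpinned; an explicit version there would make the lint job reproducible.

```yaml
# … unchanged: name, on, concurrency …
permissions:
  contents: read

# … unchanged: jobs.pre-commit header …
      - name: Clone Repository
        uses: actions/checkout@<full-commit-sha>  # v6
        with:
          persist-credentials: false
      - name: Install uv
        uses: astral-sh/setup-uv@<full-commit-sha>  # v7
# … unchanged: pre-commit install and run steps …
```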
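Review bot: In the second `.pre-commit-config.yaml` hunk the new `files: 'refractr\.yml$'` pattern is not anchored at the start, so the hook validates every path ending in `refractr.yml` (`prod-refractr.yml` at the repository root as well as `refractr/refractr.yml`), where the old hook named `refractr/refractr.yml` explicitly in `args`. If the wider scope is intended, which the `prod-refractr.yml` fixes in this commit suggest, say so with a comment such as `# validates refractr/refractr.yml and prod-refractr.yml`; otherwise anchor it, e.g. `files: '^refractr/refractr\.yml$'`. `refractr/schema.json` is not added anywhere in the visible diff, so confirm it exists on this branch. Replacing `rev: main` with a release tag is an improvement; `pre-commit autoupdate --freeze` would go one step further and pin each `rev` to a commit SHA.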
@@ -1,54 +1,137 @@ { - "exclude": { - "files": null, - "lines": null - }, - "generated_at": "2020-04-03T02:39:25Z", + "version": "1.5.0", "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, { "name": "AWSKeyDetector" }, { - "name": "ArtifactoryDetector" + "name": "AzureStorageKeyDetector" }, { - "base64_limit": 4.5, - "name": "Base64HighEntropyString" + "name": "Base64HighEntropyString", + "limit": 4.5 }, { "name": "BasicAuthDetector" }, { - "hex_limit": 3, - "name": "HexHighEntropyString" + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "GitLabTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "IPPublicDetector" }, { "name": "JwtTokenDetector" }, { - "keyword_exclude": null, - "name": "KeywordDetector" + "name": "KeywordDetector", + "keyword_exclude": "" }, { "name": "MailchimpDetector" }, + { + "name": "NpmDetector" + }, + { + "name": "OpenAIDetector" + }, { "name": "PrivateKeyDetector" }, + { + "name": "PypiTokenDetector" + }, + { + "name": "SendGridDetector" + }, { "name": "SlackDetector" }, { "name": "SoftlayerDetector" }, + { + "name": "SquareOAuthDetector" + }, { "name": "StripeDetector" + }, + { + "name": "TelegramBotTokenDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + 
"path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" } ], - "results": {}, - "version": "0.13.0", - "word_list": { - "file": null, - "hash": null - } + "results": { + "docs/SRE_INFO.md": [ + { + "type": "Hex High Entropy String", + "filename": "docs/SRE_INFO.md", + "hashed_secret": "19f5128f9b42e46e7ec93f4fc2882c9906c63fc2", + "is_verified": false, + "line_number": 73 + } + ] + }, + "generated_at": "2025-11-23T20:47:13Z" } diff --git a/docs/refractr-architecture.md b/docs/refractr-architecture.md index f76a0227..4aee4799 100644 --- a/docs/refractr-architecture.md +++ b/docs/refractr-architecture.md 
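Review bot: The regenerated baseline now carries a result, a `Hex High Entropy String` at `docs/SRE_INFO.md` line 73 with `is_verified: false`, where the previous baseline had `"results": {}`; once the entry is in `.secrets.baseline` the pre-commit hook stops reporting that line. Before merging, confirm what the string actually is, for example with `detect-secrets audit .secrets.baseline`, which records the verdict in the baseline. If it turns out to be a live credential it needs rotating and removing from the document and its history rather than baselining.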
@@ -29,7 +29,7 @@ The refractr.yml spec allows for specifying tests in the form of given-source to ### minimal changes Due to the nature of redirects and rewrites it is common to add new domains or subtract old ones. This means that the nginx config needs to be told which are the valid list of domains and update them when deploying a new refractr Docker image to GKE. When a new version of the refractr image is pushed to prod, redirects are already live. -In a second step, certificates must be created and linked to refractr's Loadbalancer -- this step currently requires a second PR to be opened after deployment. All certificates are managed with GCP's certificate manager api and attached to the Loadbalancer by a certmap, we manage all of those resources via terraform in refractr's infrastructure project. +In a second step, certificates must be created and linked to refractr's Loadbalancer -- this step currently requires a second PR to be opened after deployment. All certificates are managed with GCP's certificate manager api and attached to the Loadbalancer by a certmap, we manage all of those resources via terraform in refractr's infrastructure project. ## refractr traffic flow Traffic flow to refractr starts with DNS. A domain that should be handled by the system must be pointed to it's Loadbalancer, usually by a CNAME, in some cases, by A / AAAA records. Once a request reaches the Loadbalancer, we force HTTPS, then forward to the actual application pods, which then handle individual redirects as configured.
diff --git a/examples/complex-redirect.yml b/examples/complex-redirect.yml
index 1efe90cd..6239ef70 100644
--- a/examples/complex-redirect.yml
+++ b/examples/complex-redirect.yml
@@ -59,4 +59,3 @@ validate: - 301 http://lockwise.firefox.com/ -> https://www.mozilla.org/firefox/lockwise/ MATCHED test-result: MATCHED validate-result: SUCCESS -
diff --git a/examples/complex-rewrite-with-if-and-redirect.yml b/examples/complex-rewrite-with-if-and-redirect.yml
index dab5da8e..45ec1dad 100644
--- a/examples/complex-rewrite-with-if-and-redirect.yml
+++ b/examples/complex-rewrite-with-if-and-redirect.yml
@@ -68,4 +68,3 @@ validate: hops: - 301 http://en-uk.start.mozilla.com/ -> https://start.mozilla.org/en-uk/ MATCHED test-result: MATCHED -
diff --git a/examples/simple-multiple-sources.yml b/examples/simple-multiple-sources.yml
index 57b4329e..75cf717b 100644
--- a/examples/simple-multiple-sources.yml
+++ b/examples/simple-multiple-sources.yml
@@ -41,4 +41,3 @@ validate: - 301 http://labs.mozilla.com -> https://labs.mozilla.org/ MATCHED test-result: MATCHED validate-result: SUCCESS -
diff --git a/examples/simple-single-source.yml b/examples/simple-single-source.yml
index 70a92c5c..8dfb0083 100644
--- a/examples/simple-single-source.yml
+++ b/examples/simple-single-source.yml
@@ -31,4 +31,3 @@ validate: - 301 http://wiki.mozilla.com -> https://wiki.mozilla.org/ MATCHED test-result: MATCHED validate-result: SUCCESS -
diff --git a/prod-refractr.yml b/prod-refractr.yml
index 7bd178cf..61b6b083 100644
--- a/prod-refractr.yml
+++ b/prod-refractr.yml
@@ -1228,17 +1228,17 @@ refracts: - www.browseagainstthemachine.com # SREIN-636 -- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=downloadfirefox-us +- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=downloadfirefox-us: - downloadfirefox.us - www.downloadfirefox.us # SREIN-636 -- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=fire-fox-us +- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=fire-fox-us: - fire-fox.us - www.fire-fox.us # SREIN-636 -- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=mozillafirefox-us +- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=mozillafirefox-us: - mozillafirefox.us - www.mozillafirefox.us
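Review bot: The destination keys fixed in `prod-refractr.yml` (three in this hunk, `viewsourceconf.org/:` in the next) are plain scalars, which is probably why the missing `:` went unnoticed: without it YAML appears to fold the following `- host` lines into one long string instead of raising an error. Single-quoting the keys, e.g. `- 'www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=fire-fox-us':`, should turn the same omission into a parse error, and it keeps the `?`, `&` and `=` characters visibly inside the key. The surrounding `refracts:` list starts outside the hunk, so whether other entries are already quoted cannot be seen from here.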
@@ -1265,6 +1265,6 @@ refracts: - www.mozillastore.com # SREIN-636 -- viewsourceconf.org/ +- viewsourceconf.org/: - viewsourceconf.com - www.viewsourceconf.com
diff --git a/refractr/image/refractr.sh b/refractr/image/refractr.sh
index 68b906fe..d2391e27 100755
--- a/refractr/image/refractr.sh
+++ b/refractr/image/refractr.sh
@@ -44,4 +44,3 @@ case "$ACTION" in exit 1 ;; esac -