From 90cdb6e51a33e1a9d1fc908cf40b97f5cea8ce03 Mon Sep 17 00:00:00 2001 From: Joseph Doherty Date: Mon, 13 Jul 2026 09:42:49 -0400 Subject: [PATCH] =?UTF-8?q?chore(hygiene):=20root=20secret-capture=20guard?= =?UTF-8?q?s=20=E2=80=94=20.gitignore=20patterns=20+=20opt-in=20pre-commit?= =?UTF-8?q?=20secret=20scan=20(plan=20R2-08=20T3)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitignore | 9 +++++++++ tools/hooks/README.md | 5 +++++ tools/hooks/pre-commit | 22 ++++++++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 tools/hooks/README.md create mode 100755 tools/hooks/pre-commit diff --git a/.gitignore b/.gitignore index aec5aeb6..70761ed8 100644 --- a/.gitignore +++ b/.gitignore @@ -44,5 +44,14 @@ docker-env2/*/data/ # Local credentials / login captures — never commit *login*.txt +# Ad-hoc scratch/credential captures at the repo root — never commit +# (arch-review 08 round 2 NF1: a live API key sat in an untracked test.txt) +/test.txt +/*credentials* +/*secret* + +# Claude tool worktrees (NF7) +.claire/ + # Sister-project deployment artifacts (not part of this solution) /deploy/ diff --git a/tools/hooks/README.md b/tools/hooks/README.md new file mode 100644 index 00000000..6d569873 --- /dev/null +++ b/tools/hooks/README.md @@ -0,0 +1,5 @@ +# Git hooks + +`pre-commit` scans the staged diff for obvious credential material (inbound API tokens `sbk_...`, plaintext password assignments in root `.txt`/`.md` additions) and blocks the commit if found (bypass a false positive with `git commit --no-verify`). + +Opt in once with: `git config core.hooksPath tools/hooks` diff --git a/tools/hooks/pre-commit b/tools/hooks/pre-commit new file mode 100755 index 00000000..d94b8347 --- /dev/null +++ b/tools/hooks/pre-commit @@ -0,0 +1,22 @@ +#!/bin/sh +# Root secret-capture guard (arch-review 08 round 2 NF1). +# Scans ONLY the staged diff for obvious credential material and blocks the +# commit if found. Opt-in: `git config core.hooksPath tools/hooks`. +# Bypass a knowing false positive with: git commit --no-verify + +diff=$(git diff --cached -U0) + +# 1) Inbound API token: sbk__ +token=$(printf '%s\n' "$diff" | grep -nE '^\+.*sbk_[0-9a-f]{16,}_[A-Za-z0-9_-]{20,}') + +# 2) Plaintext password assignment added to a root-level .txt/.md file. +pw=$(printf '%s\n' "$diff" | grep -nE '^\+.*[Pp]assword[0-9]*[[:space:]]*[:=][[:space:]]*[^[:space:]]') + +if [ -n "$token" ] || [ -n "$pw" ]; then + echo "pre-commit: possible secret in staged changes — commit blocked." >&2 + [ -n "$token" ] && echo " inbound API token (sbk_...) matched:" >&2 && printf '%s\n' "$token" >&2 + [ -n "$pw" ] && echo " plaintext password assignment matched:" >&2 && printf '%s\n' "$pw" >&2 + echo "Bypass a false positive with: git commit --no-verify" >&2 + exit 1 +fi +exit 0