chore(hygiene): root secret-capture guards — .gitignore patterns + opt-in pre-commit secret scan (plan R2-08 T3)
This commit is contained in:
@@ -44,5 +44,14 @@ docker-env2/*/data/
|
|||||||
# Local credentials / login captures — never commit
|
# Local credentials / login captures — never commit
|
||||||
*login*.txt
|
*login*.txt
|
||||||
|
|
||||||
|
# Ad-hoc scratch/credential captures at the repo root — never commit
|
||||||
|
# (arch-review 08 round 2 NF1: a live API key sat in an untracked test.txt)
|
||||||
|
/test.txt
|
||||||
|
/*credentials*
|
||||||
|
/*secret*
|
||||||
|
|
||||||
|
# Claude tool worktrees (NF7)
|
||||||
|
.claire/
|
||||||
|
|
||||||
# Sister-project deployment artifacts (not part of this solution)
|
# Sister-project deployment artifacts (not part of this solution)
|
||||||
/deploy/
|
/deploy/
|
||||||
|
|||||||
@@ -0,0 +1,5 @@
|
|||||||
|
# Git hooks
|
||||||
|
|
||||||
|
`pre-commit` scans the staged diff for obvious credential material (inbound API tokens `sbk_...`, plaintext password assignments in root `.txt`/`.md` additions) and blocks the commit if found (bypass a false positive with `git commit --no-verify`).
|
||||||
|
|
||||||
|
Opt in once with: `git config core.hooksPath tools/hooks`
|
||||||
Executable
+22
@@ -0,0 +1,22 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Root secret-capture guard (arch-review 08 round 2 NF1).
|
||||||
|
# Scans ONLY the staged diff for obvious credential material and blocks the
|
||||||
|
# commit if found. Opt-in: `git config core.hooksPath tools/hooks`.
|
||||||
|
# Bypass a knowing false positive with: git commit --no-verify
|
||||||
|
|
||||||
|
diff=$(git diff --cached -U0)
|
||||||
|
|
||||||
|
# 1) Inbound API token: sbk_<hex>_<token>
|
||||||
|
token=$(printf '%s\n' "$diff" | grep -nE '^\+.*sbk_[0-9a-f]{16,}_[A-Za-z0-9_-]{20,}')
|
||||||
|
|
||||||
|
# 2) Plaintext password assignment added to a root-level .txt/.md file.
|
||||||
|
pw=$(printf '%s\n' "$diff" | grep -nE '^\+.*[Pp]assword[0-9]*[[:space:]]*[:=][[:space:]]*[^[:space:]]')
|
||||||
|
|
||||||
|
if [ -n "$token" ] || [ -n "$pw" ]; then
|
||||||
|
echo "pre-commit: possible secret in staged changes — commit blocked." >&2
|
||||||
|
[ -n "$token" ] && echo " inbound API token (sbk_...) matched:" >&2 && printf '%s\n' "$token" >&2
|
||||||
|
[ -n "$pw" ] && echo " plaintext password assignment matched:" >&2 && printf '%s\n' "$pw" >&2
|
||||||
|
echo "Bypass a false positive with: git commit --no-verify" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
exit 0
|
||||||
Reference in New Issue
Block a user