
feat(push-gate): Block .claude/settings.local.json in forbidden-files gate

settings.local.json routinely accumulates API keys inside permission
rules and must never reach a remote. Add it to the Step 7 FORBIDDEN_REGEX
so any push that adds the file is refused (exit 2), and note it in the
SKILL.md exit-code table.

Completes the three-layer protection shipped in v2.9.0 (gitignore +
setperms self-heal + push-gate refusal) — this lands the gate layer on
main for everyone, not just locally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
0xDarkMatter, 1 week ago
parent
commit
038136132c
2 changed files with 2 additions and 2 deletions
  1. +1 -1  skills/push-gate/SKILL.md
  2. +1 -1  skills/push-gate/scripts/preflight.sh

+ 1 - 1
skills/push-gate/SKILL.md

@@ -57,7 +57,7 @@ The script prints a structured report and exits with:
 |---|---|---|
 | 0 | All gates passed; ready for push | Ask user to confirm, then `git push <remote> <branch>` |
 | 1 | Secret-scanner hit | Report to user; refuse; suggest `git filter-repo` / BFG |
-| 2 | Forbidden file added (.env, key files, worktree paths, etc.) | Report; refuse |
+| 2 | Forbidden file added (.env, key files, `.claude/settings.local.json`, worktree paths, etc.) | Report; refuse |
 | 3 | Dirty working tree | Report; ask user to commit or stash first |
 | 4 | Non-ff divergence | Report; ask user to rebase or merge first |
 | 5 | Missing dependency (gitleaks) | Report install instructions; refuse |
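Review bot: The updated exit-2 row still reads "Forbidden file added", and that wording is narrower than the commit message's "must never reach a remote": Step 7 in preflight.sh builds its list from `git diff --name-only --diff-filter=A`, so a `.claude/settings.local.json` that is already tracked on the remote and only modified in the pushed commits, or one that git reports as a rename, does not produce exit 2. Suggest stating that scope in the row, e.g. "Forbidden file newly added in the pushed commits (.env, key files, `.claude/settings.local.json`, worktree paths, etc.)", so a user does not read this gate as a guarantee that the file is absent from the branch.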

+ 1 - 1
skills/push-gate/scripts/preflight.sh

@@ -113,7 +113,7 @@ echo "STEP 6  OK    secret scan clean"
 # ── Step 7: forbidden files ───────────────────────────────────────────────────
 # Files that should never ship to a remote. Matched against added-file paths.
 # Gitignore-style patterns would be nicer; for now, a small explicit list.
-FORBIDDEN_REGEX='(^|/)\.env(\.|$)|(^|/)\.env\.(local|development|production|test)$|\.(pem|key|pfx|p12|asc|ppk|id_rsa|id_ed25519|id_ecdsa|id_dsa)$|(^|/)\.aws/credentials$|(^|/)\.ssh/(id_|config)|(^|/)\.claude/worktrees/|(^|/)secrets?\.(json|ya?ml|toml|ini)$'
+FORBIDDEN_REGEX='(^|/)\.env(\.|$)|(^|/)\.env\.(local|development|production|test)$|\.(pem|key|pfx|p12|asc|ppk|id_rsa|id_ed25519|id_ecdsa|id_dsa)$|(^|/)\.aws/credentials$|(^|/)\.ssh/(id_|config)|(^|/)\.claude/worktrees/|(^|/)\.claude/settings\.local\.json$|(^|/)secrets?\.(json|ya?ml|toml|ini)$'
 
 if git rev-parse --verify "${REMOTE}/${BRANCH}" >/dev/null 2>&1; then
   ADDED_FILES="$(git diff --name-only --diff-filter=A "${REMOTE}/${BRANCH}..${BRANCH}")"
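Review bot: The new alternative `(^|/)\.claude/settings\.local\.json$` is correctly escaped and anchored, but because `ADDED_FILES` is built with `--diff-filter=A` it only sees paths git classifies as additions: with rename detection on (the default for `git diff`), a tracked `.claude/settings.json` moved to `.claude/settings.local.json` shows up as `R` and is skipped, and a copy that was already pushed before this gate existed is `M` and is likewise skipped. If the intent is the one in the commit message, consider `--diff-filter=AR` (or `ACR`), or adding `--no-renames` so renames surface as additions, and document the remaining gap for already-tracked files. Two smaller points on the same regex line: the `(^|/)\.env\.(local|development|production|test)$` alternative is fully covered by `(^|/)\.env(\.|$)` and can go, and `id_rsa`/`id_ed25519`/`id_ecdsa`/`id_dsa` sit inside the `\.(...)$` suffix group, so a bare `id_rsa` outside `.ssh/` is only matched when it appears with a leading dot, as in `foo.id_rsa`; a `(^|/)id_(rsa|ed25519|ecdsa|dsa)$` alternative would close that.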