Skip to content

extend: ignorelint — catch agent secret files git is about to leak (committed/un-ignored)#9

Open
deemwario wants to merge 1 commit into
mainfrom
extend/ignorelint-cycle28
Open

extend: ignorelint — catch agent secret files git is about to leak (committed/un-ignored)#9
deemwario wants to merge 1 commit into
mainfrom
extend/ignorelint-cycle28

Conversation

@deemwario

Copy link
Copy Markdown

Extend: ignorelint — catch agent secret files git is about to leak

#ossengineextend the family (new "secure"-category tool), additive, no owner gate.

Why

Committing a .env or an .mcp.json holding an API token is the classic one-keystroke disaster — and .gitignore does not save a file git is already tracking. ignorelint is agent-aware: it knows the files that hold agent/dev secrets and checks git's ignore/tracking state for each.

What it does

  • TRACKED_SECRET (HIGH) — a secret-bearing file already tracked/committed → rotate it + git rm --cached
  • UNIGNORED_SECRET (MED) — present, untracked, un-ignored → one git add . from a leak; add it to .gitignore

Curated agent-aware list (.env/.env.* except .example, .mcp.json, .claude.json, .claude/settings.local.json, private keys, .npmrc, .netrc, …); --add to extend. Excludes .example/.sample/.pub; prunes .git/node_modules. Exit 0/1/2; --json.

Checks git state, never file contents — complements leaklint (output secrets) and agent-reach (read blast-radius); does not duplicate them (disclaimer says so).

Verification (independently re-run)

  • test_ignorelint.sh14/14 green (hermetic temp git repos via core.excludesFile=/dev/null, so it's independent of the host's global gitignore — important for CI).
  • Exit codes confirmed directly: findings→1, clean→0, non-git-dir→2.
  • On a synthetic repo it correctly flags a committed .env (HIGH) + an un-ignored .mcp.json (MED), and does not flag .env.example.
  • Single-file python3, stdlib only. README house-style with the deemwar.com/contact CTA. MIT.

🤖 Generated with Claude Code

A new 'secure'-category tool. Committing a .env or an .mcp.json with an API
token is the classic one-keystroke disaster — and .gitignore does NOT save a
file git is ALREADY tracking. ignorelint is agent-aware: it knows the files
that hold agent/dev secrets and checks git's ignore/tracking state for each.

Flags: TRACKED_SECRET (HIGH) — a secret-bearing file already committed (rotate
+ git rm --cached); UNIGNORED_SECRET (MED) — present, untracked, un-ignored,
one 'git add .' from a leak. Curated list (.env/.env.* except .example,
.mcp.json, .claude.json, .claude/settings.local.json, private keys, .npmrc,
.netrc, …); --add to extend. Excludes .example/.sample/.pub; prunes
.git/node_modules.

Checks git STATE, never file CONTENTS — complements leaklint (output secrets)
and agent-reach (read blast-radius), doesn't duplicate them. Exit 0/1/2; --json.

- single-file python3, stdlib only; test_ignorelint.sh 14/14 green (hermetic
  temp git repos, host-gitignore-independent). README house-style + CTA. MIT.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant