extend: ignorelint — catch agent secret files git is about to leak (committed/un-ignored)#9
Open
deemwario wants to merge 1 commit into
Open
extend: ignorelint — catch agent secret files git is about to leak (committed/un-ignored)#9deemwario wants to merge 1 commit into
deemwario wants to merge 1 commit into
Conversation
A new 'secure'-category tool. Committing a .env or an .mcp.json with an API token is the classic one-keystroke disaster — and .gitignore does NOT save a file git is ALREADY tracking. ignorelint is agent-aware: it knows the files that hold agent/dev secrets and checks git's ignore/tracking state for each. Flags: TRACKED_SECRET (HIGH) — a secret-bearing file already committed (rotate + git rm --cached); UNIGNORED_SECRET (MED) — present, untracked, un-ignored, one 'git add .' from a leak. Curated list (.env/.env.* except .example, .mcp.json, .claude.json, .claude/settings.local.json, private keys, .npmrc, .netrc, …); --add to extend. Excludes .example/.sample/.pub; prunes .git/node_modules. Checks git STATE, never file CONTENTS — complements leaklint (output secrets) and agent-reach (read blast-radius), doesn't duplicate them. Exit 0/1/2; --json. - single-file python3, stdlib only; test_ignorelint.sh 14/14 green (hermetic temp git repos, host-gitignore-independent). README house-style + CTA. MIT.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Extend:
ignorelint— catch agent secret files git is about to leak#ossengine —
extend the family(new "secure"-category tool), additive, no owner gate.Why
Committing a
.envor an.mcp.jsonholding an API token is the classic one-keystroke disaster — and.gitignoredoes not save a file git is already tracking.ignorelintis agent-aware: it knows the files that hold agent/dev secrets and checks git's ignore/tracking state for each.What it does
TRACKED_SECRET(HIGH) — a secret-bearing file already tracked/committed → rotate it +git rm --cachedUNIGNORED_SECRET(MED) — present, untracked, un-ignored → onegit add .from a leak; add it to.gitignoreCurated agent-aware list (
.env/.env.*except.example,.mcp.json,.claude.json,.claude/settings.local.json, private keys,.npmrc,.netrc, …);--addto extend. Excludes.example/.sample/.pub; prunes.git/node_modules. Exit0/1/2;--json.Checks git state, never file contents — complements
leaklint(output secrets) andagent-reach(read blast-radius); does not duplicate them (disclaimer says so).Verification (independently re-run)
test_ignorelint.sh— 14/14 green (hermetic temp git repos viacore.excludesFile=/dev/null, so it's independent of the host's global gitignore — important for CI)..env(HIGH) + an un-ignored.mcp.json(MED), and does not flag.env.example.deemwar.com/contactCTA. MIT.🤖 Generated with Claude Code