chore(workspace): add hardened startup/security workflows and skill suite

2026-03-04 19:13:33 +00:00
parent 4903e9d75d
commit 808af5ee13
58 changed files with 3787 additions and 3 deletions
--- a/skills/git-workspace-hygiene/scripts/precommit-scan.sh
+++ b/skills/git-workspace-hygiene/scripts/precommit-scan.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT="${1:-.}"
+cd "$ROOT"
+
+echo "[scan] checking for likely secrets in staged changes..."
+STAGED=$(git diff --cached --name-only || true)
+if [[ -z "${STAGED}" ]]; then
+  echo "[scan] no staged files"
+  exit 0
+fi
+
+FAIL=0
+
+# simple patterns (high-signal only)
+PATTERN='(AKIA[0-9A-Z]{16}|-----BEGIN (RSA|EC|OPENSSH|PRIVATE) KEY-----|xox[baprs]-|ghp_[A-Za-z0-9]{20,}|AIza[0-9A-Za-z\-_]{35})'
+
+if git diff --cached | grep -E -n "$PATTERN" >/tmp/precommit-scan-matches.txt; then
+  echo "[scan] possible secret patterns found:"
+  cat /tmp/precommit-scan-matches.txt
+  FAIL=1
+fi
+
+# block obvious sensitive paths
+while IFS= read -r f; do
+  case "$f" in
+    .openclaw/credentials/*|*.pem|*.key|*.p12|*.pfx|.env|.env.*)
+      echo "[scan] blocked sensitive path staged: $f"
+      FAIL=1
+      ;;
+  esac
+done <<< "$STAGED"
+
+if [[ "$FAIL" -ne 0 ]]; then
+  echo "[scan] FAILED. unstage/remove sensitive data before commit."
+  exit 2
+fi
+
+echo "[scan] ok"