
feat(hooks): block secrets in all nested .knowledge/.knowlenge paths#53

Merged
skulidropek merged 3 commits into ProverCoderAI:main from skulidropek:issue-38
Feb 16, 2026

Conversation

Contributor

@skulidropek skulidropek commented Feb 16, 2026

Summary

  • extended knowledge handling from top-level only to all nested .knowledge and .knowlenge directories
  • integrated external secret scanner support with auto-installed gitleaks in generated Docker images
  • kept deterministic fallback redaction/checks (GitHub/OpenAI/Anthropic/private key markers)
  • extended pre-push guard to block pushes when nested knowledge paths contain:
    • blobs larger than 99,000,000 bytes
    • secret-like content in history (upstream..HEAD)
  • updated history-repair flow to replay both split and secret redaction for already committed data

Closes #38.

What Changed

  • packages/lib/src/core/templates/dockerfile.ts
    • generated project containers now install gitleaks automatically (x64/arm64)
  • scripts/split-knowledge-large-files.js
    • discovers knowledge roots recursively (not only ./.knowledge and ./.knowlenge)
  • scripts/pre-commit-secret-guard.sh
    • scopes to .knowledge/.knowlenge paths at any depth
    • uses gitleaks automatically when available
    • redacts known secret formats and re-validates staged content
  • scripts/pre-push-knowledge-guard.js
    • scans pushed ranges for nested knowledge paths
    • blocks on both oversized blobs and secret-like content
    • uses gitleaks on blob content when available (with regex fallback)
  • .githooks/pre-commit + scripts/setup-pre-commit-hook.js
    • stage all nested knowledge directories after split
  • scripts/repair-knowledge-history.js
    • applies split + secret guard during rebase replay
  • .githooks/pre-push
    • docs updated to reflect new safety behavior
  • tests updated:
    • packages/lib/tests/usecases/prepare-files.test.ts
    • packages/docker-git/tests/core/templates.test.ts

Proof (manual fragments)

1) Split works for nested .knowlenge

$ truncate -s 100000001 nested/deeper/.knowlenge/huge.bin
$ node scripts/split-knowledge-large-files.js
[knowledge-split] Split .../nested/deeper/.knowlenge/huge.bin -> 2 part(s)

2) Pre-commit auto-redacts nested .knowlenge secrets

pre-commit: auto-redacted secrets in 1 staged .knowledge/.knowlenge file(s) ...
my gh token: <REDACTED_GITHUB_TOKEN>
my openai: <REDACTED_OPENAI_KEY>

3) Pre-push blocks secret in nested .knowlenge

exit=1
ERROR: Push blocked. Found secret-like content under .knowledge/.knowlenge paths.
 - x/.knowlenge/raw.md: GitHub token [...]

4) Pre-push blocks oversized nested .knowledge blob

exit=1
ERROR: Push blocked. Found blobs > 99000000 bytes (99.00 MB) under .knowledge/.knowlenge paths.
 - z/y/.knowledge/huge.bin: 100000001 bytes (100.00 MB) [...]

Validation

pnpm --filter ./packages/lib test
pnpm --filter ./packages/docker-git test
pnpm --filter ./packages/app lint
pnpm --filter ./packages/app test

All commands passed locally.
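An added example, not the PR's own scripts/pre-push-knowledge-guard.js, modelling the guard logic described above in JavaScript: the any-depth .knowledge/.knowlenge path filter, the 99,000,000-byte blob limit, a regex fallback for the named secret formats (the patterns are assumed approximations, and gitleaks is not called here), and the <REDACTED_*> replacement the pre-commit hook applies. SAMPLE_BLOBS is constructed input standing in for blobs gathered from upstream..HEAD.

```javascript
// Added example, not the PR's own scripts/pre-push-knowledge-guard.js:
// a minimal model of the described pre-push guard. Secret patterns are
// assumed approximations of the named formats (gitleaks is not used here).
const MAX_BLOB_BYTES = 99_000_000;                       // limit from the PR
const KNOWLEDGE_DIR = /(^|\/)\.knowle(dge|nge)\//;       // any depth, both spellings

// Detection patterns (no 'g' flag so .test() carries no lastIndex state).
const SECRET_PATTERNS = [
  { name: 'GitHub token',  re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/,     tag: 'GITHUB_TOKEN' },
  { name: 'Anthropic key', re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/,      tag: 'ANTHROPIC_KEY' },
  { name: 'OpenAI key',    re: /\bsk-[A-Za-z0-9]{20,}\b/,            tag: 'OPENAI_KEY' },
  { name: 'private key',   re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/, tag: 'PRIVATE_KEY' },
];

function isKnowledgePath(path) {
  return KNOWLEDGE_DIR.test(path);
}

// Names of the secret formats present in a blob's text.
function findSecrets(text) {
  return SECRET_PATTERNS.filter(({ re }) => re.test(text)).map(({ name }) => name);
}

// Pre-commit style redaction: every match becomes a <REDACTED_*> marker.
function redactSecrets(text) {
  return SECRET_PATTERNS.reduce(
    (out, { re, tag }) => out.replace(new RegExp(re.source, 'g'), `<REDACTED_${tag}>`), text);
}

// blobs: [{ path, size, content }] gathered from the pushed range (upstream..HEAD).
// Only blobs under a .knowledge/.knowlenge directory are examined.
function checkPushRange(blobs) {
  const oversized = [];
  const secrets = [];
  for (const { path, size, content } of blobs) {
    if (!isKnowledgePath(path)) continue;
    if (size > MAX_BLOB_BYTES) oversized.push({ path, size });
    for (const name of findSecrets(content)) secrets.push({ path, name });
  }
  return { ok: oversized.length === 0 && secrets.length === 0, oversized, secrets };
}

// Constructed sample blobs; sizes are declared, not measured.
const SAMPLE_BLOBS = [
  { path: 'z/y/.knowledge/huge.bin',   size: 100_000_001, content: '' },
  { path: 'x/.knowlenge/raw.md',       size: 60, content: 'my gh token: ghp_' + 'a'.repeat(36) },
  { path: 'src/.knowledge-notes/k.md', size: 60, content: 'ghp_' + 'b'.repeat(36) }, // outside scope
  { path: 'README.md',                 size: 5,  content: 'hello' },
];
```

Running checkPushRange(SAMPLE_BLOBS) reports one oversized blob and one secret finding, while the token under .knowledge-notes is ignored because that directory is not a knowledge root.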

@skulidropek skulidropek merged commit 18f37a2 into ProverCoderAI:main Feb 16, 2026
11 checks passed