Skip to content

Keel v1.9.0

Choose a tag to compare

@joseconti joseconti released this 15 Jul 21:59

What's new in 1.9.0

Confidential data never reaches Git

Before EVERY commit and push — test points and sprint closes, the release, website deploys, adoption's first commit, any ad-hoc commit — Keel now checks that nothing confidential is about to enter the repository. This applies from the project's very first commit, not only at release time.

What it scans. The staged files (at release, the whole tracked tree), by name and by content: .env* and credential files, private keys and certificates, wp-config.php with real values, database dumps and backups, API keys and tokens, passwords in config, OAuth client secrets, payment-gateway merchant keys, license keys, and real personal or customer data in fixtures, seeds, logs, or dumps. A dedicated scanner (gitleaks, trufflehog) is used when available — helpful, never required.

What happens on a finding. The commit STOPS. The user is warned file by file that letting it reach the repository is a serious security risk, and the fix matching the file's state is applied before anything is committed:

  • Never tracked → excluded via .gitignore so it can never reach the repository.
  • Tracked but never pushed → git rm --cached plus .gitignore.
  • Ever pushed → removed from history (git filter-repo / BFG) AND the exposed credential rotated: a pushed secret is compromised.

The user has the last word: a flagged file they confirm as safe (placeholders, sandbox-only keys meant to ship) proceeds, with the decision recorded in docs/decisions.md.

Integrated end to end. The CLAUDE.md portability lock now forbids committing without this check (existing projects pick it up through the normal lock-refresh mechanism), Phase 5's commit discipline runs it at every commit, and Phase 7 re-runs it over the whole tracked tree before release.

Full details in keel/CHANGELOG.md.

How to update

Replace your installed keel/ directory with this release's (see INSTALL.md, section "Updating") — or let the session-start update check introduced in 1.8.0 do it for you where the environment allows.