chore: harden against environment-specific leaks #56
Merged
Swap the 100.x CGNAT example for 192.0.2.10 (RFC 5737 TEST-NET-1) in the token-transport guard tests — keeps the non-loopback-HTTP assertion, drops an environment-specific address.
Extend the pre-commit secret-scan to catch environment-specific values (*.ts.net MagicDNS names and 100.64.0.0/10 tailnet IPs) so live infra can't be committed into code, docs, or examples. Verified: detects leaks, no false positive on 192.0.2.x or non-CGNAT 100.x, and the script does not self-trip.
Two small hygiene changes (separate concern from #54):

- Swap the 100.x CGNAT fixture in the token-transport guard tests with 192.0.2.10 (RFC 5737 TEST-NET-1), a clearly-example, non-loopback address. Same assertions, no environment-specific IP.
- Extend scripts/secret-scan.sh to flag *.ts.net MagicDNS names and 100.64.0.0/10 tailnet IPs, so live infra can't be committed into code, docs, or examples going forward.

Verified the guard detects leaks, has no false positive on 192.0.2.x / non-CGNAT 100.x, and does not self-trip on its own pattern definitions. Use examples (honcho.example.net, 192.0.2.x) instead.
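The two pattern classes the PR body describes (MagicDNS `*.ts.net` names and tailnet addresses in 100.64.0.0/10), as an added stand-alone sketch. This is not the project's `scripts/secret-scan.sh`, whose contents are not shown on this page; the function names `classify_line` and `scan_files`, the regexes, and the sample lines are all constructed here. The interesting part is the range boundary: 100.64.0.0/10 covers second octets 64 through 127 only, so `100.200.1.1` must stay clean while `100.101.5.7` must trip, and RFC 5737 addresses such as `192.0.2.10` are never flagged. The scanner's own comments mention the range literally, which is exactly how a naive scan self-trips; `scan_files` skips its own path for that reason.

```shell
#!/usr/bin/env sh
# Added example (not the project's scripts/secret-scan.sh): detect two classes of
# environment-specific values in text so they never land in a commit.
#
#   1. Tailscale MagicDNS hostnames: any name ending in ".ts.net"
#   2. Tailnet IPv4 addresses in the CGNAT range 100.64.0.0/10, i.e. 100.64.x.x
#      through 100.127.x.x. A plain "100.x" outside that range is NOT a tailnet
#      address and must not trigger.
#
# Documentation addresses from RFC 5737 (192.0.2.0/24) are safe to commit.

# Second octet 64..127 spelled out as alternatives; the whole address is anchored
# on non-digit boundaries so 1100.64.0.1 or 100.64.0.1234 does not match.
CGNAT_RE='(^|[^0-9])100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.([0-9]{1,3})\.([0-9]{1,3})($|[^0-9])'
# At least one DNS label followed by the literal ".ts.net", bounded on both sides.
MAGICDNS_RE='(^|[^A-Za-z0-9.-])[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.ts\.net($|[^A-Za-z0-9-])'

# classify_line LINE -> prints "cgnat", "magicdns" or "clean"
classify_line() {
  line=$1
  if printf '%s\n' "$line" | grep -Eq "$CGNAT_RE"; then
    echo cgnat
  elif printf '%s\n' "$line" | grep -Eiq "$MAGICDNS_RE"; then
    echo magicdns
  else
    echo clean
  fi
}

# scan_files FILE... -> prints "path:lineno:class" for every hit;
# returns 0 when nothing was found, 1 otherwise (pre-commit hook semantics)
scan_files() {
  hits=0
  for f in "$@"; do
    # The comments above contain the literal range 100.64.0.0/10, so scanning
    # this script would flag itself. Skip our own path to avoid self-tripping.
    [ "$f" = "$0" ] && continue
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
      n=$((n + 1))
      c=$(classify_line "$l")
      [ "$c" = clean ] || { echo "$f:$n:$c"; hits=$((hits + 1)); }
    done < "$f"
  done
  [ "$hits" -eq 0 ]
}

# Usage (constructed sample): scan_files path/to/file.md other.txt
```

Wire `scan_files` to the list of staged paths in a pre-commit hook and fail the commit on a non-zero return. The `(^|[^0-9])` and `($|[^0-9])` guards matter more than they look: without them a version string or a longer number that happens to contain `100.64.` produces a false positive, and the PR's "no false positive on non-CGNAT 100.x" claim depends on the explicit 64..127 alternation rather than a loose `100\.` prefix.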