
Add security audit secret scanning #121

Merged
xlabtg merged 3 commits into main from issue-23-a2007413b713
Apr 26, 2026

Conversation


@konard konard commented Apr 26, 2026

Summary

  • Add a dependency-free secret audit scanner for high-confidence committed credential patterns.
  • Wire npm run validate:secrets into CI, pre-commit, docs, and foundation validation.
  • Document credential inventory, rotation steps, platform secure storage review requirements, and human security review before release.

Issue

Fixes #23

Tests

  • npm test
  • npm run validate:secrets
  • npm run validate:foundation
  • npm run validate:release
  • npm run decompose:dry-run
  • Manual checks, if relevant: reviewed staged diff and confirmed git diff --cached --check passes

Risk

  • Secret scanning uses high-confidence patterns to reduce false positives. Existing redaction fixtures are allowlisted only by exact file, pattern id, and line marker.
  • Native secure storage remains a documented release blocker until platform implementations exist and receive human security review.

Screenshots or recordings

Not applicable.

Security and privacy

  • This PR does not include secrets, production credentials, access tokens, Telegram API hashes, private keys, or private message content.
  • Any logs, screenshots, or fixtures are redacted.
  • Security-sensitive changes request human maintainer review before release.

Adding .gitkeep for PR creation (default mode).
This file will be removed when the task is complete.

Issue: #23
@konard konard self-assigned this Apr 26, 2026
@konard konard changed the title from "[WIP] [050] Audit tokens, keys, rotation, and secure storage" to "Add security audit secret scanning" on Apr 26, 2026
@konard konard marked this pull request as ready for review April 26, 2026 19:16

konard commented Apr 26, 2026

Solution summary

Implemented and pushed issue #23 to PR #121.

Key changes:

  • Added committed-secret scanning in secret-audit.mjs and npm run validate:secrets.
  • Wired the scan into CI, pre-commit, package scripts, and foundation validation.
  • Added docs/security-audit.md with credential inventory, rotation steps, secure storage review, and human security review requirements.
  • Added tests for scanner detection, redacted findings, safe secure references, and audit docs.

Validation passed:

  • npm test - 195 passing
  • npm run validate:secrets
  • npm run validate:foundation
  • npm run validate:release
  • npm run decompose:dry-run
  • GitHub CI and Release validation are green on head 860acac.

PR #121 is marked ready for review, and the local worktree is clean.


This summary was automatically extracted from the AI working session output.
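The scanner design described in the PR summary above (high-confidence patterns only, an allowlist keyed on the exact file, the pattern id and an in-line marker, and findings reported in redacted form), shown as an added example. This is not the project's secret-audit.mjs; the pattern ids, the marker string, the allowlist entry and the sample file tree are all constructed for illustration.

```javascript
// Added illustration, not the project's secret-audit.mjs: a dependency-free
// committed-secret scanner following the design the PR describes. Pattern ids,
// the allowlist marker, the allowlist entry and the sample tree are constructed.

// High-confidence patterns only: each has a distinctive prefix or structure, so
// ordinary identifiers and random test strings do not trip the scan.
const SECRET_PATTERNS = [
  { id: 'github-pat', regex: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: 'aws-access-key-id', regex: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: 'private-key-block', regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// A fixture is allowlisted only when all three agree: the exact file path, the
// pattern id, and an in-line marker on the offending line. A marker alone, or an
// allowlist entry alone, never suppresses a finding.
const ALLOWLIST_MARKER = 'secret-audit:allow'; // constructed marker string
const ALLOWLIST = [
  { file: 'test/fixtures/redaction.txt', patternId: 'github-pat' },
];

function isAllowlisted(file, patternId, lineText) {
  if (!lineText.includes(ALLOWLIST_MARKER)) return false;
  return ALLOWLIST.some((e) => e.file === file && e.patternId === patternId);
}

// Findings carry a redacted value: keep a 4-character prefix for triage and mask
// the rest, so the report itself never reprints the credential.
function redact(value) {
  const keep = Math.min(4, value.length);
  return value.slice(0, keep) + '*'.repeat(value.length - keep);
}

function scanFile(file, content) {
  const findings = [];
  content.split('\n').forEach((lineText, index) => {
    for (const { id, regex } of SECRET_PATTERNS) {
      for (const match of lineText.matchAll(regex)) {
        if (isAllowlisted(file, id, lineText)) continue;
        findings.push({ file, line: index + 1, patternId: id, redacted: redact(match[0]) });
      }
    }
  });
  return findings;
}

// files: { [path]: content }. In a real tool this map would be built from the
// git index (e.g. the output of `git ls-files`) rather than held in memory.
function scanFiles(files) {
  return Object.entries(files).flatMap(([file, content]) => scanFile(file, content));
}

function formatReport(findings) {
  if (findings.length === 0) return 'secret audit: no committed secrets found';
  return findings.map((f) => `${f.file}:${f.line} [${f.patternId}] ${f.redacted}`).join('\n');
}

// Non-zero when anything was found, so CI and the pre-commit hook fail the run.
function exitCodeFor(findings) {
  return findings.length > 0 ? 1 : 0;
}

// Constructed sample tree: a leak in source, an allowlisted fixture with the
// marker, a fixture with no allowlist entry, and a safe secure-storage reference.
const FAKE_PAT = 'ghp_' + 'x'.repeat(36);  // constructed, not a real token
const FAKE_AKID = 'AKIA' + 'A'.repeat(16); // constructed, not a real key id
const SAMPLE_FILES = {
  'src/config.js': `export const token = "${FAKE_PAT}";\n`,
  'test/fixtures/redaction.txt': `${FAKE_PAT} // ${ALLOWLIST_MARKER} redaction fixture\n`,
  'test/fixtures/other.txt': `${FAKE_AKID}\n`,
  'src/secure.js': 'const token = await secureStorage.get("telegram.token");\n',
};

const SAMPLE_FINDINGS = scanFiles(SAMPLE_FILES);
console.log(formatReport(SAMPLE_FINDINGS));
console.log('exit code:', exitCodeFor(SAMPLE_FINDINGS));
```

Run against the constructed tree, the scan reports the token in src/config.js and the unallowlisted key id in test/fixtures/other.txt (both masked), skips the redaction fixture because file, pattern id and marker all match, and ignores the secure-storage lookup, which contains no credential material. A script wired into CI would set `process.exitCode` from `exitCodeFor` so that any finding blocks the commit or the pipeline.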


konard commented Apr 26, 2026

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

  • Model: GPT-5.5
  • Provider: OpenAI
  • Public pricing estimate: $9.875357

📊 Context and tokens usage:

  • 6.4M / 1.1M (610%) input tokens, 29.1K / 128K (23%) output tokens

Total: (240.5K + 6.2M cached) input tokens, 29.1K output tokens, $9.875357 cost

🤖 Models used:

  • Tool: OpenAI Codex
  • Requested: gpt-5.5
  • Model: GPT-5.5 (gpt-5.5)

📎 Log file uploaded as Repository (37017KB)


The working session has now ended; feel free to review and add any feedback on the solution draft.

@xlabtg xlabtg merged commit 42bb6f8 into main Apr 26, 2026
4 checks passed

Development

Successfully merging this pull request may close these issues.

[050] Audit tokens, keys, rotation, and secure storage

2 participants