Ignore local runtime and keyserver state files #36
Ignore local runtime and keyserver state files that may contain command logs, token hashes, or operational metadata, and document a lightweight pre-commit secret hygiene check for contributors.

Constraint: Keep this issue scoped to repository hygiene without adding new tooling or dependencies.
Rejected: Add a CI secret scanner in this PR | would expand the change beyond the lowest-risk first issue.
Confidence: high
Scope-risk: narrow
Directive: Keep local runtime directories and keyserver state out of version control unless they are sanitized fixtures.
Tested: Reviewed git diff for .gitignore and CONTRIBUTING.md.
Not-tested: go test ./... blocked by local Go toolchain mismatch: stdlib reports go1.25.0 while tool reports go1.25.6.
This PR appropriately addresses issue #35 by adding .gitignore entries for local state files and contributor guidance for secret hygiene. The changes include ignoring agent/runtime directories (.codex/, .omx/) and keyserver state files that could contain sensitive data. The new "Secret hygiene" section in CONTRIBUTING.md provides clear, actionable guidance for contributors to verify no sensitive files are staged before committing.
No blocking issues identified. The implementation correctly protects against accidentally committing sensitive local state files.
Closing because this was opened against the wrong repository. The security triage is being redone against companyjupiter/quarkify.
Summary
Closes #35.
Validation
.gitignore and CONTRIBUTING.md.
env -u GOROOT -u GOPATH /opt/homebrew/bin/go test ./...
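
One way to run the kind of pre-commit staged-file check this PR describes, as an added example that is not part of the PR or the project's CONTRIBUTING.md. The `.codex/` and `.omx/` directories come from the discussion above; the keyserver state file pattern and the function names are hypothetical placeholders, since the real paths are not shown on this page.

```shell
#!/bin/sh
# Added example: flag staged paths that look like local runtime or
# keyserver state before they reach a commit.

# Directories named in the PR discussion.
SENSITIVE_DIRS=".codex .omx"
# Hypothetical placeholder; substitute the project's real keyserver state file names.
KEYSERVER_STATE_GLOB="*keyserver-state*"

# Reads one path per line on stdin, prints each sensitive path with the
# reason it was flagged, and returns 1 if any were found (0 otherwise).
flag_sensitive_paths() {
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        hit=""
        # Match the directory at the repository root or nested deeper.
        for dir in $SENSITIVE_DIRS; do
            case "$path" in
                "$dir"/*|*/"$dir"/*) hit="$dir/" ;;
            esac
        done
        # Match the file name itself against the keyserver state pattern.
        case "${path##*/}" in
            $KEYSERVER_STATE_GLOB) hit="keyserver state" ;;
        esac
        if [ -n "$hit" ]; then
            printf '%s\t(%s)\n' "$path" "$hit"
            found=1
        fi
    done
    return "$found"
}

# Apply the check to whatever is staged in the current repository.
# Files force-added with `git add -f` bypass .gitignore, so this still
# catches them.
check_staged() {
    git diff --cached --name-only --diff-filter=ACMR | flag_sensitive_paths
}
```

Sourcing this file and calling `check_staged` before `git commit` prints any offending paths and returns non-zero, so it can also gate a local pre-commit hook.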