Context
The security best-practices report identified that scripts/check-detect-secrets.sh scans staged files or tracked files, but not untracked non-ignored files in normal all-files mode. That leaves a local gap before accidental credential templates, logs, SQLite files, or caches are staged.
Evidence
- scripts/check-detect-secrets.sh:31-40 uses git diff --cached ... for staged mode and git ls-files -z otherwise.
  - Untracked non-ignored files are not included until staged.
- docs/privacy-redaction-boundaries.md:111-116 forbids local auth files, cookies, tokens, generated stores, caches, logs, and database files in the repo.
Acceptance criteria
- Add an opt-in local scan mode that includes untracked non-ignored files, for example by incorporating git ls-files --others --exclude-standard -z.
- Keep the existing cheap CI/tracked-file behavior available.
- Add focused tests or script-level validation covering tracked, staged, and untracked scan behavior.
- Document when developers should use the broader local mode.
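As an added illustration of the three scan modes described above (this is example code, not the project's scripts/check-detect-secrets.sh), the snippet below enumerates scan targets NUL-delimited for a tracked, staged, or broader local mode, and builds a throwaway repository to show which files each mode covers. The function names list_scan_targets, count_targets and demo_scan_modes, the mode names, and the detect-secrets-hook invocation in the comment are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's own script. Enumerates files a secrets
# scan should cover, NUL-delimited so the list is safe to feed into
# `xargs -0 detect-secrets-hook --baseline .secrets.baseline` (illustrative;
# the real script's flags may differ).

list_scan_targets() {
  mode="${1:-tracked}"
  case "$mode" in
    staged)
      # Pre-commit case: only what is about to be committed.
      git diff --cached --name-only --diff-filter=ACMR -z
      ;;
    tracked)
      # Cheap CI mode: everything already in the index.
      git ls-files -z
      ;;
    local)
      # Broader local mode: index contents plus untracked files that are not
      # ignored. --exclude-standard honours .gitignore, .git/info/exclude and
      # core.excludesFile, so build output and virtualenvs stay out.
      git ls-files -z --cached --others --exclude-standard
      ;;
    *)
      echo "usage: list_scan_targets {tracked|staged|local}" >&2
      return 2
      ;;
  esac
}

# Number of NUL-delimited entries a mode would scan.
count_targets() {
  list_scan_targets "$1" | tr -cd '\000' | wc -c | tr -d ' '
}

# Constructed demo: one committed file, one staged file, one untracked
# non-ignored file (a credential template) and one untracked ignored log.
# Prints the per-mode counts so the gap the issue describes is visible.
demo_scan_modes() {
  tmp="$(mktemp -d)"
  (
    cd "$tmp" || exit 1
    git -c init.defaultBranch=main init -q
    git config user.email dev@example.invalid
    git config user.name dev
    echo 'ok' > tracked.txt
    git add tracked.txt
    git commit -q -m 'init'
    printf '*.log\n' > .gitignore
    git add .gitignore                               # staged, not committed
    echo 'API_KEY=placeholder-value' > .env.example   # untracked, not ignored
    echo 'token=placeholder' > debug.log             # untracked, ignored
    printf 'staged=%s tracked=%s local=%s\n' \
      "$(count_targets staged)" "$(count_targets tracked)" "$(count_targets local)"
  )
  rm -rf "$tmp"
}
```

Running demo_scan_modes prints staged=1 tracked=2 local=3: only the local mode picks up .env.example before it is staged, while the ignored debug.log is excluded in every mode.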