scripts/secret_gate_lib.sh

#!/usr/bin/env bash

secret_scan_paths() {
    local scan_root="${1:-}"
    shift || true

    if [ -z "$scan_root" ]; then
        echo "secret_scan_paths requires scan root" >&2
        return 1
    fi

    local patterns='(sk-[A-Za-z0-9_-]+|AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{35}|ghp_[A-Za-z0-9]{36}|xox[baprs]-[A-Za-z0-9-]{10,}|-----BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----|authorization:[[:space:]]*bearer[[:space:]]+[A-Za-z0-9._-]{8,}|api[_-]?key[[:space:]]*[:=][[:space:]]*[A-Za-z0-9._-]{8,})'
    local excludes=(
        '--exclude=verify_phase6.sh'
        '--exclude=secret_gate_lib.sh'
        '--exclude=secret_gate_test.sh'
        '--exclude=.env.example'
        '--exclude=README.md'
        '--exclude=CONFIGURATION.md'
        '--exclude=DEPLOYMENT.md'
        '--exclude-dir=.git'
        '--exclude-dir=.serena'
        '--exclude-dir=node_modules'
        '--exclude-dir=dist'
        '--exclude-dir=logs'
        '--exclude-dir=reports'
    )

    if grep -R -n -E -i "$patterns" "$scan_root" "$@" \
        --include='*.go' \
        --include='*.ts' \
        --include='*.tsx' \
        --include='*.js' \
        --include='*.jsx' \
        --include='*.sh' \
        --include='*.yml' \
        --include='*.yaml' \
        "${excludes[@]}"; then
        return 1
    fi

    return 0
}

secret_env_files() {
    local dockerignore_path="$1"

    if [ ! -f "$dockerignore_path" ]; then
        echo "missing dockerignore: $dockerignore_path" >&2
        return 1
    fi

    if ! grep -Eq '^\.env(\..*)?$' "$dockerignore_path"; then
        echo "missing .env ignore rule in $dockerignore_path" >&2
        return 1
    fi

    if ! grep -Eq '^!\.env\.example$' "$dockerignore_path"; then
        echo "missing explicit .env.example allow rule in $dockerignore_path" >&2
        return 1
    fi

    return 0
}
feat(report): improve daily intelligence UX and price tracking 2026-05-27 17:23:08 +08:00			`#!/usr/bin/env bash`

			`secret_scan_paths() {`
			`local scan_root="${1:-}"`
			`shift \|\| true`

			`if [ -z "$scan_root" ]; then`
			`echo "secret_scan_paths requires scan root" >&2`
			`return 1`
			`fi`

			`local patterns='(sk-[A-Za-z0-9_-]+\|AKIA[0-9A-Z]{16}\|AIza[0-9A-Za-z_-]{35}\|ghp_[A-Za-z0-9]{36}\|xox[baprs]-[A-Za-z0-9-]{10,}\|-----BEGIN (RSA\|DSA\|EC\|OPENSSH\|PGP) PRIVATE KEY-----\|authorization:[[:space:]]bearer[[:space:]]+[A-Za-z0-9._-]{8,}\|api[_-]?key[[:space:]][:=][[:space:]]*[A-Za-z0-9._-]{8,})'`
			`local excludes=(`
			`'--exclude=verify_phase6.sh'`
			`'--exclude=secret_gate_lib.sh'`
			`'--exclude=secret_gate_test.sh'`
			`'--exclude=.env.example'`
			`'--exclude=README.md'`
			`'--exclude=CONFIGURATION.md'`
			`'--exclude=DEPLOYMENT.md'`
			`'--exclude-dir=.git'`
			`'--exclude-dir=.serena'`
			`'--exclude-dir=node_modules'`
			`'--exclude-dir=dist'`
			`'--exclude-dir=logs'`
			`'--exclude-dir=reports'`
			`)`

			`if grep -R -n -E -i "$patterns" "$scan_root" "$@" \`
			`--include='*.go' \`
			`--include='*.ts' \`
			`--include='*.tsx' \`
			`--include='*.js' \`
			`--include='*.jsx' \`
			`--include='*.sh' \`
			`--include='*.yml' \`
			`--include='*.yaml' \`
			`"${excludes[@]}"; then`
			`return 1`
			`fi`

			`return 0`
			`}`

			`secret_env_files() {`
			`local dockerignore_path="$1"`

			`if [ ! -f "$dockerignore_path" ]; then`
			`echo "missing dockerignore: $dockerignore_path" >&2`
			`return 1`
			`fi`

			`if ! grep -Eq '^\.env(\..*)?$' "$dockerignore_path"; then`
			`echo "missing .env ignore rule in $dockerignore_path" >&2`
			`return 1`
			`fi`

			`if ! grep -Eq '^!\.env\.example$' "$dockerignore_path"; then`
			`echo "missing explicit .env.example allow rule in $dockerignore_path" >&2`
			`return 1`
			`fi`

			`return 0`
			`}`