Files
agentic-dev/docs/work/epics/ci-security-and-supply-chain/07-gitleaks-precommit/_story.md
Danijel Martinek 756e36c720 refactor(work): move epic folders into docs/work/epics/
The previous layout placed epic folders directly under docs/work/
alongside prds/ and _system/. Tightening: epics now live in their
own docs/work/epics/ subfolder, peer to prds/ and _system/. Same
shape as the existing prds/ bucket.

Final docs/work/ layout:
  README.md
  prds/<slug>.prd.md
  _system/_state.json
  epics/<slug>/_epic.md + <story-folder>/_story.md

Renames (git mv preserves history):
- docs/work/binder-wrap-helper/
    -> docs/work/epics/binder-wrap-helper/
- docs/work/library-evaluation-policy/
    -> docs/work/epics/library-evaluation-policy/
- docs/work/ci-security-and-supply-chain/
    -> docs/work/epics/ci-security-and-supply-chain/

Tooling updates:
- state-builder.mjs walks workRoot/epics/ directly; SKIP_FOLDERS
  obsoleted (no more sibling folders to filter out).
- dispatch.mjs's findNextTask, tickStoryBulletInEpic, and
  flipEpicDoneIfAllStoriesDone all join with "epics" segment.
- prd-ship.mjs's deriveShippingCommits walks workRoot/epics/ and
  git-logs docs/work/epics/<epic>/.
- decomposer.prompt.md emits epics under docs/work/epics/<epic-id>/.
- handoff + grill-with-docs glossary references updated.
- Glossary entry for Epic updated.

Reserved future shape: when a task-tracker integration (ClickUp,
Linear) ships, the epics/ subfolder hosts <task-id>-<slug>/
folders. Today it just hosts bare slugs.
2026-05-14 21:21:51 +02:00

2.6 KiB

id, epic, title, type, status, feature, depends-on, blocks, created, updated
id epic title type status feature depends-on blocks created updated
07-gitleaks-precommit ci-security-and-supply-chain Gitleaks pre-commit hook technical-story done tooling
09-ci-security-guide-and-docs
2026-05-14T18:59:12+02:00 2026-05-14T19:21:52.308Z

Goal

Add gitleaks protect --staged --redact as a step in .husky/pre-commit and ship a .gitleaks.toml allowlist that covers test-fixture patterns in __seeds__/**, so a commit containing a known secret pattern is blocked locally before it reaches the remote.

Why

Developer accidents (pasting tokens into config, seeding test fixtures with real-looking keys) are the most common secret-leak vector. A pre-commit hook stops the leak at the earliest possible point — before the secret is ever pushed. GitHub native push protection is the second line of defense (documented in Story 09's guide); the hook is the first. The __seeds__/** allowlist prevents false positives from test fixtures that deliberately use token-shaped strings as dummy data.

Done when

  • .husky/pre-commit has a gitleaks protect --staged --redact step that runs before the existing state-sync guard (or after — order between guards doesn't matter, both must run).
  • .gitleaks.toml exists at repo root with at minimum one allowlist rule scoping __seeds__/** test fixtures (using paths or allowlist.paths depending on the gitleaks version).
  • A smoke test (bash script or vitest) pipes a staged commit containing a Stripe-style test key (sk_test_...) through the hook and asserts non-zero exit code. The smoke test is documented in the story's Done-when but may live as a manual verification step given gitleaks requires a binary; include instructions in docs/guides/ci-security.md (Story 09) for consumers to verify locally.
  • pnpm typecheck && pnpm lint && pnpm test && pnpm conformance && pnpm fallow:audit && pnpm coverage:diff all pass.

In scope

  • .husky/pre-commit — new gitleaks step.
  • .gitleaks.toml — allowlist config.

Out of scope

  • Installing gitleaks as a project devDependency — consumers install it via their OS package manager or brew; the hook exits gracefully with a warning if gitleaks is not found in $PATH (to avoid blocking developers who haven't installed it yet, while still enforcing for those who have).
  • GitHub native push protection configuration — consumer-facing instruction deferred to Story 09's guide.

Tasks

  • Add gitleaks protect --staged --redact step to .husky/pre-commit (exit-gracefully if gitleaks not in $PATH); create .gitleaks.toml at repo root with __seeds__/** allowlist for test-fixture patterns; one commit, all gates pass.