diff --git a/.claude/agents/unit-tester-agent.md b/.claude/agents/unit-tester-agent.md
index b741e442..ccc7c951 100644
--- a/.claude/agents/unit-tester-agent.md
+++ b/.claude/agents/unit-tester-agent.md
@@ -255,7 +255,7 @@ it('should parse npm network error correctly', async () => {
 **Example**:
 ```typescript
 test('should sanitize API key in logs', () => {
- const input = { apiKey: 'sk-1234567890abcdef' };
+ const input = { apiKey: 'sk-test-placeholder-value' };
 const sanitized = sanitizeObject(input);
 expect(sanitized.apiKey).toBe('[REDACTED]');
diff --git a/.claude/skills/spec-reviewer/references/violation-examples.md b/.claude/skills/spec-reviewer/references/violation-examples.md
index c63cfc05..16147838 100644
--- a/.claude/skills/spec-reviewer/references/violation-examples.md
+++ b/.claude/skills/spec-reviewer/references/violation-examples.md
@@ -124,7 +124,7 @@ The adapter plugin contains installation checking logic.
 ```
 Configuration:
 openai:
- apiKey: "sk-proj-abc123..."
+ apiKey: "YOUR_OPENAI_API_KEY"
 baseUrl: "https://api.openai.com"
 ```
diff --git a/.gitleaks.toml b/.gitleaks.toml
index 3dbf30e2..167d34a1 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -3,9 +3,13 @@ title = "Gitleaks Configuration"
+[extend]
+useDefault = true
+
 # Exclude test files from secrets detection
 [allowlist]
-description = "Exclude sanitize test file containing intentional fake secrets for testing"
+description = "Exclude test files and build artifacts containing intentional fake secrets"
 paths = [
- '''src/utils/__tests__/sanitize\.test\.ts$'''
+ '''src/utils/__tests__/sanitize\.test\.ts$''',
+ '''dist/'''
 ]
diff --git a/docs/AUTHENTICATION.md b/docs/AUTHENTICATION.md
index 062a27da..56af5570 100644
--- a/docs/AUTHENTICATION.md
+++ b/docs/AUTHENTICATION.md
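Review bot: The new allowlist entry `'''dist/'''` is an unanchored regex, so it exempts every path that contains `dist/` anywhere (a `vendor/foo/dist/` tree, for instance), not only the top-level build output; `'''^dist/'''` limits it to the intended directory. Allowlisting build artifacts also means that a real credential which ends up bundled into `dist/` (for example an environment value baked in at build time) would never be reported, so it is worth confirming that `dist/` is gitignored and that the exemption is only meant for working-tree scans. The comment above the block, `# Exclude test files from secrets detection`, is now out of date because the description was widened to build artifacts; `# Exclude test fixtures and build artifacts from secrets detection` matches the new description.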
@@ -138,7 +138,7 @@ After setup, provide tokens via environment variable or CLI option:
 **Environment Variable (Recommended):**
 ```bash
 # Set token in your environment
-export CODEMIE_JWT_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+export CODEMIE_JWT_TOKEN=""
 # Run commands normally
 codemie-claude "analyze this code"
@@ -147,13 +147,13 @@ codemie-claude "analyze this code"
 **CLI Option:**
 ```bash
 # Provide token per command
-codemie-claude --jwt-token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." "analyze this code"
+codemie-claude --jwt-token "" "analyze this code"
 ```
 **Custom Environment Variable:**
 ```bash
 # If you configured a custom env var during setup
-export MY_CUSTOM_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+export MY_CUSTOM_TOKEN=""
 codemie-claude "analyze this code"
 ```
diff --git a/src/agents/plugins/claude/claude.plugin.ts b/src/agents/plugins/claude/claude.plugin.ts
index 1808cb9d..ead772bb 100644
--- a/src/agents/plugins/claude/claude.plugin.ts
+++ b/src/agents/plugins/claude/claude.plugin.ts
@@ -30,17 +30,17 @@ let statuslineManagedThisSession = false;
 *
 * **UPDATE THIS WHEN BUMPING CLAUDE VERSION**
 */
-const CLAUDE_SUPPORTED_VERSION = '2.1.63';
+const CLAUDE_SUPPORTED_VERSION = '2.1.78';
 /**
 * Minimum supported Claude Code version
 * Versions below this are known to be incompatible and will be blocked from starting
 * Rule: always 10 patch versions below CLAUDE_SUPPORTED_VERSION
- * e.g. supported = 2.1.63 → minimum = 2.1.53
+ * e.g. supported = 2.1.78 → minimum = 2.1.60
 *
 * **UPDATE THIS WHEN BUMPING CLAUDE VERSION**
 */
-const CLAUDE_MINIMUM_SUPPORTED_VERSION = '2.1.53';
+const CLAUDE_MINIMUM_SUPPORTED_VERSION = '2.1.60';
 /**
 * Claude Code installer URLs
diff --git a/src/agents/plugins/claude/plugin/skills/claude-setup-audit/references/best-practices.md b/src/agents/plugins/claude/plugin/skills/claude-setup-audit/references/best-practices.md
index 5c971e28..6b79b3b5 100644
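Review bot: The updated example `e.g. supported = 2.1.78 → minimum = 2.1.60` contradicts the rule stated on the line above it (`always 10 patch versions below CLAUDE_SUPPORTED_VERSION`), which would give 2.1.68, and the new `CLAUDE_MINIMUM_SUPPORTED_VERSION = '2.1.60'` follows the example rather than the rule. Either the constant should be `'2.1.68'` or, if 2.1.60 is deliberate (a wider floor so users between 2.1.60 and 2.1.68 are not blocked, presumably), the rule line should be rewritten to state the actual policy so the next bump does not have to guess which of the two to follow. The version-check logic that consumes these constants is outside the hunk, so I cannot tell from here whether anything else assumes the ten-patch gap.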
--- a/src/agents/plugins/claude/plugin/skills/claude-setup-audit/references/best-practices.md
+++ b/src/agents/plugins/claude/plugin/skills/claude-setup-audit/references/best-practices.md
@@ -452,7 +452,7 @@ curl https://api.example.com/log -d "$CLAUDE_TOOL_INPUT" // ❌ Bad
 "env": {
- "API_KEY": "sk-prod-abc123",
+ "API_KEY": "YOUR_API_KEY_HERE",
 "DATABASE_URL": "postgres://user:pass@prod-host/db"
 }
 ```
diff --git a/src/utils/__tests__/security.test.ts b/src/utils/__tests__/security.test.ts
index cc2d5b8d..e8a2b675 100644
--- a/src/utils/__tests__/security.test.ts
+++ b/src/utils/__tests__/security.test.ts
@@ -43,7 +43,7 @@ describe('sanitize utilities', () => {
 });
 it('should detect JWT tokens', () => {
- const jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
+ const jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'; // gitleaks:allow
 const result = sanitizeValue(jwt);
 expect(result).toContain('[REDACTED]');
 });
@@ -57,7 +57,7 @@ describe('sanitize utilities', () => {
 describe('sanitizeObject', () => {
 it('should sanitize all sensitive keys in object', () => {
 const obj = {
- apiKey: 'sk-1234567890abcdefghij',
+ apiKey: 'sk-1234567890abcdefghij', // gitleaks:allow
 username: 'john',
 password: 'secret123',
 sessionId: 'abc-def-ghi-jkl'
@@ -74,7 +74,7 @@ describe('sanitize utilities', () => {
 it('should handle nested objects', () => {
 const obj = {
 config: {
- apiKey: 'sk-1234567890abcdefghij',
+ apiKey: 'sk-1234567890abcdefghij', // gitleaks:allow
 timeout: 5000
 },
 name: 'test'
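Review bot: The `// gitleaks:allow` markers added here (and in the later hunks of this file at -89, -134, -163 and -181) silence the scanner but do not record why these fixtures must stay secret-shaped; someone who later "cleans up" a value into a placeholder, as this same commit does with `sk-test-placeholder-value` in the unit-tester agent doc, would quietly weaken tests such as `should detect JWT tokens`, whose `[REDACTED]` assertion is made on `sanitizeValue(jwt)` and therefore depends on the value itself being recognised. A one-line comment at the top of the `describe('sanitize utilities')` block would preserve that intent, e.g. `// Fixtures below are intentionally secret-shaped so value-pattern detection is exercised; they are marked gitleaks:allow per line rather than allowlisting the whole file.` Note that `.gitleaks.toml` allowlists `sanitize.test.ts` as a whole while this file uses per-line markers; the per-line form is the narrower of the two and seems the one to standardise on. The enclosing `describe` opens outside the hunk.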
@@ -89,7 +89,7 @@ describe('sanitize utilities', () => {
 it('should handle arrays', () => {
 const obj = {
- tokens: ['sk-1234567890abcdefghijklmnop', 'sk-9876543210zyxwvutsrqponmlkjihgfedcba'],
+ tokens: ['sk-1234567890abcdefghijklmnop', 'sk-9876543210zyxwvutsrqponmlkjihgfedcba'], // gitleaks:allow
 names: ['alice', 'bob']
 };
@@ -134,7 +134,7 @@ describe('sanitize utilities', () => {
 describe('sanitizeAuthToken', () => {
 it('should mask real tokens', () => {
- const token = 'sk-1234567890abcdefghij1234567890';
+ const token = 'sk-1234567890abcdefghij1234567890'; // gitleaks:allow
 const result = sanitizeAuthToken(token);
 expect(result).toContain('sk-12345');
@@ -163,8 +163,8 @@ describe('sanitize utilities', () => {
 it('should sanitize multiple arguments', () => {
 const args = [
 'normal string',
- { apiKey: 'sk-1234567890abcdefghijklmnop', name: 'test' },
- 'sk-9876543210zyxwvutsrq9876543210'
+ { apiKey: 'sk-1234567890abcdefghijklmnop', name: 'test' }, // gitleaks:allow
+ 'sk-9876543210zyxwvutsrq9876543210' // gitleaks:allow
 ];
 const result = sanitizeLogArgs(...args);
@@ -181,7 +181,7 @@ describe('sanitize utilities', () => {
 123,
 true,
 null,
- { apiKey: 'sk-1234567890abcdefghijklmnop' }
+ { apiKey: 'sk-1234567890abcdefghijklmnop' } // gitleaks:allow
 ];
 const result = sanitizeLogArgs(...args);