feat: v0.2.0 expanded hardening

Add gitleaks pre-commit hook, global gitignore, plaintext credential
detection, SSH key hygiene audit, 8 new git config settings, and
safe.directory wildcard detection. Fix ssh-keygen macOS compatibility,
FIDO2 detection via ioreg, and interactive test isolation.

Implements docs/specs/2026-03-31-v0.2.0-expanded-hardening.md

Co-Authored-By: Claude <noreply@anthropic.com>

test/git-harden.bats

@@ -515,6 +515,37 @@ SSHEOF
     grep -q "HashKnownHosts no" "${TEST_HOME}/.ssh/config"
 }
 
+@test "audit recognises SSH directives using = separator" {
+    source_functions
+
+    cat > "${TEST_HOME}/.ssh/config" <<'SSHEOF'
+StrictHostKeyChecking=accept-new
+HashKnownHosts = yes
+SSHEOF
+
+    run audit_ssh_directive "StrictHostKeyChecking" "accept-new"
+    assert_output --partial "[OK]"
+
+    run audit_ssh_directive "HashKnownHosts" "yes"
+    assert_output --partial "[OK]"
+}
+
+@test "apply skips SSH directives using = separator when value matches" {
+    cat > "${TEST_HOME}/.ssh/config" <<'SSHEOF'
+StrictHostKeyChecking=accept-new
+SSHEOF
+
+    source_functions
+    AUTO_YES=true
+
+    apply_ssh_directive "StrictHostKeyChecking" "accept-new"
+
+    # Should still have exactly one occurrence
+    local count
+    count="$(grep -c "StrictHostKeyChecking" "${TEST_HOME}/.ssh/config")"
+    [ "$count" -eq 1 ]
+}
+
 # ===========================================================================
 # Signing: key detection
 # ===========================================================================
@@ -820,3 +851,302 @@ SSHEOF
     assert_output --partial "branch protection"
     assert_output --partial "vigilant mode"
 }
+
+# ===========================================================================
+# v0.2.0: New git config settings
+# ===========================================================================
+
+@test "audit reports new v0.2.0 settings as MISS on fresh config" {
+    source_functions
+    detect_platform
+    detect_credential_helper
+
+    run audit_git_config
+    assert_output --partial "user.useConfigOnly"
+    assert_output --partial "transfer.bundleURI"
+    assert_output --partial "fetch.prune"
+    assert_output --partial "protocol.version"
+    assert_output --partial "init.defaultBranch"
+    assert_output --partial "gc.reflogExpire"
+    assert_output --partial "gc.reflogExpireUnreachable"
+    assert_output --partial "core.symlinks"
+}
+
+@test "-y mode applies new v0.2.0 settings" {
+    run bash "$SCRIPT" -y
+    assert_success
+
+    [ "$(git config --global user.useConfigOnly)" = "true" ]
+    [ "$(git config --global transfer.bundleURI)" = "false" ]
+    [ "$(git config --global fetch.prune)" = "true" ]
+    [ "$(git config --global protocol.version)" = "2" ]
+    [ "$(git config --global init.defaultBranch)" = "main" ]
+    [ "$(git config --global gc.reflogExpire)" = "180.days" ]
+    [ "$(git config --global gc.reflogExpireUnreachable)" = "90.days" ]
+}
+
+@test "-y mode does NOT apply core.symlinks" {
+    run bash "$SCRIPT" -y
+    assert_success
+
+    local symlinks
+    symlinks="$(git config --global --get core.symlinks 2>/dev/null || echo "unset")"
+    [ "$symlinks" = "unset" ]
+}
+
+# ===========================================================================
+# v0.2.0: safe.directory wildcard detection
+# ===========================================================================
+
+@test "audit detects safe.directory = * wildcard" {
+    source_functions
+    detect_platform
+    detect_credential_helper
+
+    git config --global safe.directory '*'
+
+    run audit_git_config
+    assert_output --partial "safe.directory = * disables ownership checks"
+}
+
+@test "audit does not warn without safe.directory wildcard" {
+    source_functions
+    detect_platform
+    detect_credential_helper
+
+    git config --global safe.directory "/some/path"
+
+    run audit_git_config
+    refute_output --partial "safe.directory = * disables"
+}
+
+@test "-y mode removes safe.directory = * wildcard" {
+    git config --global safe.directory '*'
+
+    run bash "$SCRIPT" -y
+    assert_success
+
+    local safe_dirs
+    safe_dirs="$(git config --global --get-all safe.directory 2>/dev/null || echo "none")"
+    refute [ "$safe_dirs" = "*" ]
+}
+
+# ===========================================================================
+# v0.2.0: Pre-commit hook
+# ===========================================================================
+
+@test "audit reports MISS when no pre-commit hook exists" {
+    source_functions
+
+    run audit_precommit_hook
+    assert_output --partial "No pre-commit hook"
+}
+
+@test "audit reports OK when gitleaks hook exists" {
+    source_functions
+
+    mkdir -p "${HOME}/.config/git/hooks"
+    cat > "${HOME}/.config/git/hooks/pre-commit" << 'EOF'
+#!/usr/bin/env bash
+gitleaks protect --staged
+EOF
+    chmod +x "${HOME}/.config/git/hooks/pre-commit"
+
+    run audit_precommit_hook
+    assert_output --partial "[OK]"
+    assert_output --partial "gitleaks"
+}
+
+@test "audit reports WARN for non-gitleaks hook" {
+    source_functions
+
+    mkdir -p "${HOME}/.config/git/hooks"
+    printf '#!/usr/bin/env bash\necho custom hook\n' > "${HOME}/.config/git/hooks/pre-commit"
+    chmod +x "${HOME}/.config/git/hooks/pre-commit"
+
+    run audit_precommit_hook
+    assert_output --partial "does not reference gitleaks"
+}
+
+@test "apply does not overwrite existing pre-commit hook" {
+    source_functions
+    AUTO_YES=true
+
+    mkdir -p "${HOME}/.config/git/hooks"
+    printf '#!/usr/bin/env bash\necho my hook\n' > "${HOME}/.config/git/hooks/pre-commit"
+
+    run apply_precommit_hook
+    assert_output --partial "not overwriting"
+
+    # Verify original content preserved
+    run cat "${HOME}/.config/git/hooks/pre-commit"
+    assert_output --partial "my hook"
+}
+
+# ===========================================================================
+# v0.2.0: Global gitignore
+# ===========================================================================
+
+@test "audit reports MISS when no excludesFile configured" {
+    source_functions
+
+    run audit_global_gitignore
+    assert_output --partial "no global gitignore configured"
+}
+
+@test "audit reports OK when excludesFile has security patterns" {
+    source_functions
+
+    mkdir -p "${HOME}/.config/git"
+    printf '.env\n*.pem\n*.key\n' > "${HOME}/.config/git/ignore"
+    git config --global core.excludesFile "~/.config/git/ignore"
+
+    run audit_global_gitignore
+    assert_output --partial "[OK]"
+    assert_output --partial "contains security patterns"
+}
+
+@test "audit warns when excludesFile lacks security patterns" {
+    source_functions
+
+    mkdir -p "${HOME}/.config/git"
+    printf '*.log\n*.tmp\n' > "${HOME}/.config/git/ignore"
+    git config --global core.excludesFile "~/.config/git/ignore"
+
+    run audit_global_gitignore
+    assert_output --partial "lacks secret patterns"
+}
+
+@test "-y mode creates global gitignore" {
+    run bash "$SCRIPT" -y
+    assert_success
+
+    [ -f "${HOME}/.config/git/ignore" ]
+    run cat "${HOME}/.config/git/ignore"
+    assert_output --partial ".env"
+    assert_output --partial "*.pem"
+    assert_output --partial "*.key"
+    assert_output --partial "!.env.example"
+
+    [ "$(git config --global core.excludesFile)" = "~/.config/git/ignore" ]
+}
+
+@test "-y mode skips gitignore when excludesFile already set" {
+    git config --global core.excludesFile "/some/other/path"
+
+    run bash "$SCRIPT" -y
+    assert_success
+
+    [ "$(git config --global core.excludesFile)" = "/some/other/path" ]
+}
+
+# ===========================================================================
+# v0.2.0: Credential hygiene
+# ===========================================================================
+
+@test "audit warns about ~/.git-credentials" {
+    source_functions
+
+    printf 'https://user:token@github.com\n' > "${HOME}/.git-credentials"
+
+    run audit_credential_hygiene
+    assert_output --partial "git-credentials"
+    assert_output --partial "plaintext"
+}
+
+@test "audit warns about ~/.netrc" {
+    source_functions
+
+    printf 'machine github.com\nlogin user\npassword token\n' > "${HOME}/.netrc"
+
+    run audit_credential_hygiene
+    assert_output --partial ".netrc"
+}
+
+@test "audit warns about ~/.npmrc with auth token" {
+    source_functions
+
+    printf '//registry.npmjs.org/:_authToken=npm_abcdef123456\n' > "${HOME}/.npmrc"
+
+    run audit_credential_hygiene
+    assert_output --partial "npm registry token"
+}
+
+@test "audit does not warn about ~/.npmrc without token" {
+    source_functions
+
+    printf 'registry=https://registry.npmjs.org/\n' > "${HOME}/.npmrc"
+
+    run audit_credential_hygiene
+    refute_output --partial "npm registry token"
+}
+
+@test "audit warns about ~/.pypirc with password" {
+    source_functions
+
+    printf '[pypi]\nusername = user\npassword = secret123\n' > "${HOME}/.pypirc"
+
+    run audit_credential_hygiene
+    assert_output --partial "PyPI credentials"
+}
+
+@test "audit no warnings with clean credential state" {
+    source_functions
+
+    run audit_credential_hygiene
+    refute_output --partial "[WARN]"
+}
+
+# ===========================================================================
+# v0.2.0: SSH key hygiene
+# ===========================================================================
+
+@test "SSH key hygiene: ed25519 reported as OK" {
+    source_functions
+
+    ssh-keygen -t ed25519 -f "${HOME}/.ssh/test_ed25519" -N "" -q
+    run audit_ssh_key_hygiene
+    assert_output --partial "[OK]"
+    assert_output --partial "ed25519"
+}
+
+@test "SSH key hygiene: RSA key reported as WARN" {
+    source_functions
+
+    ssh-keygen -t rsa -b 2048 -f "${HOME}/.ssh/test_rsa" -N "" -q
+    run audit_ssh_key_hygiene
+    assert_output --partial "[WARN]"
+    assert_output --partial "RSA"
+    assert_output --partial "migrating to ed25519"
+}
+
+@test "SSH key hygiene: no keys produces info message" {
+    source_functions
+
+    # Remove the default keys created in setup (there are none)
+    rm -f "${HOME}/.ssh/"*.pub
+
+    run audit_ssh_key_hygiene
+    assert_output --partial "No SSH public keys found"
+}
+
+@test "SSH key hygiene: picks up keys from IdentityFile in ssh config" {
+    source_functions
+
+    mkdir -p "${HOME}/.ssh/custom"
+    ssh-keygen -t ed25519 -f "${HOME}/.ssh/custom/my_key" -N "" -q
+    printf 'IdentityFile ~/.ssh/custom/my_key\n' > "${HOME}/.ssh/config"
+
+    run audit_ssh_key_hygiene
+    assert_output --partial "[OK]"
+    assert_output --partial "my_key"
+}
+
+# ===========================================================================
+# v0.2.0: Version bump
+# ===========================================================================
+
+@test "--version reports 0.2.0" {
+    run bash "$SCRIPT" --version
+    assert_output --partial "0.2.0"
+}

test/interactive/helpers.sh

@@ -6,7 +6,7 @@ set -o nounset
 set -o pipefail
 IFS=$'\n\t'
 
-readonly TMUX_SESSION="test"
+TMUX_SESSION="test-$$"
 readonly SCRIPT_PATH="${HOME}/git-harden.sh"
 
 # Colors
@@ -43,10 +43,24 @@ send() {
     tmux send-keys -t "$TMUX_SESSION" "$@"
 }
 
-# Start git-harden.sh in a tmux session
+# Start git-harden.sh in a tmux session.
+# Explicitly pass HOME and GIT_CONFIG_GLOBAL — tmux spawns a login shell
+# which resets HOME from the passwd entry, breaking the isolated test env.
 start_session() {
     tmux kill-session -t "$TMUX_SESSION" 2>/dev/null || true
-    tmux new-session -d -s "$TMUX_SESSION" "bash ${SCRIPT_PATH}"
+    sleep 0.5
+    tmux new-session -d -s "$TMUX_SESSION" \
+        "export HOME='${HOME}'; export GIT_CONFIG_GLOBAL='${GIT_CONFIG_GLOBAL:-}'; bash '${SCRIPT_PATH}'"
+    # Keep the pane alive after the script exits so capture_output can read it
+    tmux set-option -t "$TMUX_SESSION" remain-on-exit on
+    sleep 0.5
+    # Verify session started
+    if ! tmux has-session -t "$TMUX_SESSION" 2>/dev/null; then
+        printf 'ERROR: tmux session "%s" failed to start\n' "$TMUX_SESSION" >&2
+        printf 'SCRIPT_PATH=%s\n' "$SCRIPT_PATH" >&2
+        printf 'HOME=%s\n' "$HOME" >&2
+        return 1
+    fi
 }
 
 # Wait for the script to exit and capture final output

test/interactive/test-full-accept.sh

@@ -26,9 +26,11 @@ main() {
     wait_for "Proceed with hardening"
     send "y" Enter
 
-    # Accept each setting prompt by sending "y" + Enter repeatedly
+    # Accept each setting prompt by sending "y" + Enter repeatedly.
+    # v0.2.0 adds more prompts (pre-commit hook, gitignore, core.symlinks),
+    # so we need enough iterations to get through all of them.
     local pane_content
-    for _ in $(seq 1 30); do
+    for _ in $(seq 1 50); do
         sleep 0.3
         pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
         if printf '%s' "$pane_content" | grep -qF "Signing key options"; then
@@ -41,7 +43,7 @@ main() {
     done
 
     # Signing wizard — skip
-    wait_for "Signing key options" 15
+    wait_for "Signing key options" 20
     send "s" Enter
 
     # Wait for completion

test/interactive/test-signing-generate.sh

@@ -29,9 +29,9 @@ main() {
     wait_for "Proceed with hardening"
     send "y" Enter
 
-    # Accept settings until signing wizard
+    # Accept settings until signing wizard (v0.2.0 adds more prompts)
     local pane_content
-    for _ in $(seq 1 30); do
+    for _ in $(seq 1 50); do
         sleep 0.3
         pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
         if printf '%s' "$pane_content" | grep -qF "Signing key options"; then
@@ -44,7 +44,7 @@ main() {
     done
 
     # Signing wizard — option 1: generate ed25519
-    wait_for "Signing key options" 15
+    wait_for "Signing key options" 20
     send "1" Enter
 
     # ssh-keygen prompts for passphrase — enter empty twice
@@ -53,6 +53,10 @@ main() {
     wait_for "Enter same passphrase" 10
     send "" Enter
 
+    # Signing wizard asks "Enable commit and tag signing?" — accept
+    wait_for "Enable commit and tag signing" 10
+    send "y" Enter
+
     # Wait for completion
     sleep 3
     capture_output >/dev/null 2>&1 || true

test/interactive/test-signing-skip.sh

@@ -16,6 +16,12 @@ main() {
 
     printf 'Test: Signing wizard - skip\n' >&2
 
+    # Remove any keys from prior tests so wizard shows key generation options
+    rm -f "${HOME}/.ssh/id_ed25519" "${HOME}/.ssh/id_ed25519.pub"
+    rm -f "${HOME}/.ssh/id_ed25519_sk" "${HOME}/.ssh/id_ed25519_sk.pub"
+    git config --global --unset user.signingkey 2>/dev/null || true
+    git config --global --unset commit.gpgsign 2>/dev/null || true
+
     start_session
 
     # Safety review gate
@@ -26,9 +32,9 @@ main() {
     wait_for "Proceed with hardening"
     send "y" Enter
 
-    # Accept settings until signing wizard
+    # Accept settings until signing wizard (v0.2.0 adds more prompts)
     local pane_content
-    for _ in $(seq 1 30); do
+    for _ in $(seq 1 50); do
         sleep 0.3
         pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
         if printf '%s' "$pane_content" | grep -qF "Signing key options"; then
@@ -41,7 +47,7 @@ main() {
     done
 
     # Signing wizard — skip
-    wait_for "Signing key options" 15
+    wait_for "Signing key options" 20
     send "s" Enter
 
     # Wait for completion