feat: v0.2.0 expanded hardening

Add gitleaks pre-commit hook, global gitignore, plaintext credential detection, SSH key hygiene audit, 8 new git config settings, and safe.directory wildcard detection. Fix ssh-keygen macOS compatibility, FIDO2 detection via ioreg, and interactive test isolation. Implements docs/specs/2026-03-31-v0.2.0-expanded-hardening.md Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-31 14:03:29 +02:00
parent 0e6d04fefb
commit 8037cb7908
11 changed files with 2019 additions and 65 deletions
--- a/test/interactive/helpers.sh
+++ b/test/interactive/helpers.sh
@@ -6,7 +6,7 @@ set -o nounset
 set -o pipefail
 IFS=$'\n\t'

-readonly TMUX_SESSION="test"
+TMUX_SESSION="test-$$"
 readonly SCRIPT_PATH="${HOME}/git-harden.sh"

 # Colors
@@ -43,10 +43,24 @@ send() {
    tmux send-keys -t "$TMUX_SESSION" "$@"
 }

-# Start git-harden.sh in a tmux session
+# Start git-harden.sh in a tmux session.
+# Explicitly pass HOME and GIT_CONFIG_GLOBAL — tmux spawns a login shell
+# which resets HOME from the passwd entry, breaking the isolated test env.
 start_session() {
    tmux kill-session -t "$TMUX_SESSION" 2>/dev/null || true
-    tmux new-session -d -s "$TMUX_SESSION" "bash ${SCRIPT_PATH}"
+    sleep 0.5
+    tmux new-session -d -s "$TMUX_SESSION" \
+        "export HOME='${HOME}'; export GIT_CONFIG_GLOBAL='${GIT_CONFIG_GLOBAL:-}'; bash '${SCRIPT_PATH}'"
+    # Keep the pane alive after the script exits so capture_output can read it
+    tmux set-option -t "$TMUX_SESSION" remain-on-exit on
+    sleep 0.5
+    # Verify session started
+    if ! tmux has-session -t "$TMUX_SESSION" 2>/dev/null; then
+        printf 'ERROR: tmux session "%s" failed to start\n' "$TMUX_SESSION" >&2
+        printf 'SCRIPT_PATH=%s\n' "$SCRIPT_PATH" >&2
+        printf 'HOME=%s\n' "$HOME" >&2
+        return 1
+    fi
 }

 # Wait for the script to exit and capture final output
--- a/test/interactive/test-full-accept.sh
+++ b/test/interactive/test-full-accept.sh
@@ -26,9 +26,11 @@ main() {
    wait_for "Proceed with hardening"
    send "y" Enter

-    # Accept each setting prompt by sending "y" + Enter repeatedly
+    # Accept each setting prompt by sending "y" + Enter repeatedly.
+    # v0.2.0 adds more prompts (pre-commit hook, gitignore, core.symlinks),
+    # so we need enough iterations to get through all of them.
    local pane_content
-    for _ in $(seq 1 30); do
+    for _ in $(seq 1 50); do
        sleep 0.3
        pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
        if printf '%s' "$pane_content" | grep -qF "Signing key options"; then
@@ -41,7 +43,7 @@ main() {
    done

    # Signing wizard — skip
-    wait_for "Signing key options" 15
+    wait_for "Signing key options" 20
    send "s" Enter

    # Wait for completion
--- a/test/interactive/test-signing-generate.sh
+++ b/test/interactive/test-signing-generate.sh
@@ -29,9 +29,9 @@ main() {
    wait_for "Proceed with hardening"
    send "y" Enter

-    # Accept settings until signing wizard
+    # Accept settings until signing wizard (v0.2.0 adds more prompts)
    local pane_content
-    for _ in $(seq 1 30); do
+    for _ in $(seq 1 50); do
        sleep 0.3
        pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
        if printf '%s' "$pane_content" | grep -qF "Signing key options"; then
@@ -44,7 +44,7 @@ main() {
    done

    # Signing wizard — option 1: generate ed25519
-    wait_for "Signing key options" 15
+    wait_for "Signing key options" 20
    send "1" Enter

    # ssh-keygen prompts for passphrase — enter empty twice
@@ -53,6 +53,10 @@ main() {
    wait_for "Enter same passphrase" 10
    send "" Enter

+    # Signing wizard asks "Enable commit and tag signing?" — accept
+    wait_for "Enable commit and tag signing" 10
+    send "y" Enter
+
    # Wait for completion
    sleep 3
    capture_output >/dev/null 2>&1 || true
--- a/test/interactive/test-signing-skip.sh
+++ b/test/interactive/test-signing-skip.sh
@@ -16,6 +16,12 @@ main() {

    printf 'Test: Signing wizard - skip\n' >&2

+    # Remove any keys from prior tests so wizard shows key generation options
+    rm -f "${HOME}/.ssh/id_ed25519" "${HOME}/.ssh/id_ed25519.pub"
+    rm -f "${HOME}/.ssh/id_ed25519_sk" "${HOME}/.ssh/id_ed25519_sk.pub"
+    git config --global --unset user.signingkey 2>/dev/null || true
+    git config --global --unset commit.gpgsign 2>/dev/null || true
+
    start_session

    # Safety review gate
@@ -26,9 +32,9 @@ main() {
    wait_for "Proceed with hardening"
    send "y" Enter

-    # Accept settings until signing wizard
+    # Accept settings until signing wizard (v0.2.0 adds more prompts)
    local pane_content
-    for _ in $(seq 1 30); do
+    for _ in $(seq 1 50); do
        sleep 0.3
        pane_content="$(tmux capture-pane -t "$TMUX_SESSION" -p 2>/dev/null || true)"
        if printf '%s' "$pane_content" | grep -qF "Signing key options"; then
@@ -41,7 +47,7 @@ main() {
    done

    # Signing wizard — skip
-    wait_for "Signing key options" 15
+    wait_for "Signing key options" 20
    send "s" Enter

    # Wait for completion