Address critical and high findings from an external security review.
Critical/high fixes:
- reset-signing no longer treats general-purpose keys (id_ed25519, etc.)
as deletion candidates, defaults the delete prompt to No, and never
deletes files in -y mode
- FIDO2 retry now re-runs the same attempt (for-loop reassignment bug
silently advanced to the next fallback key type)
- core.hooksPath redirection installs dispatch stubs for all client-side
hook types so repo-local hooks (husky, lefthook, pre-commit) keep
running; pre-commit combines gitleaks with dispatch and warns loudly
when gitleaks is absent
- public-key validation everywhere a key path is consumed, preventing
private key material in allowed_signers or user.signingkey
- config backups written mode 600 (may contain tokens)
- SSH config audit/apply is scope-aware (global vs host-specific),
appends new directives at EOF to preserve precedence, scans Include-d
files for keys
- pubkey algorithm restriction guarded against RSA/DSA-only lockout and
chooses the directive name by OpenSSH version
Added:
- audit tiers (security/hygiene/preference); --audit exit 2 reflects
security-tier issues only
- signing smoke test catching No-principal-matched at setup time
- http.sslVerify audit distinguishes unset from insecure override
Docs: correct fsmonitor precedence, log.showSignature and fsckObjects
breakage, SSH scoping semantics in REASONING.md; plan for agent-backed
keys (1Password/Bitwarden/forwarded agents) in docs/specs.
126/126 BATS tests pass; shellcheck clean.
Closes #53
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

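As an added example of the kind of check the "public-key validation everywhere a key path is consumed" item describes (this is not the project's own code, which the commit message does not show): a bash function that accepts a path only if the file is a single OpenSSH public key line of a known type, so private key material never lands in allowed_signers or user.signingkey. The function name validate_public_key, the file names and the sample key contents are constructed for illustration and are not real keys.

```bash
#!/usr/bin/env bash
# Added example, not code from the project in the commit message above.
# validate_public_key and the sample files below are constructed here.
set -euo pipefail

# Accept $1 only if it is a regular file holding exactly one OpenSSH public
# key line ("<type> <base64> [comment]") of an allowed type. Returns non-zero
# with a reason on stderr otherwise, so callers can refuse to write the path
# into allowed_signers or user.signingkey.
validate_public_key() {
  local path="$1" line
  if [ ! -f "$path" ]; then
    echo "validate_public_key: not a regular file: $path" >&2
    return 1
  fi
  # Reject private key material outright, whatever else the file contains
  # (PEM, PKCS#8 and OpenSSH private key files all carry this header).
  if grep -qE -- '^-----BEGIN .*PRIVATE KEY-----' "$path"; then
    echo "validate_public_key: refusing private key material: $path" >&2
    return 1
  fi
  # A public key file is exactly one non-empty line; anything else is
  # not something we want quoted into a config or a signers file.
  if [ "$(grep -c . "$path")" -ne 1 ]; then
    echo "validate_public_key: expected exactly one key line: $path" >&2
    return 1
  fi
  line="$(grep . "$path")"
  # Allow-list of key types; the sk-* types are FIDO2-backed keys.
  local types='ssh-ed25519|sk-ssh-ed25519@openssh\.com|ecdsa-sha2-nistp(256|384|521)|sk-ecdsa-sha2-nistp256@openssh\.com|ssh-rsa'
  if ! printf '%s\n' "$line" | grep -qE "^(${types}) [A-Za-z0-9+/]+={0,2}( .*)?\$"; then
    echo "validate_public_key: not an OpenSSH public key line: $path" >&2
    return 1
  fi
}

# Constructed sample inputs (not real keys) in a scratch directory.
sample_dir="$(mktemp -d)"
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey0000000000000000000 alice@example.com' \
  > "$sample_dir/id_ed25519_git_signing.pub"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
               'b3BlbnNzaC1rZXktdjEAAAAAconstructedNotARealKey' \
               '-----END OPENSSH PRIVATE KEY-----' \
  > "$sample_dir/id_ed25519_git_signing"
printf '%s\n' 'ssh-ed25519 AAAAkeyone first' 'ssh-ed25519 AAAAkeytwo second' \
  > "$sample_dir/two_keys.pub"

# Report the verdict for each sample file.
check() {
  if validate_public_key "$1" 2>/dev/null; then echo "OK   $1"; else echo "FAIL $1"; fi
}
for f in "$sample_dir"/*; do check "$f"; done
```

Running the script accepts only id_ed25519_git_signing.pub; the private key file, the two-line file and a missing path are all refused. The allow-list deliberately omits ssh-dss, which matches the commit's concern about DSA-only configurations.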
Add 20 BATS tests and 1 interactive test for v0.5.0 edge-case
fixes. FIDO2 keygen now prompts to retry on "device not found"
instead of exiting. Remove stale Qubes vhci_hcd warning. Update
hardware test matrix in README.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Guard user.useConfigOnly behind identity check, offer to unset
conflicting pull.rebase, use dedicated signing key names to avoid
colliding with auth keys, back up SSH config before changes, place
new SSH directives in Host * blocks, and prompt for email in
allowed_signers setup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Detect GCM (Git Credential Manager) as preferred cross-platform helper
- Recognize osxkeychain, GCM, libsecret, gnome-keyring as keychain-backed
- Print distro-specific install hints when no keychain helper found
- Refactor apply_setting_group and apply_ssh_directive_group to use bash
arrays instead of sed-indexed newline-delimited strings
- Extract get_ssh_directive_value() to deduplicate SSH config parsing
- Fix stale function name in tests (apply_ssh_directive → apply_single_ssh_directive)
- Remove orphan comment in detect_existing_keys
- Bump version to 0.4.0
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Use Homebrew ssh-keygen for FIDO2 key generation on macOS instead of
searching for libsk-libfido2.dylib (removed in modern openssh). Group
interactive apply prompts into 6 categories with explanations. Fix
Linux gitleaks install hint to show apt/dnf instead of brew.
Co-Authored-By: Claude <noreply@anthropic.com>

Add security items from post-bump hygiene fixes to the 0.1.0
changelog entry.
Closes: #16
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>