Commit Graph

8 Commits

Author SHA1 Message Date
Flo 382a35c47e fix(security): harden destructive paths and add audit tiers (v0.6.0)
Address critical and high findings from an external security review.

Critical/high fixes:
- reset-signing no longer treats general-purpose keys (id_ed25519, etc.)
  as deletion candidates, defaults the delete prompt to No, and never
  deletes files in -y mode
- FIDO2 retry now re-runs the same attempt (for-loop reassignment bug
  silently advanced to the next fallback key type)
- core.hooksPath redirection installs dispatch stubs for all client-side
  hook types so repo-local hooks (husky, lefthook, pre-commit) keep
  running; pre-commit combines gitleaks with dispatch and warns loudly
  when gitleaks is absent
- public-key validation everywhere a key path is consumed, preventing
  private key material in allowed_signers or user.signingkey
- config backups written mode 600 (may contain tokens)
- SSH config audit/apply is scope-aware (global vs host-specific),
  appends new directives at EOF to preserve precedence, scans Include-d
  files for keys
- pubkey algorithm restriction guarded against RSA/DSA-only lockout and
  chooses the directive name by OpenSSH version

Added:
- audit tiers (security/hygiene/preference); --audit exit 2 reflects
  security-tier issues only
- signing smoke test catching No-principal-matched at setup time
- http.sslVerify audit distinguishes unset from insecure override

Docs: correct fsmonitor precedence, log.showSignature and fsckObjects
breakage, SSH scoping semantics in REASONING.md; plan for agent-backed
keys (1Password/Bitwarden/forwarded agents) in docs/specs.

126/126 BATS tests pass; shellcheck clean.

Closes #53

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:55:31 +02:00
Flo 35ae641038 docs: add REASONING.md with trade-offs for every default
Document what each setting does, what attack it mitigates, what
could break, and why we chose this default. Covers all git config
settings, SSH directives, and audit-only checks.

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-31 19:59:31 +02:00
Flo 8037cb7908 feat: v0.2.0 expanded hardening
Add gitleaks pre-commit hook, global gitignore, plaintext credential
detection, SSH key hygiene audit, 8 new git config settings, and
safe.directory wildcard detection. Fix ssh-keygen macOS compatibility,
FIDO2 detection via ioreg, and interactive test isolation.

Implements docs/specs/2026-03-31-v0.2.0-expanded-hardening.md

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-31 14:03:29 +02:00
Flo 6dd2e6aec8 docs: update e2e spec for safety review gate
Add safety gate prompt to all interactive tmux scenarios, add new
"safety gate decline" test scenario, update acceptance criteria.

Closes: #10

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-30 23:47:11 +02:00
Flo 078d55982b chore: Add agentic coding tooling
2026-03-30 13:39:40 +02:00
Flo 10465dac24 Address external review feedback
Add Bash 3.2 compatibility constraint (macOS ships ancient bash),
add config backup before applying changes, preserve ssh-keygen stderr
during FIDO2 key generation, verify key file before enabling signing
in -y mode.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 16:56:01 +01:00
Flo 9b7cfd8f3b Address spec review findings
Fix incorrect CVE reference for core.fsmonitor, clarify bash/zsh
compatibility (shebang is bash, works from zsh sessions), fix -y mode
signing behavior to not break commits when no key exists, clarify
submodule.recurse scope, add pull.rebase conflict warning, improve
SSH config and credential helper detection specifics, add FIDO2
touch prompt, and clarify audit exit code for missing signing keys.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 14:40:29 +01:00
Flo 1efd68a408 Add design spec for git-harden.sh
Interactive shell script that audits and hardens global git config
with security-focused defaults: object integrity, protocol restrictions,
filesystem protection, hook control, SSH signing with FIDO2 support,
and credential security.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 13:50:43 +01:00