Address critical and high findings from an external security review.
Critical/high fixes:
- reset-signing no longer treats general-purpose keys (id_ed25519, etc.)
as deletion candidates, defaults the delete prompt to No, and never
deletes files in -y mode
- FIDO2 retry now re-runs the same attempt (for-loop reassignment bug
silently advanced to the next fallback key type)
- core.hooksPath redirection installs dispatch stubs for all client-side
hook types so repo-local hooks (husky, lefthook, pre-commit) keep
running; pre-commit combines gitleaks with dispatch and warns loudly
when gitleaks is absent
- public-key validation everywhere a key path is consumed, preventing
private key material in allowed_signers or user.signingkey
- config backups written mode 600 (may contain tokens)
- SSH config audit/apply is scope-aware (global vs host-specific),
appends new directives at EOF to preserve precedence, scans Include-d
files for keys
- pubkey algorithm restriction guarded against RSA/DSA-only lockout and
chooses the directive name by OpenSSH version
Added:
- audit tiers (security/hygiene/preference); --audit exit 2 reflects
security-tier issues only
- signing smoke test catching No-principal-matched at setup time
- http.sslVerify audit distinguishes unset from insecure override
Docs: correct fsmonitor precedence, log.showSignature and fsckObjects
breakage, SSH scoping semantics in REASONING.md; plan for agent-backed
keys (1Password/Bitwarden/forwarded agents) in docs/specs.
126/126 BATS tests pass; shellcheck clean.
Closes #53
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Document what each setting does, what attack it mitigates, what
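The "public-key validation everywhere a key path is consumed" item above, as an added POSIX shell example; this is not the project's own code, and the function names `is_public_key` and `require_public_key` are hypothetical. It fails closed on private-key markers and accepts only a file holding exactly one OpenSSH public-key line.

```shell
#!/bin/sh
# Added example (not the project's code): guard any code path that writes a
# key path into allowed_signers or user.signingkey so that private key
# material can never be consumed as if it were a public key.

# One OpenSSH public-key line: known key type, base64 blob, optional comment.
PUBKEY_RE='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'

# is_public_key FILE: exit 0 only if FILE contains exactly one public-key line.
is_public_key() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || return 1
    # Fail closed on a private-key marker anywhere in the file, even when a
    # public-key line is also present (e.g. a whole key pair pasted into one file).
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        return 1
    fi
    # Exactly one non-empty line, and it must match the public-key grammar.
    if [ "$(grep -c -v '^[[:space:]]*$' "$f")" -ne 1 ]; then
        return 1
    fi
    grep -v '^[[:space:]]*$' "$f" | grep -Eq "$PUBKEY_RE"
}

# require_public_key FILE: the check to run wherever a key path is consumed.
require_public_key() {
    if ! is_public_key "$1"; then
        printf 'refusing %s: not a single OpenSSH public key (private key material?)\n' "$1" >&2
        return 1
    fi
    return 0
}
```

The sample files in the test are constructed for the example; the base64 blobs are not real key material.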
could break, and why we chose this default. Covers all git config
settings, SSH directives, and audit-only checks.
Co-Authored-By: Claude <noreply@anthropic.com>