Initial release of git-harden.sh with audit/apply modes, SSH signing wizard, FIDO2 support, SSH config hardening, safety review gate, and 64 BATS tests. Closes: #13 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog.
[0.1.0] - 2026-03-31
Added
- Interactive shell script that audits and hardens global git config
- Audit mode (`--audit`) with color-coded report and CI-friendly exit codes
- Auto-apply mode (`-y`) for unattended hardening
- Object integrity checks (`transfer.fsckObjects`, `fetch.fsckObjects`, `receive.fsckObjects`)
- Protocol restrictions with default-deny policy (blocks `git://` and `ext://`)
- Filesystem protection (`core.protectNTFS`, `core.protectHFS`, `core.fsmonitor=false`)
- Hook execution control via `core.hooksPath` redirection
- Repository safety (`safe.bareRepository=explicit`, `submodule.recurse=false`)
- Pull/merge hardening (`pull.ff=only`, `merge.ff=only`) with `pull.rebase` conflict detection
- Transport security (HTTP-to-HTTPS rewrite, `http.sslVerify=true`)
- Platform-detected credential helper (`osxkeychain` on macOS, `libsecret` on Linux)
- SSH signing setup wizard with two tiers: software ed25519 and FIDO2 hardware keys
- SSH config hardening (`StrictHostKeyChecking`, `HashKnownHosts`, `IdentitiesOnly`, algorithm restrictions)
- Allowed signers file management
- Pre-execution safety review gate with AI assistant review instructions
- OSINT privacy advisory about signing key reuse across orgs
- Admin/org-level recommendations printed at end of every run
- Config backup before applying changes
- BATS test suite with 64 tests
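Added here as a worked example (not code from git-harden.sh or its test suite): a small bash audit that reads a gitconfig file directly and checks the settings listed above, exiting non-zero on any deviation the way an `--audit` run in CI would. The keys and values are git's own; the helper names and the choice of `https`/`ssh` as the allowed protocols beside `protocol.allow=never` are this example's assumptions, and the two config files are constructed samples.

```bash
#!/usr/bin/env bash
# Added example, not code from git-harden.sh: audit a gitconfig file against the
# hardening policy above without calling git. Helper names are hypothetical.
set -u

# Expected hardened values. Keys and values are real git config settings; the
# https/ssh allowlist beside protocol.allow=never is this example's assumption.
declare -A HARDENED=(
  [transfer.fsckObjects]=true [fetch.fsckObjects]=true [receive.fsckObjects]=true
  [protocol.allow]=never [protocol.https.allow]=always [protocol.ssh.allow]=always
  [core.protectNTFS]=true [core.protectHFS]=true [safe.bareRepository]=explicit
  [submodule.recurse]=false [pull.ff]=only [merge.ff]=only [http.sslVerify]=true
)

# Flatten a gitconfig file to "section[.subsection].key=value" lines. Section and
# key names are case-insensitive in git (lowercased here); subsections are not.
parse_gitconfig() {
  awk '
    /^[[:space:]]*[#;]/ { next }
    /^[[:space:]]*\[/ {
      line = $0; sub(/^[[:space:]]*\[/, "", line); sub(/\].*$/, "", line)
      if (match(line, /"[^"]*"/)) {
        subsec = substr(line, RSTART + 1, RLENGTH - 2)
        sec = line; sub(/[[:space:]]*".*$/, "", sec)
        section = tolower(sec) "." subsec
      } else { section = tolower(line) }
      next
    }
    /=/ {
      key = $0; sub(/[[:space:]]*=.*$/, "", key); gsub(/^[[:space:]]+/, "", key)
      val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
      print section "." tolower(key) "=" val
    }' "$1"
}

# One PASS/FAIL line per policy key; returns 1 on any deviation so CI can fail.
audit_gitconfig() {
  local file=$1 rc=0 key val want got
  local -A have
  while IFS='=' read -r key val; do have[$key]=$val; done < <(parse_gitconfig "$file")
  for key in "${!HARDENED[@]}"; do
    want=${HARDENED[$key]}; got=${have[${key,,}]:-"(unset)"}
    if [[ $got == "$want" ]]; then echo "PASS $key=$got"
    else echo "FAIL $key=$got (want $want)"; rc=1; fi
  done
  return "$rc"
}

# Constructed samples: a typical unhardened config, then the hardened target.
write_weak_config() {
  cat > "$1" <<'EOF'
[user]
    name = Example User
[http]
    sslVerify = false
[protocol]
    allow = always
EOF
}
write_hardened_config() {
  cat > "$1" <<'EOF'
[transfer]
    fsckObjects = true
[fetch]
    fsckObjects = true
[receive]
    fsckObjects = true
[protocol]
    allow = never
[protocol "https"]
    allow = always
[protocol "ssh"]
    allow = always
[core]
    protectNTFS = true
    protectHFS = true
[safe]
    bareRepository = explicit
[submodule]
    recurse = false
[pull]
    ff = only
[merge]
    ff = only
[http]
    sslVerify = true
EOF
}

sample=$(mktemp); write_weak_config "$sample"
audit_gitconfig "$sample" || echo "audit exit status $? (a CI job would fail here)"
rm -f "$sample"
```

Reading the file instead of running `git config --get` keeps the check usable in a container without git installed; the trade-off is that include directives and per-repository overrides are not followed, so this is an audit of one file, not of git's effective configuration.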
Security
- Safe tilde expansion without `eval`
- SSH config value parsing handles inline comments and quoted paths
- Version comparison uses base-10 arithmetic to prevent octal interpretation
- Containers run with `--network=none` and non-root user (e2e spec)
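Added here as a worked example (not code from git-harden.sh): bash implementations of three of the safeguards above, namely tilde expansion without `eval`, ssh_config value parsing that survives inline comments and quoted paths, and a base-10 version comparison, run against a constructed `~/.ssh/config`. The function names and the sample file are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from git-harden.sh: the three parsing/arithmetic
# safeguards from the Security list, run against a constructed ssh_config.
# Function names are hypothetical.
set -u

# 1. Tilde expansion via parameter expansion only. eval "$path" would let a
#    value such as '~/$(rm -rf ~)' execute; here the text is never re-parsed.
#    Only "~" and "~/..." are expanded; "~user/..." is left alone on purpose.
expand_tilde() {
  case $1 in
    "~")   printf '%s\n' "$HOME" ;;
    "~/"*) printf '%s\n' "$HOME/${1#"~/"}" ;;
    *)     printf '%s\n' "$1" ;;
  esac
}

# 2. Value of one ssh_config keyword (first match wins; Host/Match scoping is
#    ignored here). Keywords are case-insensitive, "Key value" and "Key=value"
#    are both accepted, a "#" that starts a token begins a comment, and a
#    double-quoted value keeps spaces and "#" verbatim. Returns 1 if absent.
ssh_config_value() {
  local file=$1 want=${2,,} line key rest
  local re='^([A-Za-z]+)[[:space:]]*=?[[:space:]]*(.*)$'
  while IFS= read -r line || [[ -n $line ]]; do
    line=${line#"${line%%[![:space:]]*}"}               # strip leading blanks
    [[ -z $line || $line == \#* ]] && continue
    [[ $line =~ $re ]] || continue
    key=${BASH_REMATCH[1],,}; rest=${BASH_REMATCH[2]}
    [[ $key == "$want" ]] || continue
    if [[ $rest == \"* ]]; then
      rest=${rest#\"}; rest=${rest%%\"*}
    else
      [[ $rest == \#* ]] && rest=""
      rest=${rest%%[[:space:]]#*}
      rest=${rest%"${rest##*[![:space:]]}"}             # strip trailing blanks
    fi
    printf '%s\n' "$rest"; return 0
  done < "$file"
  return 1
}

# 3. Version comparison in base 10. Tool banners carry suffixes ("OpenSSH_9.8p1",
#    "git version 2.43.0"), and a zero-padded component such as "08" is octal
#    to $(( )) (and "09" is an error); the 10# prefix forces decimal.
numeric_version() {                       # "OpenSSH_9.8p1" -> "9.8"
  local re='[0-9]+(\.[0-9]+)*'
  [[ $1 =~ $re ]] && printf '%s\n' "${BASH_REMATCH[0]}"
}
version_ge() {                            # version_ge 2.9.08 2.9.8 -> 0 (true)
  local IFS=.
  local -a a=($1) b=($2)
  local i x y
  for ((i = 0; i < 3; i++)); do
    x=$((10#${a[i]:-0})); y=$((10#${b[i]:-0}))
    (( x > y )) && return 0
    (( x < y )) && return 1
  done
  return 0
}

# Constructed sample ~/.ssh/config exercising each parsing rule.
write_sample_ssh_config() {
  cat > "$1" <<'EOF'
# constructed sample
Host *
    StrictHostKeyChecking yes   # refuse unknown host keys instead of prompting
    HashKnownHosts=yes
    IdentitiesOnly yes
    IdentityFile "~/.ssh/id_ed25519 #1"   # quoted: space and # are part of it
    KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
EOF
}

cfg=$(mktemp); write_sample_ssh_config "$cfg"
printf 'IdentityFile -> %s\n' "$(expand_tilde "$(ssh_config_value "$cfg" identityfile)")"
rm -f "$cfg"
# OpenSSH 8.2 introduced the FIDO2 (sk-*) key types the signing wizard relies on.
version_ge "$(numeric_version 'OpenSSH_9.8p1')" 8.2 && echo "OpenSSH >= 8.2: FIDO2 keys available"
```

The quoted-value rule matters because a naive `cut -d'#'` or `sed 's/#.*//'` would truncate a legitimately quoted path containing `#`, and a naive `${val%%#*}` would do the same; the quoted form is how a path with spaces is written in ssh_config, so the parser has to treat the quotes as the boundary. The `10#` prefix is the whole fix for the octal problem: without it, comparing against a version like `2.9.08` either silently computes the wrong number or aborts the script with "value too great for base".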