chore(security): tighten trufflehog env ignores, drop docs/plans

gaboesquivel · gaboesquivel · commit 234f8be547a3 · 2026-03-23T21:01:44.000Z
- Restrict .trufflehogignore to committed env template paths
- Align scripts/README with block-secret-files and TruffleHog
- Clarify apps/web README env docs; remove docs/plans plan file
diff --git a/.trufflehogignore b/.trufflehogignore
@@ -7,12 +7,10 @@
 ^\.cursor/skills/.*
 ^packages/.*/README\.md$
 
-# Example and sample files
-.*\.example$
-.*\.sample$
+# Committed env templates and defaults (match scripts/block-secret-files.mjs allowlist)
 .*\.env\.[^/]+\.example$
 .*\.env\.schema$
-.*\.env\.test$
+.*\.env\.(development|staging|production|test)$
 
 # Test files
 .*\.test\.(ts|tsx|js|jsx|mjs)$
diff --git a/apps/web/README.md b/apps/web/README.md
@@ -95,7 +95,7 @@ See [E2E Testing](@apps/docu/content/docs/testing/e2e-testing.mdx) for full deta
 
 ### Environment Variables
 
-Optional environment variables (see `.env.local.example`):
+Optional environment variables — see `.env.local.example` (copy to `.env.local`) and `lib/env.ts` for the validated schema:
 
 ## Project Structure
 
diff --git a/docs/plans/env-file-harmonization.md b/docs/plans/env-file-harmonization.md
diff --git a/scripts/README.md b/scripts/README.md
@@ -69,7 +69,7 @@ All security-related pnpm scripts are organized under the `security:` namespace:
 Prevents committing sensitive file types in pre-commit hooks.
 
 **What gets blocked**:
-- `.env` (but `.env.<qualifier>.example`, `.env.schema`, `.env.{development,staging,production,test}` are allowed)
+- `.env` and related sensitive paths (see `block-secret-files.mjs`); allowed committed templates — `.env.<qualifier>.example`, `.env.schema`, `.env.{development,staging,production,test}` — use the same patterns in `.trufflehogignore` for TruffleHog
 - `*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.jks`, `*.keystore`
 - `id_rsa*` (SSH private keys)
 - Certificate files: `*.crt`, `*.cer`, `*.der`, `*.p7b`, `*.p7c`, `*.p7m`, `*.p7s`
