auto-sync: [Sun Mar 15 01:47:22 PM -03 2026]

Author: guiledo

.github/workflows/secret-scanning.yml

@@ -0,0 +1,21 @@
+name: Secret Scanning
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Gitleaks Scan
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.ignore_stow/git_push_dotfiles.sh

@@ -5,6 +5,14 @@
 # Change to your dotfiles directory
 cd $HOME/dotfiles || exit
 
+# Scan for secrets before doing anything
+echo "Running secret scan..."
+./scripts/security/scan_secrets.sh
+if [ $? -ne 0 ]; then
+    echo " Sync aborted: Secrets detected!"
+    exit 1
+fi
+
 # Add all changes
 git add -A
 

README.md

@@ -0,0 +1,28 @@
+# Dotfiles Security
+
+This repository includes automated secret scanning to prevent sensitive information (API keys, passwords, private keys) from being pushed to GitHub.
+
+## Security Measures
+
+- **Secret Scanner Script**: `scripts/security/scan_secrets.sh` - Uses `git grep` with robust regex patterns to find potential secrets.
+- **Git Hooks**:
+    - `pre-commit`: Scans tracked files before every commit.
+    - `pre-push`: Scans tracked files before every push.
+- **GitHub Action**: `.github/workflows/secret-scanning.yml` - Runs Gitleaks on every push to the remote.
+- **Enhanced Sync Script**:
+    - `.ignore_stow/git_push_dotfiles.sh`
+    This script explicitly runs the secret scanner before proceeding.
+
+## Installation of Git Hooks
+
+Ensure the git hooks are executable to activate the local protection:
+```bash
+chmod +x .git/hooks/pre-commit .git/hooks/pre-push
+```
+The hooks are configured to call `scripts/security/scan_secrets.sh` before every commit and push.
+
+## How to handle false positives
+
+If the scanner finds a false positive (a string that looks like a secret but isn't), you can:
+1.  **Refine the regex** in `scripts/security/scan_secrets.sh`.
+2.  **Add the file or directory** to the `EXCLUDE` list in `scripts/security/scan_secrets.sh`.

git/.config/git/hooks/pre-push

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Global Gitleaks Pre-push Hook
+# This will prevent any push that contains potential secrets
+
+if command -v gitleaks >/dev/null 2>&1; then
+    echo -e "\033[1;33m[Gitleaks] Scanning your commits for secrets...\033[0m"
+    
+    # --staged: scan what's about to be pushed
+    # --verbose: show details on match
+    # --redact: hide the actual secret in the output
+    gitleaks protect --staged --verbose --redact
+    
+    EXIT_CODE=$?
+    
+    if [[ $EXIT_CODE -ne 0 ]]; then
+        echo -e "\033[0;31m[Gitleaks] PUSH REJECTED: Potential secrets detected.\033[0m"
+        echo -e "\033[0;33mPlease remove the secrets from your git history before pushing.\033[0m"
+        exit 1
+    fi
+    
+    echo -e "\033[0;32m[Gitleaks] Scan passed. Proceeding with push.\033[0m"
+else
+    # Only show warning if not in a known repo where gitleaks is already ignored
+    echo -e "\033[0;33m[Gitleaks] Warning: gitleaks is not installed. Skipping local secret scan.\033[0m"
+fi
+
+exit 0

opencode/.config/opencode/opencode.json

@@ -23,10 +23,10 @@
         "edit": false,
       }
     },
-    "professor": {
+    "mentor": {
       "mode": "primary",
       "instructions": [
-        "~/.config/opencode/rules/cs-professor.md"
+        "~/.config/opencode/rules/cs-mentor.md"
       ],
       "tools": {
         "write": false,

…e/.config/opencode/rules/cs-professor.md …code/.config/opencode/rules/cs-mentor.mdopencode/.config/opencode/rules/cs-professor.md renamed to opencode/.config/opencode/rules/cs-mentor.md opencode/.config/opencode/rules/cs-professor.md renamed to opencode/.config/opencode/rules/cs-mentor.md

@@ -1,4 +1,4 @@
-# Role: CS Professor
+# Role: CS Mentor
 You are a distinguished Computer Scientist and Professor with decades of experience in academia and industry. Your knowledge spans the entire stack, from low-level systems (VHDL, kernels, compilers) to high-level architecture (microservices, cloud-native design), cybersecurity, and robotics/mechatronics.
 
 ## Objective: Mentorship

scripts/.local/bin/scripts/git-minor-change

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 # Quickly add all changes, commit with an auto-message, and push
+
 git add -A
 git commit -m "[auto] Minor change in the codebase."
 git push

scripts/.local/bin/scripts/git-repo-init

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 # Initialize a new Git repository and create it on GitHub
+
 git init -b main && \
 gh repo create --private --source=. --remote=origin && \
 git add . && \

scripts/security/scan_secrets.sh

@@ -1,82 +1,57 @@
 #!/usr/bin/env bash
 
 # Secret Scanning Script for Dotfiles
-# This script searches for common patterns that might indicate secrets or sensitive info.
+# This script searches for common patterns that might indicate secrets or sensitive info using git grep.
 
 # Define the colors
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 NC='\033[0m' # No Color
 
-# Define the patterns to search for
+# Define the patterns to search for (using extended regex for git grep)
+# Note: we use -E for extended regex in git grep
 PATTERNS=(
-    # AWS Access Key ID
-    'AKIA[0-9A-Z]{16}'
-    # AWS Secret Access Key
-    '[^a-zA-Z0-9/+=][a-zA-Z0-9/+=]{40}[^a-zA-Z0-9/+=]'
-    # GitHub Personal Access Token
-    'ghp_[a-zA-Z0-9]{36}'
-    # GitHub OAuth Token
-    'gho_[a-zA-Z0-9]{36}'
-    # Slack Token
-    'xox[bap]-[a-zA-Z0-9-]{10,}'
-    # Stripe API Key
-    'sk_live_[0-9a-zA-Z]{24}'
-    # Google API Key
-    'AIza[0-9A-Za-z\\-_]{35}'
-    # Generic Private Key
-    '-----BEGIN [A-Z ]*PRIVATE KEY-----'
-    # Potential passwords/secrets in config files
-    '(password|passphrase|token|secret|key|api|auth|cred|ident|account|user|private|ssh-)[^=]*[=:][^ \n]{8,}'
+    'AKIA[0-9A-Z]{16}'                                          # AWS Access Key ID
+    'ghp_[a-zA-Z0-9]{36}'                                       # GitHub Personal Access Token
+    'gho_[a-zA-Z0-9]{36}'                                       # GitHub OAuth Token
+    'xox[bap]-[a-zA-Z0-9-]{10,}'                                # Slack Token
+    'sk_live_[0-9a-zA-Z]{24}'                                   # Stripe API Key
+    'AIza[0-9A-Za-z\-_]{35}'                                    # Google API Key
+    '-----BEGIN [A-Z ]*PRIVATE KEY-----'                         # Generic Private Key
+    '(password|passphrase|token|secret|api|auth|cred|ssh-)[^=]*[=:][^ \/\n]{12,}' # Potential secrets (excluding URLs)
 )
 
-# Files to exclude (like this script itself)
-EXCLUDE_PATTERNS=(
-    'scripts/security/scan_secrets.sh'
-    '*.png'
-    '*.jpg'
-    '*.jpeg'
-    '*.gif'
-    '*.svg'
-    '*.ico'
-    '*.woff'
-    '*.woff2'
-    '*.ttf'
-    '*.otf'
-    '*.lock'
-    '*.json'
+# Files/Directories to exclude (relative to repo root)
+EXCLUDE=(
+    ':(exclude).git'
+    ':(exclude)oh-my-zsh'
+    ':(exclude)node_modules'
+    ':(exclude).cache'
+    ':(exclude)scripts/security/scan_secrets.sh'
+    ':(exclude).ignore_stow/default-cursor'
+    ':(exclude).ignore_stow/default-vscode'
+    ':(exclude)*.png'
+    ':(exclude)*.jpg'
+    ':(exclude)*.jpeg'
+    ':(exclude)*.gif'
+    ':(exclude)*.svg'
+    ':(exclude)*.ico'
+    ':(exclude)*.lock'
+    ':(exclude)*.json'
 )
 
-# Directories to exclude
-EXCLUDE_DIRS=(
-    '.git'
-    'oh-my-zsh'
-    'node_modules'
-    '.cache'
-)
-
-# Build the exclude arguments for grep
-EXCLUDE_ARGS=()
-for pattern in "${EXCLUDE_PATTERNS[@]}"; do
-    EXCLUDE_ARGS+=(--exclude="$pattern")
-done
-
-for dir in "${EXCLUDE_DIRS[@]}"; do
-    EXCLUDE_ARGS+=(--exclude-dir="$dir")
-done
-
-echo -e "${YELLOW}Scanning for potential secrets...${NC}"
+echo -e "${YELLOW}Scanning tracked files for potential secrets...${NC}"
 
 FOUND_SECRETS=0
 
 for pattern in "${PATTERNS[@]}"; do
-    # Search for the pattern in all files, excluding some
-    # Use -E for extended regex
-    # Use -r for recursive
-    # Use -n for line numbers
-    # Use -I to skip binary files
-    MATCHES=$(grep -rEnI "${EXCLUDE_ARGS[@]}" "$pattern" . 2>/dev/null)
+    # Use git grep to search only tracked files
+    # -E: extended regex
+    # -n: line numbers
+    # -i: ignore case for some patterns if needed (but here we stay case sensitive for tokens)
+    # -I: don't match in binary files
+    MATCHES=$(git grep -EnI "$pattern" -- . "${EXCLUDE[@]}" 2>/dev/null)
 
     if [[ -n "$MATCHES" ]]; then
         echo -e "${RED}Found potential secret for pattern: $pattern${NC}"
@@ -89,6 +64,6 @@ if [[ $FOUND_SECRETS -eq 1 ]]; then
     echo -e "${RED}ERROR: Potential secrets found! Please review before pushing.${NC}"
     exit 1
 else
-    echo -e "${GREEN}No potential secrets found.${NC}"
+    echo -e "${GREEN}No potential secrets found in tracked files.${NC}"
     exit 0
 fi