Add comprehensive security protections for credentials

Enhanced .gitignore to protect: - Configuration files with secrets (config.yaml, .env files) - Mastodon credential files (*_clientcred.secret, *_usercred.secret) - API keys and tokens (*.key, *.token, *.pem, credentials.json) - Database files (may contain user data) - Backup files (may contain sensitive data) - LLM API key directories (.llm/, .openai/, .anthropic/) Added SECURITY.md documentation covering: - Where secrets are stored - What is/isn't committed to git - Best practices for credential management - Production secret management options - What to do if secrets are accidentally committed - Pre-commit hook examples - Security audit checklist Verified all patterns with test suite - all sensitive files properly ignored. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-06 17:14:35 -07:00
parent fbc37ecb8f
commit ff5ac21f68
2 changed files with 393 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -32,21 +32,44 @@ ENV/
 *.swo
 *~

-# Configuration
+# Configuration with secrets
 config/config.yaml
+config/config.local.yaml
 .env
+.env.local
+.env.*.local

-# Database
+# Mastodon credentials
+*_clientcred.secret
+*_usercred.secret
+govbot_clientcred.secret
+govbot_usercred.secret
+
+# API keys and tokens
+*.key
+*.token
+*.pem
+credentials.json
+secrets.json
+api_keys.json
+
+# Database (contains governance data)
 *.db
 *.sqlite
 *.sqlite3

-# Logs
+# Backups (may contain sensitive data)
+*.backup
+*.bak
+
+# Logs (may contain tokens in debug output)
 *.log

-# AI/LLM
+# AI/LLM (API keys stored here)
 .llm/
 embeddings/
+.openai/
+.anthropic/

 # Testing
 .pytest_cache/