Security & secret guard
A built-in guard that stops secrets, keys, env files, and your own private data from ever being committed or published — across all content, every time.
cckit’s guard checks code, docs, the cookbook, examples, and templates. It runs in the local gate and as a pre-commit hook, so a leak is caught before it leaves your machine.
What it blocks

- Forbidden files: `.env*` (including `.env.example`), `*.pem` / `*.key` / keystores, `id_rsa`, `.netrc`, `*.tfvars`, project id dumps.
- Secret content: provider key prefixes, private-key blocks, JWTs, and secret-looking assignments. Placeholders like `<...>`, `${...}`, and `YOUR_…` are allowed.
- Your private terms: a denylist you control (below).
Your private denylist (agnostic)

Nothing project-specific is hardcoded in cckit. You declare what is private to you.

- Copy the example: `cp privacy-denylist.example .cckit/privacy-denylist` (the target is gitignored).
- List your terms: org names, hosts, emails, anything private to you, one per line.
- Commit something: the guard fails if any term appears in a tracked file.

cckit ships the list empty; it never guesses what is yours.
Enforcement

The guard runs in two places:
| Where | What it is | How to enable |
|---|---|---|
| Local gate | `scripts/check.sh` | Runs as part of the check suite |
| Pre-commit hook | `githooks/pre-commit` | `git config core.hooksPath githooks` |
A finding blocks the commit. The guard is not optional and is not bypassed by the permission consent described in Config & permissions. Note that git itself lets `git commit --no-verify` skip local hooks, so the check suite run by the local gate is the backstop, not the hook alone.
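The three rules under "What it blocks", the denylist workflow, and the pre-commit entry point, as one added example in POSIX shell. This is illustrative code written for this page, not cckit's own `scripts/check.sh` or `githooks/pre-commit`: the page does not list the exact patterns cckit matches, so the regexes, the provider key prefixes (`AKIA`, `sk-`, `ghp_`, `xox*`), the keystore extensions, and the `.cckit/privacy-denylist` default are assumptions modelled on the categories named above. The fixtures built by `demo_findings` are constructed, not real data.

```shell
#!/bin/sh
# Illustrative secret guard for this page: forbidden-file check, secret-content
# check with placeholder exemption, private denylist, and a staged-file entry
# point. Example code, not cckit's scripts/check.sh or githooks/pre-commit;
# the patterns, keystore extensions and default denylist path are assumptions.

# Forbidden files, matched on the basename (mirrors the .env*, key, keystore list).
is_forbidden_path() {
  case "${1##*/}" in
    .env*|*.pem|*.key|*.jks|*.p12|*.keystore|id_rsa|id_ed25519|.netrc|*.tfvars) return 0 ;;
    *) return 1 ;;
  esac
}

# Replace allowed placeholders (<...>, ${...}, YOUR_...) with a short marker so
# they cannot satisfy a secret pattern, while a real secret beside one still can.
mask_placeholders() {
  printf '%s\n' "$1" | sed -E 's/<[^<>]+>|[$][{][^}]+[}]|YOUR_[A-Z0-9_]+/__PH__/g'
}

# Secret-looking content: private-key blocks, a few provider key prefixes
# (assumed examples), JWTs, and long opaque values assigned to secret-named names.
has_secret() {
  s=$(mask_placeholders "$1")
  printf '%s\n' "$s" | grep -Eq \
    -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
    -e '(^|[^A-Za-z0-9])AKIA[0-9A-Z]{16}($|[^A-Za-z0-9])' \
    -e '(^|[^A-Za-z0-9])(sk-|ghp_|xox[abp]-)[A-Za-z0-9_-]{16,}' \
    -e 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' && return 0
  printf '%s\n' "$s" | grep -Eiq \
    '(secret|password|passwd|token|api_?key)[A-Za-z0-9_]*[[:space:]]*[:=][[:space:]]*["'"'"']?[A-Za-z0-9/+=_-]{12,}'
}

# Private denylist: one term per line, matched case-insensitively as a fixed
# string. Comments and blank lines are dropped first: with grep -f a blank
# line matches everything, which would turn the shipped empty list into a blanket failure.
denylist_hits() {
  tl=$(mktemp)
  grep -v -e '^#' -e '^[[:space:]]*$' "$2" > "$tl" 2>/dev/null || :
  if [ -s "$tl" ] && grep -n -i -F -f "$tl" "$1"; then r=0; else r=1; fi
  rm -f "$tl"
  return $r
}

# Scan one tracked file; print "path[:line]: reason" per finding, return 1 if any.
scan_file() {
  f=$1; list=$2; rc=0
  if is_forbidden_path "$f"; then
    printf '%s: forbidden file\n' "$f"; return 1
  fi
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    if has_secret "$line"; then
      printf '%s:%s: secret-looking content\n' "$f" "$n"; rc=1
    fi
  done < "$f"
  if hits=$(denylist_hits "$f" "$list"); then
    printf '%s\n' "$hits" | while IFS= read -r h; do printf '%s:%s: private term\n' "$f" "$h"; done
    rc=1
  fi
  return $rc
}

# Pre-commit entry point: scan every staged (added, copied, modified) file.
# Wire it up with: git config core.hooksPath githooks
guard_staged() {
  dl=${1:-.cckit/privacy-denylist}   # default path taken from the setup steps above
  staged=$(mktemp); grc=0
  git diff --cached --name-only --diff-filter=ACM > "$staged"
  while IFS= read -r p; do
    [ -f "$p" ] && { scan_file "$p" "$dl" || grc=1; }
  done < "$staged"
  rm -f "$staged"
  return $grc
}

# Constructed fixtures (not real data) exercising each rule; returns 1 because
# two of the three files must fail.
demo_findings() {
  d=$(mktemp -d); drc=0
  mkdir -p "$d/examples"
  printf 'acme-internal\n# a comment\n\n' > "$d/privacy-denylist"
  printf 'API_KEY=<your key>\nDB_URL=${DATABASE_URL}\nTOKEN=YOUR_TOKEN\n' > "$d/examples/config.md"
  printf 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE\nhost: build.acme-internal.example\n' > "$d/examples/notes.md"
  printf 'KEY=placeholder\n' > "$d/.env.example"
  for p in examples/config.md examples/notes.md .env.example; do
    scan_file "$d/$p" "$d/privacy-denylist" || drc=1
  done
  rm -rf "$d"
  return $drc
}

[ "${1:-}" = demo ] && demo_findings   # sh guard.sh demo
```

Two design points matter more than the regexes. Placeholders are masked out of the line rather than exempting the whole line, so `TOKEN=YOUR_TOKEN` passes but `TOKEN=YOUR_TOKEN ghp_…` still fails; exempting per line would let a real secret hide next to a placeholder. And the denylist is filtered before it reaches `grep -f`, because a single blank line in that file matches every line of every tracked file, which would turn the empty list cckit ships into a guard that blocks everything. The assignment pattern is a heuristic and will flag some long numeric values, which is the usual trade-off for a guard that must never miss a real key.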
Reporting a vulnerability

Open a private security advisory on the repository (Security → Advisories), or a regular issue if it is low-risk. Do not include secrets or exploit details in a public issue.
Independent, educational project — not affiliated with or endorsed by Anthropic. Claude and Claude Code are trademarks of Anthropic PBC. Disclaimer & trademarks ·
From Mexico with love by josegtz