Skip to content

chore: ignore sdk/*/.cryptoserve.json init artifact#46

Merged
thebenignhacker merged 1 commit into
mainfrom
chore/ignore-sdk-init-artifact
May 15, 2026
Merged

chore: ignore sdk/*/.cryptoserve.json init artifact#46
thebenignhacker merged 1 commit into
mainfrom
chore/ignore-sdk-init-artifact

Conversation

@thebenignhacker

Copy link
Copy Markdown
Contributor

Summary

  • Running cryptoserve init inside an SDK source tree (during dev or release-smoke) writes a .cryptoserve.json stub. One had been sitting untracked in sdk/javascript/ since 2026-03-17.
  • Scoped ignore to sdk/*/ so it does not silently hide real .cryptoserve.json files in user projects that vendor or fork this repo. End users are expected to commit their own.

Test plan

  • git status clean after deleting the existing artifact.
  • cryptoserve init inside sdk/javascript/ recreates the file and it is now ignored.

Running `cryptoserve init` inside an SDK source tree (during dev or
release-smoke) writes a `.cryptoserve.json` stub. End users are
expected to commit `.cryptoserve.json` in their own projects, so the
ignore is scoped to `sdk/*/` rather than the file name globally.
@github-actions

github-actions Bot commented May 15, 2026

Copy link
Copy Markdown

Claude finished @thebenignhacker's task —— View job


Security Review ✅

  • Read changed files
  • Analyze security implications
  • Post review findings

Security Analysis

I've reviewed this PR against all security criteria. This change adds a single line to .gitignore:

+sdk/*/.cryptoserve.json

Findings

No security issues found. This is a low-risk change that only modifies .gitignore to exclude build artifacts.

Detailed Assessment

✅ Injection vulnerabilities: N/A - No code execution paths modified

✅ Authentication/authorization bypasses: N/A - No auth logic touched

✅ Insecure deserialization: N/A - No serialization code modified

✅ Hardcoded credentials: N/A - Actually improves security posture by ensuring the ignore is scoped to sdk/*/ only, preventing accidental hiding of real user .cryptoserve.json files that may contain credentials

✅ SSRF/open redirects: N/A - No network code modified

✅ Cryptographic misuse: N/A - No crypto code modified

✅ Prototype pollution: N/A - No JavaScript object manipulation modified

✅ ReDoS: N/A - The gitignore pattern sdk/*/.cryptoserve.json uses simple glob matching, not regex, and is not user-controlled

✅ Command injection: N/A - No command execution modified

✅ Logic bugs (scoring/gating): N/A - No scoring or gating logic modified

✅ Filter predicates: N/A - No filter logic modified

✅ Boolean expressions: N/A - No boolean logic modified

Positive Security Observations

  1. Proper scoping: The pattern sdk/*/.cryptoserve.json is correctly scoped to only ignore these files within sdk/*/ subdirectories, not globally
  2. No credential leakage risk: The scoped ignore prevents accidentally hiding user-space .cryptoserve.json files that might contain actual credentials
  3. Consistent with existing patterns: Placed in the "Credentials and secrets" section at line 72, right after .cryptoserve/

FINDINGS_COUNT=0


@github-actions

Copy link
Copy Markdown

Manual review required. This PR did not meet auto-merge criteria:

  • Security review found issues (findings: unknown)
  • PR author 'thebenignhacker' is not in the trusted auto-merge list
  • PR is too new (1 min < 5 min minimum)

@thebenignhacker thebenignhacker merged commit fe0d4f5 into main May 15, 2026
12 checks passed
@thebenignhacker thebenignhacker deleted the chore/ignore-sdk-init-artifact branch May 15, 2026 01:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant