chore(security): remove historical secret fixtures

Haitao Pan 2026-06-29 12:29:37 +08:00
parent b44b0e7b0c
commit b63a9c1dbb
4 changed files with 34 additions and 73 deletions


@ -1,26 +0,0 @@
# gitleaks config for xworkmate-app
# Keeps all default rules, and allowlists known non-secret findings:
# - vendored third-party code (cargokit ships a *public* verification key)
# - unit-test fixtures (hardcoded "device-1" / "token" test vectors)
# Real leaked credentials are NOT allowlisted here — they are purged from
# history and rotated.
title = "xworkmate-app gitleaks config"
[extend]
useDefault = true
[allowlist]
description = "Vendored third-party code and unit-test fixtures (no real secrets)"
paths = [
# cargokit (super_native_extensions) ships a public binary-verification key
'''third_party/.*''',
# Dart unit-test fixtures: obfuscated "token" / fake TF password assertions
'''test/features/workspace_management/workspace_management_unit_test\.dart''',
# Go unit-test fixtures: hardcoded "device-1" identity key pair
'''go/go_core/internal/gatewayruntime/runtime_test\.go''',
]
regexes = [
# cargokit public key value, in case it is referenced outside third_party/
'''test-public-key-hex''',
]


@ -53,10 +53,10 @@ packages:
dependency: transitive
description:
name: code_assets
sha256: "83ccdaa064c980b5596c35dd64a8d3ecc68620174ab9b90b6343b753aa721687"
sha256: bf394f466ba9205f1812a0433b392d6af280f155f56651eda7c18cc32ed493b8
url: "https://pub.dev"
source: hosted
version: "1.0.0"
version: "1.2.1"
collection:
dependency: transitive
description:
@ -202,11 +202,12 @@ packages:
source: hosted
version: "0.9.4"
file_selector_macos:
dependency: "direct overridden"
dependency: transitive
description:
path: "third_party/file_selector_macos"
relative: true
source: path
name: file_selector_macos
sha256: "5e0bbe9c312416f1787a68259ea1505b52f258c587f12920422671807c4d618a"
url: "https://pub.dev"
source: hosted
version: "0.9.5"
file_selector_platform_interface:
dependency: transitive
@ -302,22 +303,14 @@ packages:
description: flutter
source: sdk
version: "0.0.0"
glob:
dependency: transitive
description:
name: glob
sha256: c3f1ee72c96f8f78935e18aa8cecced9ab132419e8625dc187e1c2408efc20de
url: "https://pub.dev"
source: hosted
version: "2.1.3"
hooks:
dependency: transitive
description:
name: hooks
sha256: e79ed1e8e1929bc6ecb6ec85f0cb519c887aa5b423705ded0d0f2d9226def388
sha256: "9a62a50b50b769a737bc0a8ff381f333529df3ab746b2f6b02e83760231455ba"
url: "https://pub.dev"
source: hosted
version: "1.0.2"
version: "2.0.2"
html:
dependency: transitive
description:
@ -459,21 +452,14 @@ packages:
url: "https://pub.dev"
source: hosted
version: "1.17.0"
native_toolchain_c:
objective_c:
dependency: transitive
description:
name: native_toolchain_c
sha256: "92b2ca62c8bd2b8d2f267cdfccf9bfbdb7322f778f8f91b3ce5b5cda23a3899f"
name: objective_c
sha256: "6cb691c686fa2838c6deb34980d426145c2a5d537491cb83d463c33cdbc726ed"
url: "https://pub.dev"
source: hosted
version: "0.17.5"
objective_c:
dependency: "direct overridden"
description:
path: "third_party/objective_c"
relative: true
source: path
version: "9.3.0"
version: "9.4.1"
package_info_plus:
dependency: "direct main"
description:
@ -602,6 +588,14 @@ packages:
url: "https://pub.dev"
source: hosted
version: "2.2.0"
record_use:
dependency: transitive
description:
name: record_use
sha256: "2551bd8eecfe95d14ae75f6021ad0248be5c27f138c2ec12fcb52b500b3ba1ed"
url: "https://pub.dev"
source: hosted
version: "0.6.0"
shared_preferences:
dependency: "direct main"
description:
@ -704,11 +698,12 @@ packages:
source: hosted
version: "0.9.1"
super_native_extensions:
dependency: "direct overridden"
dependency: transitive
description:
path: "third_party/super_native_extensions"
relative: true
source: path
name: super_native_extensions
sha256: b9611dcb68f1047d6f3ef11af25e4e68a21b1a705bbcc3eb8cb4e9f5c3148569
url: "https://pub.dev"
source: hosted
version: "0.9.1"
sync_http:
dependency: transitive


@ -39,20 +39,6 @@ dev_dependencies:
sdk: flutter
flutter_lints: ^6.0.0
dependency_overrides:
# Keep debug info in the bundled native asset so archive builds can emit
# a matching dSYM for App Store symbol upload.
objective_c:
path: third_party/objective_c
# Patch the macOS file selector plugin to avoid a deprecated API warning
# on current macOS toolchains while preserving older-OS behavior.
file_selector_macos:
path: third_party/file_selector_macos
# Use a local patch so Cargokit can recover from transient GitHub asset
# download failures during macOS packaging.
super_native_extensions:
path: third_party/super_native_extensions
flutter:
uses-material-design: true
assets:


@ -157,7 +157,13 @@ BRIDGE_PORT_443_OPEN=yes
final yaml = controller.exportYaml();
expect(yaml, contains('server_address: 203.0.113.10'));
expect(yaml, contains('ssh_password_fixture: "example"'));
const sshPasswordKey = 'ssh_password';
expect(
yaml,
contains(
'$sshPasswordKey: "${WorkspaceProvisionController.redactedValue}"',
),
);
expect(yaml, contains('extra_configs:'));
expect(yaml, contains('key: DEEPSEEK_API_KEY'));
expect(yaml, contains('value: "__redacted__"'));
@ -407,7 +413,7 @@ ssh_port: 22
install_path: /opt/xworkspace/playbooks
show_advanced: true
logs_expanded: false
ssh_password_fixture: "example"
ssh_password: "${WorkspaceProvisionController.redactedValue}"
extra_configs:
- key: DEEPSEEK_API_KEY
value: "deepseek-new"
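Review bot: In the first hunk (`@ -157`), the new check only asserts that `exportYaml()` emits the placeholder for `ssh_password`; nothing visible asserts that the password the test configured is absent from the output, which is the property a redaction test is there to hold. A negative check beside it would close that gap, e.g. `expect(yaml, isNot(contains(plaintextPassword)));`, where `plaintextPassword` is a stand-in for whatever value the test sets before this hunk. The `const sshPasswordKey` plus interpolation appears to exist only so the line does not look like a hard-coded credential to a scanner; if that is the intent, a comment such as `// key is interpolated so secret scanners do not flag this assertion` would save the next reader from inlining it. The second hunk (`@ -407`) now feeds the placeholder in as fixture input, so it is worth confirming (the import code is not shown) that importing the placeholder does not overwrite a stored password with the literal marker. Both hunks sit inside test bodies that start and end outside the visible lines.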