chore: add missing repo policy files (auto-enforced)

Applied 7 policy files via audit-repo-policies.sh.
Repo type: shell
Files: Makefile .editorconfig .prettierrc .prettierignore .dockerignore .gitignore tools/secret-scan.sh

.dockerignore

@@ -0,0 +1,5 @@
+.git
+node_modules
+coverage
+*.md
+!README.md

.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[Makefile]
+indent_style = tab

.gitignore

@@ -0,0 +1,10 @@
+node_modules/
+coverage/
+dist/
+.env
+.env.*
+!.env.example
+*.log
+.DS_Store
+*.swp
+*~

.prettierignore

@@ -0,0 +1,4 @@
+node_modules
+*.min.js
+coverage
+dist

.prettierrc

@@ -0,0 +1,6 @@
+{
+    "singleQuote": true,
+    "trailingComma": "all",
+    "tabWidth": 4,
+    "proseWrap": "always"
+}

Makefile

@@ -0,0 +1,28 @@
+.PHONY: check test lint fmt fmt-check secret-scan
+
+check: lint fmt-check secret-scan test
+
+test:
+	@echo "Running tests..."
+	@if [ -d tests ] && ls tests/test-*.sh >/dev/null 2>&1; then \
+		for t in tests/test-*.sh; do echo "  $$t"; bash "$$t"; done; \
+	else \
+		echo "  No tests found"; \
+	fi
+
+lint:
+	@echo "Linting..."
+	@if command -v shellcheck >/dev/null 2>&1; then \
+		find . -name '*.sh' -not -path './.git/*' -not -path './node_modules/*' -exec shellcheck {} +; \
+	else \
+		echo "  shellcheck not installed, skipping"; \
+	fi
+
+fmt:
+	@echo "No formatter configured for shell scripts"
+
+fmt-check:
+	@echo "No format check for shell scripts"
+
+secret-scan:
+	bash tools/secret-scan.sh .

tools/secret-scan.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# secret-scan.sh — Scans for private keys and high-entropy secrets
+# Usage: bash tools/secret-scan.sh [directory]
+# Uses .secret-scan-allowlist for false positives (one file path per line)
+
+set -e
+
+SCAN_DIR="${1:-.}"
+ALLOWLIST=".secret-scan-allowlist"
+FINDINGS=0
+
+# Build find exclusions
+EXCLUDES=(-not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/coverage/*" -not -path "*/dist/*")
+
+# Load allowlist
+ALLOWLIST_PATHS=()
+if [ -f "$ALLOWLIST" ]; then
+    while IFS= read -r line || [ -n "$line" ]; do
+        [[ "$line" =~ ^#.*$ || -z "$line" ]] && continue
+        ALLOWLIST_PATHS+=("$line")
+    done < "$ALLOWLIST"
+fi
+
+is_allowed() {
+    local file="$1"
+    for allowed in "${ALLOWLIST_PATHS[@]}"; do
+        if [[ "$file" == *"$allowed"* ]]; then
+            return 0
+        fi
+    done
+    return 1
+}
+
+echo "Scanning $SCAN_DIR for secrets..."
+
+# Scan for private keys
+while IFS= read -r file; do
+    [ -f "$file" ] || continue
+    is_allowed "$file" && continue
+    if grep -qE '-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null; then
+        echo "FINDING [private-key]: $file"
+        FINDINGS=$((FINDINGS + 1))
+    fi
+done < <(find "$SCAN_DIR" "${EXCLUDES[@]}" -type f)
+
+# Scan for high-entropy hex strings (40+ chars)
+while IFS= read -r file; do
+    [ -f "$file" ] || continue
+    is_allowed "$file" && continue
+    if grep -qE '[0-9a-f]{40,}' "$file" 2>/dev/null; then
+        # Filter out common false positives (git SHAs in lock files, etc.)
+        BASENAME=$(basename "$file")
+        if [[ "$BASENAME" != "package-lock.json" && "$BASENAME" != "*.lock" ]]; then
+            MATCHES=$(grep -oE '[0-9a-f]{40,}' "$file" 2>/dev/null || true)
+            if [ -n "$MATCHES" ]; then
+                echo "FINDING [high-entropy-hex]: $file"
+                FINDINGS=$((FINDINGS + 1))
+            fi
+        fi
+    fi
+done < <(find "$SCAN_DIR" "${EXCLUDES[@]}" -type f -not -name "package-lock.json" -not -name "*.lock")
+
+if [ "$FINDINGS" -gt 0 ]; then
+    echo "secret-scan: $FINDINGS finding(s) — FAIL"
+    exit 1
+else
+    echo "secret-scan: clean — PASS"
+    exit 0
+fi