From 97ec347b3a0e7aac368212196ba5e4509e5882a0 Mon Sep 17 00:00:00 2001
From: Xen <xen@openclaw.ai>
Date: Mon, 2 Mar 2026 10:55:17 +0000
Subject: [PATCH] chore: add missing repo policy files (auto-enforced)

Applied 7 policy files via audit-repo-policies.sh.
Repo type: shell
Files: Makefile .editorconfig .prettierrc .prettierignore .dockerignore .gitignore tools/secret-scan.sh
---
 .dockerignore        |  5 ++++
 .editorconfig        | 15 ++++++++++
 .gitignore           | 10 +++++++
 .prettierignore      |  4 +++
 .prettierrc          |  6 ++++
 Makefile             | 28 ++++++++++++++++++
 tools/secret-scan.sh | 69 ++++++++++++++++++++++++++++++++++++++++++++
 7 files changed, 137 insertions(+)
 create mode 100644 .dockerignore
 create mode 100644 .editorconfig
 create mode 100644 .gitignore
 create mode 100644 .prettierignore
 create mode 100644 .prettierrc
 create mode 100644 Makefile
 create mode 100755 tools/secret-scan.sh

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..af75543
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,5 @@
+.git
+node_modules
+coverage
+*.md
+!README.md
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..fddf9c1
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,15 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[Makefile]
+indent_style = tab
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..651d4b4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,10 @@
+node_modules/
+coverage/
+dist/
+.env
+.env.*
+!.env.example
+*.log
+.DS_Store
+*.swp
+*~
diff --git a/.prettierignore b/.prettierignore
new file mode 100644
index 0000000..e56696c
--- /dev/null
+++ b/.prettierignore
@@ -0,0 +1,4 @@
+node_modules
+*.min.js
+coverage
+dist
diff --git a/.prettierrc b/.prettierrc
new file mode 100644
index 0000000..c8018ac
--- /dev/null
+++ b/.prettierrc
@@ -0,0 +1,6 @@
+{
+    "singleQuote": true,
+    "trailingComma": "all",
+    "tabWidth": 4,
+    "proseWrap": "always"
+}
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..2ce3034
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,28 @@
+.PHONY: check test lint fmt fmt-check secret-scan
+
+check: lint fmt-check secret-scan test
+
+test:
+	@echo "Running tests..."
+	@if [ -d tests ] && ls tests/test-*.sh >/dev/null 2>&1; then \
+		for t in tests/test-*.sh; do echo "  $$t"; bash "$$t"; done; \
+	else \
+		echo "  No tests found"; \
+	fi
+
+lint:
+	@echo "Linting..."
+	@if command -v shellcheck >/dev/null 2>&1; then \
+		find . -name '*.sh' -not -path './.git/*' -not -path './node_modules/*' -exec shellcheck {} +; \
+	else \
+		echo "  shellcheck not installed, skipping"; \
+	fi
+
+fmt:
+	@echo "No formatter configured for shell scripts"
+
+fmt-check:
+	@echo "No format check for shell scripts"
+
+secret-scan:
+	bash tools/secret-scan.sh .
diff --git a/tools/secret-scan.sh b/tools/secret-scan.sh
new file mode 100755
index 0000000..c7e5efe
--- /dev/null
+++ b/tools/secret-scan.sh
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# secret-scan.sh — Scans for private keys and high-entropy secrets
+# Usage: bash tools/secret-scan.sh [directory]
+# Uses .secret-scan-allowlist for false positives (one file path per line)
+
+set -e
+
+SCAN_DIR="${1:-.}"
+ALLOWLIST=".secret-scan-allowlist"
+FINDINGS=0
+
+# Build find exclusions
+EXCLUDES=(-not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/coverage/*" -not -path "*/dist/*")
+
+# Load allowlist
+ALLOWLIST_PATHS=()
+if [ -f "$ALLOWLIST" ]; then
+    while IFS= read -r line || [ -n "$line" ]; do
+        [[ "$line" =~ ^#.*$ || -z "$line" ]] && continue
+        ALLOWLIST_PATHS+=("$line")
+    done < "$ALLOWLIST"
+fi
+
+is_allowed() {
+    local file="$1"
+    for allowed in "${ALLOWLIST_PATHS[@]}"; do
+        if [[ "$file" == *"$allowed"* ]]; then
+            return 0
+        fi
+    done
+    return 1
+}
+
+echo "Scanning $SCAN_DIR for secrets..."
+
+# Scan for private keys
+while IFS= read -r file; do
+    [ -f "$file" ] || continue
+    is_allowed "$file" && continue
+    if grep -qE '-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null; then
+        echo "FINDING [private-key]: $file"
+        FINDINGS=$((FINDINGS + 1))
+    fi
+done < <(find "$SCAN_DIR" "${EXCLUDES[@]}" -type f)
+
+# Scan for high-entropy hex strings (40+ chars)
+while IFS= read -r file; do
+    [ -f "$file" ] || continue
+    is_allowed "$file" && continue
+    if grep -qE '[0-9a-f]{40,}' "$file" 2>/dev/null; then
+        # Filter out common false positives (git SHAs in lock files, etc.)
+        BASENAME=$(basename "$file")
+        if [[ "$BASENAME" != "package-lock.json" && "$BASENAME" != "*.lock" ]]; then
+            MATCHES=$(grep -oE '[0-9a-f]{40,}' "$file" 2>/dev/null || true)
+            if [ -n "$MATCHES" ]; then
+                echo "FINDING [high-entropy-hex]: $file"
+                FINDINGS=$((FINDINGS + 1))
+            fi
+        fi
+    fi
+done < <(find "$SCAN_DIR" "${EXCLUDES[@]}" -type f -not -name "package-lock.json" -not -name "*.lock")
+
+if [ "$FINDINGS" -gt 0 ]; then
+    echo "secret-scan: $FINDINGS finding(s) — FAIL"
+    exit 1
+else
+    echo "secret-scan: clean — PASS"
+    exit 0
+fi