chore: harden .env allowlist in commit-msg hook + add **/.cache/ ignore

jdalton · jdalton · commit dd31532e4279 · 2026-04-25T03:02:15.000-04:00
Switches the commit-msg .env check to basename-based matching so nested
.env.test files are not blocked, and adds .env.precommit to the
allowlist alongside .env.example and .env.test. The previous regex
only blocked bare .env / .env.local at the repo root and would have
let through .env.production etc. — now blocks anything that doesn't
match the template allowlist at any depth.

Adds **/.cache/ to .gitignore as a defensive ignore for stray writers.
diff --git a/.git-hooks/commit-msg b/.git-hooks/commit-msg
@@ -23,8 +23,11 @@ if [ -n "$COMMITTED_FILES" ]; then
         ERRORS=$((ERRORS + 1))
       fi
 
-      # Check for .env files.
-      if echo "$file" | grep -qE '^\.env(\.local)?$'; then
+      # Check for .env files. Allow committed templates (.env.example,
+      # .env.test, .env.precommit) at any depth — they're tooling
+      # config, not secrets. Block bare .env / .env.local at any depth.
+      base=$(basename "$file")
+      if echo "$base" | grep -qE '^\.env(\.[^/]+)?$' && ! echo "$base" | grep -qE '^\.env\.(example|test|precommit)$'; then
         printf "${RED}✗ SECURITY: .env file in commit!${NC}\n"
         ERRORS=$((ERRORS + 1))
       fi
diff --git a/.gitignore b/.gitignore
@@ -19,6 +19,10 @@ Thumbs.db
 .nvm
 .pnpmfile.cjs
 node_modules/
+# Defensive cache ignore — Node compile-cache, corepack, and other
+# tools occasionally drop scratch dirs into a project-local .cache/.
+# node_modules/.cache/ is the canonical home for tools we control.
+**/.cache/
 npm-debug.log*
 pnpm-debug.log*
 yarn-error.log*
