chore: harden .env allowlist in commit-msg hook + add **/.cache/ ignore

jdalton · jdalton · commit f7edf8483053 · 2026-04-25T03:05:43.000-04:00
Switches the commit-msg .env check to basename-based matching so nested
.env.test files (e.g., .env.precommit, packages/&lt;pkg&gt;/.env.test) are
not blocked, and adds .env.precommit to the allowlist alongside
.env.example and .env.test. Previous regex was anchored to the repo
root and let through nested .env files entirely.

Adds **/.cache/ to .gitignore as a defensive ignore for stray writers
(Node compile-cache, corepack, pnpm RC). Tools we control already
write to node_modules/.cache/ which is covered by **/node_modules.
diff --git a/.git-hooks/commit-msg b/.git-hooks/commit-msg
@@ -23,8 +23,11 @@ if [ -n "$COMMITTED_FILES" ]; then
         ERRORS=$((ERRORS + 1))
       fi
 
-      # Check for .env files.
-      if echo "$file" | grep -qE '^\.env(\.[^/]+)?$' && ! echo "$file" | grep -qE '^\.env\.(example|test)$'; then
+      # Check for .env files. Allow committed templates (.env.example,
+      # .env.test, .env.precommit) at any depth — they're tooling
+      # config, not secrets. Block bare .env / .env.local at any depth.
+      base=$(basename "$file")
+      if echo "$base" | grep -qE '^\.env(\.[^/]+)?$' && ! echo "$base" | grep -qE '^\.env\.(example|test|precommit)$'; then
         printf "${RED}✗ SECURITY: .env file in commit!${NC}\n"
         ERRORS=$((ERRORS + 1))
       fi
diff --git a/.gitignore b/.gitignore
@@ -59,6 +59,9 @@ desktop.ini
 # store scratch dirs — cleared by pnpm install automatically).
 node_modules
 **/node_modules
+# Defensive cache ignore — Node compile-cache, corepack, and other
+# tools occasionally drop scratch dirs into a project-local .cache/.
+**/.cache/
 
 # Misc temporary/generated files
 Do
