Install: claude install-skill Starr-del/ShipSafe
# secret-preflight
Part of **shipsafe** — offline deploy-safety skills. Every script is stdlib-only Python 3.8+; nothing leaves the machine.
```bash
python3 scripts/scan_secrets.py <project_root> [--json]
```
Two detection layers:
1. High-precision patterns for real key formats: AWS, GitHub, Stripe (live vs test severity), OpenAI, Anthropic, Slack, Google, Supabase, private-key blocks, hardcoded JWTs, Postgres URLs with embedded passwords. JWTs are decoded offline: a payload with `"role":"service_role"` is escalated to a dedicated Supabase SERVICE_ROLE finding — that key bypasses Row Level Security entirely, so anywhere near client code it means the whole database is public. This single mistake is behind the largest documented vibe-coding breaches.
2. Entropy analysis on assignments to secret-named variables (SECRET/TOKEN/API_KEY/...), with placeholder filtering to avoid false positives on 'your-api-key-here'.
Also verifies .gitignore actually covers .env files. Local .env contents are intentionally NOT flagged — that's where secrets belong; committed code is what's scanned.
Critical follow-ups when something is found:
- If the key was EVER committed, removing the line is not enough — it lives in git history. The key must be ROTATED. Say this explicitly.
- A finding can be suppressed for a known-safe line by adding the comment `secret-preflight: allow`.
Exit codes: 0 clean, 1 findings.
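The two detection layers and the allow comment, as an added stdlib-only sketch rather than the skill's own `scan_secrets.py`: the severity labels, the 3.5-bit entropy threshold, the placeholder regex and the dummy JWT builder are assumptions made for the illustration.

```python
# Illustration of the two layers above, added here (not the shipsafe
# scan_secrets.py source). Sample lines and the dummy JWTs are constructed.
import base64, json, math, re
from collections import Counter
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
ASSIGN_RE = re.compile(r"(?i)\b(\w*(?:SECRET|TOKEN|API_KEY)\w*)\s*[:=]\s*['\"]([^'\"]+)['\"]")
PLACEHOLDER_RE = re.compile(r"(?i)your[-_ ]|changeme|example|xxx|<.*>|\$\{")
ALLOW_MARK = "secret-preflight: allow"

def b64url_json(segment: str) -> dict:
    # JWT segments drop base64 padding; restore it before decoding
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def shannon_entropy(s: str) -> float:
    # bits per character: random 32-char keys sit near 4.5-5, English words near 3
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def scan_line(line: str) -> list:
    """Return (severity, kind) findings for one line of committed source."""
    if ALLOW_MARK in line:
        return []  # reviewer marked this line known-safe
    findings = []
    for token in JWT_RE.findall(line):
        try:
            payload = b64url_json(token.split(".")[1])
        except (ValueError, json.JSONDecodeError):
            continue  # looks like a JWT but does not decode; ignore it
        if payload.get("role") == "service_role":
            findings.append(("CRITICAL", "SUPABASE_SERVICE_ROLE_JWT"))  # bypasses RLS
        else:
            findings.append(("HIGH", "HARDCODED_JWT"))
    for name, value in ASSIGN_RE.findall(line):
        if len(value) < 16 or PLACEHOLDER_RE.search(value):
            continue  # 'your-api-key-here' style placeholder, not a secret
        if shannon_entropy(value) > 3.5:
            findings.append(("MEDIUM", "HIGH_ENTROPY_" + name.upper()))
    return findings

def make_dummy_jwt(payload: dict) -> str:  # unsigned, constructed for the samples
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(payload) + ".dummysig"
SERVICE_JWT = make_dummy_jwt({"role": "service_role"})
ANON_JWT = make_dummy_jwt({"role": "anon"})
SAMPLE = [  # constructed lines standing in for committed client code
    f'const supabase = createClient(url, "{SERVICE_JWT}")',
    f'const anon = "{ANON_JWT}"',
    'API_KEY = "your-api-key-here"',
    'SECRET_TOKEN = "q7Zp2mX9vL4kR8tN1yB6wC3hJ0dF5sG"',
    'SECRET_TOKEN = "q7Zp2mX9vL4kR8tN1yB6wC3hJ0dF5sG"  # secret-preflight: allow',
]
```

Running `scan_line` over `SAMPLE` yields one CRITICAL service_role finding, one HIGH hardcoded-JWT finding, one MEDIUM entropy finding, and nothing for the placeholder or the allow-marked line.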
All paths below are relative to this skill's directory (secret-preflight/).