check-no-secrets
Install: claude install-skill dravr-ai/dravr-embacle
# Check for Secrets Skill
## Purpose
Scans the codebase for accidentally committed secrets, credentials, API keys, and other sensitive data, so that leaked credentials are caught before they lead to a security breach.
## CLAUDE.md Compliance
- ✅ Enforces no hardcoded secrets
- ✅ Validates environment variable usage
- ✅ Checks git history for leaked credentials
- ✅ Security-critical validation
## Usage
Run this skill:
- Before every commit
- Before pull requests
- After adding new integrations
- Weekly security scans
- Before production deployments
## Prerequisites
- ripgrep (`rg`)
- git
## Commands
### Quick Secret Scan
```bash
# Run automated secret detection
./scripts/ci/validate-no-secrets.sh
```
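For the "before every commit" case, scanning only the lines a commit would add keeps the check fast and avoids re-reporting old findings. The sketch below is an added example, not the project's `validate-no-secrets.sh` (its contents are not shown on this page); the function names are hypothetical, the patterns are taken from the `rg` commands in the Comprehensive Secret Detection section, and `grep -E -i` is assumed in place of `rg`.

```sh
#!/bin/sh
# Added example, not the project's validate-no-secrets.sh.
# Patterns are copied from this page's rg commands; grep -E -i stands in for
# rg so the sketch has no ripgrep dependency (an assumption of this example).
write_patterns() {
  cat <<'EOF'
api[_-]?key.*=.*['"][a-zA-Z0-9]{20,}
password.*=.*['"][^'"]{8,}
token.*=.*['"][a-zA-Z0-9]{40,}
(postgres|mysql|mongodb)://
EOF
}

# scan_added_lines: read a unified diff on stdin, print "file:line:text" for
# each ADDED line matching a pattern, return 1 if any matched, else 0.
# Limitation: an added line whose text begins with "++ " is read as a header.
scan_added_lines() {
  pats=$(mktemp) || return 2
  write_patterns > "$pats"
  file="" lineno=0 found=0
  while IFS= read -r l; do
    case $l in
      '+++ '*) file=${l#'+++ '}; file=${file#b/} ;;         # new-file path
      '@@ '*)  lineno=${l#*+}; lineno=${lineno%%[!0-9]*} ;; # "+c,d" -> c
      '+'*)    text=${l#+}
               if printf '%s\n' "$text" | grep -Eiq -f "$pats"; then
                 printf '%s:%s:%s\n' "$file" "$lineno" "$text"
                 found=1
               fi
               lineno=$((lineno + 1)) ;;
      ' '*)    lineno=$((lineno + 1)) ;;  # context line: advance numbering only
    esac                                  # '-' lines (removals) are ignored
  done
  rm -f "$pats"
  return "$found"
}

# Typical use as a pre-commit check (staged changes only):
#   git diff --cached -U0 | scan_added_lines || { echo "secret found"; exit 1; }
```

Removed lines are deliberately not reported, so a secret deleted in the working tree still has to be found by a history scan and rotated.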
### Comprehensive Secret Detection
```bash
# 1. Check for API keys
echo "🔑 Checking for API keys..."
rg -i "api[_-]?key.*=.*['\"][a-zA-Z0-9]{20,}" src/ --type rust -n
# 2. Check for passwords
echo "🔒 Checking for hardcoded passwords..."
rg -i "password.*=.*['\"][^'\"]{8,}" src/ --type rust -n | grep -v "example"
# 3. Check for tokens
echo "🎫 Checking for access tokens..."
rg -i "token.*=.*['\"][a-zA-Z0-9]{40,}" src/ --type rust -n
# 4. Check for database URLs
echo "🗄️ Checking for database URLs..."
rg "postgres://|mysql://|mongodb://" src/ --type rust -n
# 5. Check for OAuth secrets
echo "🔐 Checking for OAuth client secrets..."
rg "client_secret.*=.*['\"]" src/ --type rust -n | grep -v "env\|config"
# 6. Check for encryption keys
echo "🔓 Checking for hardcoded encryption keys..."
rg "const.*KEY.*=.*['\"][A-Z