From 4f49895abd8e59eb019780b87531d3ffd3f38765 Mon Sep 17 00:00:00 2001 From: Morgan Lunt Date: Mon, 8 Jun 2026 16:42:03 -0700 Subject: [PATCH] code-modernization: assess writes the full quarantine ignore set assess only added SECRETS.local.md to analysis/.gitignore, leaving *.local.patch uncovered until harden's own Step 0 ran. Both patterns are now written by whichever command runs first. --- plugins/code-modernization/commands/modernize-assess.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/plugins/code-modernization/commands/modernize-assess.md b/plugins/code-modernization/commands/modernize-assess.md index b098f02a..692bb643 100644 --- a/plugins/code-modernization/commands/modernize-assess.md +++ b/plugins/code-modernization/commands/modernize-assess.md @@ -151,8 +151,10 @@ need explained. discovered credential values must never appear in it. If the security-auditor found any hardcoded credentials: -1. Ensure `analysis/.gitignore` exists and contains the line - `SECRETS.local.md` (create or append as needed). If the project is a +1. Ensure `analysis/.gitignore` exists and contains the lines + `SECRETS.local.md` and `*.local.patch` (create or append as needed — + the patch pattern is used by `/modernize-harden`; writing both now + means the ignore set is complete from first contact). If the project is a git repo, verify with `git check-ignore -q analysis/$1/SECRETS.local.md` — do not write any findings until the check passes. If there is **no git repo** (check for `.svn`/`.hg`/`CVS` too — a `.gitignore` protects
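Review bot: the verification that follows the edited step still probes only `analysis/$1/SECRETS.local.md` with `git check-ignore -q`, so the newly written `*.local.patch` pattern is never checked, even though the step now claims the ignore set is "complete from first contact"; a mistyped or mis-placed pattern would pass silently. Suggest adding a second probe such as `git check-ignore -q analysis/$1/example.local.patch` (the filename is a placeholder; `check-ignore` matches on the pathname and does not require the file to exist), and run it as a separate invocation rather than passing both paths to one `check-ignore`, since that command exits 0 when any one of the given paths is ignored. Minor: "create or append as needed" can append duplicate lines on repeated runs; checking for each pattern before appending keeps `analysis/.gitignore` idempotent.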