M15: change planted secret pattern + note hosted-forge push protection (#109)
Sync course wiki / sync-wiki (push) Successful in 5s
CI / check (push) Successful in 7s

Co-authored-by: claude <claude@jpaul.io>
Co-committed-by: claude <claude@jpaul.io>
This commit was merged in pull request #109.
2026-06-24 21:12:57 -04:00
committed by Claude (agent)
parent 70d91722b7
commit 556b5a7256
2 changed files with 10 additions and 1 deletions
@@ -432,6 +432,15 @@ runs on every push and blocks the merge.
---
### Gate 0: your hosted forge
Most hosted forges run their own secret scanner on every push and reject the push if it finds a
recognized key pattern (GitHub calls this *push protection*; GitLab and others have equivalents).
That happens **before** any CI you wrote runs, so it is effectively *Gate 0* in this module. The
planted `SYNC_API_KEY` in `lab/config.py` uses a generic high-entropy value (not an issuer
pattern) so the lab can ship; in your real repo, treat your forge's push protection as the
earliest gate and never paper over a bypass.
## Where it breaks
The honest limits (these gates are necessary, not sufficient):
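Review bot: The sentence about the planted `SYNC_API_KEY` in the new Gate 0 paragraph says the key uses a generic high-entropy value "so the lab can ship", but it leaves out the consequence the reader needs. Push protection rejects recognized key patterns, so a generic secret like this one passes Gate 0 unnoticed. Suggest stating that explicitly, either in this paragraph or as an item under "Where it breaks", so Gate 0 is not read as covering what the later gates are for. The closing "never paper over a bypass" would also be easier to act on if it named the expected response when a push is blocked, for example removing the secret from history and rotating it rather than bypassing the block. One style point: as rendered, `### Gate 0` sits after the `---` rule and directly before `## Where it breaks`, so check that the heading level and the rule placement put it in the section you intend.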