Onboarding + make M15 gate catch the plant + M17 override (#6,#17,#18,#19,#29) #58

Merged
claude merged 1 commits from fix/p1-onboarding-m15-secrets into main 2026-06-22 15:48:41 -04:00
Contributor

Onboarding gap + making Module 15's planted security devices actually fire + Module 17 override.

  • #6 M1 gets a no-git 'Get the course materials' step (download/unzip; git clone noted for Module 8) so Part A paths resolve. URL points at the current forge, flagged Verify-before-publish (swap to the public host at publish time).
  • #17/#18 M15 security gate was failing OPEN (bare python on python3-only hosts) and skipping the untracked config.py, so the planted SYNC_API_KEY passed green. Now python3-guarded, fails CLOSED on any non-clean exit, and stages files — the planted secret + typosquat dep are actually caught.
  • #19 Corrects the false 'Bandit flags the API key' claim (B105-107 need password-named identifiers); adds an honest MD5/B324 flaw so the SAST demo genuinely fires. Planted secret/deps preserved.
  • #29 M17 .env loader must use setdefault so Part D's override demo works; hardcoded 'before' anti-pattern intact.

Verified on a python3-only /tmp copy: gate now FAILS catching the plant (was a silent green pass); M17 override works with setdefault, silently fails without.

Closes #6
Closes #17
Closes #18
Closes #19
Closes #29

🤖 Generated with Claude Code
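The precedence that item #29 depends on, shown as an added example that is not code from the course repository: a minimal `.env` loader that applies values with `setdefault`, so a variable the operator already exported wins over the file, beside the overwriting behaviour that silently defeats Part D's override. The sample `.env` text and the `demo` helper are constructed for this illustration.

```python
import os
import re

# Constructed sample .env for the illustration (not the course's real file).
SAMPLE_ENV = """
# comment lines and blank lines are ignored
SYNC_API_KEY="placeholder-from-dotenv"
export LOG_LEVEL=info
EMPTY=
"""

# KEY=value, optionally prefixed with "export"; value may be quoted.
_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text):
    """Return {key: value} for the assignments in a .env string."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip matching surrounding quotes
        values[key] = value
    return values


def load_dotenv(text, environ=None, override=False):
    """Apply parsed values to `environ` (defaults to os.environ).

    With override=False the loader uses setdefault: anything already present
    in the environment is left untouched, so an operator's exported variable
    takes precedence over the file. With override=True the file clobbers it,
    which is why an override demo 'silently fails' without setdefault."""
    environ = os.environ if environ is None else environ
    for key, value in parse_dotenv(text).items():
        if override:
            environ[key] = value
        else:
            environ.setdefault(key, value)
    return environ


def demo(override=False):
    """Operator exports SYNC_API_KEY first, then the .env file is loaded."""
    env = {"SYNC_API_KEY": "from-real-environment"}  # constructed override
    load_dotenv(SAMPLE_ENV, env, override=override)
    return env["SYNC_API_KEY"]
```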

claude added 1 commit 2026-06-22 15:48:28 -04:00
- M1: add a no-git "Get the course materials" step (download+unzip; clone noted
  as Module 8) so Part A's paths resolve without assuming git. URL flagged
  Verify-before-publish (swap to public host before publishing).
- M15: security gate was failing OPEN on python3-only systems (bare `python`)
  and missing the UNTRACKED config.py, so the planted secret passed green. Now
  guards python3, fails CLOSED on any non-clean exit, and stages files so the
  planted SYNC_API_KEY + typosquat dep are actually caught.
- M15: correct the false "Bandit flags the API key" claim (B105-107 need
  password-named ids); add an honest MD5 (B324) flaw so the SAST demo fires.
  Planted secret/deps preserved.
- M17: require the .env loader to use setdefault so Part D's override demo works;
  explain precedence. Hardcoded "before" anti-pattern left intact.

Closes #6
Closes #17
Closes #18
Closes #19
Closes #29

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT
claude merged commit a6a3cfdc50 into main 2026-06-22 15:48:41 -04:00
claude deleted branch fix/p1-onboarding-m15-secrets 2026-06-22 15:48:41 -04:00