Skip to content

Review repo-sentinel baseline before enabling a remote gate #5

Description

@stacknil

Context

repo-sentinel-lite is currently available only as a pre-push/manual full-repository hook in this repository. Promoting it directly to a required remote check would not create a trustworthy publication boundary yet.

Measured evidence

All output was kept redacted; this issue records counts only.

Decision

Do not add a blocking remote gate and do not regenerate the baseline automatically. A baseline refresh without review could suppress a real secret, while the current full scan would create excessive false-positive noise.

Acceptance criteria

  • Consume a reviewed release that contains changed-files scanning, baseline audit, redacted output, and fingerprint deduplication, or explicitly pin an immutable reviewed commit.
  • Manually classify ambiguous and unmatched findings without exposing token values in logs or issues.
  • Confirm no real credential is present; rotate first if any real secret is found.
  • Define the blocking policy: error-level changed-file findings fail; baseline drift remains a separate audit signal.
  • Ensure the workflow runs for all relevant file changes with contents: read only.
  • Add a synthetic pass/fail/redaction integration test before making the check required.
  • Record rollback as removal of the remote job while retaining the local pre-push hook.

Non-goals

  • No bulk baseline refresh for metric reduction.
  • No claim that repo-sentinel replaces human authorization, PII review, or the canonical placeholder validator.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions