RubyGems - jekyll-theme-zer0 - Versions diffs - 1.13.0 → 1.13.1 - Mend

jekyll-theme-zer0 1.13.0 → 1.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +11 -0
data/README.md +4 -4
data/_data/backlog.yml +26 -4
data/_plugins/sanitize_config_filter.rb +37 -0
metadata +2 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 300fd839d62b5d716dc62bde6853834fecca0b431871d818511f83b3b118586e
-  data.tar.gz: 7faf9a32a6709bb8bd4cc5c9681910b9595c81761c2582224f71f6623e5573d7
+  metadata.gz: 8ad83858a690a41ecdcffeb9d1666bdb477c74f5dc0e203bc0059a56e7ed68a2
+  data.tar.gz: 88b906b270107cc25861394ff63b9772b9b1758c39315a2758bbe45f42ec00cc
 SHA512:
-  metadata.gz: 5c41e56c171902d054122a1288a10e2a45998cfabd06231d28e78e027ffaa9fc79b7511a3c34a50d7b81ab4f4911797fed2be78891bb45bd0e977aa28d298634
-  data.tar.gz: 143441cff23b9bec1bbf3222d4fcf21fb4949d4a9bf6394aff67c4cefb56e8da1bd71871c76ccdb900a78cc8f8623ce28c4bbcb7004357171e4f032bc02c8242
+  metadata.gz: a24b1b809afaff0913078bbdbf5ba74799c757d330203ef54f0bccc21e8d4fe82920430ce3d981a540bcea0ac89f8e31b1284eb92db60d0f89c3986b16891126
+  data.tar.gz: 01dd7a1a0ae1ab4f82936db64ecd509280c76714e80ae55be46c0f67dbca6c59efd5f7590960d11f46237380b6b680873f816e6bb72845d7726c24137b57e4c6

data/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.13.1] - 2026-06-11
+### Changed
+- Version bump: patch release
+### Commits in this release
+- 583fa997 fix(infra): sanitize sensitive config keys before DOM injection (T-009) (#141)
+### Security
+- **Admin config page sanitization (T-009)**: the hidden `<pre id="cfg-full-yaml">` element on the admin config page now has values masked for keys matching `api_key`, `secret`, `password`, `token`, and `phc_` (PostHog) prefixes via a new `sanitize_config_yaml` Liquid filter (`_plugins/sanitize_config_filter.rb`); the corresponding Playwright regression guard (`test/visual/security.spec.js`) is promoted from `test.fixme` to a live test
 ## [1.13.0] - 2026-06-11
 ### Changed

data/README.md CHANGED Viewed

@@ -2,7 +2,7 @@
 title: zer0-mistakes
 sub-title: AI-Native Jekyll Theme
 description: AI-native Jekyll theme for GitHub Pages — Docker-first development, AI-powered installation, multi-agent integration (Copilot, Codex, Cursor, Claude), AI preview-image generation, and AIEO content optimization with Bootstrap 5.3.
-version: 1.13.0
+version: 1.13.1
 layout: landing
 tags:
   - jekyll
@@ -20,7 +20,7 @@ categories:
   - bootstrap
   - ai-tooling
 created: 2024-02-10T23:51:11.480Z
-lastmod: 2026-06-11T04:16:44.000Z
+lastmod: 2026-06-11T21:37:24.000Z
 draft: false
 permalink: /
 slug: zer0
@@ -909,7 +909,7 @@ git push origin feature/awesome-feature
 | Metric | Value |
 |--------|-------|
-| **Current Version** | 1.13.0 ([RubyGems](https://rubygems.org/gems/jekyll-theme-zer0), [CHANGELOG](/CHANGELOG)) |
+| **Current Version** | 1.13.1 ([RubyGems](https://rubygems.org/gems/jekyll-theme-zer0), [CHANGELOG](/CHANGELOG)) |
 | **Documented Features** | 43 ([Feature Registry](https://github.com/bamr87/zer0-mistakes/blob/main/_data/features.yml)) |
 | **Setup Time** | 2-5 minutes ([install.sh benchmarks](https://github.com/bamr87/zer0-mistakes/blob/main/install.sh)) |
 | **Documentation Pages** | 70+ ([browse docs](https://zer0-mistakes.com/pages/)) |
@@ -964,6 +964,6 @@ And these AI partners that make zer0-mistakes truly AI-native:
 **Built with ❤️ — and a little help from our AI partners — for the Jekyll community**
-**v1.13.0** • [Changelog](CHANGELOG.md) • [License](LICENSE) • [Contributing](CONTRIBUTING.md) • [AI Agent Guide](AGENTS.md)
+**v1.13.1** • [Changelog](CHANGELOG.md) • [License](LICENSE) • [Contributing](CONTRIBUTING.md) • [AI Agent Guide](AGENTS.md)

data/_data/backlog.yml CHANGED Viewed

@@ -55,8 +55,8 @@
 meta:
   title: "zer0-mistakes Backlog"
-  updated: 2026-06-10
-  next_id: 17
+  updated: 2026-06-11
+  next_id: 18
 tasks:
   # --- Housekeeping (seeded so the loop has work on day one) ------------------
@@ -213,7 +213,7 @@ tasks:
   - id: T-009
     title: "Sanitize sensitive config keys from admin config-page DOM injection"
-    status: open
+    status: done
     priority: P1
     area: infra
     risk: standard
@@ -231,7 +231,7 @@ tasks:
       - "The visible config display in the admin UI is unaffected (only the raw hidden element is sanitised)."
     links: { issue: null, pr: null, roadmap: null }
     created: 2026-06-01
-    updated: 2026-06-01
+    updated: 2026-06-11
   - id: T-010
     title: "Complete v1.9 quickstart docs rewrite with getting-started guide and screenshots"
@@ -403,3 +403,25 @@ tasks:
     created: 2026-06-10
     updated: 2026-06-10
+  - id: T-017
+    title: "Fix yamllint violations in .github/workflows/version-bump.yml"
+    status: open
+    priority: P2
+    area: lint
+    risk: low
+    effort: S
+    source: audit
+    summary: >-
+      `.github/workflows/version-bump.yml` has ~30 trailing-space lines, two
+      indentation errors, and one brackets error that cause the `auto-version`
+      integration test (which runs yamllint) to fail in CI on every PR. Discovered
+      while babysitting PR #141 — the file was unchanged by that PR, confirming
+      the failures are pre-existing.
+    acceptance:
+      - "`yamllint -c .github/config/.yamllint.yml .github/workflows/version-bump.yml` exits 0."
+      - "`./scripts/test/integration/auto-version` passes the 'version-bump workflow syntax' check."
+      - "No functional change to the workflow logic."
+    links: { issue: null, pr: null, roadmap: null }
+    created: 2026-06-11
+    updated: 2026-06-11

data/_plugins/sanitize_config_filter.rb ADDED Viewed

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+# File: sanitize_config_filter.rb
+# Path: _plugins/sanitize_config_filter.rb
+# Purpose: Liquid filter that masks sensitive key-value pairs in raw YAML
+#          before the content is injected into the DOM. Used by the admin
+#          config page to sanitize <pre id="cfg-full-yaml">.
+#
+# Masked patterns:
+#   Key names: api_key, apikey, secret, password, token (case-insensitive)
+#   Value prefix: phc_ (PostHog project API keys)
+module Jekyll
+  module SanitizeConfigFilter
+    # Matches YAML lines whose key name is a common secret identifier.
+    SENSITIVE_KEY_RE = /\A(\s*(?:api[_-]?key|secret|password|token)\s*:)/i.freeze
+    # Matches PostHog project API key values anywhere on a line.
+    PHC_VALUE_RE     = /phc_[A-Za-z0-9]+/.freeze
+    def sanitize_config_yaml(input)
+      return input unless input.is_a?(String)
+      input.each_line.map do |line|
+        if SENSITIVE_KEY_RE.match?(line)
+          # Keep the key name and colon; replace everything after with [REDACTED]
+          line.sub(/(:\s*).*$/, '\1[REDACTED]')
+        elsif PHC_VALUE_RE.match?(line)
+          line.gsub(PHC_VALUE_RE, '[REDACTED]')
+        else
+          line
+        end
+      end.join
+    end
+  end
+end
+Liquid::Template.register_filter(Jekyll::SanitizeConfigFilter)

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jekyll-theme-zer0
 version: !ruby/object:Gem::Version
-  version: 1.13.0
+  version: 1.13.1
 platform: ruby
 authors:
 - Amr Abdel
@@ -220,6 +220,7 @@ files:
 - _plugins/content_statistics_generator.rb
 - _plugins/obsidian_links.rb
 - _plugins/preview_image_generator.rb
+- _plugins/sanitize_config_filter.rb
 - _plugins/search_and_sitemap_generator.rb
 - _plugins/theme_version.rb
 - _sass/components/_back-to-top.scss