toga-ai 1.0.48 → 1.0.49

package/knowledge/2.0/apps/worker2/features/elite-freshservice-sync.md

@@ -36,11 +36,12 @@ Dispatched via action `Elite/Webhook` on the worker queue.
 
 ## Constants
 
-```php
-const CLIENT_UUID_ELITE = '97627e9d-605f-3ded-9e83-97a4ec7a0c15';
-const API_UUID_ELITE    = 'ee08cf3d-caee-462d-adb5-acc5c36b1f01';
-const API_SECRET_ELITE  = 'c2701d21-1908-4895-aaed-2e6456710e8d';
-```
+Defined in `worker2/Worker/Elite.php` — **values not reproduced here (credentials);
+read them from the source/config:**
+
+- `CLIENT_UUID_ELITE` — Elite's TOGA 2 client UUID
+- `API_UUID_ELITE` — API identity UUID
+- `API_SECRET_ELITE` — API secret (sensitive)
 
 ## Freshservice API — gotchas
 

package/knowledge/clients/elite/profile.md

@@ -3,10 +3,10 @@ title: Elite
 framework: "2.0"
 project: Worker
 client: elite
-type: client-feature
+type: profile
 status: active
 updated: 2026-06-10
-owners: []
+owners: [snaredla]
 files:
   - worker2/Worker/Elite.php
   - library/app/api/toga2.php
@@ -23,13 +23,12 @@ keeps Freshservice and TOGA 2 in sync via webhook-driven worker jobs.
 
 ## TOGA 2 API credentials
 
-Constants live in `worker2/Worker/Elite.php`:
+Three constants live in `worker2/Worker/Elite.php` — **values intentionally not reproduced
+here. Read them from the source/config; never paste secret values into knowledge docs.**
 
-```php
-const CLIENT_UUID_ELITE = '97627e9d-605f-3ded-9e83-97a4ec7a0c15';
-const API_UUID_ELITE    = 'ee08cf3d-caee-462d-adb5-acc5c36b1f01';
-const API_SECRET_ELITE  = 'c2701d21-1908-4895-aaed-2e6456710e8d';
-```
+- `CLIENT_UUID_ELITE` — Elite's TOGA 2 client UUID
+- `API_UUID_ELITE` — API identity UUID
+- `API_SECRET_ELITE` — API secret (sensitive; treat as a credential)
 
 The library version of the sync methods (`library/app/api/toga2.php`) passes these in as
 parameters — they are not constants there.

package/knowledge.js

@@ -541,6 +541,37 @@ function relRow(d, baseDir) {
     return `| [${d.data.title || path.basename(d.file, '.md')}](${relLink(d, baseDir)}) | ${firstSentence(d.body)} | ${(d.data.files || []).join(', ')} |`;
 }
 
+/* ------------------------------------------------------------------ */
+/* secret scanner — knowledge docs must never contain credential       */
+/* values. High-confidence patterns only (named secret assignments,    */
+/* AWS keys, PEM blocks) so legitimate UUIDs/IDs don't false-positive.  */
+/* Wired into validate → blocks publish on a hit.                       */
+/* ------------------------------------------------------------------ */
+
+const SECRET_NAME = /(secret|password|passwd|api[_-]?key|apikey|access[_-]?key|client[_-]?secret|private[_-]?key|auth[_-]?token|bearer)/i;
+const SECRET_PLACEHOLDER = /(<[^>]+>|redact|example|placeholder|your[_-]|xxxx|\.\.\.|\*\*\*|changeme|dummy|sensitive|not reproduced)/i;
+
+function scanSecrets(content) {
+    const hits = [];
+    const lines = content.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+        const ln = lines[i];
+        if (/-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----/.test(ln)) { hits.push({ line: i + 1, reason: 'private key block' }); continue; }
+        if (/\bAKIA[0-9A-Z]{16}\b/.test(ln)) { hits.push({ line: i + 1, reason: 'AWS access key id' }); continue; }
+        // NAME = "value" or NAME: value where NAME looks like a credential
+        const m = ln.match(/([A-Za-z0-9_]*(?:secret|password|passwd|api[_-]?key|apikey|access[_-]?key|client[_-]?secret|private[_-]?key|auth[_-]?token)[A-Za-z0-9_]*)\s*[:=]\s*['"]?([^'"\s]{8,})['"]?/i);
+        if (m && SECRET_NAME.test(m[1]) && !SECRET_PLACEHOLDER.test(ln)) {
+            // Only flag a literal-looking value (hex/token/base64). Reject code
+            // references like `_Config::database(...)`, `getenv(...)`, `$var` — those
+            // are how secrets SHOULD be loaded, not leaked values.
+            const val = m[2];
+            const looksLiteral = /^[A-Za-z0-9_\-\/+=.]{8,}$/.test(val) && !/^[A-Z][A-Za-z0-9_]*$/.test(val);
+            if (looksLiteral) hits.push({ line: i + 1, reason: `literal value assigned to "${m[1]}"` });
+        }
+    }
+    return hits;
+}
+
 /* ------------------------------------------------------------------ */
 /* command: validate                                                   */
 /* ------------------------------------------------------------------ */
@@ -597,6 +628,10 @@ function cmdValidate() {
             }
         }
         if (ELEVATED_TYPES.includes(d.data.type)) elevated.push(d.rel);
+        for (const s of scanSecrets(fs.readFileSync(d.file, 'utf8'))) {
+            fail(`${d.rel}:${s.line}: possible secret committed — ${s.reason}; redact it (reference the config/constant location, never paste credential values into knowledge docs)`);
+            ok = false;
+        }
     }
 
     if (elevated.length) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "toga-ai",
-  "version": "1.0.48",
+  "version": "1.0.49",
   "description": "TOGA Technology Team Claude Knowledge System — shared AI coding harness with skills, knowledge base CLI, and project installer for Claude Code.",
   "keywords": [
     "claude",

package/skills/capture/SKILL.md

@@ -143,6 +143,12 @@ For a client `profile.md`, the `title:` **is** the client's formal name (e.g. "C
 there is no separate name field; `validate` requires `title`. See New-client onboarding.
 Add `related:` cross-links. Append new repos to `<TEAM_REPO>/knowledge/registry.json`.
 
+**Never paste secret VALUES into a doc** — no API secrets, passwords, private keys, tokens,
+or live credential strings. Document *where* a credential lives (the constant name, the
+config key, the file) but not its value. `validate` (run by Step 6's publish and the
+pre-commit hook) scans for credential literals and **fails the publish** if it finds one, so
+a leaked secret blocks the whole capture until redacted. Reference, never reproduce.
+
 ## Step 6 — Publish (validate → index → mirror → rebase-push, one command)
 
 Finish every capture with the deterministic publisher — **do not** run validate/index/git