6ddadcf3d5
Implement smallest concrete fix for P1 Tower Game: NPCs now have mutual trust values, converse when Timmy is absent, and exhibit one friendship pair (forge master ↔ gardener, trust ~0.8) and one tension pair (bridge keeper ↔ tower sentinel, trust ~-0.6). - Added NPC dataclass with trust dict and get_trust() - Defined 4 NPCs grouped: forge_master+gardener in FORGE; bridge_keeper+tower_sentinel in BRIDGE - Conversation pools: friendship, tension, neutral — selected by trust level - Updated GameState with npcs list - TowerGame tick() generates npc_conversation events when ≥2 NPCs share a room ≠ Timmy's - Expanded tests: TestNPCRelationships verifies relationships and conversation behavior Closes #515
Timmy Home
Timmy Foundation's home repository for development operations and configurations.
Security
Pre-commit Hook for Secret Detection
This repository includes a pre-commit hook that automatically scans for secrets (API keys, tokens, passwords) before allowing commits.
Setup
Install pre-commit hooks:
pip install pre-commit
pre-commit install
What Gets Scanned
The hook detects:
- API Keys: OpenAI (
sk-*), Anthropic (sk-ant-*), AWS, Stripe - Private Keys: RSA, DSA, EC, OpenSSH private keys
- Tokens: GitHub (
ghp_*), Gitea, Slack, Telegram, JWT, Bearer tokens - Database URLs: Connection strings with embedded credentials
- Passwords: Hardcoded passwords in configuration files
How It Works
Before each commit, the hook:
- Scans all staged text files
- Checks against patterns for common secret formats
- Reports any potential secrets found
- Blocks the commit if secrets are detected
Handling False Positives
If the hook flags something that is not actually a secret (e.g., test fixtures, placeholder values), you can:
Option 1: Add an exclusion marker to the line
# Add one of these markers to the end of the line:
api_key = "sk-test123" # pragma: allowlist secret
api_key = "sk-test123" # noqa: secret
api_key = "sk-test123" # secret-detection:ignore
Option 2: Use placeholder values (auto-excluded)
These patterns are automatically excluded:
changeme,password,123456,admin(common defaults)- Values containing
fake_,test_,dummy_,example_,placeholder_ - URLs with
localhostor127.0.0.1
Option 3: Skip the hook (emergency only)
git commit --no-verify # Bypasses all pre-commit hooks
⚠️ Warning: Only use --no-verify if you are certain no real secrets are being committed.
CI/CD Integration
The secret detection script can also be run in CI/CD:
# Scan specific files
python3 scripts/detect_secrets.py file1.py file2.yaml
# Scan with verbose output
python3 scripts/detect_secrets.py --verbose src/
# Run tests
python3 tests/test_secret_detection.py
Excluded Files
The following are automatically excluded from scanning:
- Markdown files (
.md) - Lock files (
package-lock.json,poetry.lock,yarn.lock) - Image and font files
node_modules/,__pycache__/,.git/
Testing the Detection
To verify the detection works:
# Run the test suite
python3 tests/test_secret_detection.py
# Test with a specific file
echo "API_KEY=sk-test123456789" > /tmp/test_secret.py
python3 scripts/detect_secrets.py /tmp/test_secret.py
# Should report: OpenAI API key detected
Development
Running Tests
# Run secret detection tests
python3 tests/test_secret_detection.py
# Run all tests
pytest tests/
Project Structure
.
├── .pre-commit-hooks.yaml # Pre-commit configuration
├── scripts/
│ └── detect_secrets.py # Secret detection script
├── tests/
│ └── test_secret_detection.py # Test cases
└── README.md # This file
Contributing
See CONTRIBUTING.md for contribution guidelines.
License
This project is part of the Timmy Foundation.