mirror of
https://github.com/tiennm99/bsk.git
synced 2026-06-18 11:39:12 +00:00
tiennm99
eeda68c34a
Defense-in-depth check that fails the build (and the local pre-push workflow) if a server secret value is assigned to a NEXT_PUBLIC_* variable — those get bundled into the browser by Next.js. - scripts/check-no-secret-leak.mjs: git grep for the assignment shape, excluding lockfiles and the script itself - package.json: pnpm check:no-secret-leak - .github/workflows/ci.yml: run the guard right after install, before format/lint/typecheck/build - docs/threat-model.md: close the last Unresolved item