KB-1C7A
Hardcode Cleanliness Audit · 02 Secret / Credential Scan
Revision 1
doc 2 of 7 · 2026-05-20 · G1 gate
phase : G1 — secret / credential scan
outcome : G1 PASS — zero secret values found in repo
production_mutation : NONE
1. Patterns searched
All five searches ran against *.py, *.sql, *.yaml, *.yml, *.md,
*.json (excluding .git/); 1.5 ran over the whole tree with no --include
filter. The commands are GNU grep -rnE (-rniE for 1.2, so the keyword
alternation is case-insensitive); the patterns rely on the \s and \b
extensions to ERE, so they are not portable to a non-GNU grep. Results
are reproduced exactly as grep emitted them; "(zero hits)" records a
command that produced no output.
1.1 DSN with embedded credentials
grep -rnE "postgres(ql)?://[^/\s\"']*:[^@\s\"']+@" --include='*.py' ...
→ (zero hits)
1.2 Bearer / API key / secret / token / password literal assignments
grep -rniE "(bearer|api[_-]?key|secret|token|password)\s*[=:]\s*[\"'][A-Za-z0-9/+_=-]{16,}[\"']" ...
(excluding {secret_id, secret_name, /secrets/, secret_version, stub, test,
fake, REDACTED, REPLACE, <…>, SECRET_PATTERNS, empty})
→ (zero hits)
1.3 Explicit credential-env-var assignments
grep -rnE "\b(PGPASSWORD|DATABASE_URL|PG_DSN)\s*=\s*[\"'][^\"']+[\"']" --include='*.py' ...
→ (zero hits)
1.4 IPv4 production addresses
grep -rnE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' --include='*.py' --include='*.yaml'
(excluding loopback / null / RFC1918 / 1.2.3 / spec / test)
→ (zero hits)
1.5 Private keys / certs embedded in source
grep -rnE '(BEGIN (RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY|BEGIN CERTIFICATE)' .
→ (zero hits)
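The five rules above as one scanner that can be rerun over any file or a CI diff. This is an added example, not the audit's tooling and not cutter_agent code. It takes the section-1 regexes unchanged (Python's re engine accepts them directly, so no shell quoting is involved) and makes two assumptions about how the audit applied its exclusions: the 1.2 exclusion list is a substring test on the matching line, and under 1.4 "null" means 0.0.0.0, "1.2.3" means addresses under that placeholder prefix, and "spec / test" means lines mentioning those words. The sample lines are constructed for the example and are not from the audited repo.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Iterable, List, NamedTuple

# The five section-1 patterns, unchanged except that Python's re engine
# takes them directly (no shell quoting).
DSN_WITH_CREDS = re.compile(r'postgres(ql)?://[^/\s"\']*:[^@\s"\']+@')
SECRET_LITERAL = re.compile(
    r'(bearer|api[_-]?key|secret|token|password)\s*[=:]\s*["\'][A-Za-z0-9/+_=-]{16,}["\']',
    re.IGNORECASE)
CRED_ENV_ASSIGN = re.compile(r'\b(PGPASSWORD|DATABASE_URL|PG_DSN)\s*=\s*["\'][^"\']+["\']')
IPV4 = re.compile(r'\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')
PRIVATE_KEY = re.compile(r'(BEGIN (RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY|BEGIN CERTIFICATE)')

# 1.2 exclusions, applied as a substring test on the matching line (an
# assumption about how the audit applied them). "empty" needs no entry:
# the {16,} quantifier already rejects empty literals.
SECRET_LINE_EXCLUDE = ("secret_id", "secret_name", "/secrets/", "secret_version",
                       "stub", "test", "fake", "REDACTED", "REPLACE", "<", "SECRET_PATTERNS")
# 1.4 exclusions: loopback, null (0.0.0.0), RFC1918, "1.2.3" placeholder
# addresses, and lines mentioning spec/test (interpretation assumed).
RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
IP_PLACEHOLDER_PREFIX = "1.2.3."
IP_LINE_EXCLUDE = ("spec", "test")


class Finding(NamedTuple):
    rule: str
    lineno: int
    text: str


def ip_is_benign(addr: str) -> bool:
    """True for addresses 1.4 excludes. Regex hits that are not valid IPv4
    (e.g. 999.1.1.1) are dropped as well."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return True
    if ip.is_loopback or ip.is_unspecified or addr.startswith(IP_PLACEHOLDER_PREFIX):
        return True
    return any(ip in net for net in RFC1918)


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Run all five rules over text lines; findings come back in line order."""
    findings = []
    for n, line in enumerate(lines, 1):
        if DSN_WITH_CREDS.search(line):
            findings.append(Finding("1.1 dsn", n, line.strip()))
        if SECRET_LITERAL.search(line) and not any(t in line for t in SECRET_LINE_EXCLUDE):
            findings.append(Finding("1.2 literal", n, line.strip()))
        if CRED_ENV_ASSIGN.search(line):
            findings.append(Finding("1.3 env-assign", n, line.strip()))
        if not any(w in line.lower() for w in IP_LINE_EXCLUDE):
            for m in IPV4.finditer(line):
                if not ip_is_benign(m.group(0)):
                    findings.append(Finding("1.4 ipv4", n, m.group(0)))
        if PRIVATE_KEY.search(line):
            findings.append(Finding("1.5 key", n, line.strip()))
    return findings


# Constructed sample input (not from the audited repo): lines 1-4 are the
# benign cases the audit describes, lines 5-11 each trigger one rule.
SAMPLE = [
    'DB_ENV_GUARD = ("PG_DSN", "DATABASE_URL", "PGPASSWORD")',  # names only: no hit
    'for bad in DB_ENV_GUARD:',
    '    if os.environ.get(bad): raise SystemExit("REFUSED")',
    'token = "REDACTED_REDACTED_REDACTED"',                     # 1.2 match, excluded
    'dsn = "postgresql://svc:hunter2hunter2@db.internal/prod"',  # 1.1
    'API_KEY = "k9Pq2mX7vB4nR8sT1wY6zA3c"',                    # 1.2
    'bind = "127.0.0.1"',                                         # loopback, excluded
    'peer = "10.42.0.7"',                                         # RFC1918, excluded
    'target = "52.17.4.9"',                                       # 1.4
    'PGPASSWORD = "s3cret"',                                      # 1.3
    '-----BEGIN RSA PRIVATE KEY-----',                            # 1.5
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE):
        print(f"{f.rule:16} line {f.lineno}: {f.text}")
```

Running it on SAMPLE reports exactly five findings (lines 5, 6, 9, 10, 11) and nothing for the DB_ENV_GUARD tuple, which is the same behaviour section 2 relies on: 1.3 needs a quoted literal assigned to the name, and a tuple of names has none. Note that the 1.2 line-level exclusions are deliberately coarse; a real credential on a line that also contains the word "test" is suppressed, so a scan that passes on this rule should still be read alongside 1.1 and 1.3.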
2. Cross-check against legitimate env-var-NAME uses
The token PGPASSWORD does appear in source — but only inside
DB_ENV_GUARD tuples whose meaning is "refuse to start if this env var
is set". These are explicitly allowed by the hardcode policy
("env var names in refusal guards") and were re-tested in the prior
B-DB-ENV-GUARD-BASELINE-CLEAN macro (commit d7ea6d1).
cutter_agent/cutwrite.py:54 DB_ENV_GUARD = ("PG_DSN", ..., "PGPASSWORD", ...)
cutter_agent/cutprod.py:47 _DB_ENV_GUARD = (... "PGPASSWORD" ...)
cutter_agent/cutplan.py:50 DB_ENV_GUARD = (... "PGPASSWORD" ...)
cutter_agent/cutprod_canonical.py:48 _DB_ENV_GUARD = (... "PGPASSWORD" ...)
cutter_agent/dryrun.py:474 for bad in (... "PGPASSWORD"):
Each is followed by if os.environ.get(bad): … REFUSED — i.e. the tuples
forbid a secret from being passed in; they do not contain one.
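The refusal-guard pattern the cross-check describes, as an added example rather than the cutter_agent implementation. The tuple contents are an assumption (only PG_DSN, DATABASE_URL and PGPASSWORD are named on this page; the real tuples are elided). Two details worth copying: the environment mapping is a parameter so the guard is testable without mutating os.environ, and the refusal message names the variable but never echoes its value, since the value is the very credential the guard exists to keep out of the process and its logs.

```python
import os
from typing import List, Mapping, Optional, Sequence

# Env-var NAMES, never values. This is what the 1.3 grep sees in source;
# it never matches because no name is assigned a quoted literal.
# Assumed contents: the page names only these three variables.
DB_ENV_GUARD = ("PG_DSN", "DATABASE_URL", "PGPASSWORD")


class Refused(RuntimeError):
    """Raised when a guarded variable is present in the environment."""


def offending_env_vars(environ: Optional[Mapping[str, str]] = None,
                       guard: Sequence[str] = DB_ENV_GUARD) -> List[str]:
    """Names from `guard` that are set to a non-empty value in `environ`.
    Same semantics as `if os.environ.get(bad):` on the page: an empty
    string does not trip the guard."""
    env = os.environ if environ is None else environ
    return [name for name in guard if env.get(name)]


def enforce_db_env_guard(environ: Optional[Mapping[str, str]] = None,
                         guard: Sequence[str] = DB_ENV_GUARD) -> None:
    """Refuse to start if any guarded variable is set. The message carries
    the variable name only; the value is a credential and must not reach
    stderr or a log line."""
    bad = offending_env_vars(environ, guard)
    if bad:
        raise Refused("REFUSED: credential-bearing env var(s) set: " + ", ".join(bad))


def startup_ok(environ: Optional[Mapping[str, str]] = None) -> bool:
    """Boolean form of the guard for callers that prefer a flag to an exception."""
    try:
        enforce_db_env_guard(environ)
    except Refused:
        return False
    return True


if __name__ == "__main__":
    # Constructed environments, not the real process environment.
    print(startup_ok({"PATH": "/usr/bin"}))                 # clean: True
    print(startup_ok({"PGPASSWORD": "hunter2"}))            # refused: False
```

Because the guard only reacts to non-empty values, a deployment that exports PGPASSWORD="" passes; that matches the page's check and is the intended behaviour, but it is the one case to keep in mind when reading a "guard passed" log line.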
3. Verdict
g1_outcome : PASS
secrets_in_repo : 0
credentials_in_repo : 0
api_keys_in_repo : 0
private_keys_in_repo : 0
production_ips_in_repo : 0
env_var_NAME_refusal_uses : 5 files (allowed by policy)
No remediation action required for G1.