Lines 109-149markdown
109**Binary / generated carve-out**: skip binaries. Additionally note (do not auto-suppress) hits inside
110generated artifacts (e.g. `paper/*.html` exported from a private source) — these are real leaks on the
111public surface and must be reported, but the fix is "regenerate from a sanitized source," not "edit the
112HTML by hand." Flag them with a `(generated artifact)` note.
114> **Detail**: See `SKILL_detail.md §Step3-Scan-Script` — the grep-per-pattern bash implementation,
115> flag reference (`-n`/`-I`/`-E`) — read when executing this step.
119## Step 3b. FP Hygiene — Placeholder & Example Exclusion
121A scan that flags its own placeholders erodes trust. Two **value-shape** classes are never real leaks
122and are dropped before the report — imported from `gstack-redact`'s canonical-example allowlist, scoped
123in PSA's direction to the *matched token* (not the whole line, so a real leak sharing a substring still
126- **Angle-bracket placeholders** — the matched token is itself a placeholder (`<your-unix-username>`,
127 `<company-asset>`, `{project}`). PSA dogfoods these in Step 1; the scan must not report them as leaks.
128- **Canonical dummy values** — the matched token is a documented example/dummy (`EXAMPLE`, `dummy`,
129 `changeme`, `REDACTED`, `xxxx`, AWS-doc keys like `AKIAIOSFODNN7EXAMPLE`). A high-entropy *example* is
CriticalCritical Secret
Package contains a critical-looking secret pattern.
plugins/fh-meta/skills/public-surface-audit/SKILL.mdView on unpkg · L129 CriticalSecret Pattern
AWS access key ID in plugins/fh-meta/skills/public-surface-audit/SKILL.md
plugins/fh-meta/skills/public-surface-audit/SKILL.mdView on unpkg · L129 132This differs from the Step 2 allowlist: Step 2 suppresses by **file::token legitimacy**, Step 3b by
133**token value-shape**. Both run — Step 2 then Step 3b. Keep it tight (PSA's "allowlist tight" rule): if a
134token only *contains* an example substring but is otherwise a real private value, it still reports.
136> **Detail**: See `SKILL_detail.md §Step3b-FP-Hygiene-Script` — the token-shape-only extraction bash
137> implementation (never line-level) — read when executing this step.
141## Step 3c. Ignore-Verification — the gitignore-mistake safeguard (root-cause, runs before Step 4)
143Steps 3/3b scan what **is** tracked. This step checks the inverse and the upstream cause: a file you
144*intend* to be private that is **not actually ignored** — the gitignore mistake that becomes tomorrow's
145tracked leak. For each expected-private path, `git check-ignore -v` reports whether it is ignored **and
146by which layer** (committed `.gitignore` · local `.git/info/exclude` · global `core.excludesFile`). A
147path that resolves to no ignore rule is a MISS — surface it before it is ever `git add`ed.
149- **OK** — ignored; the report names which layer covers it (operator-private files should resolve to