fix(security): harden output and release verification

.gitleaks.toml

@@ -0,0 +1,9 @@
+title = "Nightward gitleaks config"
+
+[[allowlists]]
+description = "Synthetic provider parser fixtures with fake redacted values"
+paths = [
+  '''^testdata/providers/gitleaks\.json$''',
+  '''^testdata/providers/trufflehog\.jsonl$''',
+  '''^testdata/providers/trivy\.json$''',
+]

Makefile

@@ -13,7 +13,7 @@ CARGO_AUDIT_VERSION ?= 0.22.1
 CARGO_DENY_VERSION ?= 0.19.4
 CARGO_LLVM_COV_VERSION ?= 0.8.5
 
-.PHONY: doctor install-dev-tools test test-fast test-security test-ux test-release test-local test-prepush test-release-install fmt clippy cargo-test cargo-nextest cargo-doc cargo-audit cargo-deny cargo-llvm-cov coverage-check fuzz-smoke test-junit trunk-check trunk-fix trunk-flaky-validate ci-scripts-test gitleaks raycast-install raycast-test raycast-test-junit raycast-audit raycast-lint raycast-build raycast-store-check raycast-verify npm-package-install npm-package-test npm-package-audit npm-package-pack npm-package-verify docs-reference docs-reference-check docs-freshness docs-qa site-install site-audit site-build site-verify demo-assets tui-media release-snapshot verify build install-local clean-reports
+.PHONY: doctor install-dev-tools test test-fast test-security test-ux test-release test-local test-prepush test-release-install fmt clippy cargo-test cargo-nextest cargo-doc cargo-audit cargo-deny cargo-llvm-cov coverage-check fuzz-smoke test-junit trunk-check trunk-fix trunk-flaky-validate ci-scripts-test gitleaks raycast-install raycast-test raycast-test-junit raycast-audit raycast-lint raycast-build raycast-store-check raycast-verify npm-package-install npm-package-test npm-package-audit npm-package-pack npm-package-verify docs-reference docs-reference-check docs-freshness docs-qa demo-ids-check site-install site-audit site-build site-verify demo-assets tui-media release-snapshot verify build install-local clean-reports
 
 doctor:
 	bash scripts/dev-doctor.sh
@@ -149,7 +149,10 @@ docs-reference-check:
 docs-freshness:
 	node scripts/check-docs-freshness.mjs
 
-docs-qa: docs-reference-check docs-freshness
+docs-qa: docs-reference-check docs-freshness demo-ids-check
+
+demo-ids-check:
+	node scripts/check-demo-ids.mjs
 
 site-verify: docs-qa site-install site-audit site-build
 

crates/nightward-core/src/analysis.rs

@@ -324,7 +324,7 @@ fn append_provider_signals(out: &mut Report, scan: &ScanReport, options: &Option
                         path: root.display().to_string(),
                         message: format!("{provider} provider execution failed."),
                         evidence: redact_text(&error.to_string()),
-                        severity: RiskLevel::Low,
+                        severity: RiskLevel::High,
                         category: SignalCategory::Unknown,
                     },
                 );

crates/nightward-core/src/fixplan.rs

@@ -1,3 +1,4 @@
+use crate::inventory::redact_text;
 use crate::{Finding, FixKind, Report as ScanReport, RiskLevel};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
@@ -154,22 +155,26 @@ fn action_from_finding(finding: &Finding) -> Action {
         steps: if finding.fix_steps.is_empty() {
             vec![
                 "Inspect the redacted finding evidence.".to_string(),
-                finding.recommended_action.clone(),
+                redact_text(&finding.recommended_action),
                 "Re-run Nightward and compare the next report.".to_string(),
             ]
         } else {
-            finding.fix_steps.clone()
+            finding
+                .fix_steps
+                .iter()
+                .map(|step| redact_text(step))
+                .collect()
         },
         preview,
     }
 }
 
 fn preview_for(finding: &Finding) -> String {
     let Some(hint) = &finding.patch_hint else {
-        return format!(
+        return redact_text(&format!(
             "# plan-only review\n# {}\n# {}",
             finding.path, finding.recommended_action
-        );
+        ));
     };
     match hint.kind {
         Some(FixKind::ExternalizeSecret) => {
@@ -178,19 +183,22 @@ fn preview_for(finding: &Finding) -> String {
             } else {
                 &hint.env_key
             };
-            format!(
+            redact_text(&format!(
                 "- inline secret value in {}\n+ external reference to ${}\n# review required before editing",
                 finding.path, key
-            )
+            ))
         }
-        Some(FixKind::PinPackage) => format!(
+        Some(FixKind::PinPackage) if !hint.package.is_empty() => redact_text(&format!(
             "- {}\n+ {}@<reviewed-version>\n# choose and review an explicit version",
             hint.package, hint.package
-        ),
+        )),
+        Some(FixKind::PinPackage) => {
+            "# choose and review an explicit package version manually".to_string()
+        }
         Some(FixKind::NarrowFilesystem) => {
             "- broad filesystem path\n+ <specific-reviewed-path>".to_string()
         }
-        _ => format!("# review required for {}", finding.path),
+        _ => redact_text(&format!("# review required for {}", finding.path)),
     }
 }