Add CI secret tripwire and vault guard

.gitlab-ci.yml

@@ -0,0 +1,36 @@
+stages: [verify]
+
+verify:no_secrets:
+  stage: verify
+  image: alpine:latest
+  script:
+    - apk add --no-cache git grep
+
+    # Global secret scan (cheap but effective)
+    - |
+      set +e
+      secret_re='(BEGIN (RSA|OPENSSH|EC) PRIVATE KEY|-----BEGIN PGP PRIVATE KEY BLOCK-----|aws_secret_access_key|AKIA[0-9A-Z]{16}|xox[baprs]-[0-9A-Za-z-]{10,}|ghp_[A-Za-z0-9]{36}|glpat-[A-Za-z0-9_-]{20,})'
+      git grep -nE "$secret_re" -- .
+      status=$?
+      set -e
+
+      if [ "$status" -eq 0 ]; then
+        echo "❌ Potential secret detected. Remove it or encrypt it into vault/."
+        exit 1
+      elif [ "$status" -ne 1 ]; then
+        echo "❌ Secret scan failed (git grep exit $status)."
+        exit "$status"
+      fi
+
+    # Vault plaintext guard (tracked files only)
+    - |
+      set -eu
+
+      allowed_vault_re='(^vault/README\.md$|^vault/\.gitkeep$|^vault/tmp/\.gitignore$|\.age$|\.sops\.)'
+      bad_vault_files="$(git ls-files vault | grep -vE "$allowed_vault_re" || true)"
+
+      if [ -n "$bad_vault_files" ]; then
+        echo "❌ Plaintext file detected in vault/. Encrypt before commit:"
+        echo "$bad_vault_files"
+        exit 1
+      fi

vault/README.md

@@ -10,3 +10,15 @@ Rules:
 
 Decryption/working material belongs in `vault/tmp/` (gitignored) and should be wiped after use.
 
+## Allowed files
+
+The vault is for ciphertext, plus documentation.
+
+Allowed:
+
+- `*.age`
+- `*.sops.*`
+- `README.md`
+- `.gitkeep` (if used)
+
+Anything else under `vault/` is treated as plaintext and is blocked by CI.