bceff8f4ec
conf.d/sponge_privacy.fish registers patterns and filters that prevent credentials from reaching fish history: Layer 1 (static regex, universal): auth flags, env assignments, credential-bearing URLs, Authorization headers, sshpass, docker login, openssl -passin/-passout Layer 2 (dynamic values, session globals): on the first prompt, after secrets.fish has loaded, reads the literal values of all exported credential-named vars (TOKEN, PASSWORD, SECRET, etc.), escapes them for regex, and merges them with the static patterns as a session global — auto-refreshes on login so rotated tokens are never stale Layer 3 (per-command filter, sponge_filter_secrets): catches credentials in variables exported mid-session (e.g. project .env) Also exempts functions/sponge_filter_secrets.fish from the sponge_* gitignore glob so our custom filter is committed alongside the config.