Files
fish-config/conf.d
rootiest bceff8f4ec feat(sponge): add three-layer privacy filtering for shell history
conf.d/sponge_privacy.fish registers patterns and filters that prevent
credentials from reaching fish history:

  Layer 1 (static regex, universal): auth flags, env assignments,
  credential-bearing URLs, Authorization headers, sshpass, docker
  login, openssl -passin/-passout

  Layer 2 (dynamic values, session globals): on the first prompt, after
  secrets.fish has loaded, reads the literal values of all exported
  credential-named vars (TOKEN, PASSWORD, SECRET, etc.), escapes them
  for regex, and merges them with the static patterns as a session
  global — auto-refreshes on login so rotated tokens are never stale

  Layer 3 (per-command filter, sponge_filter_secrets): catches
  credentials in variables exported mid-session (e.g. project .env)

Also exempts functions/sponge_filter_secrets.fish from the sponge_*
gitignore glob so our custom filter is committed alongside the config.
2026-06-08 22:23:29 -04:00
..