fix: remove committed private keys and add gitleaks CI

- Remove all cert files from git tracking (git rm --cached) - crates/pm-agent-client/certs/client.key (private key) - crates/pm-agent-client/certs/client.crt (public cert) - crates/pm-agent-client/certs/ca.crt (public cert) - Add .gitignore patterns for *.key, *.key.pem, certs/*.crt, certs/*.pem - Update pm-agent-client doc examples to use std::fs::read() instead of include_bytes! - Add gitleaks secret scanning job to CI workflow - Update security-review.md with critical finding for Issue #12 - Add README.md to crates/pm-agent-client/certs/ explaining runtime cert generation Private keys were dev/test only - no production key rotation needed. Git history purge with filter-repo will follow after PR merge. Co-authored-by: Draco Lunaris <331325+Draco-Lunaris@users.noreply.github.com>
2026-06-06 13:20:52 -05:00
parent e6dd1b8489
commit 5fa1fef6c8
9 changed files with 89 additions and 53 deletions
--- a/crates/pm-agent-client/src/lib.rs
+++ b/crates/pm-agent-client/src/lib.rs
@ -10,12 +10,17 @@
 //! use pm_agent_client::AgentClient;
 //!
 //! # async fn run() -> Result<(), pm_agent_client::AgentClientError> {
+//! // Load certificates from files (never hardcode or include_bytes! private keys)
+//! let client_cert = std::fs::read("/etc/patch-manager/certs/client.crt")?;
+//! let client_key = std::fs::read("/etc/patch-manager/certs/client.key")?;
+//! let ca_cert = std::fs::read("/etc/patch-manager/ca/ca.crt")?;
+//!
 //! let client = AgentClient::new(
 //!     "10.0.1.5",
 //!     12443,
-//!     include_bytes!("../certs/client.crt"),
-//!     include_bytes!("../certs/client.key"),
-//!     include_bytes!("../certs/ca.crt"),
+//!     &client_cert,
+//!     &client_key,
+//!     &ca_cert,
 //! )?;
 //!
 //! let health = client.health().await?;