From 1e8f73a2e932b3f24465e565c9d81b1736b1ad06 Mon Sep 17 00:00:00 2001
From: ysyneu
Date: Thu, 28 May 2026 16:20:30 +0800
Subject: [PATCH] feat(env): skip .kube in default grep ignore to keep kubeconfig tokens out of greps

---
 environment/environment.go | 1 +
 environment/environment_test.go | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/environment/environment.go b/environment/environment.go
index ee0ce21..fd1b570 100644
--- a/environment/environment.go
+++ b/environment/environment.go
@@ -295,6 +295,7 @@ var defaultGrepIgnoreDirs = map[string]struct{}{
 ".git": {},
 "node_modules": {},
 ".flashduty": {}, // covers .flashduty/.work and friends
+ ".kube": {}, // read-only kubeconfigs placed by /init; keep tokens out of greps
 }

 // Grep searches for a pattern in files.
diff --git a/environment/environment_test.go b/environment/environment_test.go
index 02c99fc..de4a0cf 100644
--- a/environment/environment_test.go
+++ b/environment/environment_test.go
@@ -215,6 +215,9 @@ func TestEnvironment_Grep_DefaultIgnore(t *testing.T) {
 require.NoError(t, os.MkdirAll(filepath.Join(ws.Root(), "node_modules", "pkg"), 0o755))
 require.NoError(t, os.MkdirAll(filepath.Join(ws.Root(), ".git"), 0o755))
+ require.NoError(t, os.MkdirAll(filepath.Join(ws.Root(), ".kube"), 0o755))
+ require.NoError(t, os.WriteFile(filepath.Join(ws.Root(), ".kube", "prod.config"), []byte("token: needle\n"), 0o600))
+
 require.NoError(t, os.WriteFile(filepath.Join(ws.Root(), "src", "a.txt"), []byte("needle\n"), 0o644))
 require.NoError(t, os.WriteFile(filepath.Join(ws.Root(), "node_modules", "pkg", "b.txt"), []byte("needle\n"), 0o644))
 require.NoError(t, os.WriteFile(filepath.Join(ws.Root(), ".git", "c.txt"), []byte("needle\n"), 0o644))
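Review bot: The comment on the new `.kube` entry in `defaultGrepIgnoreDirs` (environment/environment.go) promises more than a default ignore list can guarantee. The Grep implementation lies outside this hunk, so it is not visible whether the map is still consulted when the search root is itself inside `.kube`, or when a caller supplies its own ignore set; if either path bypasses it, kubeconfig credentials would still appear in results. Kubeconfigs stored under any other directory name are not covered at all. I would reword the comment to `// best-effort default: skip kubeconfigs placed by /init so credentials stay out of workspace-wide grep output; not an access control`, and rely on file permissions or an explicit deny on the read path for the actual protection.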
@@ -225,6 +228,7 @@ func TestEnvironment_Grep_DefaultIgnore(t *testing.T) {
 for _, m := range res.Matches {
 assert.NotContains(t, m.Path, "node_modules", "node_modules must be ignored, got %s", m.Path)
 assert.NotContains(t, m.Path, ".git", ".git must be ignored, got %s", m.Path)
+ assert.NotContains(t, m.Path, ".kube", ".kube must be ignored, got %s", m.Path)
 }

 // The src/ hit must still be present.
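Review bot: The added `.kube` assertion in `TestEnvironment_Grep_DefaultIgnore` covers only a workspace-wide search with `.kube` at the workspace root, and it inspects `m.Path` alone. Because the stated goal is keeping kubeconfig tokens out of results, the test should also pin the two cases that decide whether that goal holds: a Grep whose search path points directly at `.kube` or at `.kube/prod.config`, and a `.kube` directory nested below the root. How Grep applies `defaultGrepIgnoreDirs` in those cases is not shown in this patch, so the intended outcome needs to be decided first and then asserted. The test function begins and ends outside this hunk, and the fixture for it is created in the preceding hunk of the same file.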