orbok_fs/
sensitive.rs

1//! Sensitive-directory warnings (RFC-003 §7, external design §18.2).
2//!
3//! Warnings, not blocks: the user may proceed with "Add Anyway", but the
4//! default recommendation is not to index credential-bearing folders.
5
6use std::path::Path;
7
8/// Directory names (final or intermediate components) that very likely
9/// contain credentials or secrets.
10const SENSITIVE_COMPONENTS: &[&str] = &[
11    ".ssh",
12    ".gnupg",
13    ".aws",
14    ".azure",
15    ".kube",
16    ".docker",
17    ".password-store",
18    ".mozilla",
19    ".thunderbird",
20];
21
22/// Absolute prefixes that are system directories.
23#[cfg(unix)]
24const SYSTEM_PREFIXES: &[&str] = &["/etc", "/usr", "/bin", "/sbin", "/boot", "/proc", "/sys"];
25
26#[cfg(not(unix))]
27const SYSTEM_PREFIXES: &[&str] = &[
28    "C:\\Windows",
29    "C:\\Program Files",
30    "C:\\Program Files (x86)",
31];
32
33/// Returns a warning reason when `path` looks like a sensitive location.
34/// `None` means no warning is needed.
35pub fn sensitive_warning(path: &Path) -> Option<&'static str> {
36    let path_str = path.to_string_lossy();
37    for prefix in SYSTEM_PREFIXES {
38        if path_str.starts_with(prefix) {
39            return Some("system_directory");
40        }
41    }
42    for component in path.components() {
43        let name = component.as_os_str().to_string_lossy();
44        if SENSITIVE_COMPONENTS.contains(&name.as_ref()) {
45            return Some("credential_directory");
46        }
47        // `.config` only as the home config root, not arbitrary names.
48        if name == ".config" {
49            return Some("hidden_configuration_directory");
50        }
51    }
52    None
53}
orbok_fs/sensitive.rs

orbok_fs/
sensitive.rs
