feat(pipeline-doctor): assert no set -x in token-bearing ci scripts (#191)

CHANGELOG.md

@@ -5,6 +5,15 @@
 All notable changes to parity-lib are documented here. This project follows
 semantic versioning; the version is a conceptual tag (no git tag is created).
 
+## Unreleased
+
+- `pipeline-doctor` (cluster #191 security sweep): added a scoped per-file check
+  asserting **no `set -x` in token-bearing `ci/*.sh` scripts** going forward — a
+  script that references a registry token (`REGISTRY_TOKEN` / `CI_REGISTRY_TOKEN`
+  / an `Authorization: token` header) must not enable xtrace, which would echo
+  the token to the build log. Token-free helpers (e.g. version parsers) are not
+  flagged.
+
 ## v0.1.0
 
 Initial release (cluster #192/#193/#194, emmett#44).

ci/pipeline-doctor.sh

@@ -89,6 +89,27 @@ else
 	bad "possible token leak: a token var is echo/printf'd un-redacted, or set -x is enabled"
 fi
 
+# 3b. (security sweep, cluster #191) no `set -x` in a TOKEN-BEARING ci/*.sh.
+# Scoped per-file: a script that references a registry token (REGISTRY_TOKEN /
+# CI_REGISTRY_TOKEN / an 'Authorization: token' header) must NOT enable xtrace,
+# which would echo the token to the build log. A `set -x` in a token-free helper
+# (e.g. a pure version parser) is not flagged here.
+xtrace_hits=""
+if [ -d "$REPO/ci" ]; then
+	for s in "$REPO"/ci/*.sh; do
+		[ -f "$s" ] || continue
+		if grep -Eq '(REGISTRY_TOKEN|Authorization: token)' "$s" &&
+			grep -Eq '^[[:space:]]*set -[a-z]*x' "$s"; then
+			xtrace_hits="$xtrace_hits ${s#"$REPO"/}"
+		fi
+	done
+fi
+if [ -z "$xtrace_hits" ]; then
+	ok "no set -x in token-bearing ci/*.sh scripts"
+else
+	bad "set -x in token-bearing ci/*.sh:$xtrace_hits (xtrace would echo the token)"
+fi
+
 # 4. dev-tag guard present.
 if printf '%s' "$token_src" | grep -Eq 'parity_devtag_guard|refusing to publish without an explicit'; then
 	ok "dev-tag guard present"