security: redact leaked GitHub PAT, tighten .gitignore, pin Flask deps#54

Open
racmac57 wants to merge 1 commit into main from security/redact-pat-and-deps-audit

@racmac57
Owner

Summary

Closes the security checklist from the chat:

| Task | Status |
|---|---|
| Redact leaked GitHub PAT from current HEAD | |
| Confirm Flask is on a version that patches CVE-2023-30861 + the fallback session key issue | ✅ — Flask==3.1.0 already patched both; bumped floor to >=3.1.1 |
| Tighten .gitignore to prevent future secret commits | |
| Generate dependency audit report | ✅ — docs/DEPENDENCY_AUDIT.md |

The owner has already revoked the token on github.com/settings/tokens. Git history was deliberately NOT rewritten — once the token is revoked, history rewrite gives marginal benefit and would have invalidated open PRs #52, #53 plus every existing clone. See docs/DEPENDENCY_AUDIT.md for the full rationale.

What's in the diff

1. Token redaction (6 occurrences, 1 unique token, 2 files):

  • source/2025_10_28_23_19_14_2025_10_28_22_11_53_claude_chat_chunker_chunk17.txt
  • 99_doc/legacy/ClaudeExportFixer_20251029_215403/cursor_create_python_cli_project_struct.md

The 40-character ghp_… strings are replaced with the literal <REDACTED-GITHUB-PAT>.

2. .gitignore additions — secret-prone file patterns:

  • .env, .env.* (with !.env.example allowlist)
  • *.pem, *.key, *.p12, *.pfx
  • credentials.json, client_secret*.json, service_account*.json, *_credentials.json
  • .netrc, .pypirc
  • secrets.{yml,yaml,toml}
  • .aws/, .gcp/, .azure/
  • AI chat-export patterns: chat_export*.{txt,md}, *_chat_chunker_chunk*.txt, cursor_*.md

Already-tracked chunk files in source/ are unaffected — gitignore only filters newly-added paths.

3. grok_review_package/Dependencies/requirements.txt — switched from exact pins (==X.Y.Z) to range pins (>=X.Y.Z,<MAJOR+1). Lets Dependabot's existing patch/minor auto-merge (from PR #43) apply future security patches without manual edits. Header comment + Flask block carry inline notes about the CVEs.

4. docs/DEPENDENCY_AUDIT.md — new doc capturing what was checked, what was deliberately not done, and follow-ups (live pip-audit in CI, GitHub Push Protection).

Honest limitations

  • No live CVE scan was run — I don't have internet access in this session. An earlier draft pinned gunicorn, eventlet, and scikit-learn to specific "fixed-in" versions citing CVE IDs I couldn't verify; those speculative claims were stripped out before commit. Run pip-audit -r grok_review_package/Dependencies/requirements.txt locally to confirm/refute.
  • Git history still contains the token — searchable via git log -p. Mitigated only by the revocation, which is done.

Test plan

  • ruff check . → All checks passed!
  • pytest tests/test_smoke.py → 3 passed
  • grep -rE "ghp_[A-Za-z0-9]{36}|AKIA[A-Z0-9]{16}" --exclude-dir=.git . → no matches
  • New .gitignore rules verified to catch new chunk-style files but leave tracked ones alone
  • CI test-fast green

Follow-ups (not in this PR)

  1. Add pip-audit step to .github/workflows/ci.yml so dependency CVEs fail PRs at merge time.
  2. Enable GitHub Push Protection (Settings → Code security → Push protection) to block secret-pattern commits at push.
  3. Optional: gitleaks or trufflehog pre-commit hook for local pre-push catches.

Generated by Claude Code
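An added example, not code from this PR or repository: the redaction and the follow-up grep check from the test plan, combined into one pass that reports occurrences and unique secrets the way the description does. The function names, the `<REDACTED-AWS-ACCESS-KEY-ID>` label, and the sample files are assumptions; the token is a constructed fake.

```python
import re
from collections import Counter

# Patterns copied from the test-plan grep: classic GitHub PAT and AWS access key ID.
SECRET_PATTERNS = {
    "GITHUB-PAT": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "AWS-ACCESS-KEY-ID": re.compile(r"AKIA[A-Z0-9]{16}"),  # label is an assumption
}


def redact(text):
    """Return (redacted_text, Counter mapping each matched secret to its count)."""
    found = Counter()
    for label, pattern in SECRET_PATTERNS.items():
        def _swap(match, label=label):
            found[match.group(0)] += 1
            return f"<REDACTED-{label}>"
        text = pattern.sub(_swap, text)
    return text, found


def audit(files):
    """Redact every body in `files` (path -> text) and summarise what was found."""
    redacted, totals = {}, Counter()
    for path, body in files.items():
        redacted[path], hits = redact(body)
        totals.update(hits)
    # Post-condition mirroring the grep check: no pattern may still match.
    residual = [path for path, body in redacted.items()
                if any(rx.search(body) for rx in SECRET_PATTERNS.values())]
    return {
        "redacted": redacted,
        "occurrences": sum(totals.values()),   # raw secrets never leave this function
        "unique_secrets": len(totals),
        "residual_files": residual,
    }


# Constructed sample data: a fake token built at runtime, not a real credential.
FAKE_PAT = "ghp_" + "A1b2" * 9
SAMPLE_FILES = {
    "chat_chunk.txt": f"git remote set-url origin https://{FAKE_PAT}@github.com/o/r.git\n"
                      f"export GH_TOKEN={FAKE_PAT}\n",
    "notes.md": f"token: {FAKE_PAT}\nno secret on this line\n",
}

if __name__ == "__main__":
    report = audit(SAMPLE_FILES)
    print(report["occurrences"], report["unique_secrets"], report["residual_files"])
```

Redacting the working tree this way does nothing for earlier commits, which is why the revocation is what closes the exposure.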

The token has been revoked on github.com/settings/tokens by the repo
owner. This commit removes the plaintext from HEAD and prevents
recurrence. Git history was intentionally NOT rewritten — see
docs/DEPENDENCY_AUDIT.md for rationale.

Changes:

- Redacted 6 occurrences of the same revoked PAT (ghp_OtOOLx…) across:
    source/2025_10_28_23_19_14_2025_10_28_22_11_53_claude_chat_chunker_chunk17.txt
    99_doc/legacy/ClaudeExportFixer_20251029_215403/cursor_create_python_cli_project_struct.md
  Replaced with literal "<REDACTED-GITHUB-PAT>".

- .gitignore: added secret-file patterns (.env, *.pem, credentials.json,
  service_account*.json, .aws/, .gcp/, .azure/, .pypirc, .netrc, …) and
  AI chat-export patterns (*_chat_chunker_chunk*.txt, cursor_*.md) so
  future exports can't be committed accidentally. Existing tracked
  chunk files in source/ are not affected — gitignore only filters
  newly-added paths.

- grok_review_package/Dependencies/requirements.txt: switched from
  exact pins (==X.Y.Z) to range pins (>=X.Y.Z,<MAJOR+1) so Dependabot's
  patch/minor auto-merge (added in PR #43) can apply security patches
  without manual edits. Floor on Flask raised to >=3.1.1; Flask 3.1.0
  already patched the two CVEs called out in the task brief
  (CVE-2023-30861 'Vary: Cookie' fixed in 2.2.5/2.3.2; fallback session
  key fixed in 3.0).

- docs/DEPENDENCY_AUDIT.md: new file documenting what was checked,
  what was deliberately NOT done (history rewrite, speculative CVE
  claims), and recommended follow-ups (live pip-audit in CI, GitHub
  Push Protection).
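
An added example, not the repository's own tooling: one way to apply the `==X.Y.Z` to `>=X.Y.Z,<MAJOR+1` rewrite described in the commit message, including a raised floor such as the Flask one. `to_range_pin`, `convert`, and the `floors` parameter are hypothetical names, and the requirements text is a constructed sample rather than the project's file.

```python
import re

# name[extras]==MAJOR(.N)*, optionally followed by an environment marker or comment.
# Pre-releases, wildcards (==1.*), and hash continuation lines deliberately do not match.
PIN = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]+\])?)\s*==\s*"
    r"(?P<version>\d+(?:\.\d+)*)(?P<tail>\s*(?:[;#].*)?)$"
)


def to_range_pin(line, floors=None):
    """Rewrite `pkg==X.Y.Z` as `pkg>=X.Y.Z,<MAJOR+1`; return other lines unchanged.

    `floors` maps a lower-cased package name to a raised minimum version.
    """
    match = PIN.match(line.strip())
    if not match:
        return line  # comments, blanks, -r includes, URLs, already-ranged specs
    base_name = match["name"].split("[")[0].lower()
    floor = (floors or {}).get(base_name, match["version"])
    ceiling = int(floor.split(".")[0]) + 1
    return f"{match['name']}>={floor},<{ceiling}{match['tail']}"


def convert(requirements_text, floors=None):
    """Apply to_range_pin to every line of a requirements file."""
    return "\n".join(to_range_pin(l, floors) for l in requirements_text.splitlines())


# Constructed sample; versions other than Flask's are illustrative only.
SAMPLE_REQUIREMENTS = """\
# web stack
Flask==3.1.0
uvicorn[standard]==0.30.1  # ASGI server
pywin32==306 ; sys_platform == "win32"
numpy>=1.26
somepkg==2.0.0rc1
-r base.txt"""

if __name__ == "__main__":
    print(convert(SAMPLE_REQUIREMENTS, floors={"flask": "3.1.1"}))
```

Range pins cannot be combined with pip's hash-checking mode, which requires `==` pins, so a project using `--require-hashes` needs a lock file alongside ranges like these.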