feat(lab3): secure git signing and secret scanning

[Nopef]

Goal

Set up secure Git for Lab 3: SSH commit signing, gitleaks in pre-commit, and a sandbox history rewrite with git filter-repo.

Changes

• Added submissions/lab3.md — SSH signing evidence, gitleaks block test, tune-out notes, bonus filter-repo results
• Added .pre-commit-config.yaml — gitleaks v8.30.1, detect-private-key, check-added-large-files (500 KB max)

Testing

Task 1 — SSH signing

• gpg.format → ssh
• user.signingkey → /root/.ssh/id_ed25519.pub
• commit.gpgsign → true
• Local: git log --show-signature -1 → Good "git" signature (ED25519)
• GitHub: commit 1bfbc80 — Verified badge (screenshot)

Task 2 — pre-commit + gitleaks

• pre-commit install → pre-commit installed at .git/hooks/pre-commit
• pre-commit run --all-files — gitleaks passed; detect-private-key failed on course file labs/lab6/.../configure.yml (expected)
• Fake PAT in submissions/leak-attempt.txt — commit blocked: RuleID: github-pat; file unstaged and removed

Bonus — filter-repo (sandbox /tmp/lab3-bonus, not in this PR)

• Before: git log -p | grep -c 'ghp_' → 2
• After: ghp_ → 0, REDACTED → 2
• Second step in a real incident: rotate/revoke the exposed secret

Artifacts & Screenshots

• submissions/lab3.md
• .pre-commit-config.yaml
• Verified badge: Yandex link in submission
• Blocked gitleaks output + bonus before/after: in submissions/lab3.md

Checklist

• Title is clear (feat(lab3): SSH signing + gitleaks pre-commit)
• No secrets/large temp files committed
• Submission file at submissions/lab3.md exists

---

• Task 1 — SSH signing + Verified badge
• Task 2 — .pre-commit-config.yaml + gitleaks blocking
• Bonus — filter-repo documented in submissions/lab3.md