feat(lab3): SSH signing + gitleaks pre-commit + history rewrite practice

[witch2256]

Goal

Complete Lab 3 — Secure Git: Signed Commits, Secret Scanning, and History Hygiene

Changes

• Added submissions/lab3.md with detailed answers for:
  • SSH commit signing configuration, local verification output, GitHub Verified badge link, and STRIDE‑R reflection
  • Pre‑commit + gitleaks setup, blocked commit evidence, and tune‑out tradeoffs
• Added .pre-commit-config.yaml — pins pre-commit-hooks (detect-private-key, check-added-large-files) and gitleaks v8.21.2
• Added submissions/verified-badge.png showing green Verified badge on GitHub

Testing & Verification

• Local signing works: git log --show-signature -1 shows Good "git" signature
• GitHub commit displays green Verified badge (screenshot attached / link provided in lab3.md)
• Pre‑commit hook successfully blocks a commit with a fake GitHub PAT (rule github-pat)

Artifacts & Screenshots

• submissions/lab3.md
• .pre-commit-config.yaml
• submissions/verified-badge.png (if applicable)

Checklist

• Title is clear
• No secrets committed (test file removed before final commit)
• Submission file exists

---

• Task 1 — SSH signing configured, Verified badge shown, STRIDE‑R reflection included
• Task 2 — .pre-commit-config.yaml created, gitleaks block demonstrated, tune‑out exercise answered
• Bonus — History rewrite documented with before/after greps, rotation identified as mandatory second step, two gotchas listed