Four candidate controls. The Uber 2016 leak chain was: engineer hardcodes an AWS key in source → commits it → key sits in a private repo → attacker logs in with reused credentials and grabs it.
Which control would have caught the leak EARLIEST in the chain (i.e., closest to the moment the developer's mistake happened)?