Parfii-bot
3043188da2
fix(ci): leak-check uses awk instead of sed (shellcheck SC2001)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 21:15:09 +08:00
Parfii-bot
ce3deb43fa
fix(ci): leak-check allowlists itself (workflow contains pattern as detection rule)
leak-check.yml has the pattern 'denisparfionovich' as a literal in its grep.
On first run after install, it flags itself. Same fix as the local .git/hooks/pre-commit — allowlist the workflow file alongside NOTICE/README.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 20:04:36 +08:00
Parfii-bot
a23910d445
chore(security): scrub username paths from public artefacts + leak-check CI
Public repo had absolute paths revealing username:
- 5 _manifests/*.toml — companion_memory_files had author-time hardcoded ~/.claude/projects/-Users-<user>/memory/... paths
- 5 _generated/*.md — same paths rendered through to public output
- docs/DNA-INDEX.md — 107 absolute paths (kei-dna-index emits absolute for atoms but relative for primitives — generator inconsistency)
- skills/escalate-recurrence/SKILL.md — 2 instructional path examples
Substitution:
- ~/.claude/projects/-Users-<user>/memory/ -> ~/.claude/memory/
- /Users/<user>/Projects/KeiSeiKit-public/ -> <relative>
Defence-in-depth:
- .github/workflows/leak-check.yml — CI gate (PR + push to main)
- (local) .git/hooks/pre-commit — maintainer-side guard with allowlist for legitimate detection-rule files (the hook + the workflow itself)
NOTICE + README byline allowlisted (intentional copyright).
No secrets exposed — only metadata (username + private-memory filenames).
DNA-INDEX root-cause fix in kei-dna-index Rust binary tracked as TODO.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 19:59:29 +08:00
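The three commits above describe one mechanism: a leak-check gate that greps a public checkout for a username literal, allowlists the files that legitimately contain it (the byline plus the detection rules themselves, so the gate does not flag itself), and rewrites strings with awk rather than `echo | sed` (shellcheck SC2001). The script below is an added example written for this page, not the repository's own workflow or pre-commit hook; the pattern `exampleuser`, the allowlist entries and the sample tree it builds are constructed placeholders. It also redacts the matched literal in its own report, since on a public repo the CI log would otherwise republish the very string the gate exists to keep out.

```shell
#!/bin/sh
# Added example, not the repository's own workflow or hook: a minimal
# leak-check gate in the shape the commits above describe. It scans a
# checkout for a forbidden literal (a username), skips an allowlist of files
# that legitimately contain it as a detection rule or byline, and reports
# hits with the literal redacted so the CI log itself does not republish it.
# String rewriting is done in awk rather than "echo | sed" (shellcheck SC2001).

# Constructed placeholder; a real gate would take this from CI config/secrets.
LEAK_PATTERN="${LEAK_PATTERN:-exampleuser}"

# Files expected to contain the pattern: the copyright byline and the
# detection rules themselves (workflow + maintainer-side hook). Assumed names.
LEAK_ALLOWLIST="NOTICE README.md .github/workflows/leak-check.yml .git/hooks/pre-commit"

# is_allowlisted REL_PATH -> 0 if the path is on the allowlist, 1 otherwise
is_allowlisted() {
    for a in $LEAK_ALLOWLIST; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# leak_check ROOT -> prints "rel/path:line:text" for every hit outside the
# allowlist (pattern replaced by <redacted>) and returns 1 if anything was
# found, 0 for a clean tree.
leak_check() {
    root="$1"
    found=0
    list=$(mktemp)
    # Enumerate regular files relative to ROOT; .git internals are not part of
    # the published tree. awk strips the leading "./" that find emits.
    (cd "$root" && find . -type f ! -path './.git/*') \
        | awk '{ sub(/^\.\//, ""); print }' | sort > "$list"
    while IFS= read -r f; do
        is_allowlisted "$f" && continue
        # -F: literal match, -n: line numbers, --: pattern may start with "-"
        if grep -qF -- "$LEAK_PATTERN" "$root/$f"; then
            found=1
            grep -nF -- "$LEAK_PATTERN" "$root/$f" \
                | awk -v file="$f" -v pat="$LEAK_PATTERN" '{
                    # literal (non-regex) replacement of every occurrence
                    while ((i = index($0, pat)) > 0)
                        $0 = substr($0, 1, i - 1) "<redacted>" substr($0, i + length(pat))
                    print file ":" $0
                }'
        fi
    done < "$list"
    rm -f "$list"
    return $found
}

# make_sample_tree -> builds a constructed checkout mirroring the commit's
# findings (allowlisted byline + workflow, one leaking doc, one clean file)
# and prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/.github/workflows" "$d/docs" "$d/src"
    printf 'Copyright (c) %s\n' "$LEAK_PATTERN" > "$d/README.md"
    printf 'run: grep -r %s . && exit 1\n' "$LEAK_PATTERN" > "$d/.github/workflows/leak-check.yml"
    printf '# index\n/Users/%s/Projects/demo/atoms/a.md\n' "$LEAK_PATTERN" > "$d/docs/DNA-INDEX.md"
    printf 'nothing to see\n' > "$d/src/clean.txt"
    echo "$d"
}

# Run as a gate: `sh leak-check.sh /path/to/checkout` exits 1 on any hit,
# which is what a CI step or pre-commit hook needs to block the change.
if [ "$#" -gt 0 ]; then
    leak_check "$1"
    exit $?
fi
```

Against the sample tree, the only reported line is `docs/DNA-INDEX.md:2:/Users/<redacted>/Projects/demo/atoms/a.md`; README.md and the workflow are silently skipped, and deleting the leaking doc turns the gate green. The allowlist is exact-path, so a copied README in a subdirectory would still be flagged, which is the intended failure mode for a guard whose job is to catch paths that slipped through a generator.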