name: leak-check

on:
  push:
    branches: [main]
  pull_request:

concurrency:
  group: leak-${{ github.ref }}
  cancel-in-progress: true

jobs:
  username-paths:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 1
      - name: scan tracked files for absolute home paths
        run: |
          set -e
          PATTERN='denisparfionovich|/Users/[a-z]+/Projects/KeiSeiKit-public/'
          # Allowlist: byline files (intentional copyright) + this workflow
          # itself (it contains the pattern as a literal detection rule).
          ALLOWLIST='^(NOTICE|README\.md|\.github/workflows/leak-check\.yml)$'
          hits=$(git ls-files | xargs grep -lE "$PATTERN" 2>/dev/null | grep -vE "$ALLOWLIST" || true)
          if [[ -n "$hits" ]]; then
            echo "::error::username-path leak detected"
            echo "$hits" | awk '{print "  " $0}'
            echo
            echo "Replace absolute home paths with placeholders:"
            echo "  ~/.claude/projects/-Users-<user>/memory/  ->  ~/.claude/memory/"
            echo "  /Users/<user>/Projects/KeiSeiKit-public/  ->  <relative path>"
            exit 1
          fi
          echo "OK: no username-path leaks in tracked files"