KeiSeiKit-1.0/.github/workflows/leak-check.yml
Parfii-bot a23910d445 chore(security): scrub username paths from public artefacts + leak-check CI
Public repo had absolute paths revealing username:
- 5 _manifests/*.toml — companion_memory_files had author-time hardcoded
  ~/.claude/projects/-Users-<user>/memory/... paths
- 5 _generated/*.md — same paths rendered through to public output
- docs/DNA-INDEX.md — 107 absolute paths (kei-dna-index emits absolute
  for atoms but relative for primitives — generator inconsistency)
- skills/escalate-recurrence/SKILL.md — 2 instructional path examples

Substitution:
  ~/.claude/projects/-Users-<user>/memory/  ->  ~/.claude/memory/
  /Users/<user>/Projects/KeiSeiKit-public/  ->  <relative>

Defence-in-depth:
- .github/workflows/leak-check.yml — CI gate (PR + push to main)
- (local) .git/hooks/pre-commit — maintainer-side guard with allowlist
  for legitimate detection-rule files (the hook + the workflow itself)

NOTICE + README byline allowlisted (intentional copyright).
No secrets exposed — only metadata (username + private-memory filenames).
DNA-INDEX root-cause fix in kei-dna-index Rust binary tracked as TODO.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 19:59:29 +08:00


name: leak-check
on:
  push:
    branches: [main]
  pull_request:
concurrency:
  group: leak-${{ github.ref }}
  cancel-in-progress: true
jobs:
  username-paths:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 1
      - name: scan tracked files for absolute home paths
        run: |
          set -e
          PATTERN='denisparfionovich|/Users/[a-z]+/Projects/KeiSeiKit-public/'
          # Allowlist: the copyright byline files, plus this workflow itself,
          # which has to quote the pattern and would otherwise flag every run.
          hits=$(git ls-files | xargs grep -lE "$PATTERN" 2>/dev/null | grep -vE '^(NOTICE|README\.md|\.github/workflows/leak-check\.yml)$' || true)
          if [[ -n "$hits" ]]; then
            echo "::error::username-path leak detected"
            echo "$hits" | sed 's/^/  /'
            echo
            echo "Replace absolute home paths with placeholders:"
            echo "  ~/.claude/projects/-Users-<user>/memory/  ->  ~/.claude/memory/"
            echo "  /Users/<user>/Projects/KeiSeiKit-public/  ->  <relative path>"
            exit 1
          fi
          echo "OK: no username-path leaks in tracked files"
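The same gate as a stand-alone script that can be exercised against constructed files, added here as an example and not part of the KeiSeiKit repository. It walks a plain directory with `grep -r` instead of `git ls-files` so it runs without a checkout, uses the constructed username `exampleuser` in place of the real one, and builds its own fixture tree: one leaking manifest, two allowlisted files that legitimately contain the pattern (the byline and the detection rule itself), and one clean file that already uses the `~/.claude/memory/` placeholder.

```shell
#!/usr/bin/env bash
# Added example (not the project's own code): offline version of the
# username-path leak gate. The username "exampleuser" and every fixture
# file below are constructed for this demo.

# Regex for paths that would reveal a maintainer's home directory.
LEAK_PATTERN='exampleuser|/Users/[a-z]+/Projects/KeiSeiKit-public/'
# Repo-relative files that may contain the pattern: the copyright byline and
# the detection rule, which has to quote the pattern in order to work.
ALLOWLIST='^(NOTICE|README\.md|\.github/workflows/leak-check\.yml)$'

# find_leaks DIR: print repo-relative paths of non-allowlisted files that
# match LEAK_PATTERN, one per line; prints nothing when the tree is clean.
find_leaks() {
    local root="$1"
    ( cd "$root" \
        && grep -rlE --exclude-dir=.git "$LEAK_PATTERN" . 2>/dev/null \
        | sed 's#^\./##' \
        | grep -vE "$ALLOWLIST" ) || true
}

# scan_for_leaks DIR: CI-style wrapper; returns 1 (fail) on any hit, 0 otherwise.
scan_for_leaks() {
    local hits
    hits=$(find_leaks "$1")
    if [ -n "$hits" ]; then
        printf 'username-path leak detected in:\n%s\n' "$hits"
        echo 'Replace absolute home paths with placeholders, e.g. ~/.claude/memory/'
        return 1
    fi
    echo "OK: no username-path leaks"
}

# make_fixture: build a throwaway tree and print its path. Contents are
# constructed: one leaking manifest, two allowlisted matches, one clean file.
make_fixture() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/_manifests" "$d/docs" "$d/.github/workflows"
    printf 'companion_memory_files = ["~/.claude/projects/-Users-exampleuser/memory/a.md"]\n' \
        > "$d/_manifests/leaky.toml"
    printf 'Copyright exampleuser\n' > "$d/NOTICE"
    printf "PATTERN='exampleuser|/Users/[a-z]+/Projects/KeiSeiKit-public/'\n" \
        > "$d/.github/workflows/leak-check.yml"
    printf 'See ~/.claude/memory/a.md for the companion memory.\n' > "$d/docs/clean.md"
    echo "$d"
}

# Usage: run the gate over the fixture, then again after scrubbing the leak.
if [ "${LEAK_DEMO:-1}" = "1" ] && [ -z "${BASH_SOURCE[0]+x}" -o "${BASH_SOURCE[0]:-$0}" = "$0" ]; then
    demo=$(make_fixture)
    scan_for_leaks "$demo" || echo "(gate failed as expected)"
    rm "$demo/_manifests/leaky.toml"
    scan_for_leaks "$demo"
    rm -rf "$demo"
fi
```

The allowlist is matched against the repo-relative path with `^...$`, so a file such as `docs/NOTICE` is still scanned; only the exact top-level byline files and the workflow are exempt, which is the narrowest exemption that keeps the rule from flagging itself.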