fix: correct stale backup/transfer privacy copy and add CI guard

README.md said device-to-device transfer was "kept" for the personal
dictionary, but data_extraction_rules.xml has excluded it from both cloud
backup AND D2D transfer since v1.8.85.

- README.md: corrected with accurate exclusion language and migration
  pointer to Settings → Personal dictionary → Export/Import.
- docs/PRIVACY_AND_AI.md: corrected §2 and §3 (local-only, gitignored).
- scripts/check-backup-privacy-copy.sh: new CI guard greps prose files
  for stale "transfer kept/allowed" patterns.
- .github/workflows/android.yml: wired the guard into pre-build checks.

Author: SysAdminDoc

.github/workflows/android.yml

@@ -66,6 +66,9 @@ jobs:
       - name: Check release-front-door drift
         run: bash scripts/check-release-front-door.sh
 
+      - name: Check backup/transfer privacy copy
+        run: bash scripts/check-backup-privacy-copy.sh
+
       - name: Check fork-identity for F-Droid readiness
         run: bash scripts/check-fork-identity.sh
 

README.md

@@ -264,7 +264,7 @@ Published APKs are generated with pinned Gradle, Android Gradle Plugin, Kotlin,
 - **Long-press popups:** suppressed on every `KeyVariation.PASSWORD` (Android 17 password-visibility behavior closed on the IME side as of v1.8.44).
 - **Personalized learning:** clipboard write / dictionary learn paths skip password and `IME_FLAG_NO_PERSONALIZED_LEARNING` fields.
 - **Opt-in addon surfaces (smart-compose, translation, MCP):** every invocation runs through `SensitiveFieldGuard` first; sensitive fields short-circuit to a safe no-result.
-- **Personal dictionary backup:** excluded from cloud-backup paths; device-transfer kept.
+- **Personal dictionary backup:** excluded from both Android cloud backup and device-to-device transfer. The SQLCipher passphrase is wrapped by an Android Keystore key that is non-exportable, so the ciphertext is undecryptable on a new device. Use Settings → Personal dictionary → Export/Import for explicit local migration.
 
 The public posture is simple: no network permission, no telemetry, no account binding, no cloud learning, and explicit user action before sensitive local data is exported or shared with another app.
 

scripts/check-backup-privacy-copy.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# scripts/check-backup-privacy-copy.sh
+#
+# Guard against public prose drifting from the actual data_extraction_rules.xml.
+# The rules exclude the personal dictionary, key material, clipboard history,
+# learned n-grams, SwiftKey traces, and sync identity from BOTH cloud backup
+# and device-to-device transfer. Any prose that says transfer is "kept" or
+# "allowed" for these items is misleading.
+#
+# Exits 0 on pass, 1 on any match.
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT_DIR"
+
+errors=0
+
+fail() {
+  echo "::error::backup-privacy-copy: $*"
+  errors=$((errors + 1))
+}
+
+# Prose files to scan (docs + README).
+FILES=(
+  README.md
+  docs/PRIVACY_AND_AI.md
+  docs/THREAT_MODEL.md
+  docs/SECURITY.md
+  docs/REPRODUCIBLE_BUILDS.md
+)
+
+# Patterns that indicate stale wording about device transfer being preserved.
+PATTERNS=(
+  'device.transfer kept'
+  'device.transfer.* is allowed'
+  'device.transfer.* is preserved'
+  'device.transfer.* is included'
+  'd2d.* transfer.* allowed'
+  'd2d.* transfer.* kept'
+)
+
+for f in "${FILES[@]}"; do
+  [ -f "$f" ] || continue
+  for pat in "${PATTERNS[@]}"; do
+    matches="$(grep -inP "$pat" "$f" || true)"
+    if [ -n "$matches" ]; then
+      while IFS= read -r line; do
+        fail "${f}: stale backup/transfer wording: ${line}"
+      done <<< "$matches"
+    fi
+  done
+done
+
+if [ "$errors" -gt 0 ]; then
+  echo "backup-privacy-copy: FAIL ($errors stale-wording match(es) found)"
+  echo "The data_extraction_rules.xml excludes the personal dictionary from"
+  echo "BOTH cloud backup and device-to-device transfer. Update the prose to match."
+  exit 1
+fi
+
+echo "backup-privacy-copy: OK (no stale transfer wording found)"