Add public boundary scan

durable-workflow-ops · durable-workflow-ops · commit 63205679c514 · 2026-04-22T11:10:27.000Z
diff --git a/.github/workflows/public-boundary.yml b/.github/workflows/public-boundary.yml
@@ -0,0 +1,33 @@
+name: Public Boundary
+
+on:
+  pull_request:
+  push:
+
+permissions:
+  contents: read
+
+jobs:
+  scan:
+    name: Scan public boundary
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Scan files and commit metadata
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            range="${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
+          elif [[ "${{ github.event.before }}" =~ ^0+$ ]]; then
+            range="${{ github.sha }}^..${{ github.sha }}"
+          else
+            range="${{ github.event.before }}..${{ github.sha }}"
+          fi
+
+          PUBLIC_BOUNDARY_GIT_RANGE="$range" scripts/check-public-boundary.sh
diff --git a/README.md b/README.md
@@ -39,3 +39,7 @@ $ GIT_USER=<Your GitHub username> yarn deploy
 ```
 
 If you are using GitHub pages for hosting, this command is a convenient way to build the website and push to the `gh-pages` branch.
+
+## Public Boundary Checks
+
+This is a public repository. Do not add private tracker names, workspace-only absolute paths, or loop/lane metadata to files or new commit metadata. Run `scripts/check-public-boundary.sh` before publishing changes; CI runs the same scan on pushes and pull requests.
diff --git a/scripts/check-public-boundary.sh b/scripts/check-public-boundary.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+root="${1:-.}"
+cd "$root"
+
+status=0
+
+file_patterns=(
+  "zor""poration/"
+  "/home/""vscode"
+  "/home/lab/""workspace-hq"
+)
+
+metadata_patterns=(
+  "${file_patterns[@]}"
+  "Loop""-ID:"
+  ".tmp/""loops/"
+  "loop-""runner"
+)
+
+pathspec=(
+  .
+  ':!.git'
+  ':!vendor'
+  ':!node_modules'
+  ':!build'
+  ':!dist'
+  ':!coverage'
+  ':!storage'
+  ':!bootstrap/cache'
+  ':!public/build'
+  ':!var'
+)
+
+for pattern in "${file_patterns[@]}"; do
+  while IFS=: read -r file line _; do
+    [[ -n "${file:-}" ]] || continue
+    printf 'public-boundary: forbidden file content at %s:%s\n' "$file" "$line" >&2
+    status=1
+  done < <(git grep -n -I -e "$pattern" -- "${pathspec[@]}" || true)
+done
+
+if [[ -n "${PUBLIC_BOUNDARY_GIT_RANGE:-}" ]]; then
+  read -r -a rev_args <<< "$PUBLIC_BOUNDARY_GIT_RANGE"
+else
+  rev_args=(-1 HEAD)
+fi
+
+if mapfile -t commits < <(git rev-list "${rev_args[@]}" 2>/dev/null); then
+  for commit in "${commits[@]}"; do
+    metadata="$(git show -s --format='%an <%ae>%n%s%n%b' "$commit")"
+
+    for pattern in "${metadata_patterns[@]}"; do
+      if grep -Fq -- "$pattern" <<< "$metadata"; then
+        printf 'public-boundary: forbidden commit metadata at %s\n' "${commit:0:12}" >&2
+        status=1
+        break
+      fi
+    done
+  done
+else
+  printf 'public-boundary: unable to inspect commit metadata range: %s\n' "${PUBLIC_BOUNDARY_GIT_RANGE:-HEAD}" >&2
+  status=1
+fi
+
+exit "$status"
