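name: Security

on:
  push:
    branches: [develop, master]
  pull_request:
    branches: [develop, master]

# Least privilege: the only step that touches the repository reads the
# checked-out tree, so the job token needs nothing beyond read access to
# repository contents (the implicit default can be far broader).
permissions:
  contents: read

jobs:
  claude-leak-check:
    name: Claude-leak scan
    runs-on: ubuntu-latest
    # A hung runner should not sit on the default (hours-long) job timeout.
    timeout-minutes: 5

    steps:
      # TODO(review): pin to a full commit SHA rather than the mutable `v6`
      # tag (actions/checkout@<full-commit-sha>  # v6) so a retagged or
      # compromised upstream release cannot change what this workflow runs.
      - uses: actions/checkout@v6

      # #S6 — Backstops the local pre-commit hook (#S5) and the publish-boundary
      # gate in prepare_version.js (#S3). Fails the build if any tracked path
      # matches (^|/)(CLAUDE\.md|\.claude[a-z]*). Also retroactively catches
      # leaks that landed before the active defenses were wired, as long as
      # the path is still tracked at the scanned commit (history itself is
      # not scanned; see the filter-repo hint in the failure message).
      - name: Scan tracked files for Claude-related paths
        # Explicit bash turns on pipefail; the implicit `bash -e` shell used
        # when `shell` is omitted does not.
        shell: bash
        env:
          # Single-quoted so the backslash reaches grep unchanged.
          CLAUDE_PATH_PATTERN: '(^|/)(CLAUDE\.md|\.claude[a-z]*)'
        run: |
          # List the index in its own command so a failing `git ls-files`
          # aborts the step under `-e` instead of being masked by a trailing
          # `|| true` and reported as a clean scan.
          tracked=$(git ls-files)

          # grep exits 0 on match, 1 on no match, 2+ on error. Only 1 is the
          # "clean" outcome; an error must not be mistaken for "no leak".
          set +e
          matches=$(printf '%s\n' "$tracked" | grep -iE "$CLAUDE_PATH_PATTERN")
          status=$?
          set -e
          case "$status" in
            0|1) ;;
            *)
              echo "::error::grep failed with exit status $status while scanning the git index."
              exit "$status"
              ;;
          esac

          if [ -n "$matches" ]; then
            echo "::error::Claude-related paths detected in git index:"
            echo "$matches" | sed 's/^/  - /'
            echo ""
            echo "These paths must never be tracked. Remove with: git rm --cached <path>"
            echo "If pushed already, scrub history with git filter-repo."
            exit 1
          fi
          echo "OK: no Claude-related paths in git index."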
