
fix: narrow launch-safety private path checks #8

Closed
koltregaskes wants to merge 5 commits into main from fix/stackscout-launch-validation

Conversation

koltregaskes (Owner) commented Jun 6, 2026

Summary

  • narrow Stack Scout launch-safety private path detection to Kol/estate paths
  • avoid false positives from public feed text quoting generic Windows paths, escaped markdown underscores, or generic local-first wording

Verification

  • npm.cmd run check

Notes

  • No generated data files were staged.

Summary by CodeRabbit

  • Documentation

    • Environment variables documented for private export and status configuration
    • README updated with guidance on private artifact handling and unattended refresh
  • Chores

    • Updated timestamps across catalog, category, and tool pages to 4 Jun 2026
    • Updated manifest and registry metadata timestamps
    • Service worker cache namespace refreshed
    • Git ignore patterns added for local serve logs
  • Refactor

    • Build and refresh scripts now derive configuration from environment variables instead of hardcoded paths
    • Private launch safety detection patterns refined

coderabbitai (Bot) commented Jun 6, 2026

Review Change Stack

Warning

Review limit reached

@koltregaskes, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 51 minutes and 35 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8ff92e7e-b195-46c9-992b-f46d43074d69

📥 Commits

Reviewing files that changed from the base of the PR and between 3ffb111 and 4caee1e.

📒 Files selected for processing (37)
  • catalog/index.html
  • categories/apis/index.html
  • categories/clis/index.html
  • categories/desktop-apps/index.html
  • categories/index.html
  • categories/mcps/index.html
  • categories/web-apps/index.html
  • categories/web-services/index.html
  • categories/websites/index.html
  • collections/index.html
  • data/categories-manifest.json
  • data/collections-manifest.json
  • data/methodology-manifest.json
  • data/page-registry.json
  • data/radar-manifest.json
  • data/tools-manifest.json
  • data/updates-manifest.json
  • index.html
  • method/index.html
  • radar/index.html
  • scripts/build-stackscout.js
  • service-worker.js
  • tools/anthropic-api/index.html
  • tools/canvas-planner/index.html
  • tools/gh-cli/index.html
  • tools/github-mcp-server/index.html
  • tools/hugging-face/index.html
  • tools/make/index.html
  • tools/n8n/index.html
  • tools/openai-api/index.html
  • tools/perplexity/index.html
  • tools/playwright-mcp/index.html
  • tools/signal-stack/index.html
  • tools/strudel-studio/index.html
  • tools/syncpad/index.html
  • tools/wrangler/index.html
  • updates/index.html
📝 Walkthrough

PR introduces optional environment-variable-driven private export and refresh status configuration, refactors build and refresh automation away from hardcoded Windows paths, updates documentation, and performs a uniform timestamp refresh across all pages and manifests to 4 Jun 2026.

Changes

Private Export and Refresh Infrastructure

Layer | File(s) | Summary

Private export environment configuration and documentation
Files: .env.example, README.md, .gitignore
Summary: Three optional StackScout private export environment variables (STACKSCOUT_PRIVATE_EXPORT_DIR, STACKSCOUT_PRIVATE_EXPORT_FILE, STACKSCOUT_PRIVATE_STATUS_DIR) are documented in .env.example and left unset by default. README clarifies that only public content belongs in the repo while local operational artifacts stay private, documents optional private preview export triggered by the export variables, and explains conditional refresh status output via status directory. Local serve log files (.serve.log, .serve.err.log) are added to .gitignore.

Build script private preview export resolver
Files: scripts/build-stackscout.js
Summary: Removes hardcoded Windows-path candidate list and introduces resolvePrivatePreviewExportPath() function that determines export destination from STACKSCOUT_PRIVATE_EXPORT_FILE (explicit file path) or STACKSCOUT_PRIVATE_EXPORT_DIR (directory + stackscout-publishing.json), returning null when neither is set. The main() function integrates this resolver to set privatePreviewExport, preserving the existing conditional export/write behavior.

PowerShell refresh script environment-variable configuration
Files: scripts/refresh-stackscout.ps1
Summary: Replaces hardcoded candidate directory resolution with environment-variable-driven selection from STACKSCOUT_PRIVATE_STATUS_DIR or fallback STACKSCOUT_PRIVATE_EXPORT_DIR, creating the directory if missing. Makes $statusFile optional: when no private directory is configured, the script skips status writing instead of throwing. Updates Read-JsonFile to accept non-mandatory Path and return $null when unset. Adds guard in Write-RefreshStatus to early-return when $statusFile is unset.

Launch safety private pattern verification
Files: scripts/verify-launch-safety.js
Summary: Updates PRIVATE_PATTERNS regex to replace generic Windows drive/UNC patterns with specific detection for Kol user paths, W-drive paths, and estate UNC hosts. Makes the local-only marker pattern case-sensitive with explicitly listed variants instead of case-insensitive flag.

Timestamp and cache namespace refresh
Files: catalog/index.html, categories/*/index.html, collections/index.html, index.html, method/index.html, radar/index.html, tools/*/index.html, updates/index.html, data/*-manifest.json, service-worker.js
Summary: All page footers, tool pages, manifest JSON metadata (generatedAt, updatedAt), and service worker CACHE_NAME are updated from 25 May 2026 to 4 Jun 2026 (or ISO format 2026-05-25 → 2026-06-04). Service worker cache namespace bump invalidates previously cached assets on activation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A scout refreshes its tools with care, 🔧
From Windows paths to variables fair, 🌳
Private exports find their way,
While public timestamps shift to June's new day. 📅
Environment guides the builder's hand,
And manifests refresh across the land! 🗺️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'fix: narrow launch-safety private path checks' accurately reflects the primary change: updating PRIVATE_PATTERNS in verify-launch-safety.js to use more specific Kol/estate/W-drive patterns instead of broad Windows patterns.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/stackscout-launch-validation

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai (Bot) left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
scripts/verify-launch-safety.js (1)

162-173: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Service worker cache date is stale.

The pipeline is failing because CACHE_NAME in service-worker.js is set to stackscout-2026-06-04, but the visible issue date in index.html is 2026-06-06. The validation logic at line 171 correctly enforces that the cache name must not be older than the published issue date.

According to the review stack context, timestamps were refreshed to 4 Jun 2026 in layer 5, but the actual index.html content now shows 6 Jun 2026 (today's date). This indicates either:

  1. index.html was updated after the timestamp refresh, or
  2. The refresh script generated today's date instead of the intended 4 Jun date.

Action required: Update CACHE_NAME in service-worker.js to stackscout-2026-06-06 to match the issue date in index.html, or regenerate all timestamps consistently.

🐛 Proposed fix for service-worker.js

Update the CACHE_NAME constant:

-const CACHE_NAME = 'stackscout-2026-06-04'
+const CACHE_NAME = 'stackscout-2026-06-06'
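Review bot: this hunk moves CACHE_NAME forward to 2026-06-06 on the strength of an index.html date that the later inline comment in this same review says is not what is checked in (stackscout-2026-06-04 against Updated 4 Jun 2026, i.e. 2026-06-04), so it should only be applied after re-reading index.html on this branch; if the page still says 4 Jun, drop the hunk. Since the walkthrough lists CACHE_NAME among the values set by the uniform timestamp refresh, a hand edit here is also the more fragile of the two options offered: `cacheDateMatch[1] >= extractIssueDate()` would pass today, but the next refresh run would reset it. Regenerating all timestamps from one source keeps service-worker.js, the manifests and the page footers in step.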

Alternatively, verify the refresh script and regenerate all timestamps consistently if 4 Jun was the intended date.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/verify-launch-safety.js` around lines 162 - 173, The service worker
cache date is stale: in assertServiceWorkerFreshness() the cache name extracted
by extractCacheName() (CACHE_NAME in service-worker.js) is older than the
visible issue date from extractIssueDate(); update CACHE_NAME in
service-worker.js to "stackscout-2026-06-06" so cacheDateMatch[1] >=
extractIssueDate(), or if 2026-06-04 was intended, regenerate timestamps so
extractIssueDate() and CACHE_NAME are consistent (ensure changes reflect in
service-worker.js and any refresh script).
🧹 Nitpick comments (1)
scripts/verify-launch-safety.js (1)

50-50: ⚡ Quick win

Consider excluding generic localhost/127.0.0.1 from UNC pattern.

The estate UNC pattern includes localhost and 127.0.0.1, which are commonly used in generic examples, tutorials, and documentation. Including them may trigger false positives when the public site content quotes or references generic local development patterns.

The PR objective states the goal is to "avoid false positives caused by public feed text quoting generic Windows paths." If localhost/127.0.0.1 references in public content are intentional examples (not leaks of actual private paths), they should be removed from this pattern.

♻️ Proposed fix to exclude generic localhost references
-  { label: 'estate UNC path', pattern: /\\\\(?:\?\\)?(?:nas_storage_1|MINI-PC|localhost|127\.0\.0\.1)[\\/][^\s"'<>)]*/i },
+  { label: 'estate UNC path', pattern: /\\\\(?:\?\\)?(?:nas_storage_1|MINI-PC)[\\/][^\s"'<>)]*/i },
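Review bot: the false-positive argument for this hunk is narrower than the nitpick text suggests: the pattern is anchored on a leading `\\\\`, so only UNC-style `\\localhost\...` or `\\127.0.0.1\...` references would ever have matched, not the `http://localhost` URLs that generic tutorials usually quote. Dropping the two hosts is still reasonable, but confirm that no estate share is referenced by loopback name anywhere in the private tooling before relying on `nas_storage_1|MINI-PC` alone, and add a one-line comment beside the entry recording why those hosts were excluded so a future maintainer does not reinstate them.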
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/verify-launch-safety.js` at line 50, Update the UNC detection regex
for the entry with label 'estate UNC path' to remove the generic hosts
"localhost" and "127.0.0.1" from the alternation so the pattern only matches
specific machine names like "nas_storage_1" or "MINI-PC"; locate the object with
label 'estate UNC path' and edit its pattern property to drop the
localhost/127.0.0.1 alternatives while preserving the rest of the UNC matching
(leading backslashes and path segment matching).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/verify-launch-safety.js`:
- Line 51: The regex in PRIVATE_PATTERNS for the "local-only surface marker" is
case-sensitive and misses the lowercase "local-only"; update the
PRIVATE_PATTERNS entry (the object with label 'local-only surface marker') to
either include the lowercase variant (e.g., add 'local-only' to the alternation)
or apply the case-insensitive /i flag so it matches all case forms, and then
remove or correct the accompanying comment/assertion about a CACHE_NAME vs
index.html "Updated …" date mismatch (referencing CACHE_NAME and the
'index.html' Updated line) so it reflects the actual checked-in filenames/dates
or drops the incorrect claim.

---

Outside diff comments:
In `@scripts/verify-launch-safety.js`:
- Around line 162-173: The service worker cache date is stale: in
assertServiceWorkerFreshness() the cache name extracted by extractCacheName()
(CACHE_NAME in service-worker.js) is older than the visible issue date from
extractIssueDate(); update CACHE_NAME in service-worker.js to
"stackscout-2026-06-06" so cacheDateMatch[1] >= extractIssueDate(), or if
2026-06-04 was intended, regenerate timestamps so extractIssueDate() and
CACHE_NAME are consistent (ensure changes reflect in service-worker.js and any
refresh script).

---

Nitpick comments:
In `@scripts/verify-launch-safety.js`:
- Line 50: Update the UNC detection regex for the entry with label 'estate UNC
path' to remove the generic hosts "localhost" and "127.0.0.1" from the
alternation so the pattern only matches specific machine names like
"nas_storage_1" or "MINI-PC"; locate the object with label 'estate UNC path' and
edit its pattern property to drop the localhost/127.0.0.1 alternatives while
preserving the rest of the UNC matching (leading backslashes and path segment
matching).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f399a950-fe1c-4dbc-98d9-9cc414028996

📥 Commits

Reviewing files that changed from the base of the PR and between 2ee5a39 and 3ffb111.

📒 Files selected for processing (42)
  • .env.example
  • .gitignore
  • README.md
  • catalog/index.html
  • categories/apis/index.html
  • categories/clis/index.html
  • categories/desktop-apps/index.html
  • categories/index.html
  • categories/mcps/index.html
  • categories/web-apps/index.html
  • categories/web-services/index.html
  • categories/websites/index.html
  • collections/index.html
  • data/categories-manifest.json
  • data/collections-manifest.json
  • data/methodology-manifest.json
  • data/page-registry.json
  • data/radar-manifest.json
  • data/tools-manifest.json
  • data/updates-manifest.json
  • index.html
  • method/index.html
  • radar/index.html
  • scripts/build-stackscout.js
  • scripts/refresh-stackscout.ps1
  • scripts/verify-launch-safety.js
  • service-worker.js
  • tools/anthropic-api/index.html
  • tools/canvas-planner/index.html
  • tools/gh-cli/index.html
  • tools/github-mcp-server/index.html
  • tools/hugging-face/index.html
  • tools/make/index.html
  • tools/n8n/index.html
  • tools/openai-api/index.html
  • tools/perplexity/index.html
  • tools/playwright-mcp/index.html
  • tools/signal-stack/index.html
  • tools/strudel-studio/index.html
  • tools/syncpad/index.html
  • tools/wrangler/index.html
  • updates/index.html

Inline comment on scripts/verify-launch-safety.js, PRIVATE_PATTERNS entries under review:

  { label: 'Kol Windows user path', pattern: /\b[A-Z]:[\\/]Users[\\/](?:koltregaskes|kolin)[\\/][^\s"'<>)]*/i },
  { label: 'W drive estate path', pattern: /\bW:[\\/][^\s"'<>)]*/i },
  { label: 'estate UNC path', pattern: /\\\\(?:\?\\)?(?:nas_storage_1|MINI-PC|localhost|127\.0\.0\.1)[\\/][^\s"'<>)]*/i },
  { label: 'local-only surface marker', pattern: /\b(?:tools-hub-local|LOCAL-ONLY|_local)\b/ },


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Search for lowercase 'local-only' in public output that might be missed by the case-sensitive pattern

rg -n --type html --type js --type json -g '!verify-launch-safety.js' '\blocal-only\b'

Repository: koltregaskes/stackscout

Length of output: 49


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Inspect the exact PRIVATE_PATTERNS entries + where assertNoPrivateLeaks applies them.
sed -n '1,120p' scripts/verify-launch-safety.js | cat -n
sed -n '120,220p' scripts/verify-launch-safety.js | cat -n

# 2) Repo-wide occurrences of the marker variants (not just html/js/json)
rg -n --hidden --no-ignore-vcs --glob '!.git/*' '\b(local-only|LOCAL-ONLY|_local)\b' . || true

# 3) Also check for just "tools-hub-local" and "LOCAL-ONLY" as plain strings (case-sensitive)
rg -n --hidden --no-ignore-vcs --glob '!.git/*' 'tools-hub-local|LOCAL-ONLY|_local' . || true

Repository: koltregaskes/stackscout

Length of output: 8923


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Extract CACHE_NAME and index.html "Updated" date (what assertServiceWorkerFreshness compares)
echo "== service-worker.js CACHE_NAME =="
rg -n "const CACHE_NAME" service-worker.js
cache_name="$(rg -o "const CACHE_NAME = ['\"]([^'\"]+)['\"]" service-worker.js | sed -E "s/.*='([^']+)'.*/\1/" | head -n1)"
echo "CACHE_NAME=$cache_name"

echo
echo "== index.html Updated date string =="
updated_line="$(rg -n "Updated ([0-9]{1,2}) (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([0-9]{4})" index.html | head -n1 || true)"
echo "$updated_line"

# Parse into YYYY-MM-DD using same mapping as script (quick inline)
python3 - <<'PY'
import re, pathlib
text = pathlib.Path("index.html").read_text(encoding="utf-8", errors="ignore")
m = re.search(r"Updated\s+([0-9]{1,2})\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+([0-9]{4})", text)
month_map={"Jan":"01","Feb":"02","Mar":"03","Apr":"04","May":"05","Jun":"06","Jul":"07","Aug":"08","Sep":"09","Oct":"10","Nov":"11","Dec":"12"}
if not m:
    print("ISSUE_DATE=auto-today (no match)")
else:
    day=int(m.group(1))
    issue=f"{m.group(3)}-{month_map[m.group(2)]}-{day:02d}"
    print("ISSUE_DATE="+issue)
PY

# 2) Search only in paths that are scanned by collectPublicTextFiles():
# PUBLIC_ENTRIES = index.html, catalog, categories, collections, data, method, radar, tools, updates, app.js, pwa.js, service-worker.js, manifest.json, styles.css, sitemap.xml, icon.svg
# TEXT_EXTENSIONS = .css .html .js .json .svg .txt .xml

echo
echo "== Markers in scanned public text files (local-only / LOCAL-ONLY / tools-hub-local / _local) =="
rg -n --hidden --no-ignore-vcs \
  -g '*.css' -g '*.html' -g '*.js' -g '*.json' -g '*.svg' -g '*.txt' -g '*.xml' \
  -e '\b(local-only|LOCAL-ONLY|tools-hub-local|_local)\b' \
  index.html catalog categories collections data method radar tools updates \
  app.js pwa.js service-worker.js manifest.json styles.css sitemap.xml icon.svg || true

Repository: koltregaskes/stackscout

Length of output: 438


🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n --hidden --no-ignore-vcs --glob '!.git/*' \
  '\b(local-only|LOCAL-ONLY|tools-hub-local|_local)\b' . \
  || true

Repository: koltregaskes/stackscout

Length of output: 743


Fix case-sensitive local-only marker detection in PRIVATE_PATTERNS

scripts/verify-launch-safety.js uses a case-sensitive regex for the “local-only surface marker” (/\b(?:tools-hub-local|LOCAL-ONLY|_local)\b/), so it will not match lowercase local-only. Current public output doesn’t contain these marker strings, but this gap could allow a local-only leak through if it ever appears. Include the lowercase variant (or add an /i flag) to make detection consistent.

Also, the CACHE_NAME vs index.html “Updated …” date mismatch claim doesn’t apply to the checked-in files here (stackscout-2026-06-04 vs Updated 4 Jun 2026 → 2026-06-04).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/verify-launch-safety.js` at line 51, The regex in PRIVATE_PATTERNS
for the "local-only surface marker" is case-sensitive and misses the lowercase
"local-only"; update the PRIVATE_PATTERNS entry (the object with label
'local-only surface marker') to either include the lowercase variant (e.g., add
'local-only' to the alternation) or apply the case-insensitive /i flag so it
matches all case forms, and then remove or correct the accompanying
comment/assertion about a CACHE_NAME vs index.html "Updated …" date mismatch
(referencing CACHE_NAME and the 'index.html' Updated line) so it reflects the
actual checked-in filenames/dates or drops the incorrect claim.
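The two checks debated in this review, the private-path scan of public output and the cache-name freshness comparison, as an added JavaScript example that is not StackScout's own code. The four PRIVATE_PATTERNS entries are copied from the inline context above; the corrected set, the function names (scanPublicText, cacheNameIsFresh and their helpers) and the sample text are assumptions made for illustration. It runs under Node with no dependencies.

```javascript
'use strict';
// Added example, not StackScout's own code. The four PRIVATE_PATTERNS entries are
// copied from the review; everything else (function names, corrected patterns,
// sample text) is an assumption made for illustration.

// Patterns exactly as quoted in the inline review context.
const PATTERNS_UNDER_REVIEW = [
  { label: 'Kol Windows user path', pattern: /\b[A-Z]:[\\/]Users[\\/](?:koltregaskes|kolin)[\\/][^\s"'<>)]*/i },
  { label: 'W drive estate path', pattern: /\bW:[\\/][^\s"'<>)]*/i },
  { label: 'estate UNC path', pattern: /\\\\(?:\?\\)?(?:nas_storage_1|MINI-PC|localhost|127\.0\.0\.1)[\\/][^\s"'<>)]*/i },
  { label: 'local-only surface marker', pattern: /\b(?:tools-hub-local|LOCAL-ONLY|_local)\b/ },
];

// Hypothetical corrected set applying both review suggestions: generic loopback
// hosts dropped from the UNC alternation, and the marker made case-insensitive.
const PATTERNS_CORRECTED = [
  PATTERNS_UNDER_REVIEW[0],
  PATTERNS_UNDER_REVIEW[1],
  { label: 'estate UNC path', pattern: /\\\\(?:\?\\)?(?:nas_storage_1|MINI-PC)[\\/][^\s"'<>)]*/i },
  { label: 'local-only surface marker', pattern: /\b(?:tools-hub-local|local-only|_local)\b/i },
];

// Scan text line by line and return one finding per (line, pattern) hit.
// The patterns carry no /g flag, so exec() keeps no state between calls.
function scanPublicText(text, patterns) {
  const findings = [];
  text.split('\n').forEach((line, index) => {
    for (const { label, pattern } of patterns) {
      const m = pattern.exec(line);
      if (m) findings.push({ line: index + 1, label, snippet: m[0] });
    }
  });
  return findings;
}

// Constructed sample "public output": two lines that must stay clean, three
// that must be flagged, and one UNC reference to a generic loopback host.
const SAMPLE_PUBLIC_TEXT = [
  'Install to C:\\Users\\yourname\\AppData\\Local\\Programs\\Example',
  'Run the dev server at http://localhost:8787 and open the dashboard',
  'This build is local-only and must not be published',
  'Source: C:\\Users\\koltregaskes\\stackscout\\private\\notes.md',
  'Backup target \\\\nas_storage_1\\publishing\\stackscout.json',
  'Generic example share: \\\\localhost\\share\\readme.txt',
].join('\n');

const MONTHS = { Jan: '01', Feb: '02', Mar: '03', Apr: '04', May: '05', Jun: '06',
                 Jul: '07', Aug: '08', Sep: '09', Oct: '10', Nov: '11', Dec: '12' };

// Pull the ISO date out of `const CACHE_NAME = 'stackscout-YYYY-MM-DD'`.
function extractCacheDate(serviceWorkerSource) {
  const m = /const CACHE_NAME = ['"]stackscout-(\d{4}-\d{2}-\d{2})['"]/.exec(serviceWorkerSource);
  return m ? m[1] : null;
}

// Pull the visible "Updated D Mon YYYY" issue date out of index.html as ISO.
function extractIssueDate(indexHtml) {
  const m = /Updated\s+(\d{1,2})\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(\d{4})/.exec(indexHtml);
  return m ? `${m[3]}-${MONTHS[m[2]]}-${m[1].padStart(2, '0')}` : null;
}

// A cache name older than the published issue date means already-cached assets
// would survive the deploy. ISO date strings compare correctly as plain strings;
// a missing date on either side is treated as a failure, not a pass.
function cacheNameIsFresh(serviceWorkerSource, indexHtml) {
  const cacheDate = extractCacheDate(serviceWorkerSource);
  const issueDate = extractIssueDate(indexHtml);
  if (!cacheDate || !issueDate) return false;
  return cacheDate >= issueDate;
}

// Constructed fixtures mirroring the two dates debated in the review.
const SAMPLE_SERVICE_WORKER = "const CACHE_NAME = 'stackscout-2026-06-04'";
const SAMPLE_INDEX_CURRENT = '<p class="meta">Updated 4 Jun 2026</p>';
const SAMPLE_INDEX_NEWER = '<p class="meta">Updated 6 Jun 2026</p>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('under review:', scanPublicText(SAMPLE_PUBLIC_TEXT, PATTERNS_UNDER_REVIEW));
  console.log('corrected:   ', scanPublicText(SAMPLE_PUBLIC_TEXT, PATTERNS_CORRECTED));
  console.log('fresh vs 4 Jun:', cacheNameIsFresh(SAMPLE_SERVICE_WORKER, SAMPLE_INDEX_CURRENT));
  console.log('fresh vs 6 Jun:', cacheNameIsFresh(SAMPLE_SERVICE_WORKER, SAMPLE_INDEX_NEWER));
}
```

Running it with node prints both finding lists: the lowercase `local-only` line is reported only by the corrected set, and the `\\localhost\...` line only by the set under review, which is exactly the trade-off the two review comments describe. The freshness check passes for the checked-in 4 Jun pairing and fails for a 6 Jun page, matching the bot's later conclusion that the mismatch claim did not apply to these files.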

koltregaskes (Owner, Author) commented

Closing in favour of clean replacement branch fix/stackscout-launch-validation-clean. The original branch picked up noisy generated-data history during repair.
