Harden ZIP cache and report path hygiene by svy04 · Pull Request #156 · svy04/metaforge

svy04 · 2026-06-19T22:00:44Z

Summary

Harden plugin ZIP creation so file contents and mode are read from the same opened file descriptor before writing cache entries.
Teach generated public-report sanitization to scrub the current repo root before broader user-home fallbacks, including worktree paths with private/local workspace names.
Extend public artifact hygiene write mode with the same current-root scrub so accidental local-path report output can be repaired before check mode.

bun test src\utils\plugins\zipCache.test.ts scripts\product-report-sanitizer.test.ts scripts\public-artifact-hygiene.test.ts scripts\public-repo-readiness.test.ts
bun run typecheck --pretty false
git diff --check
bun run product:quality
bun run verify:privacy

product:quality passed locally and still records local/protected environment boundaries without turning them into readiness claims.
Generated product-quality report churn from the local run is intentionally not included in this PR.

Harden ZIP cache and report path hygiene

097c22e

github-advanced-security AI found potential problems Jun 19, 2026

View reviewed changes

Comment thread src/utils/plugins/zipCache.ts Fixed

Address CI path audit and CodeQL ZIP flow

9710862

svy04 marked this pull request as ready for review June 19, 2026 22:15

svy04 merged commit 8c565d0 into main Jun 19, 2026
6 checks passed

svy04 deleted the codex/public-feedback-static-proof branch June 19, 2026 22:33