vestige/.github/workflows
Sam Valladares 2b50bf5d53 ci: guard against private cloud service code in public repo
Vestige Cloud is split: the public client (a thin HTTP sync backend that
only moves encrypted bytes) belongs here, but the hosted service — billing,
sync-key->namespace mapping, per-user isolation, Lemon Squeezy webhooks,
transactional email — must live only in the private repo.

Add scripts/check-no-private-cloud.sh, which git-greps tracked files for
distinctive private-service signatures (service crate identity, module
headers, billing/provider internals, server-side sync-key mapping SQL). The
patterns are chosen so the legitimate public client — including its
VESTIGE_CLOUD_* client env vars — does not match.

Wired into CI via guard-no-private-cloud.yml on push/PR. Verified both
directions: passes on the clean repo, fails (naming the markers) when real
private webhook.rs/keys.rs are introduced.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 18:19:01 -05:00
ci.yml fix(#41): restore Intel Mac build via ort-dynamic + Homebrew ONNX Runtime (#43) 2026-04-23 02:03:45 -05:00
guard-no-private-cloud.yml ci: guard against private cloud service code in public repo 2026-06-21 18:19:01 -05:00
pages.yml fix(pages): serve dashboard at site root, drop double /vestige nesting 2026-06-21 17:50:10 -05:00
release.yml fix: make windows release build and add manual rerun path 2026-06-18 23:39:38 -05:00
test.yml Prepare agent-neutral hardening release 2026-05-24 16:09:44 -05:00