#!/usr/bin/env python3 """Scan release manifest entries for known accidental environment leaks.""" from __future__ import annotations import argparse from pathlib import Path KNOWN_ENV_LEAK_MARKERS = [ "ANTHROPIC_" + "AUTH_TOKEN", "ANTHROPIC_" + "BASE_URL=https://api.apexpoc.com", "CODEX_" + "THREAD_ID=", "CODEX_" + "SANDBOX_NETWORK_DISABLED=", ] def manifest_entries(path: Path) -> list[str]: entries: list[str] = [] for line in path.read_text(encoding="utf-8").splitlines(): if line.startswith("- `") and line.endswith("`"): entries.append(line[3:-1]) return entries def main() -> int: parser = argparse.ArgumentParser(description=__doc__) parser.add_argument("--root", required=True, type=Path) parser.add_argument("--manifest", required=True, type=Path) args = parser.parse_args() root = args.root.resolve() hits: list[tuple[str, str]] = [] for rel in manifest_entries(args.manifest): path = root / rel if not path.is_file(): continue try: text = path.read_text(encoding="utf-8", errors="ignore") except OSError: continue for marker in KNOWN_ENV_LEAK_MARKERS: if marker in text: hits.append((rel, marker)) if hits: print("ERROR: known environment leak markers found in release manifest entries:") for rel, marker in hits: print(f"- {rel}: {marker}") return 1 print("OK: no known environment leak markers found in release manifest entries") return 0 if __name__ == "__main__": raise SystemExit(main())