
chore(security): scrub production Call SID and competitor lineage from public files #129

Merged
nicolotognoni merged 1 commit into main from worktree-security-scrub-changelog-comment on May 31, 2026

Conversation

@nicolotognoni
Collaborator

Summary

Two public-repo policy violations found during a full-tree audit, scrubbed from the working tree:

  1. Production Twilio Call SID in CHANGELOG.md (0.6.1 release notes) — security.md forbids real call SIDs in the repo. Also removed two private acceptance-repo path crumbs (releases/0.6.0/.../outbound-cartesia-cerebras-elevenlabs.ts) from the same two entries.
  2. Competitor lineage + non-English text in a stream-handler.ts pacing comment — referenced a competitor's frame serializer and a Twilio sample, and quoted a user complaint in Italian. Rewritten to neutral English, same technical content. Comment-only, no behaviour change. The Python twin was already clean.

Breaking change?

No — comment + release-notes text only.

Note on git history

Per maintainer decision, this is a working-tree scrub only; the strings remain reachable in git history. The Call SID is an opaque, non-credential resource ID (querying it requires the account auth token), accepted as low-risk — no history rewrite.

Test plan

  • No code paths touched (comment + CHANGELOG prose only) → no new tests, no CHANGELOG entry required.
  • Verified no residual Call SID / acceptance crumb / competitor lineage anywhere in the tracked tree.
  • CI green (pre-commit / hygiene).
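A hygiene check of the kind the test plan describes, added here as an example and not code from this repository: it scans git-tracked files for Twilio Call SID patterns and private acceptance-repo path crumbs and reports redacted matches so the CI log never echoes the value. The crumb pattern, the all-zero placeholder allowlist and the sample release notes are assumptions constructed for the example.

```python
import re
import subprocess
from typing import NamedTuple

# Twilio Call SIDs are "CA" followed by 32 hex characters (Twilio's documented SID format).
CALL_SID_RE = re.compile(r"\bCA[0-9a-fA-F]{32}\b")
# Private acceptance-repo path crumb, modelled on the releases/<version>/... shape the PR names.
ACCEPTANCE_CRUMB_RE = re.compile(r"releases/\d+\.\d+\.\d+/[^\s)\]]+")
# Assumed documentation placeholder; a real SID is never all zeros, so it is safe to allow.
ALLOWED_PLACEHOLDERS = {"CA" + "0" * 32}


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str  # prefix only, so the CI log itself never reproduces the value


def scan_text(path: str, text: str) -> list[Finding]:
    """Return policy violations found in one file's contents."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CALL_SID_RE.finditer(line):
            if m.group(0) not in ALLOWED_PLACEHOLDERS:
                findings.append(Finding(path, line_no, "twilio-call-sid", m.group(0)[:6] + "..."))
        for m in ACCEPTANCE_CRUMB_RE.finditer(line):
            findings.append(Finding(path, line_no, "acceptance-repo-path", m.group(0)[:15] + "..."))
    return findings


def scan_tracked_tree(root: str = ".") -> list[Finding]:
    """Scan every git-tracked file (only tracked files become public); skip non-text files."""
    out = subprocess.run(["git", "-C", root, "ls-files", "-z"], check=True, capture_output=True).stdout
    findings: list[Finding] = []
    for rel in filter(None, out.decode().split("\0")):
        try:
            with open(f"{root}/{rel}", encoding="utf-8") as fh:
                findings.extend(scan_text(rel, fh.read()))
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file
    return findings


# Constructed sample release notes; the SID below is made up, not a production value.
SAMPLE_CHANGELOG = """## 0.6.1
- Fix pacing regression observed on call CA0123456789abcdef0123456789abcdef
  (repro script: releases/0.6.0/scenarios/outbound-example.ts)
- Docs now use the placeholder CA00000000000000000000000000000000
"""
```

Wiring `scan_tracked_tree()` into the pre-commit hook and failing on a non-empty result turns the one-off audit into a standing check.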

…m public files

- CHANGELOG.md: remove a live Twilio Call SID and two private
  acceptance-repo path crumbs from the 0.6.1 release notes. A Call SID
  is production-call PII that security.md forbids in the public repo.
- stream-handler.ts: rewrite a pacing comment to drop a competitor
  lineage reference (TwilioFrameSerializer / call-gpt sample) and two
  non-English user-complaint quotes, restating the rationale in neutral
  English. Comment-only; no behaviour change.

The Python stream_handler twin was already clean. These strings remain
in git history (working-tree scrub only) — the Call SID is an opaque,
non-credential resource ID, accepted as low-risk per maintainer review.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@nicolotognoni nicolotognoni merged commit dee7610 into main May 31, 2026
10 checks passed
@github-actions github-actions Bot deleted the worktree-security-scrub-changelog-comment branch May 31, 2026 07:46
