Summary
Generated Go coverage profiles and test upload blobs are tracked in Git and are not currently ignored. This is separate from #69, which only covers the Desktop Rollup/Vite bundle visualizer HTML.
Evidence
git ls-files -- 'edge-server/cov_full' 'edge-server/$covPath' 'hub-server/tests/uploads/*' returns:
edge-server/$covPath
edge-server/cov_full
hub-server/tests/uploads/...
git check-ignore -v -- 'edge-server/cov_full' 'edge-server/$covPath' 'hub-server/tests/uploads/...' does not match an ignore rule for those generated paths.
edge-server/cov_full and edge-server/$covPath are Go coverage profile outputs, not source.
hub-server/tests/uploads/... contains files produced by attachment/upload tests, not hand-authored fixtures with descriptive names.
docs/security-risk-register.md already tracks this as AH-SR-012 alongside the Desktop analyzer artifact.
Impact
The repository carries generated local test/build artifacts. That makes diffs noisy, increases the chance of accidentally publishing local test data in future runs, and weakens the signal of intentional test fixtures. It also caused broad code searches to pick up coverage profile entries as if they were source paths.
Suggested fix
Remove the generated coverage profiles from the Git index.
Remove the generated upload blobs unless they are intentionally required fixtures; if fixtures are needed, replace them with small named files and a README explaining their purpose.
Add ignore rules for Edge coverage profile outputs and Hub test upload directories.
app/desktop/stats.html, or close both issues together from one cleanup PR if convenient.
Acceptance criteria
git ls-files -- 'edge-server/cov_full' 'edge-server/$covPath' 'hub-server/tests/uploads/*' returns no generated local artifacts.
hub-server/tests/ has a stable, documented purpose and is not a raw upload output directory.
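One way to carry out the suggested fix and check the first acceptance criterion, shown in a throwaway repository. This is an added example, not code from the issue or the project; the function names, the ignore patterns, the sample file contents and the blob-0001 file name are assumptions.

```sh
#!/bin/sh
# Added example (not project code): untrack generated artifacts, then ignore them.
set -eu

# List generated artifacts still tracked; empty output meets the acceptance criterion.
# '$covPath' is a literal file name, so it stays single-quoted to block shell expansion.
tracked_artifacts() {
  git -C "$1" ls-files -- 'edge-server/cov_full' 'edge-server/$covPath' \
    'hub-server/tests/uploads'
}

# Drop the artifacts from the index only (working-tree copies stay) and add ignore rules.
untrack_and_ignore() {
  git -C "$1" rm -r --cached --quiet --ignore-unmatch -- 'edge-server/cov_full' \
    'edge-server/$covPath' 'hub-server/tests/uploads'
  # '$' is not special in .gitignore patterns, so the literal name needs no escaping.
  printf '%s\n' '/edge-server/cov_full' '/edge-server/$covPath' \
    '/hub-server/tests/uploads/' >> "$1/.gitignore"
  git -C "$1" add .gitignore
}

# Constructed throwaway repo reproducing the reported state (file contents are made up).
make_demo_repo() {
  d=$(mktemp -d)
  git -C "$d" init --quiet >/dev/null
  mkdir -p "$d/edge-server" "$d/hub-server/tests/uploads"
  echo 'mode: set' > "$d/edge-server/cov_full"
  echo 'mode: set' > "$d/edge-server/\$covPath"
  echo 'constructed upload' > "$d/hub-server/tests/uploads/blob-0001"
  echo 'package main' > "$d/edge-server/main.go"
  git -C "$d" add -A
  git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
    commit --quiet -m 'reproduce tracked artifacts' >/dev/null
  echo "$d"
}

repo=$(make_demo_repo)
echo "tracked before:"; tracked_artifacts "$repo"
untrack_and_ignore "$repo"
echo "tracked after: $(tracked_artifacts "$repo" | wc -l)"
# check-ignore skips tracked paths unless --no-index is given; after untracking,
# each path reports the rule that now covers it.
git -C "$repo" check-ignore -v -- 'edge-server/cov_full' 'edge-server/$covPath' \
  'hub-server/tests/uploads/blob-0001'
rm -rf "$repo"
```

Because git rm --cached leaves the working-tree copies in place, any upload blob that is really a required fixture can still be renamed and re-added deliberately afterwards.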