
security: scrub proprietary references from public repo + harden internal-refs guard#115

Merged
telivity-otaip merged 2 commits into
mainfrom
claude/scrub-aviare-refs
Jun 19, 2026

Conversation

@telivity-otaip

Collaborator

Why

A doc under packages/adapters/duffel referenced the proprietary commercial layer — a product name, a payment vendor, and a supplier certification blocker. That business detail must not live in the public OTAIP repo. The existing check-no-internal-refs.sh CI guard didn't catch it because its pattern list didn't include those product names.

What

  • Rewrote packages/adapters/duffel/PARITY_ROADMAP.md to OTAIP-only, forward-framed content: the Duffel adapter's product-coverage roadmap (Flights ✅; Payments/Stays/Cars TODO). No downstream-consumer references, no vendor/operational detail.
  • Extended scripts/check-no-internal-refs.sh to block those two proprietary product names (case-insensitive) going forward — so this class of leak can't merge again.

Verified

  • bash scripts/check-no-internal-refs.sh: clean.
  • Independent git grep: no proprietary references remain in any tracked file.

Notes

  • This removes the references from the working tree going forward. The repo is public and the content already exists in prior commit history; per decision, we are not rewriting history (treat the previously-exposed detail as already disclosed).
  • By necessity, the guard's blocklist now contains the two names as literal patterns (the same way it already lists the existing codename). If even that verbatim appearance is unwanted, they can be assembled from fragments so the words aren't grep-able — say the word and I'll follow up.

https://claude.ai/code/session_01TwDq6fWRtNtPqxzYm4fshB


Generated by Claude Code
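As an added example (not the project's own scripts/check-no-internal-refs.sh, whose contents are not shown on this page), a minimal guard of the kind the PR describes: a case-insensitive blocklist run over tracked files, one entry assembled from fragments as the Notes suggest, and self-exclusion so the literal entries in the guard file do not trip it. The guard path, codename and product names are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the OTAIP project's own scripts/check-no-internal-refs.sh:
# a minimal CI guard of the kind the PR extends. The codename and product
# names below are constructed placeholders, not the real ones.

# Repo path of the guard itself, skipped during the scan so its own
# blocklist does not count as a hit (path assumed to match the PR).
GUARD_SELF="scripts/check-no-internal-refs.sh"

# Blocklist: one extended regex per line, matched case-insensitively.
# The second entry is assembled from fragments (the option the PR notes
# mention), so the literal name is not itself grep-able in this file.
internal_ref_patterns() {
  frag_a="acme"; frag_b="travel"
  printf '%s\n' \
    'internal-codename-x' \
    "${frag_a}${frag_b}" \
    'payvendor-inc'
}

# Scan the given files (default: every git-tracked file), skipping the
# guard itself and binary files. Prints file:line:text for each hit and
# returns 1 when anything matched, 0 when the tree is clean.
check_no_internal_refs() {
  regex=$(internal_ref_patterns | tr '\n' '|')
  regex="${regex%|}"
  [ "$#" -eq 0 ] && set -- $(git ls-files 2>/dev/null)
  status=0
  for f in "$@"; do
    [ "$f" = "$GUARD_SELF" ] && continue
    [ -f "$f" ] || continue
    if grep -H -n -i -I -E -- "$regex" "$f"; then
      status=1
    fi
  done
  return "$status"
}

# CI entry point: CHECK_INTERNAL_REFS_RUN=1 bash guard.sh fails the job
# on any hit; kept behind a variable so sourcing the file runs nothing.
if [ "${CHECK_INTERNAL_REFS_RUN:-0}" = "1" ]; then
  if check_no_internal_refs; then
    echo "check-no-internal-refs: clean"
  else
    echo "check-no-internal-refs: proprietary references found (see above)" >&2
    exit 1
  fi
fi
```

Pass explicit paths to scan a subset (for example only the files touched in a PR); with no arguments it scans everything git tracks.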

claude added 2 commits June 19, 2026 16:33
…ternal-refs guard

One doc under packages/adapters/duffel referenced the proprietary
commercial layer (product name, a payment vendor, and a supplier
certification blocker) — business detail that must not live in the
public OTAIP repo. Rewrote it to OTAIP-only forward framing: the Duffel
adapter's product-coverage roadmap (Flights done; Payments/Stays/Cars
TODO), with no downstream-consumer references.

Also extended scripts/check-no-internal-refs.sh to block the two
proprietary product names going forward — the existing CI guard's
pattern list did not include them, which is why this slipped through.

Guard passes; no such references remain in tracked files.

https://claude.ai/code/session_01TwDq6fWRtNtPqxzYm4fshB
…-52qc)

The pnpm audit --audit-level=high CI gate flagged a High advisory in
hono (CORS wildcard-with-credentials), pulled via
@modelcontextprotocol/sdk in packages/connect. The existing override
floor (>=4.12.16) predates the patched version (>=4.12.25). Bump it;
audit --audit-level=high now passes (resolves to hono 4.12.26).

https://claude.ai/code/session_01TwDq6fWRtNtPqxzYm4fshB
@telivity-otaip telivity-otaip merged commit a76f13a into main Jun 19, 2026
1 check passed
@telivity-otaip telivity-otaip deleted the claude/scrub-aviare-refs branch June 19, 2026 16:39