Headline

Risk level: HIGH. Live operational credentials are sitting in committed history of two private repos:

Both repos are private, but rotation is the only true mitigation.

Also today:

Per-repo state

10 repos audited. Detail in Codex log.

| Repo | Branch | Uncommitted | Oldest unstaged | Last commit |
| ------ | -------- | ------------: | ----------------: | ------------- |
| ghost-os | main | 0 | | 2026-03-23 |
| ha-law | main | 15 | 20d | 2026-04-16 |
| sail-cases | main | 2 | 11d | 2026-04-07 |
| sail-hr | main | 5 | 27d | 2026-04-07 |
| sail-infrastructure | agent/projects-reorg-04-18 | 6 | 14d | 2026-04-23 |
| sail-knowledge | agent/living-wiki-refresh-04-24 | 1 | 9d | 2026-04-24 |
| sail-litify | codex/roundtable-qa-04-25 | 20 | 34d | 2026-04-24 |
| sail-marketing | agent/projects-reorg-04-18 | 7 | 11d | 2026-04-23 |
| sail-seo | agent/visual-normalize-04-23 | 800 | 12d | 2026-04-23 |
| sail-templates | agent/trust-strip-04-19 | 13 | 27d | 2026-04-23 |

Diverged branches >7 days (active)

The agent/projects-reorg-2026-04-18 branch persists across infrastructure, marketing, and litify. The agent/trust-strip-sitewide-2026-04-19 branch persists across sail-seo and sail-templates. Both are 11–16 days old. Decision needed: merge or abandon.

Secret exposure detail

| Secret | Repo | Files in HEAD | Distinct commits |
| -------- | ------ | --------------: | -----------------: |
| WordPress App Password | sail-knowledge | 40 | 2 |
| WordPress App Password | sail-seo | 2 | 2 |
| Cloudways SSH Password | sail-knowledge | 10 | 2 |
| Semrush API Key | sail-knowledge | 2 | 2 |

No sk-, sk-ant-, ghp_, github_pat_, xoxb-, or AKIA token literals were found in any committed file or recent diff, so Anthropic, OpenAI, GitHub, Slack, and AWS credentials show no exposure.
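A check of the kind summarised above, as an added example that is not the audit's own tooling: it scans the added lines of a unified diff for the token-prefix literals this report lists and returns redacted findings per file. The character classes after each prefix and the sample diff are constructed assumptions, not the audit's rules or data.

```python
import re
from typing import Dict, List, Tuple

# Prefixes named in the report. The trailing character classes are
# assumptions about each token format (constructed here) that narrow
# false positives; they are not the audit's own rules.
TOKEN_PATTERNS: Dict[str, re.Pattern] = {
    "anthropic": re.compile(r"\bsk-ant-[A-Za-z0-9_\-]{20,}"),
    "openai": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_\-]{20,}"),
    "github_classic": re.compile(r"\bghp_[A-Za-z0-9]{20,}"),
    "github_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}"),
    "slack_bot": re.compile(r"\bxoxb-[0-9A-Za-z\-]{10,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def scan_diff(diff_text: str) -> List[Tuple[str, str, str]]:
    """Return (file, kind, redacted_token) for every token literal found
    on an added ('+') line of a unified diff. Removed lines are skipped,
    so deleting a secret in a later commit does not re-trigger a finding;
    the earlier commit that added it still has to be scanned separately."""
    findings: List[Tuple[str, str, str]] = []
    current_file = "<unknown>"
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            # New-side file header, e.g. "+++ b/config/settings.py".
            current_file = line[4:].removeprefix("b/")
            continue
        if not line.startswith("+"):
            continue
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(line):
                token = m.group(0)
                # Never log the full literal; keep enough to identify it.
                findings.append((current_file, kind, token[:8] + "..." + token[-4:]))
    return findings


# Constructed sample diff: a key removed from source (still in history)
# and a different key newly added in the same hunk.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,4 @@
 DEBUG = False
-OPENAI_KEY = "sk-EXAMPLEEXAMPLEEXAMPLEEXAMPLE01"
+OPENAI_KEY = os.environ["OPENAI_KEY"]
+AWS_KEY = "AKIAEXAMPLE012345678"
"""

if __name__ == "__main__":
    for path, kind, redacted in scan_diff(SAMPLE_DIFF):
        print(f"{path}: {kind} {redacted}")
```

Feed it the output of `git log -p --all` rather than a single working-tree diff to cover committed history, which is the reason the report treats rotation, not deletion, as the only real mitigation.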

QA Recommendations Pending Approval

Five items awaiting Sam's decision (full A/B/C/D options in the Codex log):