From ca1fb12462ed7e96f260a01a0c2e07b691bfba4c Mon Sep 17 00:00:00 2001
From: Val Vladescu <valentin@vvladescu.com>
Date: Wed, 8 Apr 2026 15:53:34 +0300
Subject: [PATCH 1/3] ci: add docs CI workflow (link check + leak guard)

---
 .github/workflows/ci.yml | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/ci.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..535c068
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,38 @@
+name: CI
+
+on:
+  push:
+    branches: [master, main]
+  pull_request:
+
+jobs:
+  links:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Lychee link check
+        uses: lycheeverse/lychee-action@v2
+        with:
+          args: >-
+            --no-progress
+            --exclude-mail
+            --exclude-loopback
+            --max-redirects 5
+            --accept '200..=204,206,301..=308,403,429'
+            './**/*.md'
+          fail: true
+
+  leak-guard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Scan for accidental leaks
+        shell: bash
+        run: |
+          set -e
+          PATTERN='UNKNOWN @ file://|/home/[a-z][a-z0-9_-]+/(orchestrator|models)/|sk-ant-api03-[A-Za-z0-9_-]{20,}|sk-proj-[A-Za-z0-9_-]{20,}|BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY'
+          if git ls-files | grep -vE '^\.github/workflows/' | xargs -r grep -EHn "$PATTERN" 2>/dev/null; then
+            echo "::error::Leak guard found suspicious patterns above"
+            exit 1
+          fi
+          echo "Leak guard clean"

From 2a2beb686addd089d4d1bda1f528016b19f757fe Mon Sep 17 00:00:00 2001
From: Val Vladescu <valentin@vvladescu.com>
Date: Wed, 8 Apr 2026 15:57:09 +0300
Subject: [PATCH 2/3] ci: drop --exclude-mail (removed in lychee v2) + tighten
 PRIVATE KEY regex

---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 535c068..ed300b2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
         with:
           args: >-
             --no-progress
-            --exclude-mail
+            
             --exclude-loopback
             --max-redirects 5
             --accept '200..=204,206,301..=308,403,429'
@@ -30,7 +30,7 @@ jobs:
         shell: bash
         run: |
           set -e
-          PATTERN='UNKNOWN @ file://|/home/[a-z][a-z0-9_-]+/(orchestrator|models)/|sk-ant-api03-[A-Za-z0-9_-]{20,}|sk-proj-[A-Za-z0-9_-]{20,}|BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY'
+          PATTERN='UNKNOWN @ file://|/home/[a-z][a-z0-9_-]+/(orchestrator|models)/|sk-ant-api03-[A-Za-z0-9_-]{20,}|sk-proj-[A-Za-z0-9_-]{20,}|-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----'
           if git ls-files | grep -vE '^\.github/workflows/' | xargs -r grep -EHn "$PATTERN" 2>/dev/null; then
             echo "::error::Leak guard found suspicious patterns above"
             exit 1

From cb33f3faa96061674e4ef2b71be988ad6216b35b Mon Sep 17 00:00:00 2001
From: Val Vladescu <valentin@vvladescu.com>
Date: Wed, 8 Apr 2026 15:59:51 +0300
Subject: [PATCH 3/3] ci(links): exclude github.com/zenprocess/switchyard
 (private repo, 404 to unauth)

---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ed300b2..779a315 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,6 +19,7 @@ jobs:
             --exclude-loopback
             --max-redirects 5
             --accept '200..=204,206,301..=308,403,429'
+            --exclude 'github.com/zenprocess/switchyard'
             './**/*.md'
           fail: true