Merge 9c4dde977d into 9d5739d992

test/test-abs-path-leak.js

@@ -67,16 +67,6 @@ test('Windows forward-slash drive path is detected', () => {
   assert(leakCount('See C:/Users/alex/notes.md for details.') === 1, 'C:/Users... not detected');
 });
 
-test('lowercase Windows drive path is detected', () => {
-  assert(leakCount('see c:\\Users\\alex\\notes.md') === 1, 'c:\\Users... not detected');
-  assert(leakCount('see c:/users/alex/notes.md') === 1, 'c:/users... not detected');
-});
-
-test('URLs are not flagged as drive-letter leaks', () => {
-  // https:// also contains "<letter>:/"; the \b in the pattern must exclude it.
-  assert(leakCount('docs at https://github.com/org/repo and http://example.com') === 0, 'URL falsely flagged');
-});
-
 test('Unix /Users path is detected', () => {
   assert(leakCount('open /Users/alex/secret.md') === 1, '/Users path not detected');
 });

tools/validate-file-refs.js

@@ -67,10 +67,9 @@ const STEP_META = /(?:thisStepFile|nextStepFile|continueStepFile|skipToStepFile|
 const LOAD_DIRECTIVE = /Load[:\s]+`(\.[^`]+)`/g;
 
 // Pattern: absolute path leaks
-// Windows drive paths use a single separator (C:\Users or C:/Users) and the drive
+// Windows drive paths use a single separator (C:\Users or C:/Users). In a regex
-// letter can be either case. The leading \b keeps URL schemes like https:// — which
+// literal `\\` already matches one backslash, so the class matches either separator.
-// also contain "<letter>:/" — from matching. In a regex literal `\\` is one backslash.
+const ABS_PATH_LEAK = /(?:\/Users\/|\/home\/|[A-Z]:[\\/])/;
-const ABS_PATH_LEAK = /(?:\/Users\/|\/home\/|\b[A-Za-z]:[\\/])/;
 
 // --- Output Escaping ---