Merge 3df821d26e into 9d5739d992

Following review feedback, widen the Windows branch to [A-Za-z] so
lowercase paths (c:\Users\...) are caught too. Kept a \b anchor so URL
schemes like https:// (which also contain "<letter>:/") aren't flagged —
a plain [A-Za-z] would have matched every URL in the docs.

Added lowercase and URL-not-flagged cases to the test (now 8/8).

test/test-abs-path-leak.js

@@ -67,6 +67,16 @@ test('Windows forward-slash drive path is detected', () => {
   assert(leakCount('See C:/Users/alex/notes.md for details.') === 1, 'C:/Users... not detected');
 });
 
+test('lowercase Windows drive path is detected', () => {
+  assert(leakCount('see c:\\Users\\alex\\notes.md') === 1, 'c:\\Users... not detected');
+  assert(leakCount('see c:/users/alex/notes.md') === 1, 'c:/users... not detected');
+});
+
+test('URLs are not flagged as drive-letter leaks', () => {
+  // https:// also contains "<letter>:/"; the \b in the pattern must exclude it.
+  assert(leakCount('docs at https://github.com/org/repo and http://example.com') === 0, 'URL falsely flagged');
+});
+
 test('Unix /Users path is detected', () => {
   assert(leakCount('open /Users/alex/secret.md') === 1, '/Users path not detected');
 });

tools/validate-file-refs.js

@@ -67,9 +67,10 @@ const STEP_META = /(?:thisStepFile|nextStepFile|continueStepFile|skipToStepFile|
 const LOAD_DIRECTIVE = /Load[:\s]+`(\.[^`]+)`/g;
 
 // Pattern: absolute path leaks
-// Windows drive paths use a single separator (C:\Users or C:/Users). In a regex
+// Windows drive paths use a single separator (C:\Users or C:/Users) and the drive
-// literal `\\` already matches one backslash, so the class matches either separator.
+// letter can be either case. The leading \b keeps URL schemes like https:// — which
-const ABS_PATH_LEAK = /(?:\/Users\/|\/home\/|[A-Z]:[\\/])/;
+// also contain "<letter>:/" — from matching. In a regex literal `\\` is one backslash.
+const ABS_PATH_LEAK = /(?:\/Users\/|\/home\/|\b[A-Za-z]:[\\/])/;
 
 // --- Output Escaping ---