Purge committed SQLite WAL/SHM blobs (Composio account IDs) from git history #359

Description

@nolanmak

Severity: Low — the leaked values are Composio reference identifiers, not credentials (useless without the Composio API key, which is not in the repo), and no OAuth tokens / message bodies / third-party PII are present. Parent: #306. Related: #305.

Problem

data.db-wal and data.db-shm (SQLite write-ahead-log sidecars) were committed in the initial setup commit d851160 and removed in 35a4999 — but they remain reachable in git history and are checkout-able from the public repo. (.gitignore already excludes *.db / *.db-wal / *.db-shm, so current HEAD is clean and this can't recur.)

Decoded blob contents (verified; values redacted here):

  • gmail_accounts table → gmail_connected_account_id = ca_Oxz…, ca_eEf…; gmail_pending_connection_id = ca_8h3…; auth_config_gmail = ac_qsg…; gmail_pending_entity_id = augmentagent-…
  • schema for actions / config / emails / senders / gmail_accounts
  • the emails table was empty (freshly-initialized DB) — confirmed no message bodies, contact emails/names/phones, or OAuth/refresh/access tokens.

Exposure is limited to internal Composio identifiers + table schema. Low impact, but real and shouldn't sit in public history.

Fix

  • Purge the blobs: git filter-repo --path data.db-wal --path data.db-shm --invert-paths — bundle into the single history rewrite alongside the companion path/authorship issues in this batch.
  • Force-push (safe per PUBLISH.md: no forks/PRs).
  • Defense-in-depth (optional): rotate the Gmail/Composio connection so the old ca_… / ac_… IDs are dead references.
  • Verify: git log --all --diff-filter=A -- 'data.db-wal' 'data.db-shm' → empty after rewrite.
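The purge-and-verify steps above, reproduced against a throwaway repository as an added example (not part of the issue or the project's own tooling). The script constructs a two-commit history that mirrors the one described (sidecars committed, then removed) using stand-in file contents, runs the issue's verification query plus a stricter object-level check, and performs the rewrite only if git-filter-repo is installed. All file names, commit messages and byte contents are constructed; nothing here is taken from the real repository.

```shell
#!/bin/sh
# Added example: reproduce "sidecar committed, later git rm'd" history and verify the purge.
set -eu

# Returns 0 when no commit on any ref ever added the given paths (the issue's acceptance check).
history_clean() {
  repo=$1; shift
  out=$(git -C "$repo" log --all --diff-filter=A --format=%H -- "$@")
  [ -z "$out" ]
}

# Stricter check: every object reachable from any ref whose path matches the pattern.
# Catches copies committed under other names that a path-specific log query would miss.
blobs_matching() {
  repo=$1; pattern=$2
  git -C "$repo" rev-list --all --objects | awk -v p="$pattern" '$2 ~ p {print $2}' | sort -u
}

# The rewrite from the issue. --force is needed because filter-repo refuses non-fresh clones.
purge_paths() {
  repo=$1; shift
  args=""
  for p in "$@"; do args="$args --path $p"; done
  # shellcheck disable=SC2086
  git -C "$repo" filter-repo $args --invert-paths --force
}

# Builds the constructed history: commit 1 adds the sidecars, commit 2 removes and ignores them.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  # Constructed stand-ins for the SQLite sidecars; not real SQLite page data.
  printf 'CONSTRUCTED WAL: gmail_connected_account_id=ca_EXAMPLE\n' > "$dir/data.db-wal"
  printf 'CONSTRUCTED SHM\n' > "$dir/data.db-shm"
  printf 'print("app")\n' > "$dir/app.py"
  git -C "$dir" add -A
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m 'initial setup (sidecars committed by mistake)'
  git -C "$dir" rm -q data.db-wal data.db-shm
  printf '*.db\n*.db-wal\n*.db-shm\n' > "$dir/.gitignore"
  git -C "$dir" add -A
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m 'remove sqlite sidecars, ignore them'
  printf '%s\n' "$dir"
}

demo() {
  repo=$(make_repo)
  printf 'HEAD is clean, but these commits still carry the sidecars:\n'
  git -C "$repo" log --all --diff-filter=A --oneline -- data.db-wal data.db-shm
  printf 'Still recoverable from history: %s\n' "$(git -C "$repo" show 'HEAD~1:data.db-wal')"
  printf 'Reachable objects: %s\n' "$(blobs_matching "$repo" '^data[.]db-' | tr '\n' ' ')"
  if command -v git-filter-repo >/dev/null 2>&1; then
    if purge_paths "$repo" data.db-wal data.db-shm && history_clean "$repo" data.db-wal data.db-shm; then
      printf 'After rewrite: no ref adds the sidecars, acceptance check passes\n'
    else
      printf 'Rewrite did not leave history clean; inspect before force-pushing\n'
    fi
  else
    printf 'git-filter-repo not installed; skipping the purge step\n'
  fi
  rm -rf "$repo"
}

demo
```

Two caveats worth keeping in mind when applying this to the real repository: the `--diff-filter=A` query only finds commits that added those exact paths, so `blobs_matching` (or `git rev-list --all --objects`) is the better acceptance test; and a rewrite only removes objects from the rewritten clone. Anyone who fetched before the force-push, and the hosting service's server-side object store until it is garbage-collected, can still serve the old commits by hash, which is why the optional rotation step in the Fix list is the only change that makes the leaked identifiers fully inert.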

Acceptance

No data.db* blob is reachable from any ref; the identifiers no longer appear anywhere in history.


Filed from a manual publish-safety audit, 2026-06-24.

Labels: area:security (Security hardening), self-audit-sec (Security finding from a self-audit probe), severity:low (Low security severity)