#!/usr/bin/env python """Audit the public WiSER release tree before upload.""" from __future__ import annotations import argparse import json import re from pathlib import Path SECRET_PATTERNS = [ re.compile(r"ghp_[A-Za-z0-9_]+"), re.compile(r"github_pat_[A-Za-z0-9_]+"), re.compile(r"gho_[A-Za-z0-9_]+"), re.compile(r"hf_[A-Za-z0-9_]+"), re.compile(r"(?i)\b(password|secret|api[_-]?key|access[_-]?token|auth[_-]?token)\s*=\s*['\"][^'\"]+['\"]"), ] RAW_SCANNET_PATTERNS = [ "mesh_aligned_0.05.ply", "mesh_aligned_0.05_semantic.ply", "segments.json", "segments_anno.json", "/iphone/", "/dslr/", "/scans/", ] def scan(root: Path) -> dict: findings = {"secrets": [], "raw_scannetpp": [], "absolute_data_paths": []} text_suffixes = {".py", ".md", ".txt", ".yml", ".yaml", ".json", ".sh", ".toml"} for path in root.rglob("*"): if path.is_dir(): continue rel = str(path.relative_to(root)) rel_unix = rel.replace("\\", "/") if rel_unix == "scripts/audit_release.py": continue if "__pycache__/" in rel_unix or rel_unix.endswith(".pyc"): continue if any(p in rel_unix or rel_unix.endswith(p) for p in RAW_SCANNET_PATTERNS): findings["raw_scannetpp"].append(rel) if path.suffix.lower() not in text_suffixes: continue try: text = path.read_text(errors="ignore") except OSError: continue for pat in SECRET_PATTERNS: if pat.search(text): findings["secrets"].append(rel) break if re.search(r"(^|[\"'\\s])/(data|home|mnt)/", text): findings["absolute_data_paths"].append(rel) findings["ok"] = not findings["secrets"] and not findings["raw_scannetpp"] return findings def main() -> None: p = argparse.ArgumentParser() p.add_argument("--root", default=".") p.add_argument("--out-json", default=None) args = p.parse_args() root = Path(args.root).resolve() findings = scan(root) text = json.dumps(findings, indent=2) if args.out_json: out = Path(args.out_json) out.parent.mkdir(parents=True, exist_ok=True) out.write_text(text) print(text) raise SystemExit(0 if findings["ok"] else 2) if __name__ == "__main__": main()