Severity: P2. Confidence: high.
Affected files: internal/email/sender.go:517, internal/email/executed_notification_test.go:39, internal/email/template_renderers_test.go, frontend/src/__tests__/settings-accounts.test.ts:1240-1256, known_issues/23_ux_review_2026_04_22.md, .gitallowed:10
Evidence: git grep -l '540659244915' hits 5 tracked files (comment in sender.go, AccountLabel fixtures, settings-accounts external_id fixtures, a known_issues doc). This is provably the real deployment account: untracked terraform-apply-fargate.txt shows data.aws_caller_identity.current ... [id=540659244915]. The repo's own .gitallowed says: "DO NOT add a real account ID here. If a real account ID lands in the repo, rotate it and treat the leak seriously instead of silencing the scanner." All other fixtures use deliberate placeholders (123456789012 etc.).
Impact: The live account ID is published in a public repo (gh confirms visibility=PUBLIC; 4 of the files carry it on origin/main). Account IDs are not secrets but the repo's own policy treats them as sensitive: targeted phishing, ARN construction, bucket-policy probing, confused-deputy attempts. It also demonstrates the git-secrets gate has a hole - bare 12-digit numbers in labels/comments fall outside the registered regex shape.
Recommendation: Replace 540659244915 with an allowlisted placeholder in all five tracked files; investigate why git-secrets did not flag these commits; decide with the owner whether history scrubbing / treat-as-leak is warranted per the .gitallowed note.
Verifier verdict: confirmed - pushed to public main, not allowlisted, scanner-gap mechanism identified; P2 since account IDs are not credentials but this is a real published policy violation with a demonstrated gate hole.
Source: docs/reviews/codebase-review-2026-06-10.md (automated multi-dimension code review, adversarially verified for P1/P2)
Severity: P2. Confidence: high.
Affected files:
internal/email/sender.go:517,internal/email/executed_notification_test.go:39,internal/email/template_renderers_test.go,frontend/src/__tests__/settings-accounts.test.ts:1240-1256,known_issues/23_ux_review_2026_04_22.md,.gitallowed:10Evidence:
git grep -l '540659244915'hits 5 tracked files (comment in sender.go, AccountLabel fixtures, settings-accounts external_id fixtures, a known_issues doc). This is provably the real deployment account: untracked terraform-apply-fargate.txt showsdata.aws_caller_identity.current ... [id=540659244915]. The repo's own .gitallowed says: "DO NOT add a real account ID here. If a real account ID lands in the repo, rotate it and treat the leak seriously instead of silencing the scanner." All other fixtures use deliberate placeholders (123456789012 etc.).Impact: The live account ID is published in a public repo (gh confirms visibility=PUBLIC; 4 of the files carry it on origin/main). Account IDs are not secrets but the repo's own policy treats them as sensitive: targeted phishing, ARN construction, bucket-policy probing, confused-deputy attempts. It also demonstrates the git-secrets gate has a hole - bare 12-digit numbers in labels/comments fall outside the registered regex shape.
Recommendation: Replace 540659244915 with an allowlisted placeholder in all five tracked files; investigate why git-secrets did not flag these commits; decide with the owner whether history scrubbing / treat-as-leak is warranted per the .gitallowed note.
Verifier verdict: confirmed - pushed to public main, not allowlisted, scanner-gap mechanism identified; P2 since account IDs are not credentials but this is a real published policy violation with a demonstrated gate hole.
Source: docs/reviews/codebase-review-2026-06-10.md (automated multi-dimension code review, adversarially verified for P1/P2)