Security: lfzds4399-cpu/cleanup-harness

SECURITY.md

Security Policy

Reporting a vulnerability

Please do not open a public GitHub issue.

Email: lfzds4399@gmail.com with subject [security] cleanup-harness:.

Threat model

This tool reads your filesystem and may quarantine files. The risks worth thinking about:

  • False-positive deletion — a file you needed gets moved to _quarantine/. Mitigation: safe_guard.py whitelist + --execute opt-in + reversible quarantine. Reports go before any move.
  • Malicious config — a tampered cleanup.config.yaml could broaden scan targets or shrink protected roots. Mitigation: don't run unverified configs; review the diff if your config came from someone else.
  • Symlink traversal — the scanner does not follow symlinks across filesystems by default; it walks per-target only.

Hardening

  • Always run python run.py (dry-run) first and read REVIEW.md before adding --execute.
  • Add your secret-bearing directories to protected_roots even if they're already covered by sensitive_fragments.
  • Keep _quarantine/ for at least 30 days before manual purge — that's your undo buffer.
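The threat model and hardening list above describe four mitigations that belong together: a dry run that reports before anything moves, an explicit opt-in to execute, a reversible quarantine, and a scanner that refuses to cross symlinks or touch protected roots. The following is an added example written for this page, not the cleanup-harness project's own code, that wires those four into one small scanner. The names protected_roots, sensitive_fragments, _quarantine/ and the --execute opt-in come from the policy; the "*.log" matching rule, the treatment of sensitive_fragments as case-insensitive path substrings, the manifest file name and the sample directory tree are constructed assumptions for the demo. It assumes a POSIX filesystem because the demo creates symlinks.

```python
# Added example (not the cleanup-harness project's own code). Shows the policy's
# mitigations: dry run by default, execute opt-in, reversible quarantine, no
# symlink following, protected roots and sensitive_fragments never touched.
# The "*.log" rule, fragment semantics and sample tree are constructed here.
import json
import os
import shutil
import tempfile
from pathlib import Path

QUARANTINE_DIR = "_quarantine"
MANIFEST = "manifest.json"   # assumed name for the undo record


def is_under(path: Path, roots) -> bool:
    """Lexical containment check: is path one of roots or inside one?"""
    return any(path == r or r in path.parents for r in roots)


def is_sensitive(rel: Path, fragments) -> bool:
    """True if any component of the target-relative path contains a fragment."""
    return any(frag in part.lower() for part in rel.parts for frag in fragments)


def scan(target: Path, protected_roots, sensitive_fragments, patterns):
    """Walk target without following symlinks. Never descends into protected
    roots, the quarantine dir or symlinked dirs; skips symlinked files and
    sensitive paths. Returns (candidates, skipped) and moves nothing."""
    target = target.resolve()
    roots = [Path(r).resolve() for r in protected_roots]
    candidates, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(target, followlinks=False):
        d = Path(dirpath)
        keep = []
        for n in dirnames:
            sub = d / n
            if (n == QUARANTINE_DIR or sub.is_symlink() or is_under(sub, roots)
                    or is_sensitive(sub.relative_to(target), sensitive_fragments)):
                skipped.append(sub)
            else:
                keep.append(n)
        dirnames[:] = keep   # editing the list in place is what prunes os.walk
        for f in filenames:
            p = d / f
            if p.is_symlink() or is_sensitive(p.relative_to(target), sensitive_fragments):
                skipped.append(p)
            elif any(p.match(pat) for pat in patterns):
                candidates.append(p)
    return candidates, skipped


def plan_moves(target: Path, candidates):
    """The report: (src, dst) pairs, produced before anything moves."""
    qdir = target / QUARANTINE_DIR
    return [(src, qdir / src.relative_to(target)) for src in candidates]


def quarantine(target: Path, candidates, execute=False):
    """Dry run by default. With execute=True (the --execute opt-in), moves files
    into _quarantine/ and writes a manifest so every move can be undone."""
    moves = plan_moves(target, candidates)
    if not execute:
        return moves
    qdir = target / QUARANTINE_DIR
    qdir.mkdir(exist_ok=True)
    for src, dst in moves:
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
    (qdir / MANIFEST).write_text(json.dumps([[str(s), str(d)] for s, d in moves]))
    return moves


def restore(target: Path) -> int:
    """Undo: move each quarantined file back to where the manifest says it came from."""
    qdir = target / QUARANTINE_DIR
    moves = json.loads((qdir / MANIFEST).read_text())
    for src, dst in moves:
        Path(src).parent.mkdir(parents=True, exist_ok=True)
        shutil.move(dst, src)
    (qdir / MANIFEST).unlink()
    return len(moves)


def demo():
    """Constructed sample tree: dry-run, execute, then restore; returns what happened."""
    base = Path(tempfile.mkdtemp()).resolve()
    target = base / "project"
    (target / "build").mkdir(parents=True)
    (target / "build" / "app.log").write_text("junk")        # the one real candidate
    (target / "build" / "api_key.log").write_text("k")       # caught by sensitive_fragments
    (target / ".secrets").mkdir()
    (target / ".secrets" / "key.log").write_text("s")        # under a protected root
    (target / "notes.txt").write_text("keep")                # does not match *.log
    os.symlink(target / ".secrets", target / "link_to_secrets")        # symlinked dir
    os.symlink(target / ".secrets" / "key.log", target / "stray.log")  # symlinked file

    cands, skipped = scan(target, [target / ".secrets"], ("secret", "key"), ["*.log"])

    def rel(paths):
        return sorted(p.relative_to(target).as_posix() for p in paths)

    result = {"candidates": rel(cands), "skipped": rel(skipped)}
    result["dry_run_moves"] = len(quarantine(target, cands))            # report only
    result["still_there_after_dry_run"] = (target / "build" / "app.log").exists()
    quarantine(target, cands, execute=True)                             # opt-in move
    result["moved"] = (target / QUARANTINE_DIR / "build" / "app.log").exists()
    result["secret_intact"] = (target / ".secrets" / "key.log").exists()
    result["restored"] = restore(target)                                # the undo buffer
    result["back"] = (target / "build" / "app.log").exists()
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting. Pruning is done by rewriting `dirnames` in place, which is the only way to stop `os.walk` from descending; returning a filtered copy would silently walk into the protected root. And the protected-root check is lexical on resolved paths, so a symlink that points into a protected root is caught by the symlink rule, not the containment rule, which is why the policy recommends listing secret-bearing directories in protected_roots even when sensitive_fragments already covers them.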