
Remove committed PostHog keys from Unstuck demo#61

Merged: simongonzalezdc merged 4 commits into main from fix/checkyourself-p0-telemetry-secrets on May 29, 2026

Conversation


@simongonzalezdc simongonzalezdc commented May 29, 2026

Pull Request

Empower Orchestrator checklist

  • I checked whether this PR reveals a repeatable task or recurring agent failure.
  • If it does, I either shipped the smallest durable improvement or documented why not.
  • Any automation or durable system change included the scale/severity/reversibility/predictability blast-radius check.
  • Workers/subagents stayed inside their assigned scope and verification evidence is included before completion claims.

Summary

  • move browser PostHog project keys out of source and into runtime/deploy config
  • make the VPS compose use environment variables for PostHog settings
  • expose the nested EF-COACH test suite from the repo root and add root CI with tests plus gitleaks
  • pin CI actions to immutable SHAs and disable checkout credential persistence

Verification

  • npm test: root guard + 44 nested live-demo tests passed
  • gitleaks dir . --redact --exit-code 1: no leaks found
  • CheckYourself scan: P0=0, P1=0, P2=0, P3=0
  • CheckYourself score with coverage: 100/high, no caps, coverage_complete=true
  • PR checks: agent-law, test-and-secret-scan, and CodeRabbit passed

Notes

  • Any real previously exposed PostHog project key should still be rotated in PostHog/deploy settings.


coderabbitai Bot commented May 29, 2026

Walkthrough

Refactors PostHog analytics to use runtime/deploy-time configuration, adds CI (tests + gitleaks) and a root test script, updates deployment compose and README, and expands tests to ensure no embedded PostHog keys in build artifacts.

Changes

Analytics Configuration Externalization

Layer: Project setup and CI automation
Files: package.json, .github/workflows/ci.yml, .gitignore, tests/root-test-surface.test.js
Summary: Root package.json adds test orchestration; GitHub Actions workflow runs tests and a locally installed gitleaks secret scan; .gitignore ignores .worktrees/; root test asserts test script wiring and presence of nested tests.

Layer: Landing analytics externalization
Files: EF-COACH/landing/posthog.js
Summary: Replaces hardcoded PostHog key with getPosthogKey() (reads window.UnstuckAnalyticsConfig or meta[name="posthog-project-key"]), makes sendViaBeacon fail-fast when unconfigured and return boolean success, updates track() fallback to return that boolean, and exposes window.UnstuckAnalytics.budget.configured.

Layer: Live demo analytics externalization
Files: EF-COACH/live-demo/public/posthog.js
Summary: Mirrors landing changes: dynamic key resolution, sendViaBeacon early-exit and boolean outcomes, track() fallback returning send result, and budget.configured flag.

Layer: Deployment environment configuration
Files: EF-COACH/live-demo/deploy/docker-compose.vps.yml
Summary: PostHog settings use ${VAR:-default} environment variable expansions (POSTHOG_ENABLED, POSTHOG_PROJECT_API_KEY, POSTHOG_HOST), defaulting to disabled/blank/default host.

Layer: Configuration documentation
Files: EF-COACH/README.md
Summary: Adds "Live Demo Configuration" section documenting deploy-time PostHog environment variables and runtime key-resolution options (window config or meta tag).

Layer: Analytics security validation tests
Files: EF-COACH/live-demo/test/chat-ui.test.mjs, EF-COACH/live-demo/test/compose.test.mjs
Summary: Adds assertions that bundled app.js and tracker files contain no phc_* keys and that trackers read runtime configuration and include an early-return guard when unconfigured; compose test validates docker-compose uses env var fallbacks.

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)

  • Docstring Coverage: Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4 passed)

  • Title check: Passed. The title 'Remove committed PostHog keys from Unstuck demo' accurately and concisely describes the primary change: moving PostHog keys from source code to runtime/deploy configuration.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: Passed. The PR description follows the Empower Orchestrator template, completes all checklist items, and provides clear summary, verification, and notes sections addressing the changes.

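The runtime key resolution and fail-fast guard described in the walkthrough above (and the "move keys out of source" item in the PR summary), as an added example that is not the PR's own posthog.js: it resolves the key from window.UnstuckAnalyticsConfig or the meta tag, returns false from sendViaBeacon when unconfigured, and applies the same kind of phc_ scan the added tests run over build artifacts. The config property name posthogProjectKey, the key pattern and the beacon endpoint path are assumptions; window and document are passed in so the code runs under Node with constructed fakes.

```javascript
// Added example, not the PR's own tracker: runtime PostHog key resolution,
// fail-fast beacon send, and a build-artifact key scan; window/document are
// injected so the logic runs outside a browser.
const POSTHOG_KEY_PATTERN = /phc_[A-Za-z0-9]{20,}/; // key shape (assumption)

// Window config first, then the meta tag, else null. `posthogProjectKey` is
// an assumed property name; the page names only the window object and tag.
function getPosthogKey(win, doc) {
  const cfg = win && win.UnstuckAnalyticsConfig;
  const fromCfg = cfg && typeof cfg.posthogProjectKey === 'string' ? cfg.posthogProjectKey.trim() : '';
  if (fromCfg) return fromCfg;
  const meta = doc && typeof doc.querySelector === 'function'
    ? doc.querySelector('meta[name="posthog-project-key"]') : null;
  const fromMeta = meta ? (meta.getAttribute('content') || '').trim() : '';
  return fromMeta || null;
}

// Fail fast: send nothing and return false when unconfigured, so an
// unconfigured deploy never posts events with an empty api_key.
// The "/capture/" path is an assumption for illustration only.
function sendViaBeacon(win, doc, host, payload) {
  const key = getPosthogKey(win, doc);
  if (!key) return false;
  const nav = win.navigator;
  if (!nav || typeof nav.sendBeacon !== 'function') return false;
  return nav.sendBeacon(host + '/capture/', JSON.stringify({ api_key: key, ...payload })) === true;
}

// Guard mirroring the added tests: a bundled artifact must embed no phc_ key.
function containsEmbeddedPosthogKey(source) {
  return POSTHOG_KEY_PATTERN.test(source);
}

// Constructed browser stand-in for offline runs; any key passed in is fake.
function makeFakeBrowser(cfgKey, metaKey, beaconAccepts) {
  const sent = [];
  const win = {
    UnstuckAnalyticsConfig: cfgKey ? { posthogProjectKey: cfgKey } : undefined,
    navigator: { sendBeacon(url, body) { sent.push({ url, body }); return beaconAccepts; } },
  };
  const doc = {
    querySelector(sel) {
      if (!metaKey || sel !== 'meta[name="posthog-project-key"]') return null;
      return { getAttribute: (name) => (name === 'content' ? metaKey : null) };
    },
  };
  return { win, doc, sent };
}
```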


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 22-36: Update the CI workflow to pin referenced actions to
immutable commit SHAs and disable checkout credential persistence: replace the
tag-based usages (actions/checkout@v4 and actions/setup-node@v4) with their
respective full commit SHAs, and add with: persist-credentials: false to the
actions/checkout step; ensure the step names ("Checkout" and "Set up Node") and
the "uses:" entries are updated accordingly (and do the same for any other
tag-based actions like actions/setup-go@v5 if present).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0abf5179-a178-409f-987e-8a0e40abfa6f

📥 Commits

Reviewing files that changed from the base of the PR and between 0205949 and c51a581.

📒 Files selected for processing (10)
  • .github/workflows/ci.yml
  • .gitignore
  • EF-COACH/README.md
  • EF-COACH/landing/posthog.js
  • EF-COACH/live-demo/deploy/docker-compose.vps.yml
  • EF-COACH/live-demo/public/posthog.js
  • EF-COACH/live-demo/test/chat-ui.test.mjs
  • EF-COACH/live-demo/test/compose.test.mjs
  • package.json
  • tests/root-test-surface.test.js

Comment thread .github/workflows/ci.yml Outdated
@simongonzalezdc simongonzalezdc merged commit bc4357e into main May 29, 2026
3 checks passed
@simongonzalezdc simongonzalezdc deleted the fix/checkyourself-p0-telemetry-secrets branch May 29, 2026 17:13
@coderabbitai coderabbitai Bot mentioned this pull request May 29, 2026