From ffcc0fccf32e085b3e7b049676487bfe5df20bb5 Mon Sep 17 00:00:00 2001
From: Rodin <rodin@forgedthought.ai>
Date: Thu, 30 Apr 2026 15:49:25 -0700
Subject: [PATCH] chore: remove leftover tooling artifacts (watermark,
 changelog)

---
 .watermark.json         |  7 ----
 changelog/.gitkeep      |  0
 changelog/2026-04-30.md | 91 -----------------------------------------
 3 files changed, 98 deletions(-)
 delete mode 100644 .watermark.json
 delete mode 100644 changelog/.gitkeep
 delete mode 100644 changelog/2026-04-30.md

diff --git a/.watermark.json b/.watermark.json
deleted file mode 100644
index 3abc657..0000000
--- a/.watermark.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
-  "source_repo": "golang/go",
-  "last_digest_sha": "0e9a844b0d110deb6821df45b260332b923615f3",
-  "last_digest_at": "2026-04-30T14:01:00Z",
-  "last_refresh_sha": null,
-  "last_refresh_at": null
-}
diff --git a/changelog/.gitkeep b/changelog/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/changelog/2026-04-30.md b/changelog/2026-04-30.md
deleted file mode 100644
index c3ddf87..0000000
--- a/changelog/2026-04-30.md
+++ /dev/null
@@ -1,91 +0,0 @@
-# Go Daily Digest — 2026-04-30
-
-13 commits merged to master. Security-heavy day with 3 CVEs fixed.
-
-## Security Fixes
-
-### html/template: fix escaping of URLs in meta content attributes
-- **CVE:** CVE-2026-39823
-- **Issue:** [#78913](https://github.com/golang/go/issues/78913)
-- **Author:** Neal Patel
-- **Reviewed by:** Roland Shoemaker
-- **What:** Bypass of CVE-2026-27142 fix. WHATWG shared declarative refresh steps algorithm skips ASCII whitespace between `url` and `=` in meta content; escaper didn't account for that.
-- **Impact:** XSS via meta refresh redirect templates. Update if using html/template with meta redirects.
-
-### html/template: fix escaper bypass via empty script type
-- **CVE:** CVE-2026-39826
-- **Issue:** [#78981](https://github.com/golang/go/issues/78981)
-- **Author:** Neal Patel
-- **Reviewed by:** Roland Shoemaker
-- **What:** `<script type="">`, `<script type=" ">`, and `<script type="\t">` execute as JavaScript per spec, but escaper treated them as non-JS.
-- **Impact:** XSS vector. Browser quirks continue to be security bugs.
-
-### net/mail: fix quadratic consumePhrase behavior
-- **CVE:** CVE-2026-42499
-- **Issue:** [#78987](https://github.com/golang/go/issues/78987)
-- **Author:** Neal Patel
-- **Reviewed by:** Nicholas Husin
-- **What:** O(n²) string concatenation in email address parsing.
-- **Impact:** CPU exhaustion on untrusted email headers.
-
-## Tooling
-
-### cmd/go: set a HTTP user agent
-- **Author:** Sean Liao
-- **Issue:** [#78891](https://github.com/golang/go/issues/78891), Updates [#35699](https://github.com/golang/go/issues/35699)
-- **What:** cmd/go now sends a fixed user-agent string. Original proposal declined for privacy (no version info), but static identifier useful for module proxies/CDNs.
-
-### cmd/go: add go1.24 requirement when running go get with tools
-- **Author:** Olivier Mengué
-- **Issue:** Fixes [#74739](https://github.com/golang/go/issues/74739)
-- **What:** Tool directives enforce minimum go1.24 in go.mod. Prevents confusing failures with older toolchains.
-
-### cmd/go: loosen go work sync version requirements
-- **Author:** Michael Matloob
-- **Issue:** Fixes [#65363](https://github.com/golang/go/issues/65363)
-- **What:** Workspace replace directives could hide requirements causing conflicts during sync. Requirements are now additive; errors surfaced properly instead of silently dropped.
-
-## Compiler & Linker
-
-### cmd/compile, go/types: disable constant string size check
-- **Author:** Cherry Mui
-- **Issue:** Updates [#78346](https://github.com/golang/go/issues/78346)
-- **What:** Recently-added string constant size check eagerly constructed strings via constant.StringVal, causing massive memory usage with exponential doubling patterns. Rolled back pending lazy-length API.
-- **Lesson:** Performance-sensitive checks need lazy evaluation.
-
-### cmd/link: make -f flag actually ignore version mismatch
-- **Author:** Cherry Mui
-- **What:** The -f flag was documented as "ignore version mismatch" but didn't. Now it does.
-
-## Crypto
-
-### crypto/fips140: add package docs
-- **Author:** Filippo Valsorda
-- **Issue:** Fixes [#77879](https://github.com/golang/go/issues/77879)
-- **What:** FIPS 140 package now has proper documentation.
-
-### crypto/sha3: ensure unwrapped *sha3.Digest are usable
-- **Author:** Neal Patel
-- **Issue:** Updates [#75154](https://github.com/golang/go/issues/75154)
-
-### crypto/mlkem: enrich DecapsulationKey768|1024 doc comments
-- **Author:** Neal Patel
-- **What:** Better docs for post-quantum ML-KEM decapsulation key types.
-
-## Documentation
-
-### os/signal: add Notify windows documentation
-- **Author:** Alex Brainman
-- **Issue:** Updates [#77076](https://github.com/golang/go/issues/77076)
-- **What:** Clarifies that only os.Interrupt is supported on Windows.
-
-### encoding/json/jsontext: add TODO about removing Internal symbol
-- **Author:** Joe Tsai
-- **Issue:** Updates [#73435](https://github.com/golang/go/issues/73435)
-- **What:** Internal symbol is a hack for module-only visibility. TODO to replace with type aliases when pkgsite supports forwarded symbol docs.
-
-## Patterns to Extract
-
-- **Browser quirk security:** Any HTML spec edge case (whitespace handling, empty attributes) that browsers implement literally is a potential escaper bypass. The html/template package keeps getting hit by these.
-- **Lazy evaluation for safety checks:** When adding correctness checks to compilers, the check itself must not trigger the expensive operation it's guarding against (see constant string size check OOM).
-- **"Works as documented" audit:** The linker -f flag bug shows value in periodically verifying that documented behavior actually works. Fuzz the docs, not just the code.