May 19, 20265 min read

The Hidden Git Branch That Leaked 20,000+ AI Coding Sessions

While tracing the source of an AI coding-agent dataset, we found 20,000+ agent sessions exposed through public Git branches, including API keys, credentials, infrastructure details, and screenshots.

A clean infographic showing a public repository with an entire/checkpoints/v1 branch flowing into agent session logs, screenshots, API keys, database credentials, internal context, and private data

How a question about training data led us to 20,000+ exposed AI coding sessions in public repositories.

While reading a research paper about AI coding agents, a simple question caught my attention:

Where did all of the training data come from?

That question led us to more than 20,000 publicly accessible AI coding sessions spread across hundreds of repositories. The exposed material included API keys, database credentials, internal infrastructure details, proprietary source code, debugging transcripts, and screenshots that were never intended to be public.

Nobody had to break into anything. The data was already available through a Git branch that many developers did not know existed.

Following the Trail

Our investigation started with the research paper SWE-chat: Coding Agent Interactions From Real Users in the Wild, which was built on a large dataset of real-world AI coding agent interactions. As coding agents move deeper into developer workflows, they see far more than source code: terminal output, infrastructure configuration, production logs, debugging context, screenshots, and operational details.

We wanted to understand where such a large dataset came from. The trail eventually led us to Entire, an observability platform designed to capture and preserve AI coding agent activity.

The concept is useful. One of the hardest parts of adopting AI coding agents is understanding how they reached a result. Session recording gives teams visibility into prompts, decisions, commands, and execution history that would otherwise disappear.

The problem was not session recording. The problem was where some of that recorded data ended up.

The Hidden Branch

Entire stores agent session history inside a dedicated Git branch:

entire/checkpoints/v1

That design has practical advantages. Agent metadata stays separate from production code, repositories remain self-contained, and teams can review agent activity using familiar Git workflows.

In many public repositories, though, the checkpoint branch was publicly accessible too. Because it is not part of normal day-to-day development, many teams appeared unaware that the branch existed, or that it contained detailed records of AI agent activity. As developers kept working, agent session history kept accumulating next to the code.

What We Found

At first, we expected to find only a handful of examples. Instead, the numbers kept growing. By the end of the investigation, we identified:

  • 400+ public repositories exposing checkpoint branches
  • 20,000+ recorded AI coding sessions
  • Thousands of sensitive artifacts that were never intended to be public

The contents were often far more sensitive than the source code itself. Examples included:

  • API keys and hardcoded credentials
  • Cloud infrastructure secrets
  • Production database connection details
  • Internal architecture documentation
  • Proprietary source code
  • Production debugging transcripts
  • Screenshots uploaded during troubleshooting

The screenshots were especially concerning. Developers often share screenshots with AI agents while debugging issues, reviewing interfaces, or troubleshooting production systems. Those images can contain customer information, internal dashboards, operational metrics, or sensitive business data. In many cases, they were preserved as part of the agent session history.

We are not publishing repository names or raw sensitive artifacts here. The point is the exposure pattern, not naming affected teams.

Responsible Disclosure

Once we understood the scope, our focus shifted from research to remediation. We contacted affected projects, including independent developers, startups, open-source maintainers, and enterprise organizations.

The response was consistent: most teams had no idea the data was public. Many believed they were exposing only source code through their public repositories. They were surprised to learn that parts of their development process, including AI conversations, terminal output, screenshots, and debugging activity, were accessible too.

Affected organizations began removing public access, reviewing repository configuration, and rotating exposed credentials where necessary.

The Bigger Lesson

This story is not really about one company or one Git branch. It is about a new category of security risk created by AI-powered development tools.

Historically, organizations focused on protecting source code. Today, they also need to protect the operational residue around code: prompt histories, agent reasoning traces, terminal transcripts, infrastructure context, screenshots, debugging sessions, and generated artifacts.

In many cases, this data is more sensitive than the code itself. As AI coding agents become standard development tools, organizations need runtime visibility, governance, and retention controls for agent session data, not only repository access control.

What You Should Check Today

If your team uses AI coding agents, observability platforms, or session recording tools, we recommend:

  • Review all repository branches, not just the default branch.
  • Identify checkpoint, trace, or session-related branches.
  • Audit stored agent logs for sensitive information.
  • Verify repository and branch visibility settings.
  • Rotate any potentially exposed credentials.
  • Treat AI session data as sensitive engineering data.

The most dangerous security issues are often the ones nobody realizes exist. This wasn’t a sophisticated exploit—it was a hidden branch. And for thousands of developers, that was enough.


Have you seen similar blind spots with AI coding agents or observability platforms? Tell us how your team approaches agent security and session management.