feat(redact): semantic-pass eval + CLAUDE.md docs + size/parity baselines

- test/redact-semantic-pass.eval.ts: periodic-tier paid eval (EVALS=1) with 10
  should-flag / should-clean fixtures + an injection-resistance case, the only
  way to detect semantic-pass model drift.
- CLAUDE.md: "Redaction guard" section — engine/CLI/hook locations, the
  guardrail-not-enforcement framing, scan-at-sink, no-tier-promotion, the
  tool-attributed-fence convention, the config keys, and the audit log.
- /cso uses the compact (HIGH-tier) taxonomy table so it fits under BOTH the
  v1.47 and the older v1.44.1 parity ceilings; full MEDIUM/LOW lives in
  lib/redact-patterns.ts. Alignment test asserts the HIGH-tier contract.
- Refresh the ship golden baselines (claude/codex/factory) for the PR-body
  redaction wiring.

Full free suite green (incl. skill-size-budget + parity 10/10).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-05-29 07:40:12 -07:00
parent dd4dd9e1f5
commit 02f848dde4
8 changed files with 231 additions and 52 deletions
+3 -3
View File
@@ -160,10 +160,10 @@ INFRASTRUCTURE SURFACE
Scan git history for leaked credentials, check tracked `.env` files, find CI configs with inline secrets.
**Canonical pattern catalog** (shared with `/spec`'s in-flight redaction, generated
from `lib/redact-patterns.ts` — the archaeology greps below target the HIGH-tier
prefixes from this table):
from `lib/redact-patterns.ts` — the archaeology greps below target these HIGH-tier
prefixes; full MEDIUM/LOW taxonomy is in `lib/redact-patterns.ts`):
{{REDACT_TAXONOMY_TABLE}}
{{REDACT_TAXONOMY_TABLE:compact}}
**Git history — known secret prefixes:**
```bash