feat(spec,cso): wire shared redaction — semantic pass + scan-at-sink + taxonomy

/spec Phase 4.5 rewrite:
- Phase 4.5a: in-conversation semantic content review (named-criticism,
  customer complaints, unannounced strategy, NDA, codename bleed). Injection-
  hardened (a body containing the SEMANTIC_REVIEW marker forces flagged).
  Content-free audit trail to ~/.gstack/security/semantic-reviews.jsonl.
- Phase 4.5b: replaces the inline 7-regex prose with the shared gstack-redact
  scan-at-sink (exact-byte temp file). Three enforcement points: pre-codex,
  pre-issue (files via --body-file from the scanned file), pre-archive (D2:
  sanitized body to the archive). --no-gate skips codex score only; redaction
  always runs, no flag disables it.

/cso: renders the full generated taxonomy table as its canonical pattern catalog
(shared source), keeps its git-history archaeology (different use case).

lib/redact-audit-log.ts: 0600 append-only semantic-review trail (no body text).
Resolver gains compact-table + brief-block variants so /spec references the
catalog instead of inlining it (stays under the v1.47 size budget).

Tests: extended spec invariants (semantic pass, scan-at-sink, no-promotion),
audit-log, cso/spec alignment. All green; spec 1.050× / cso 1.046× baseline.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-05-29 07:20:18 -07:00
parent 38d6fadad7
commit 7bae40c40d
9 changed files with 599 additions and 98 deletions
+6
View File
@@ -159,6 +159,12 @@ INFRASTRUCTURE SURFACE
Scan git history for leaked credentials, check tracked `.env` files, find CI configs with inline secrets.
**Canonical pattern catalog** (shared with `/spec`'s in-flight redaction, generated
from `lib/redact-patterns.ts` — the archaeology greps below target the HIGH-tier
prefixes from this table):
{{REDACT_TAXONOMY_TABLE}}
**Git history — known secret prefixes:**
```bash
git log -p --all -S "AKIA" --diff-filter=A -- "*.env" "*.yml" "*.yaml" "*.json" "*.toml" 2>/dev/null