CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-02 03:35:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat(supabase): schema migration for attack_attempt telemetry fields

Browse Source 
Extends telemetry_events with five nullable columns:
  * security_url_domain   (hostname only, never path/query)
  * security_payload_hash (salted SHA-256 hex)
  * security_confidence   (numeric 0..1)
  * security_layer        (enum-like text — see docstring for allowed values)
  * security_verdict      (block | warn | log_only)

Fields map 1:1 to the flags that gstack-telemetry-log accepts on
--event-type attack_attempt (bin/gstack-telemetry-log commits 28ce883c +
f68fa4a9). All nullable so existing skill_run inserts keep working.

Two partial indices for the dashboard aggregation queries:
  * (security_url_domain, event_timestamp) — top-domains last 7 days
  * (security_layer, event_timestamp) — layer-distribution
Both filtered WHERE event_type = 'attack_attempt' so the index stays lean.

RLS policies (anon_insert, anon_select) from 001_telemetry already
cover the new columns — no RLS changes needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-04-20 04:58:08 +08:00
parent 7a815fa7f6
commit a5588ec061
1 changed files with 44 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
supabase/migrations/004_attack_telemetry.sql
+44
View File
@@ -0,0 +1,44 @@
-- gstack attack telemetry — schema extension for prompt injection events.
--
-- Ships alongside the gstack-telemetry-log `--event-type attack_attempt`
-- flag (bin/gstack-telemetry-log, commits 28ce883c + f68fa4a9). These
-- columns are nullable so the existing skill_run events continue inserting
-- unchanged.
--
-- Fields (1:1 with gstack-telemetry-log flags):
-- security_url_domain — hostname only, never path/query
-- security_payload_hash — salted SHA-256 hex
-- security_confidence — 0..1 numeric, clamped client-side
-- security_layer — stackone_content | testsavant_content
-- | transcript_classifier | aria_regex | canary
-- | deberta_content
-- security_verdict — block | warn | log_only
--
-- Indices:
-- * (security_url_domain, event_timestamp) — for "top domains last 7 days"
-- * (security_layer, event_timestamp) WHERE event_type='attack_attempt'
-- — for layer-distribution queries
--
-- Privacy rules (enforced client-side, documented here):
-- * domain only, never path or query string
-- * payload_hash is a salted hash, not the payload
-- * salt is per-device local file (~/.gstack/security/device-salt) —
-- preventing cross-device rainbow table attacks
ALTER TABLE telemetry_events
ADD COLUMN security_url_domain TEXT,
ADD COLUMN security_payload_hash TEXT,
ADD COLUMN security_confidence NUMERIC,
ADD COLUMN security_layer TEXT,
ADD COLUMN security_verdict TEXT;
-- Top-domains query: ORDER BY count DESC WHERE event_type='attack_attempt'
-- AND event_timestamp > now() - interval '7 days'
CREATE INDEX idx_telemetry_attack_domain
ON telemetry_events (security_url_domain, event_timestamp)
WHERE event_type = 'attack_attempt';
-- Layer-distribution query
CREATE INDEX idx_telemetry_attack_layer
ON telemetry_events (security_layer, event_timestamp)
WHERE event_type = 'attack_attempt';