CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-06-20 08:40:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat(ship,document-*): redaction scan-at-sink on PR bodies + generated docs

Browse Source 
- /ship: scan the composed PR body + title before create AND edit, from a temp
  file (exact bytes scanned = bytes sent). HIGH blocks the PR (no skip); MEDIUM
  confirms per finding. Codex/Greptile/eval sections go in tool-attributed fences
  so example credentials those tools quote WARN-degrade instead of blocking the
  PR — a live-format credential inside the fence still blocks.
- /document-release: scan the PR-body temp file before gh pr edit.
- /document-generate: scan the staged doc diff (added lines) before commit —
  generated docs often carry example credentials; a live-format secret blocks.

Tests: ship-template-redaction (incl. tool-fence WARN-degrade contract),
document-skills-redaction. All skills stay under the v1.47 size budget.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-05-29 07:21:48 -07:00
parent 7bae40c40d
commit dd4dd9e1f5
8 changed files with 205 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
document-generate/SKILL.md
+14
View File
@@ -1107,6 +1107,20 @@ Fix any failures before proceeding.
1. Stage new documentation files by name (never `git add -A` or `git add .`).
**Redaction scan before commit.** Generated docs frequently contain example
credentials; scan the staged doc content and block on a HIGH credential (a
live-format secret in committed docs is a leak). Example configs belong in
` ```example ` fences won't excuse a live-format secret, but the per-span
placeholder filter passes obvious docs examples (e.g. `AKIAIOSFODNN7EXAMPLE`):
```bash
REDACT_VIS=$(~/.claude/skills/gstack/bin/gstack-config get redact_repo_visibility 2>/dev/null)
[ -z "$REDACT_VIS" ] && REDACT_VIS=$(gh repo view --json visibility -q .visibility 2>/dev/null | tr 'A-Z' 'a-z')
git diff --cached --no-color | grep '^+' | sed 's/^+//' | \
~/.claude/skills/gstack/bin/gstack-redact --repo-visibility "${REDACT_VIS:-unknown}" --json
# exit 3 (HIGH) → unstage the offending doc, remove the secret, re-stage. Do NOT commit.
```
2. Create a commit:
```bash
document-generate/SKILL.md.tmpl
+14
View File
@@ -378,6 +378,20 @@ Fix any failures before proceeding.
1. Stage new documentation files by name (never `git add -A` or `git add .`).
**Redaction scan before commit.** Generated docs frequently contain example
credentials; scan the staged doc content and block on a HIGH credential (a
live-format secret in committed docs is a leak). Example configs belong in
` ```example ` fences won't excuse a live-format secret, but the per-span
placeholder filter passes obvious docs examples (e.g. `AKIAIOSFODNN7EXAMPLE`):
```bash
REDACT_VIS=$(~/.claude/skills/gstack/bin/gstack-config get redact_repo_visibility 2>/dev/null)
[ -z "$REDACT_VIS" ] && REDACT_VIS=$(gh repo view --json visibility -q .visibility 2>/dev/null | tr 'A-Z' 'a-z')
git diff --cached --no-color | grep '^+' | sed 's/^+//' | \
~/.claude/skills/gstack/bin/gstack-redact --repo-visibility "${REDACT_VIS:-unknown}" --json
# exit 3 (HIGH) → unstage the offending doc, remove the secret, re-stage. Do NOT commit.
```
2. Create a commit:
```bash