CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-06-19 00:00:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat(ship,document-*): redaction scan-at-sink on PR bodies + generated docs

Browse Source 
- /ship: scan the composed PR body + title before create AND edit, from a temp
  file (exact bytes scanned = bytes sent). HIGH blocks the PR (no skip); MEDIUM
  confirms per finding. Codex/Greptile/eval sections go in tool-attributed fences
  so example credentials those tools quote WARN-degrade instead of blocking the
  PR — a live-format credential inside the fence still blocks.
- /document-release: scan the PR-body temp file before gh pr edit.
- /document-generate: scan the staged doc diff (added lines) before commit —
  generated docs often carry example credentials; a live-format secret blocks.

Tests: ship-template-redaction (incl. tool-fence WARN-degrade contract),
document-skills-redaction. All skills stay under the v1.47 size budget.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-05-29 07:21:48 -07:00
parent 7bae40c40d
commit dd4dd9e1f5
8 changed files with 205 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
document-release/SKILL.md
+10 -1
View File
@@ -1105,7 +1105,16 @@ glab mr view -F json 2>/dev/null | python3 -c "import sys,json; print(json.load(
If there are any documentation debt items, suggest adding a `docs-debt` label to the PR.
4. Write the updated body back:
4. Redaction scan-at-sink, then write the updated body back. The body is already
in a temp file (`/tmp/gstack-pr-body-$$.md`); scan THAT file before editing so
the bytes scanned are the bytes sent:
```bash
REDACT_VIS=$(~/.claude/skills/gstack/bin/gstack-config get redact_repo_visibility 2>/dev/null)
[ -z "$REDACT_VIS" ] && REDACT_VIS=$(gh repo view --json visibility -q .visibility 2>/dev/null | tr 'A-Z' 'a-z')
~/.claude/skills/gstack/bin/gstack-redact --from-file /tmp/gstack-pr-body-$$.md --repo-visibility "${REDACT_VIS:-unknown}" --json
# exit 3 (HIGH) → do NOT edit, rotate+redact; exit 2 (MEDIUM) → confirm per finding.
```
**If GitHub:**
```bash
document-release/SKILL.md.tmpl
+10 -1
View File
@@ -375,7 +375,16 @@ glab mr view -F json 2>/dev/null | python3 -c "import sys,json; print(json.load(
If there are any documentation debt items, suggest adding a `docs-debt` label to the PR.
4. Write the updated body back:
4. Redaction scan-at-sink, then write the updated body back. The body is already
in a temp file (`/tmp/gstack-pr-body-$$.md`); scan THAT file before editing so
the bytes scanned are the bytes sent:
```bash
REDACT_VIS=$(~/.claude/skills/gstack/bin/gstack-config get redact_repo_visibility 2>/dev/null)
[ -z "$REDACT_VIS" ] && REDACT_VIS=$(gh repo view --json visibility -q .visibility 2>/dev/null | tr 'A-Z' 'a-z')
~/.claude/skills/gstack/bin/gstack-redact --from-file /tmp/gstack-pr-body-$$.md --repo-visibility "${REDACT_VIS:-unknown}" --json
# exit 3 (HIGH) → do NOT edit, rotate+redact; exit 2 (MEDIUM) → confirm per finding.
```
**If GitHub:**
```bash