bin/gstack-redact-prepush scans the diff being pushed for HIGH credentials and
blocks on a hit, for public AND private repos (a pushed secret is compromised
regardless of visibility). Correct git pre-push semantics: scans remote..local
(what's being pushed), handles new-branch zero-SHA via merge-base or empty-tree
fallback, force-push, and branch-delete skip. MEDIUM warns non-blocking; LOW/WARN
silent. GSTACK_REDACT_PREPUSH=skip escape valve logs to prepush-skip.jsonl.
bin/gstack-redact gains install-prepush-hook / uninstall-prepush-hook
subcommands that chain any pre-existing hook (renamed to pre-push.local,
stdin forwarded to both, exit code propagated).
Guardrail not enforcement: --no-verify and the env skip both bypass; it scans
only the pushed delta, not history/binary/LFS. 9 tests in a throwaway git repo.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Skill-facing CLI wrapping lib/redact-engine. Reads stdin or --from-file,
scans, prints JSON (--json) or a human table. Exit codes 0/2/3 gate
dispatch/file/edit/commit (WARN never gates). --auto-redact emits the
sanitized body + diff for the PII-class one-keystroke path. --allowlist,
--self-email, --repo-public-emails, --repo-visibility, --max-bytes.
Fails closed on oversize at the CLI boundary before the engine even reads.
9 contract tests: exit codes, JSON shape, auto-redact, allowlist, self-email,
from-file, oversize-fail-closed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Garry Tan