gstack

CalvinBackup/gstack

Fork 0

mirror of https://github.com/garrytan/gstack.git synced 2026-05-06 05:35:46 +02:00

Commit Graph

Author	SHA1	Message	Date
Garry Tan	c72c56dde9	fix(brain-sync): bearer-token regex catches values with leading space Pre-existing bug from v1.7.0.0: the bearer-token-json secret pattern required values matching [A-Za-z0-9_./+=-]{16,}, which rejected the "Bearer <token>" form because the literal space after "Bearer" wasn't in the character class. Real Authorization headers use "Bearer <token>" syntax, and the test fixture '"authorization":"Bearer abcdef1234567890abcdef1234567890"' sat unscanned despite being a leak-class secret. One-character fix: add space to the value character class. Test 'gstack-brain-sync secret scan > blocks bearer-json' now passes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-25 21:01:46 -07:00
Garry Tan	97cbacf409	feat(gbrain-sync): --once drain + secret scan + push bin/gstack-brain-sync is the core sync binary. Subcommands: --once (drain queue, allowlist-filter, privacy-class-filter, secret-scan staged diff, commit with template, push with fetch+merge retry), --status, --skip-file <path>, --drop-queue --yes, --discover-new (cursor-based detection of artifact writes that skip the shim). Secret regex families: AWS keys, GitHub tokens (ghp_/gho_/ghu_/ghs_/ ghr_/github_pat_), OpenAI sk-, PEM blocks, JWTs, bearer-token-in-JSON. On hit: unstage, preserve queue, print remediation hint (--skip-file or edit), exit clean. No daemon — invoked by preamble at skill boundaries.	2026-04-22 13:47:11 -07:00

Author

SHA1

Message

Date

Garry Tan

c72c56dde9

fix(brain-sync): bearer-token regex catches values with leading space

Pre-existing bug from v1.7.0.0: the bearer-token-json secret pattern
required values matching [A-Za-z0-9_./+=-]{16,}, which rejected the
"Bearer <token>" form because the literal space after "Bearer" wasn't
in the character class. Real Authorization headers use "Bearer <token>"
syntax, and the test fixture
  '"authorization":"Bearer abcdef1234567890abcdef1234567890"'
sat unscanned despite being a leak-class secret.

One-character fix: add space to the value character class. Test
'gstack-brain-sync secret scan > blocks bearer-json' now passes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-25 21:01:46 -07:00

Garry Tan

97cbacf409

feat(gbrain-sync): --once drain + secret scan + push

bin/gstack-brain-sync is the core sync binary. Subcommands: --once
(drain queue, allowlist-filter, privacy-class-filter, secret-scan
staged diff, commit with template, push with fetch+merge retry),
--status, --skip-file <path>, --drop-queue --yes, --discover-new
(cursor-based detection of artifact writes that skip the shim).

Secret regex families: AWS keys, GitHub tokens (ghp_/gho_/ghu_/ghs_/
ghr_/github_pat_), OpenAI sk-, PEM blocks, JWTs, bearer-token-in-JSON.
On hit: unstage, preserve queue, print remediation hint (--skip-file
or edit), exit clean. No daemon — invoked by preamble at skill
boundaries.

2026-04-22 13:47:11 -07:00

2 Commits