The Phase 2 external search also sent raw error messages to WebSearch.
Apply same sanitization rule as Phase 3 search escalation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three fixes from adversarial Codex review:
- /investigate: sanitize error messages before searching (strip hostnames,
IPs, file paths, SQL, customer data). Skip search if unsanitizable.
- /office-hours: add privacy gate before landscape search. Use generalized
category terms, never the user's specific product name or stealth idea.
- setup: link ETHOS.md into .agents/skills/gstack/ sidecar so workspace-
local Codex sessions can find the builder philosophy.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add generateSearchBeforeBuildingSection(ctx) to gen-skill-docs.ts.
Every workflow skill now gets a compact router section covering:
- Three layers of knowledge (tried-and-true, new-and-popular, first-principles)
- Eureka moment format and jq-based JSONL logging
- WebSearch fallback clause
- ETHOS.md reference via ctx.paths.skillRoot resolver
Also adds compact "Search before building" section to CLAUDE.md.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: plan mode exception for review log + telemetry writes
Add explicit plan-mode exception notes to review log sections in all
3 plan review skill templates and the telemetry section in gen-skill-docs.ts.
When Claude runs in plan mode, it self-censors bash writes — but review
logging and telemetry write to ~/.gstack/ (user metadata, not project
files). The preamble already writes to the same directory successfully.
The exception note gives Claude a reasoning chain: safety argument,
precedent, and consequence of skipping.
* chore: regenerate Codex/agents SKILL.md files with plan-mode exception
* chore: bump version and changelog (v0.9.0.1)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: community-first telemetry opt-in with anonymous fallback
Default opt-in is now "Help gstack get better!" (community mode with
stable device ID). If declined, offers anonymous mode as a softer
alternative before fully off.
* chore: regenerate SKILL.md files with community-first telemetry prompt
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add gstack-telemetry-log and gstack-analytics scripts
Local telemetry infrastructure for gstack usage tracking.
gstack-telemetry-log appends JSONL events with skill name, duration,
outcome, session ID, and platform info. Supports off/anonymous/community
privacy tiers. gstack-analytics renders a personal usage dashboard
from local data.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add telemetry preamble injection + opt-in prompt + epilogue
Extends generatePreamble() with telemetry start block (config read,
timer, session ID, .pending marker), opt-in prompt (gated by
.telemetry-prompted), and epilogue instructions for Claude to log
events after skill completion. Adds 5 telemetry tests.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: regenerate all SKILL.md files with telemetry blocks
Automated regeneration from gen-skill-docs.ts changes. All skills
now include telemetry start block, opt-in prompt, and epilogue.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add Supabase schema, edge functions, and SQL views
Telemetry backend infrastructure: telemetry_events table with RLS
(insert-only), installations table for retention tracking,
update_checks for install pings. Edge functions for update-check
(version + ping), telemetry-ingest (batch insert), and
community-pulse (weekly active count). SQL views for crash
clustering and skill co-occurrence sequences.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add telemetry-sync, community-dashboard, and integration tests
gstack-telemetry-sync: fire-and-forget JSONL → Supabase sync with
privacy tier field stripping, batch limits, and cursor tracking.
gstack-community-dashboard: CLI tool querying Supabase for skill
popularity, crash clusters, and version distribution.
19 integration tests covering all telemetry scripts.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: session-specific .pending markers + crash_clusters view fix
Addresses Codex review findings:
- .pending race condition: use .pending-$SESSION_ID instead of
shared .pending file to prevent concurrent session interference
- crash_clusters view: add total_occurrences and anonymous_occurrences
columns since anonymous tier has no installation_id
- Added test: own session pending marker is not finalized
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: dual-attempt update check with Supabase install ping
Fires a parallel background curl to Supabase during the slow-path
version fetch. Logs upgrade_prompted event only on fresh fetches
(not cached replays) to avoid overcounting. GitHub remains the
primary version source — Supabase ping is fire-and-forget.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: integrate telemetry usage stats into /retro output
Retro now reads ~/.gstack/analytics/skill-usage.jsonl and includes
gstack usage metrics (skill run counts, top skills, success rate)
in the weekly retrospective output.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: move 'Skill usage telemetry' to Completed in TODOS.md
Implemented in this branch: local JSONL logging, opt-in prompt,
privacy tiers, Supabase backend, community dashboard, /retro
integration.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: wire Supabase credentials and expose tables via Data API
Add supabase/config.sh with project URL and publishable key (safe to
commit — RLS restricts to INSERT only). Update telemetry-sync,
community-dashboard, and update-check to source the config and
include proper auth headers for the Supabase REST API.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add SELECT RLS policies to migration for community dashboard reads
All telemetry data is anonymous (no PII), so public reads via the
publishable key are safe. Needed for the community dashboard to
query skill popularity, crash clusters, and version distribution.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: bump version and changelog (v0.8.6)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: analytics backward-compatible with old JSONL format
Handle old-format events (no event_type field) alongside new format.
Skip hook_fire events. Fix grep -c whitespace issues and unbound
variable errors.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: map JSONL field names to Postgres columns in telemetry-sync
Local JSONL uses short names (v, ts, sessions) but the Supabase
table expects full names (schema_version, event_timestamp,
concurrent_sessions). Add sed mapping during field stripping.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address Codex adversarial findings — cursor, opt-out, queries
- Sync cursor now advances on HTTP 2xx (not grep for "inserted")
- Update-check respects telemetry opt-out before pinging Supabase
- Dashboard queries use correct view column names (total_occurrences)
- Sync strips old-format "repo" field to prevent privacy leak
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add Privacy & Telemetry section to README
Transparent disclosure of what telemetry collects, what it never sends,
how to opt out, and a link to the schema so users can verify.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: check for bun before running setup (#147)
Users without bun installed got a cryptic "command not found" error.
Now prints a clear message with install instructions.
Closes#147
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: block SSRF via URL validation in browse commands (#17)
Adds validateNavigationUrl() that blocks non-HTTP(S) schemes (file://,
javascript:, data:) and cloud metadata endpoints (169.254.169.254,
metadata.google.internal). Applied to goto, diff, and newTab commands.
Localhost and private IPs remain allowed for local dev QA.
Closes#17
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: replace eval $(gstack-slug) with source <(...) (#133)
Eliminates unnecessary use of eval across all skill templates and
generated files. source <(...) has identical behavior without the
shell injection surface. Also hardens gstack-diff-scope usage.
Closes#133
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: rename /debug to /investigate to avoid Claude Code conflict (#190)
Claude Code has a built-in /debug command that shadows the gstack skill.
Renaming to /investigate which better reflects the systematic root-cause
investigation methodology.
Closes#190
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* test: add unit tests for path validation helpers
validateOutputPath() and validateReadPath() are security-critical
functions with zero test coverage. Adds 14 tests covering safe paths,
traversal attacks, and prefix collision edge cases.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: bump version and changelog (v0.8.3)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: update /debug → /investigate references in docs
CLAUDE.md, README.md, and docs/skills.md still referenced the old
/debug skill name after the rename.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: harden URL validation against hostname bypasses (Codex P1)
Codex review found that metadata IPs could be reached via hex
(0xA9FEA9FE), decimal (2852039166), octal, trailing dot, and IPv6
bracket forms. Now normalizes hostnames before checking the blocklist
and probes numeric IP representations via URL constructor.
Also moves URL validation before page allocation in newTab() to
prevent zombie tabs on rejection (Codex P3).
5 new test cases for bypass variants.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Garry Tan