Resolve bin/gstack-config (keep both redact_* and brain_* config keys).
Regenerate all SKILL.md from merged templates + resolvers (redact-doc resolver
now coexists with main's brain-aware-planning resolvers). Refresh ship goldens.
Move the redaction taxonomy reference in /cso and /spec to a pointer at
lib/redact-patterns.ts (single source of truth) so neither skill inlines the
full catalog — keeps both under the size budget after the merge.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- test/redact-semantic-pass.eval.ts: periodic-tier paid eval (EVALS=1) with 10
should-flag / should-clean fixtures + an injection-resistance case, the only
way to detect semantic-pass model drift.
- CLAUDE.md: "Redaction guard" section — engine/CLI/hook locations, the
guardrail-not-enforcement framing, scan-at-sink, no-tier-promotion, the
tool-attributed-fence convention, the config keys, and the audit log.
- /cso uses the compact (HIGH-tier) taxonomy table so it fits under BOTH the
v1.47 and the older v1.44.1 parity ceilings; full MEDIUM/LOW lives in
lib/redact-patterns.ts. Alignment test asserts the HIGH-tier contract.
- Refresh the ship golden baselines (claude/codex/factory) for the PR-body
redaction wiring.
Full free suite green (incl. skill-size-budget + parity 10/10).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

/spec Phase 4.5 rewrite:
- Phase 4.5a: in-conversation semantic content review (named-criticism,
customer complaints, unannounced strategy, NDA, codename bleed). Injection-
hardened (a body containing the SEMANTIC_REVIEW marker forces flagged).
Content-free audit trail to ~/.gstack/security/semantic-reviews.jsonl.
- Phase 4.5b: replaces the inline 7-regex prose with the shared gstack-redact
scan-at-sink (exact-byte temp file). Three enforcement points: pre-codex,
pre-issue (files via --body-file from the scanned file), pre-archive (D2:
sanitized body to the archive). --no-gate skips codex score only; redaction
always runs, no flag disables it.
/cso: renders the full generated taxonomy table as its canonical pattern catalog
(shared source), keeps its git-history archaeology (different use case).
lib/redact-audit-log.ts: 0600 append-only semantic-review trail (no body text).
Resolver gains compact-table + brief-block variants so /spec references the
catalog instead of inlining it (stays under the v1.47 size budget).
Tests: extended spec invariants (semantic pass, scan-at-sink, no-promotion),
audit-log, cso/spec alignment. All green; spec 1.050× / cso 1.046× baseline.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>