Garry Tan 13b8db9e7a feat(security): wait-for-decision instead of hard-kill on tool-output BLOCK ...

Was: tool-output BLOCK → immediate SIGTERM, session dies, user
stranded. A false positive on benign content (e.g. HN comments
discussing prompt injection) killed the session and lost the message.

Now: tool-output BLOCK → emit security_event with reviewable:true +
suspected_text + per-layer scores. Poll ~/.gstack/security/decisions/
for up to 60s. On "allow" — log the override to attempts.jsonl as
verdict=user_overrode and let the session continue. On "block" or
timeout — kill as before.

Canary leaks stay hard-stop (no review path). User-input pre-spawn
scans unchanged in this commit. Only tool-output scans gain review.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-20 20:25:20 +08:00

..

bin

feat: multi-agent support — gstack works on Codex, Gemini CLI, and Cursor (v0.9.0) (#226)

2026-03-19 18:20:50 -07:00

scripts

fix: ngrok Windows build + close CI error-swallowing gap (v0.18.0.1) (#1024)

2026-04-16 13:49:04 -07:00

src

feat(security): wait-for-decision instead of hard-kill on tool-output BLOCK

2026-04-20 20:25:20 +08:00

test

Merge origin/main into garrytan/prompt-injection-guard

2026-04-20 14:09:09 +08:00

PLAN-snapshot-dropdown-interactive.md

fix: snapshot -i auto-detects dropdown/popover interactive elements (#845)

2026-04-05 22:57:45 -07:00

SKILL.md

feat(v1.4.0.0): /make-pdf — markdown to publication-quality PDFs (#1086)

2026-04-20 13:20:30 +08:00

SKILL.md.tmpl

feat(browse): Puppeteer parity — load-html, screenshot --selector, viewport --scale, file:// (v1.1.0.0) (#1062)

2026-04-18 23:25:33 +08:00