Skip to content

Add altinity-expert-clickhouse-security skill#6

Merged
BorisTyshkevich merged 1 commit into
mainfrom
add-clickhouse-security-skill
Jun 2, 2026
Merged

Add altinity-expert-clickhouse-security skill#6
BorisTyshkevich merged 1 commit into
mainfrom
add-clickhouse-security-skill

Conversation

@BorisTyshkevich

Copy link
Copy Markdown
Collaborator

A standalone, read-only ClickHouse security audit skill using progressive disclosure: a lean SKILL.md routes to 20 reference files loaded on demand.

Coverage: scope/safety + redaction, identity/auth, RBAC/grants, definer & impersonation, network/TLS, table functions & external sources, table engines, row/column policy, settings profiles/constraints/quotas, audit logging, query-log threat hunting, secrets/named collections, password-hash hygiene, version-specific behavior, cluster/distributed, Keeper & interserver, executable UDFs, encryption at rest & backups, HTTP interface surface, and reporting/severity.

Severity model emphasizes correlation over single-setting flags: reproducible (query-based) evidence only, host-ACL reachability gating, authority decided by RBAC grants (not readonly), no double-counting of ALL-implied privileges, identity dedup, expected-service-account handling, and the three-part secret-display gate.

Also adds a read-only test (dbschema/scenarios/post.sql/prompt/expected) wired into the Makefile (test-security, test-all) and documents the skill in the README.

A standalone, read-only ClickHouse security audit skill using progressive
disclosure: a lean SKILL.md routes to 20 reference files loaded on demand.

Coverage: scope/safety + redaction, identity/auth, RBAC/grants, definer &
impersonation, network/TLS, table functions & external sources, table engines,
row/column policy, settings profiles/constraints/quotas, audit logging, query-log
threat hunting, secrets/named collections, password-hash hygiene, version-specific
behavior, cluster/distributed, Keeper & interserver, executable UDFs, encryption
at rest & backups, HTTP interface surface, and reporting/severity.

Severity model emphasizes correlation over single-setting flags: reproducible
(query-based) evidence only, host-ACL reachability gating, authority decided by
RBAC grants (not readonly), no double-counting of ALL-implied privileges, identity
dedup, expected-service-account handling, and the three-part secret-display gate.

Also adds a read-only test (dbschema/scenarios/post.sql/prompt/expected) wired into
the Makefile (test-security, test-all) and documents the skill in the README.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@BorisTyshkevich
BorisTyshkevich merged commit 05b40ae into main Jun 2, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant