[claude-hackernews] Reply draft: rogue Cursor agent, sanitize-connection-strings (id=47973681)#15
…rings reply (id=47973681) Reply to everforward (id=47979791) on the ABC News re-report of the Cursor + Railway production-DB wipe. Engages with the "approvals get clicked through past dialog #3" point and names sanitize-connection-strings as the input-side defense against the credential-discovery failure mode ChiperSoft surfaces in the same sub-thread. Single policy named, no snippet, no install command, ~146 words, ASCII punctuation only. Different angle / different policy / different sub-failure from the prior posted reply on the original incident (comments/2026-04-29T043958Z.md, id=47911524, warn-destructive-sql).
📝 Walkthrough
A new draft Markdown reply to a Hacker News comment is added, responding to discussion about agent database credential exposure. The draft covers sanitization strategies via PostToolUse redaction, failure modes, and compliance validations.
Changes: Draft HN Reply on Agent Credential Sanitization
Estimated Code Review Effort: 🎯 1 (Trivial) | ⏱️ ~5 minutes
🚥 Pre-merge checks: ✅ 5 passed (5 passed)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@drafts/2026-05-02T202113Z.md`:
- Around line 25-29: The fenced code block in the draft contains prose without a
language specifier, triggering MD040; fix it by adding a language tag (e.g.,
change the opening triple backtick to ```text) for the block that starts with
"(disclosure: I work on FailProof AI:
https://github.com/exospherehost/failproofai)" so the linter recognizes it as
plain text (ensure only the opening fence is updated to include "text" or
"markdown").
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: c4c8e7c6-f2b5-4308-8751-9dc834fd9e57
📒 Files selected for processing (1)
drafts/2026-05-02T202113Z.md
| ``` | ||
| (disclosure: I work on FailProof AI: https://github.com/exospherehost/failproofai) | ||
| The approval-fatigue point is the real load-bearing one. Cursor's permission dialogs are a UX speed bump that gets clicked through within minutes of any real session, so they cannot be the defense for credentials sitting in the project tree. What helps is intercepting the tool result before it reaches the model's context, and rewriting connection-string-shaped substrings to [REDACTED]. An ls or grep of the project then returns a sanitized view, and the agent literally cannot copy a string it never saw. Built-in `sanitize-connection-strings` runs on PostToolUse for any tool that reads files or runs commands, doing exactly that redaction. It does not protect against a human pasting a real cred into the prompt, but it kills the "agent grepped the codebase and found a stray testing cred" path the article describes. | ||
| ``` |
Fix Markdownlint MD040: add a language to the fenced block.
Your "My reply" text is inside a fenced code block with no language specifier, which triggers MD040. Add `text` (or `markdown`) after the opening fence.
Proposed fix
-```
+```text
(disclosure: I work on FailProof AI: https://github.com/exospherehost/failproofai)
The approval-fatigue point is the real load-bearing one. Cursor's permission dialogs are a UX speed bump that gets clicked through within minutes of any real session, so they cannot be the defense for credentials sitting in the project tree. What helps is intercepting the tool result before it reaches the model's context, and rewriting connection-string-shaped substrings to [REDACTED]. An ls or grep of the project then returns a sanitized view, and the agent literally cannot copy a string it never saw. Built-in `sanitize-connection-strings` runs on PostToolUse for any tool that reads files or runs commands, doing exactly that redaction. It does not protect against a human pasting a real cred into the prompt, but it kills the "agent grepped the codebase and found a stray testing cred" path the article describes.
-```
+```📝 Committable suggestion
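Review bot: only the opening fence needs the language tag, as the inline comment says; the trailing `-```` / `+```` pair rewrites the closing fence to an identical line (a no-op), and the rendered `+``` 📝 Committable suggestion` line looks like the widget label captured into the diff, so confirm that the committed closing fence is a bare ``` and narrow the suggestion to the opening-fence line.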
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 25-25: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
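The PostToolUse redaction the draft describes, written out here as an added illustration that is not FailProof AI's `sanitize-connection-strings` implementation: a hook that rewrites credential-bearing connection strings in a tool result before that result is appended to the model's context, so a repo-wide grep returns a sanitized view. The hook name, the tool names and the sample grep output are assumptions constructed for the example.

```python
import re

# Added illustration; not FailProof AI's sanitize-connection-strings code.
REDACTED = "[REDACTED]"

# URL-style connection strings that carry credentials:
# scheme://user:password@host[:port]/db  (a URL without user:password@ is left alone)
_URL_WITH_CREDS = re.compile(
    r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp|mssql)://"
    r"[^\s:@/]+:[^\s@]+@[^\s\"']+",
    re.IGNORECASE,
)
# Key=value style (ADO.NET / JDBC properties): ...;Password=secret;...
_KV_PASSWORD = re.compile(r"\b(password|pwd)\s*=\s*[^;\s\"']+", re.IGNORECASE)


def sanitize_tool_output(text: str) -> tuple[str, int]:
    """Rewrite credential-bearing connection strings in a tool result.

    Returns the sanitized text and the number of substrings rewritten.
    """
    out, n_url = _URL_WITH_CREDS.subn(REDACTED, text)
    out, n_kv = _KV_PASSWORD.subn(lambda m: f"{m.group(1)}={REDACTED}", out)
    return out, n_url + n_kv


# Hypothetical PostToolUse hook: the tool names are assumptions, not a real API.
FILE_OR_SHELL_TOOLS = {"read_file", "grep", "bash"}


def post_tool_use(tool_name: str, tool_output: str) -> str:
    """Run after a tool call, before its result reaches the model context."""
    if tool_name not in FILE_OR_SHELL_TOOLS:
        return tool_output
    sanitized, _ = sanitize_tool_output(tool_output)
    return sanitized


# Constructed sample of what a repo-wide grep for "postgres" might return.
SAMPLE_GREP_OUTPUT = "\n".join([
    "config/test.env:DATABASE_URL=postgres://app:hunter2@db.internal:5432/app_test",
    'src/db.py:    conn = psycopg2.connect("postgresql://svc:s3cr3t@10.0.0.5/prod")',
    "docs/setup.md:connect to postgres://localhost/devdb (no password needed)",
    "legacy/app.config:Server=sql01;Database=crm;User Id=sa;Password=P@ss;Encrypt=true",
])

if __name__ == "__main__":
    print(post_tool_use("grep", SAMPLE_GREP_OUTPUT))
```

The credential-free `postgres://localhost/devdb` line is deliberately left intact, since the point is to remove secrets rather than every mention of a database.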
Summary
- everforward (id=47979791) on the ABC News re-report of the Cursor + Railway production-DB wipe (story id=47973681, 14 points, 12 comments).
- ChiperSoft's clarification that the agent grepped the codebase and found a stray testing credential it shouldn't have had.
- `sanitize-connection-strings` (PostToolUse redaction so the agent never sees the cred string in the first place). No custom snippet, no install command, no comma-list.
Discovery path
- news.ycombinator.com/ask -> news.ycombinator.com/show -> hn.algolia.com/?q=agent+wiped&dateRange=pastWeek&type=story&sort=byDate -> the ABC News re-report at news.ycombinator.com/item?id=47973681.
- thunkle -> ChiperSoft -> everforward) where the failure mode is described concretely.
Thread URLs
- ChiperSoft clarification): https://news.ycombinator.com/item?id=47975699
Duplicate-check
- `grep -rl "item?id=47973681" drafts/ comments/` -> 0 hits.
- `item?id=47973681` -> 0 hits across [claude-hackernews] Reply draft: Claude 4.7 ignoring stop hooks (id=47895029) #8 (47895029), [claude-hackernews] Reply draft: hooks vs CLAUDE.md drift (id=47936579) #10 (47936579), [claude-hackernews] Reply draft: AgentPort vs runtime-hook layer (id=47950752) #11 (47950752), [claude-hackernews] Reply draft: BetterClaw Show HN, graph vs policy-function (id=47973502) #13 (47973502), [claude-hackernews] Reply draft: Cordon Show HN, MCP-gateway vs agent-hook layer (id=47941823) #14 (47941823).
- `comments/2026-04-29T043958Z.md`, id=47911524) used `warn-destructive-sql` + a `block-drop-database` snippet to engage with the destructive-SQL angle. This draft engages with the credential-discovery angle on a different parent comment in a different thread, naming a different policy (`sanitize-connection-strings`); body and framing share no sentences with the prior reply.
Brand-voice / anti-pitch checklist
- `~/.failproofai/callouts`, no dashboard / `localhost:8020` plug.
Test plan
- `drafts/2026-05-02T202113Z.md` and the parent comment context to confirm the reply engages with everforward's "approvals get clicked through" point.
🤖 Generated with Claude Code