
Add secret input guard: never ask for secrets in conversation #41

Merged: VdustR merged 2 commits into main from claude/secrets-no-conversation-input on Mar 25, 2026

@VdustR VdustR commented Mar 25, 2026

Summary

  • CLAUDE.md: Add always-active guard rule — never ask user to type/paste secrets in conversation; use tmp file + editor workflow instead
  • secrets.md: Add "Obtaining Secrets from User" section with tmp file workflow (create → user edits → subshell transfer to staging → persist), add to PROHIBITED list

Context

secrets.md is conditionally loaded (alwaysApply: false), so the CLAUDE.md guard ensures the rule is active even before any secrets file is touched.

Test plan

  • Verify CLAUDE.md loads the guard rule in all conversations
  • Verify secrets.md "Obtaining" section workflow works end-to-end
  • Confirm no regression in existing staging/browser-capture workflows

🤖 Generated with Claude Code

Secrets must be obtained via tmp file workflow — user edits with their
editor, value is transferred to staging in a subshell without leaking.

- CLAUDE.md: add always-active guard rule in Security section
- secrets.md: add "Obtaining Secrets from User" section with tmp file
  workflow, add to PROHIBITED list, fix staging cleanup chaining

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture around handling sensitive information by introducing a robust, secure workflow for obtaining secrets from users. It establishes a clear policy that prevents direct secret input in conversational interfaces, instead guiding users through a temporary file and editor-based process to safeguard credentials. This change ensures that secret values are never exposed in conversation logs or directly handled by the system in an insecure manner.

Highlights

  • Enhanced Secret Handling Policy: Introduced an always-active guard rule in CLAUDE.md to explicitly prohibit asking users to type or paste secrets directly into conversations, mandating a temporary file and editor workflow instead.
  • Secure Secret Acquisition Workflow: Added a new "Obtaining Secrets from User" section in secrets.md outlining a secure workflow using temporary files for user input, followed by subshell transfer to staging and persistence.
  • Prohibited Actions Update: Updated the secrets.md PROHIBITED list to include "Ask for secrets in conversation" as a forbidden action, reinforcing the new policy.


changeset-bot bot commented Mar 25, 2026

⚠️ No Changeset found

Latest commit: e69552e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a new secure workflow for obtaining secrets from users by guiding them to edit a temporary file instead of directly inputting values into the conversation. It also updates the .claude/CLAUDE.md and .claude/rules/secrets.md documentation to reflect this new process and explicitly prohibit asking for secrets in conversation. The review comments suggest clarifying the placeholder for KEY_NAME in the instructions and address a potential issue where the tr -d '\n' command could corrupt multi-line secret values, proposing a modification or validation step.

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a5e627e9cf

Remove `tr -d '\n'` — `printf %q` already escapes newlines correctly,
so multiline values like PEM keys are preserved. Also remove the blank
line from the heredoc template so `$()` command substitution cleanly
strips the trailing newline without leaving a leading blank in the value.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@VdustR VdustR merged commit e25c383 into main Mar 25, 2026
@VdustR VdustR deleted the claude/secrets-no-conversation-input branch March 25, 2026 14:48
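
The newline handling raised in the Gemini review and settled in the second commit message, as an added bash example that is not code from this repository: a value read from an edited tmp file is staged in a subshell with `printf %q`, with and without the removed `tr -d '\n'`, and with a leading blank line in the file. The names `stage_secret`, `roundtrip`, `DEMO_KEY` and the file names are hypothetical, and the sample value is constructed.

```bash
#!/usr/bin/env bash
# Added example; stage_secret, roundtrip, DEMO_KEY and the file names are hypothetical.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"   # printf %q needs bash

# Constructed multi-line value standing in for what a user would save in the editor.
SAMPLE_VALUE=$'-----BEGIN EXAMPLE-----\nQUJDREVG\nR0hJSktM\n-----END EXAMPLE-----'

# stage_secret KEY INPUT_FILE STAGING_FILE [keep|strip]
# Reads the value inside a subshell, so it never becomes a variable of the calling
# shell, and writes one shell-quoted assignment to the staging file.
stage_secret() {
  local key=$1 input=$2 staging=$3 mode=${4:-keep}
  (
    umask 077
    if [ "$mode" = strip ]; then
      value=$(tr -d '\n' < "$input")   # removed behaviour: joins every line
    else
      value=$(< "$input")              # $() drops trailing newlines only
    fi
    printf '%s=%q\n' "$key" "$value" > "$staging"
  )
}

# roundtrip MODE CONTENT
# Simulates the user saving CONTENT, stages it, then prints what a consumer gets
# after sourcing the staging file. Printing is for this demo's constructed value only.
roundtrip() {
  local dir
  dir=$(mktemp -d) || return 1
  ( umask 077; printf '%s\n' "$2" > "$dir/input" )
  stage_secret DEMO_KEY "$dir/input" "$dir/staging.env" "$1"
  rm -f "$dir/input"
  ( . "$dir/staging.env"; printf '%s' "$DEMO_KEY" )
  rm -rf "$dir"
}

# Show both results in quoted form: "keep" retains the \n separators, "strip" does not.
printf 'keep:  %q\nstrip: %q\n' \
  "$(roundtrip keep "$SAMPLE_VALUE")" "$(roundtrip strip "$SAMPLE_VALUE")"
```

A file whose first line is blank yields a value that starts with a newline, because command substitution trims only the end of the output.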