Close cmd-output redaction hole and surface artifact-leak scrubs#18
Merged
Conversation
Two-layer redaction, honestly documented: 1. cmd context-source output was inlined verbatim into context.md, so a command that printed a flagged file (cat .env-style, env dumps, git log) leaked it to every downstream member. Output is now scrubbed against redaction-glob file contents like everything else. 2. Content-scrubbing is no longer silent. scrub_flagged_content() returns which flagged files were caught, and the runner logs a redaction_applied event to run-log.md and appends a state.json warning naming the sources and destination - so a leak into loop artifacts is visible instead of quietly masked. README now describes the real posture: path-based non-send for flagged files (first layer, guaranteed), best-effort content scrub with surfacing for derived content (second layer), local models recommended when redaction-sensitive paths exist. 2 new tests (43 total). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The review's core finding: the branch's "scrubbed before any send" claim was false for the largest egress path - host prompts (plan/delivery/revise) were never scrubbed, so an artifact leak went verbatim to the host CLI while state.json said it was contained. Fixes: - Host prompts now pass through the same scrub as every other send (call_host helper used by run_host and the revise path), with "prompt for host" surfacing. Flagged means flagged for every recipient; the escape hatch is not flagging files the loop needs. - Scrub runs before the first-send consent question, and the consent prompt prints any leak warnings for that member, so the one irreversible decision is made with the leak signal visible. - Flagged files the scrub cannot read (>1MB, non-UTF-8) are surfaced as blind spots (redaction_unscrubbable event + state warning) instead of silently skipped. - Leak attribution detects against the original text, so two flagged files sharing content are both named, not just the first replaced. - redaction_applied events dedupe per (destination, sources); flagged-file contents are read once per run instead of per prompt; cmd stdout/stderr scrub as one block. - CHANGELOG rewritten to state old behavior accurately (member prompts were already scrubbed on main; the verbatim path was the host) and README documents the over-redaction bias explicitly. 4 new tests (47 total). Conformance harness still 8/8. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Completes the v0.2.0 redaction residual (ROADMAP Part 2 item 2): artifact-level redaction is no longer silent content-scrubbing, and the last unredacted ingestion path is closed.
Changes
cmdcontext-source output is now scrubbed. Previouslygather_contextinlined command stdout/stderr verbatim, so a context command that printed a flagged file (cat .env-style, env dumps,git log) leaked it intocontext.mdand every downstream prompt. Output now goes through the same flagged-content scrub as prompts.scrub_flagged_content()reports which flagged files' content it caught; the runner logs aredaction_appliedevent torun-log.mdand appends astate.jsonwarning naming the source files and the destination. A leak into loop artifacts is now visible evidence, not a silent mask.Tests
2 new (43 total): cmd-output leak is scrubbed + marked + surfaced; artifact leak scrub writes the
run-log.mdevent andstate.jsonwarning.🤖 Generated with Claude Code