feat: port remaining squawk rules #508
justfile
Outdated
@@ -152,3 +152,22 @@ quick-modify: | |||
# just show-logs | bunyan | |||
show-logs: | |||
tail -f $(ls $PGT_LOG_PATH/server.log.* | sort -t- -k2,2 -k3,3 -k4,4 | tail -n 1) | |||
|
|||
agentic name: | |||
unset ANTHROPIC_API_KEY && claude --dangerously-skip-permissions -p "please read agentic/{{name}}.md and follow the instructions closely" |
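Review bot: the added agentic recipe starts the agent with --dangerously-skip-permissions and points it at whatever agentic/{{name}}.md contains at run time, so any unreviewed change to that file is followed without a confirmation prompt. Consider keeping the flag out of the committed recipe, or having the recipe refuse to run when the prompt file differs from the committed version. Two smaller points on the same line: {{name}} is substituted as text into the double-quoted prompt string, so it should be restricted to a plain file stem, and the reason for unset ANTHROPIC_API_KEY deserves a comment, since it is not obvious from the recipe.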
not sure we should commit this into an open source repo – seems like a vulnerability for prompt injection :)
We could pass a --settings agentic/{{name}}.settings.json file?
Also, I'm curious: Why do you unset the API key here? To force somebody to login?
how would that be an attack vector?
I am removing the env because otherwise it doesn't pick up the Max subscription but the API key (which is usage based)
> I am removing the env because otherwise it doesn't pick up the Max subscription but the API key (which is usage based)
ah i see! that makes sense.
> how would that be an attack vector?
for example if a malicious contributor adds something into a build script that replaces the contents of your agentic/ file. If you then run the agentic file, claude might do stuff you don't expect – with GH permissions, claude might even push unreviewed commits to master etc
If we review everything closely, that won't be an issue, but I could see that someone contributes a C file or something that we just gloss over
Of course, this would still happen if you run --dangerously-skip-permissions via your own terminal, but then at least nobody would know that we use that param 😇
Your call!
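A guard for the scenario described in the comment above, as an added example that is not part of the PR or the project's code: it refuses to hand a prompt file to the agent unless the file is byte-identical to the version in the reviewed commit. The function name `agentic_prompt_is_reviewed` and its return codes are hypothetical; the `agentic/<name>.md` layout is taken from the recipe in the diff.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for a `just agentic <name>` style recipe.
# Assumption: prompts live in agentic/<name>.md inside a git work tree.

# Returns 0 only when agentic/<name>.md is exactly the version committed at <ref>.
agentic_prompt_is_reviewed() {
    local name="$1" ref="${2:-HEAD}" path

    # Accept a plain file stem only, so slashes, dots, quotes or shell
    # metacharacters never reach the path or a command built from it.
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "refusing: invalid prompt name" >&2; return 2 ;;
    esac
    path="agentic/${name}.md"

    # A symlink could point the agent at content outside the reviewed tree.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "refusing: $path is missing or not a regular file" >&2; return 3
    fi

    # The file must exist in the reviewed commit, not merely on disk.
    if ! git cat-file -e "${ref}:${path}" 2>/dev/null; then
        echo "refusing: $path is not part of $ref" >&2; return 4
    fi

    # Compare the working-tree bytes with the committed blob; a build step
    # that rewrote the prompt after checkout shows up here.
    if ! git diff --quiet "$ref" -- "$path"; then
        echo "refusing: $path differs from $ref" >&2; return 5
    fi
    return 0
}
```

Calling this at the top of the recipe and stopping on a non-zero status catches edits made after checkout; it does not replace reviewing changes to `agentic/` before they are merged.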
good point, I just commented them out for now with a note 'use at your own risk'
will have claude do the work over night
closes #131
will port https://github.com/kaaveland/eugene/blob/main/eugene/src/lints/rules.rs afterwards
also added a new agentic/ dir and two new just commands to standardise as well as track the prompts for such work.
UPDATE: prefer jsonb from eugene too. the remaining ones are either covered by squawk or require a bit more updates to the file context. will do them in a follow-up. see full comparison here: Check eugene lint for migration lint rules? #305 (reply in thread)