2 Commits

  • docs: add prompt defense baselines
    Add compact prompt-defense baselines to active ECC prompt surfaces and copied CLAUDE examples. AgentShield prompt-defense findings are now zero; local tests passed 2366/2366.
  • feat(agents,skills): add opensource-pipeline — 3-agent workflow for safe public releases (#1036)
    * feat(agents,skills): add opensource-pipeline — 3-agent open-source release workflow
    
    Adds a complete pipeline for safely preparing private projects for public
    release: secret stripping (20+ patterns), independent sanitization audit,
    and professional doc generation (CLAUDE.md, setup.sh, README, LICENSE).
    
    Agents added:
    - agents/opensource-forker.md    — copies project, strips secrets, generates .env.example
    - agents/opensource-sanitizer.md — independent PASS/FAIL audit, read-only, 20+ patterns
    - agents/opensource-packager.md  — generates CLAUDE.md, setup.sh, README, LICENSE, CONTRIBUTING
    
    Skill added:
    - skills/opensource-pipeline/SKILL.md — orchestrator: routes /opensource commands, chains agents
    
    Source: https://github.com/herakles-dev/opensource-pipeline (MIT)
    
    * fix: address P1/P2 review findings from Cubic, CodeRabbit, and Greptile
    
    - Collect GitHub org/username in Step 1, use quoted vars in publish command
    - Add 3-attempt retry cap on sanitizer FAIL loop
    - Use dynamic sanitization verdict in final review output
    - Broaden rsync exclusions: .env*, .claude/, .secrets/, secrets/
    - Fix JWT regex to match full 3-segment tokens (header.payload.signature)
    - Broaden GitHub token regex to cover gho_, ghu_ prefixes
    - Fix AWS regex to be case-insensitive, match env var formats
    - Tighten generic env regex: increase min length to 16, add non-secret lookaheads
    - Separate heuristic WARNING patterns from CRITICAL patterns in sanitizer
    - Broaden internal path detection: macOS /Users/, Windows C:\Users\
    - Clarify sanitizer is source-read-only (report writing is allowed)
    
    * fix: flag *.map files as dangerous instead of skipping them
    
    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
    
    ---------
    
    Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>