fix: harden token security, add guardrails, fix 0-test loop #19

Merged
abrichr merged 1 commit into main from fix/security-and-guardrails
Mar 3, 2026
@abrichr abrichr commented Mar 3, 2026

Summary

  • Strip GitHub token from .git/config after clone so Claude subprocess cannot access it
  • Sanitize git errors in commitAndPush() to prevent token leaks in Supabase/logs
  • Use minimal env for gh subprocess (was spreading all process.env)
  • Add hard constraints to system prompt: never modify tests/manifests/lockfiles unless task requires
  • Treat 0 tests collected as pass (prevents 10 wasted $3 loops on README changes)
  • Sanitize Telegram <> delimiters from task text
  • Add bot Dockerfile, fly.toml, and .env.example files

Test plan

  • 53/53 worker tests pass
  • Worker deployed to Fly.io (v11)
  • Bot deployed to Fly.io, responding on Telegram
  • Re-submit README task after merge to validate guardrails + 0-test fix

🤖 Generated with Claude Code

Security:
- Strip credentials from .git/config after clone so Claude subprocess
  cannot read the token from the remote URL
- Re-inject credentials only during push, strip immediately after
- Sanitize git error messages in commitAndPush to prevent token leaks
- Use minimal env (PATH + HOME + GH_TOKEN) for gh subprocess instead
  of spreading all process.env vars

Guardrails:
- Add hard constraints to system prompt: never modify test files,
  package manifests, or lock files unless task explicitly requires it
- Documentation-only tasks restricted to documentation files only

Bug fixes:
- Treat 0 tests collected as pass (failed=0 && errors=0) instead of
  failure, preventing 10 wasted loops on README-only changes
- Sanitize Telegram <> formatting delimiters from task text before
  use in prompts, PR body, and commit messages
- Pass github_token through to commitAndPush for authenticated push

Bot deployment:
- Add bot Dockerfile, fly.toml, and .env.example
- Add worker .env.example

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@abrichr abrichr merged commit 4441526 into main Mar 3, 2026
1 check passed
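
The credential handling described in the summary above (strip the token from the remote URL, re-inject it only for the push, redact git errors, allowlist the `gh` environment), sketched as an added example that is not the repository's code. All function names are hypothetical, and the sample token, URLs and env names are constructed.

```javascript
// Added example: hypothetical helpers, not the project's code.
// Sample URLs, tokens and env names below are constructed.

// Drop userinfo (user:token@) from an HTTPS remote before an untrusted
// subprocess can read .git/config. scp-style remotes (git@host:path) are not
// parseable as URLs and carry no token, so they pass through unchanged.
function stripCredentials(remoteUrl) {
  let u;
  try { u = new URL(remoteUrl); } catch { return remoteUrl; }
  u.username = "";
  u.password = "";
  return u.toString();
}

// Build the authenticated URL for the push only (HTTPS remotes).
// "x-access-token" is the username GitHub accepts alongside a token.
function withCredentials(remoteUrl, token) {
  const u = new URL(remoteUrl);
  u.username = "x-access-token";
  u.password = token;
  return u.toString();
}

// Redact the known token, then any remaining URL userinfo, before a git
// error is logged or stored.
function sanitizeGitError(message, token) {
  let out = String(message);
  if (token) out = out.split(token).join("[REDACTED]");
  return out.replace(/(\b[a-z][a-z0-9+.-]*:\/\/)[^\s\/@]+@/gi, "$1[REDACTED]@");
}

// Allowlist env for the gh subprocess: PATH + HOME + GH_TOKEN only.
function minimalEnv(parentEnv, token) {
  const env = { GH_TOKEN: token };
  for (const key of ["PATH", "HOME"]) {
    if (parentEnv[key] !== undefined) env[key] = parentEnv[key];
  }
  return env;
}

// Constructed demo input.
const demoToken = "ghp_CONSTRUCTEDexample0000";
const demoErr = `fatal: unable to access 'https://x-access-token:${demoToken}@github.com/org/repo.git/': The requested URL returned error: 403`;
console.log(sanitizeGitError(demoErr, demoToken));
console.log(minimalEnv({ PATH: "/usr/bin", HOME: "/home/worker", OTHER_SECRET: "s" }, demoToken));
```

The second pass in `sanitizeGitError` matters when the error carries a credential other than the one the caller knows about, for example a stale token left in a remote URL.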