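#!/usr/bin/env node
/**
 * Add inst_084: GitHub Repository URL Modification Protocol
 *
 * PURPOSE: Prevent accidental exposure of private repository structure
 * through unauthorized GitHub URL modifications in public-facing files.
 *
 * CONTEXT: Previous incident where AI changed repository name from
 * tractatus-framework (public) to tractatus (private), exposing internal
 * file paths like /src/services/ and /deployment-quickstart/.
 *
 * ENFORCEMENT: Pre-action hard block via architectural hook
 *
 * NOTE(review): this script only RECORDS the rule, in MongoDB and in
 * .claude/instruction-history.json. It does not install or verify any hook:
 * its own "Next steps" output lists the checks in validate-file-edit.js and
 * validate-file-write.js as work still to be done. Until those checks exist,
 * the stored rule (active: true, "cannot be bypassed") is a statement of
 * policy rather than a control.
 */

const mongoose = require('mongoose');
const GovernanceRule = require('../src/models/GovernanceRule.model');
const fs = require('fs');
const path = require('path');

// Connection string. When MONGODB_URI is unset the script falls back to the
// local development database; main() warns about that so the rule is not
// believed to be recorded in an environment it never reached. The URI itself
// is never logged because connection strings can embed credentials.
const MONGODB_URI = process.env.MONGODB_URI || 'mongodb://localhost:27017/tractatus_dev';

const RULE_ID = 'inst_084';

// One timestamp for the database rule, the history entry and last_updated, so
// the two stores can be correlated when auditing.
const RECORDED_AT = new Date().toISOString();

// Full rule text as stored in the database. The segments are joined with
// single spaces, so the stored value is one line.
const RULE_TEXT = [
  'GitHub Repository URL Modification Protocol (SYSTEM/SECURITY)',
  '**SCOPE**: Any modification to URLs containing "github.com" in ANY file',
  '**PROHIBITED ACTIONS**:',
  '1. NEVER add new github.com URLs without explicit human approval',
  '2. NEVER change existing github.com repository names',
  '3. NEVER change github.com URL paths (e.g., /tree/main/src/services/)',
  '4. NEVER assume a repository is public vs. private',
  '5. NEVER "fix" broken GitHub links by pointing to different repository',
  '**REQUIRED PROCESS** when encountering broken GitHub link:',
  '1. FLAG the broken link to user',
  '2. STOP all work',
  '3. ASK: "This links to [URL] which doesn\'t exist. Options:',
  'a) Remove the link entirely',
  'b) Add corresponding content to public repository',
  'c) Different approach?"',
  '4. WAIT for explicit human approval before ANY GitHub URL modification',
  '**CONTEXT**:',
  '- tractatus = PRIVATE repository (internal implementation code)',
  '- tractatus-framework = PUBLIC repository (research patterns, documentation)',
  '- Linking to private repo paths exposes internal structure to public',
  '- Previous incident: AI changed URL from public to private repo, exposing /src/services/',
  '**RATIONALE**:',
  'Historical incident where 500+ internal files were uploaded to public repository.',
  'GitHub URL modifications have EXTREME RISK of exposing private code structure,',
  'credentials, deployment configuration, or internal architecture to public.',
  '**ENFORCEMENT**:',
  '- Pre-action validation hook (architectural, cannot be bypassed)',
  '- Exit code 2 (HARD BLOCK) if GitHub URL modification detected without approval',
  '- Logged to audit database with HIGH severity',
  '**VERIFICATION**:',
  'Before: grep -r "github.com" in modified file',
  'After: Verify no repository name changes, no new github.com URLs added',
  'Audit: Log all GitHub URL change attempts (allowed or blocked)',
].join(' ');

const rule = {
  id: RULE_ID,
  text: RULE_TEXT,
  timestamp: RECORDED_AT,
  quadrant: 'SYSTEM',
  persistence: 'HIGH',
  temporal_scope: 'PERMANENT',
  verification_required: 'MANDATORY',
  explicitness: 1.0,
  source: 'automated',
  session_id: '2025-10-26-implementer-page-fixes',
  parameters: {
    enforcement_mechanism: 'pre_action_hook',
    block_type: 'hard_block',
    approval_required: true,
    // NOTE(review): only the Edit and Write tools are named here; confirm
    // whether file changes made through any other tool are meant to be
    // covered by this rule or by a separate control.
    affected_tools: ['Edit', 'Write'],
    risk_level: 'EXTREME',
    historical_incident: '2024-Q4-mass-file-upload'
  },
  active: true,
  notes: 'Created after AI attempted to change github.com/AgenticGovernance/tractatus-framework URLs to github.com/AgenticGovernance/tractatus (private repo), which would expose internal file paths /src/services/ and /deployment-quickstart/ to public documentation.',
  enforcement_hooks: ['validate-file-edit.js', 'validate-file-write.js'],
  related_instructions: ['inst_027', 'inst_072'], // instruction-history.json protection, defense-in-depth
  // Stored as data only; this script never executes it.
  // NOTE(review): the first grep has no path operand, the `&&` runs the second
  // half only when the first finds a match, and the unescaped `.` is a regex
  // wildcard (grep -F would match the literal host). Confirm that whatever
  // consumes this field runs it as intended.
  validation_command: 'grep -r "github.com" && git diff | grep "github.com"'
};

/**
 * Read instruction-history.json and check that it has the shape this script
 * edits.
 *
 * @param {string} historyPath - Path of the history file.
 * @returns {object} The parsed history, with an `instructions` array.
 * @throws {Error} If the file cannot be read or parsed, or has no
 *   `instructions` array.
 */
function loadHistory(historyPath) {
  const history = JSON.parse(fs.readFileSync(historyPath, 'utf8'));
  if (history === null || typeof history !== 'object' || !Array.isArray(history.instructions)) {
    throw new Error(`${historyPath} does not contain an "instructions" array`);
  }
  return history;
}

/**
 * Create the rule in MongoDB, or overwrite its fields when it already exists.
 *
 * @returns {Promise<void>}
 */
async function upsertRule() {
  // Check if rule already exists
  const existing = await GovernanceRule.findOne({ id: RULE_ID });
  if (existing) {
    console.log('\n⚠ inst_084 already exists. Updating...');
    // Mongoose does not run schema validators on updates unless asked to.
    // create() below validates, so the update path must as well; otherwise a
    // re-run could store values that a first run would have rejected.
    await GovernanceRule.updateOne({ id: RULE_ID }, rule, { runValidators: true });
    console.log('✓ Updated inst_084');
  } else {
    await GovernanceRule.create(rule);
    console.log('✓ Created inst_084');
  }
}

/**
 * Insert or replace the inst_084 summary entry in the history object.
 *
 * @param {object} history - Parsed history; its `instructions` array and
 *   `last_updated` field are modified in place.
 * @returns {boolean} True when an existing entry was replaced, false when a
 *   new one was appended.
 */
function applyHistoryEntry(history) {
  const instructionEntry = {
    id: RULE_ID,
    text: 'GitHub Repository URL Modification Protocol: NEVER modify github.com URLs without explicit approval. HARD BLOCK all repository name changes, path modifications, or new GitHub links. Previous incident exposed private repo structure.',
    timestamp: RECORDED_AT,
    quadrant: 'SYSTEM',
    persistence: 'HIGH',
    temporal_scope: 'PERMANENT',
    verification_required: 'MANDATORY',
    explicitness: 1.0,
    source: 'automated',
    session_id: '2025-10-26-implementer-page-fixes',
    parameters: {
      enforcement_mechanism: 'pre_action_hook',
      block_type: 'hard_block',
      risk_level: 'EXTREME'
    },
    active: true,
    notes: 'Architectural enforcement via validate-file-edit.js and validate-file-write.js hooks'
  };

  // Check if instruction exists (a null entry in the array is skipped, not dereferenced)
  const instIndex = history.instructions.findIndex((entry) => Boolean(entry) && entry.id === RULE_ID);
  const replaced = instIndex >= 0;
  if (replaced) {
    history.instructions[instIndex] = instructionEntry;
  } else {
    history.instructions.push(instructionEntry);
  }
  history.last_updated = RECORDED_AT;
  return replaced;
}

/**
 * Record inst_084 in MongoDB and in .claude/instruction-history.json, then
 * exit with status 0 on success or 1 on any failure.
 *
 * @returns {Promise<void>}
 */
async function main() {
  let exitCode = 0;
  try {
    console.log('\n📋 Adding inst_084: GitHub Repository URL Modification Protocol\n');

    if (!process.env.MONGODB_URI) {
      console.warn('⚠ MONGODB_URI is not set; using the local development database');
    }

    // Parse and shape-check the history file BEFORE any write, so a malformed
    // file stops the run while the database and the file still agree.
    const historyPath = path.join(__dirname, '../.claude/instruction-history.json');
    const history = loadHistory(historyPath);

    await mongoose.connect(MONGODB_URI);
    console.log('✓ Connected to MongoDB');

    await upsertRule();

    // Update instruction-history.json; report the outcome only after the
    // write has succeeded.
    const replaced = applyHistoryEntry(history);
    fs.writeFileSync(historyPath, JSON.stringify(history, null, 2));
    if (replaced) {
      console.log('✓ Updated instruction-history.json (inst_084)');
    } else {
      console.log('✓ Added to instruction-history.json');
    }

    console.log('\n✓ inst_084 added successfully');
    console.log('\nNext steps:');
    console.log('1. Implement enforcement in scripts/hook-validators/validate-file-edit.js');
    console.log('2. Implement enforcement in scripts/hook-validators/validate-file-write.js');
    console.log('3. Test with: attempt to modify a github.com URL');
    console.log('4. Verify HARD BLOCK occurs without approval');
  } catch (error) {
    console.error('❌ Error adding inst_084:', error);
    exitCode = 1;
  } finally {
    // Close the connection on the failure path too, not only after success.
    try {
      await mongoose.disconnect();
    } catch (disconnectError) {
      console.error('❌ Error closing MongoDB connection:', disconnectError);
      exitCode = 1;
    }
  }
  process.exit(exitCode);
}

main();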