tractatus/scripts/add-inst-084-github-url-protection.js
TheFlow 3aae86edf9 feat(implementer): major page redesign with hook architecture and responsive diagrams
## Implementer Page Enhancements

### Hero Section Redesign
- Changed title to "External Governance Services for AI Systems"
- Added three value proposition cards (Architectural Separation, Instruction Persistence, Audit Trail)
- Governance-compliant messaging (addresses vs prevents, designed to vs guarantees)
- Mobile-responsive card layout

### New "How It Works" Section
- Pattern Override Challenge explanation
- External Architecture Approach
- Request Flow with Governance diagram
- SVG download links

### New "Hook Architecture" Section (Credibility Layer)
- Architectural enforcement explanation
- Four real enforcement examples:
  * inst_084 GitHub URL Protection
  * inst_008 CSP Compliance
  * inst_027 Governance file protection
  * BoundaryEnforcer values decisions
- New hook-architecture.svg diagram showing PreToolUse flow
- Process separation and exit code enforcement details

### Deployment Section Improvements
- Removed broken "View Online" button
- PDF-only deployment guide download
- Simplified, cleaner presentation

### Responsive Diagrams
- Created system-architecture-mobile.svg (400x600px simplified)
- Created system-architecture-desktop.svg (full detail)
- Picture element with media queries for responsive switching
- Fixed request-flow-sequence.svg (restored from archive)

## Security & Governance

### inst_084 GitHub URL Modification Protocol
- HARD BLOCK on GitHub URL changes without explicit approval
- Prevents accidental private repository exposure
- Implemented in both validate-file-edit.js and validate-file-write.js
- Regex pattern matching for repository name changes
- Detailed error messages with context

### Hook Validator Improvements
- Fixed stderr output issue (console.log → console.error)
- Added checkGitHubURLProtection() function
- Enhanced error messaging for blocked actions

## Documentation

### New Deployment Guide
- Created comprehensive 14KB markdown guide (docs/markdown/deployment-guide.md)
- Generated 284KB PDF (public/docs/pdfs/deployment-guide.pdf)
- Covers: local dev, production, Docker, K8s, AWS, GCP, monitoring, security
- Removed MongoDB credential examples to comply with inst_069/070

### Diagram Archive
- Moved old diagrams to public/docs/diagrams/archive/
- Preserved deployment-architecture-old.svg
- Preserved request-flow-sequence-old.svg
- Preserved system-architecture-old.svg

## Cache & Version
- Bumped version to 0.1.2
- Updated changelog with all implementer changes
- forceUpdate: true for new diagrams and PDFs
- minVersion: 0.1.4

## Context
This addresses user feedback on implementer.html from 2025-10-26:
- Broken diagrams (404 errors, cut off at bottom)
- Need for credibility layer (hook architecture)
- GitHub URL security incident prevention
- Mobile responsiveness issues
- Deployment guide accessibility

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 23:14:22 +13:00

167 lines
6.3 KiB
JavaScript

#!/usr/bin/env node
/**
 * Add inst_084: GitHub Repository URL Modification Protocol
 *
 * PURPOSE: Prevent accidental exposure of private repository structure
 * through unauthorized GitHub URL modifications in public-facing files.
 *
 * CONTEXT: Previous incident where AI changed repository name from
 * tractatus-framework (public) to tractatus (private), exposing internal
 * file paths like /src/services/ and /deployment-quickstart/.
 *
 * ENFORCEMENT: Pre-action hard block via architectural hook
 */

const mongoose = require('mongoose');
const GovernanceRule = require('../src/models/GovernanceRule.model');
const fs = require('fs');
const path = require('path');

// MongoDB connection string; falls back to the local development database
const MONGODB_URI = process.env.MONGODB_URI || 'mongodb://localhost:27017/tractatus_dev';

const rule = {
  id: 'inst_084',
  text: `GitHub Repository URL Modification Protocol (SYSTEM/SECURITY)
**SCOPE**: Any modification to URLs containing "github.com" in ANY file
**PROHIBITED ACTIONS**:
1. NEVER add new github.com URLs without explicit human approval
2. NEVER change existing github.com repository names
3. NEVER change github.com URL paths (e.g., /tree/main/src/services/)
4. NEVER assume a repository is public vs. private
5. NEVER "fix" broken GitHub links by pointing to different repository
**REQUIRED PROCESS** when encountering broken GitHub link:
1. FLAG the broken link to user
2. STOP all work
3. ASK: "This links to [URL] which doesn't exist. Options:
a) Remove the link entirely
b) Add corresponding content to public repository
c) Different approach?"
4. WAIT for explicit human approval before ANY GitHub URL modification
**CONTEXT**:
- tractatus = PRIVATE repository (internal implementation code)
- tractatus-framework = PUBLIC repository (research patterns, documentation)
- Linking to private repo paths exposes internal structure to public
- Previous incident: AI changed URL from public to private repo, exposing /src/services/
**RATIONALE**:
Historical incident where 500+ internal files were uploaded to public repository.
GitHub URL modifications have EXTREME RISK of exposing private code structure,
credentials, deployment configuration, or internal architecture to public.
**ENFORCEMENT**:
- Pre-action validation hook (architectural, cannot be bypassed)
- Exit code 2 (HARD BLOCK) if GitHub URL modification detected without approval
- Logged to audit database with HIGH severity
**VERIFICATION**:
Before: grep -r "github.com" in modified file
After: Verify no repository name changes, no new github.com URLs added
Audit: Log all GitHub URL change attempts (allowed or blocked)`,
  timestamp: new Date().toISOString(),
  quadrant: 'SYSTEM',
  persistence: 'HIGH',
  temporal_scope: 'PERMANENT',
  verification_required: 'MANDATORY',
  explicitness: 1.0,
  source: 'automated',
  session_id: '2025-10-26-implementer-page-fixes',
  parameters: {
    enforcement_mechanism: 'pre_action_hook',
    block_type: 'hard_block',
    approval_required: true,
    affected_tools: ['Edit', 'Write'],
    risk_level: 'EXTREME',
    historical_incident: '2024-Q4-mass-file-upload'
  },
  active: true,
  notes: 'Created after AI attempted to change github.com/AgenticGovernance/tractatus-framework URLs to github.com/AgenticGovernance/tractatus (private repo), which would expose internal file paths /src/services/ and /deployment-quickstart/ to public documentation.',
  enforcement_hooks: ['validate-file-edit.js', 'validate-file-write.js'],
  related_instructions: ['inst_027', 'inst_072'], // instruction-history.json protection, defense-in-depth
  validation_command: 'grep -r "github.com" <file> && git diff <file> | grep "github.com"'
};

async function main() {
  try {
    console.log('\n📋 Adding inst_084: GitHub Repository URL Modification Protocol\n');

    await mongoose.connect(MONGODB_URI);
    console.log('✓ Connected to MongoDB');

    // Check if rule already exists
    const existing = await GovernanceRule.findOne({ id: 'inst_084' });
    if (existing) {
      console.log('\n⚠ inst_084 already exists. Updating...');
      await GovernanceRule.updateOne({ id: 'inst_084' }, rule);
      console.log('✓ Updated inst_084');
    } else {
      await GovernanceRule.create(rule);
      console.log('✓ Created inst_084');
    }

    // Update instruction-history.json
    const historyPath = path.join(__dirname, '../.claude/instruction-history.json');
    const history = JSON.parse(fs.readFileSync(historyPath, 'utf8'));

    const instructionEntry = {
      id: 'inst_084',
      text: 'GitHub Repository URL Modification Protocol: NEVER modify github.com URLs without explicit approval. HARD BLOCK all repository name changes, path modifications, or new GitHub links. Previous incident exposed private repo structure.',
      timestamp: new Date().toISOString(),
      quadrant: 'SYSTEM',
      persistence: 'HIGH',
      temporal_scope: 'PERMANENT',
      verification_required: 'MANDATORY',
      explicitness: 1.0,
      source: 'automated',
      session_id: '2025-10-26-implementer-page-fixes',
      parameters: {
        enforcement_mechanism: 'pre_action_hook',
        block_type: 'hard_block',
        risk_level: 'EXTREME'
      },
      active: true,
      notes: 'Architectural enforcement via validate-file-edit.js and validate-file-write.js hooks'
    };

    // Check if instruction exists
    const instIndex = history.instructions.findIndex(i => i.id === 'inst_084');
    if (instIndex >= 0) {
      history.instructions[instIndex] = instructionEntry;
      console.log('✓ Updated instruction-history.json (inst_084)');
    } else {
      history.instructions.push(instructionEntry);
      console.log('✓ Added to instruction-history.json');
    }

    history.last_updated = new Date().toISOString();
    fs.writeFileSync(historyPath, JSON.stringify(history, null, 2));

    console.log('\n✓ inst_084 added successfully');
    console.log('\nNext steps:');
    console.log('1. Implement enforcement in scripts/hook-validators/validate-file-edit.js');
    console.log('2. Implement enforcement in scripts/hook-validators/validate-file-write.js');
    console.log('3. Test with: attempt to modify a github.com URL');
    console.log('4. Verify HARD BLOCK occurs without approval');

    await mongoose.disconnect();
    process.exit(0);
  } catch (error) {
    console.error('❌ Error adding inst_084:', error);
    process.exit(1);
  }
}

main();
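
The script above only registers the rule; the enforcement it names lives in the hook validators, which are not shown on this page. The following is an added sketch of the kind of before/after comparison inst_084 describes, not the project's validate-file-edit.js or its checkGitHubURLProtection(): every function name, the finding labels and the sample strings are assumptions made for illustration, and only exit code 2 and the two repository names come from the rule text.

```javascript
// Added illustration; not the project's hook code. All names below are hypothetical.
const GITHUB_URL = /https?:\/\/(?:www\.)?github\.com\/([\w.-]+)\/([\w.-]+)(\/[^\s"'<>)\]]*)?/gi;

// Pull every github.com repository URL out of a text, normalised to owner / repo / path.
function extractGitHubUrls(text) {
  return [...text.matchAll(GITHUB_URL)].map(m => ({
    owner: m[1].toLowerCase(),
    repo: m[2].replace(/\.+$/, '').replace(/\.git$/i, '').toLowerCase(),
    path: (m[3] || '').replace(/[.,;:]+$/, ''), // drop trailing sentence punctuation
  }));
}

const key = u => `${u.owner}/${u.repo}${u.path}`;

// Compare a file's content before and after a proposed edit.
// Any difference in its github.com URLs becomes a finding.
function evaluateEdit(oldText, newText, approved = false) {
  const before = extractGitHubUrls(oldText);
  const after = extractGitHubUrls(newText);
  const beforeKeys = new Set(before.map(key));
  const afterKeys = new Set(after.map(key));
  const added = after.filter(u => !beforeKeys.has(key(u)));
  const removed = before.filter(u => !afterKeys.has(key(u)));

  const findings = added.map(a => {
    if (removed.some(r => r.owner === a.owner && r.repo !== a.repo)) {
      return { type: 'repo_name_changed', url: key(a) };
    }
    if (removed.some(r => r.owner === a.owner && r.repo === a.repo)) {
      return { type: 'path_changed', url: key(a) };
    }
    return { type: 'url_added', url: key(a) };
  });
  for (const r of removed) {
    if (!added.some(a => a.owner === r.owner)) {
      findings.push({ type: 'url_removed', url: key(r) });
    }
  }
  // Exit code 2 is the hard-block code named in inst_084. Findings are returned
  // even when approved, so the caller can log allowed and blocked attempts alike.
  return { exitCode: findings.length > 0 && !approved ? 2 : 0, findings };
}

// Constructed sample: a public-repo link rewritten to point at the private repo.
const SAMPLE_BEFORE = 'See the [guide](https://github.com/AgenticGovernance/tractatus-framework/tree/main/docs).';
const SAMPLE_AFTER = 'See the [guide](https://github.com/AgenticGovernance/tractatus/tree/main/src/services/).';
console.error(JSON.stringify(evaluateEdit(SAMPLE_BEFORE, SAMPLE_AFTER), null, 2));
```

A real hook would pass the returned exitCode to process.exit() and write the findings to stderr and the audit log; matching on parsed owner/repo/path rather than raw strings keeps case differences and a trailing `.git` from registering as changes.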