From 5189f28ae75f0cc824ad354110e3511ee22249b8 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Tue, 2 Jun 2026 06:18:04 -0700 Subject: [PATCH] fix(wiki): forbid inlining raw secrets in recompiled articles Live Sonnet-subagent recompile test inlined real passwords/PSK/RADIUS secret from a session log into the article; review caught it. Added rule 6b to the synthesis brief: wiki references vault paths only, never raw secrets (carry-over of values the existing article already discloses is the only exception). Co-Authored-By: Claude Opus 4.8 (1M context) --- .claude/commands/wiki-compile.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.claude/commands/wiki-compile.md b/.claude/commands/wiki-compile.md index 81a2e88..3839581 100644 --- a/.claude/commands/wiki-compile.md +++ b/.claude/commands/wiki-compile.md @@ -333,6 +333,7 @@ RULES: 4. Active Work: use Syncro open ticket list as the primary source 5. History Highlights: chronological, from session logs only, one-line entries with dates 6. Access: vault paths and IPs from session logs; never invent vault paths +6b. NEVER inline raw secrets (passwords, PSKs, RADIUS/shared secrets, API keys, PFX passwords) into the article, even when a session log exposes them. The wiki references the vault path only — e.g. `sysadmin (password: vault)` or `secret in vault (clients//server.sops.yaml)`. Raw secrets live in session logs and the SOPS vault, never in the wiki knowledge layer. (Exception: a value the EXISTING article already discloses may be carried over to match its disclosure level — do not ADD new ones.) 7. For fields with no source data: write "(verify)" not placeholder text 8. Backlinks: list any wiki article slugs (clients/projects/systems) that this client is cross-referenced with ```
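Review bot: the carry-over exception at the end of the new rule 6b undercuts the rule's own goal: a raw secret that landed in an article once (including via the earlier recompile that prompted this patch) is then re-emitted on every subsequent recompile, so the wiki knowledge layer never self-heals. Consider having the recompile replace an already-disclosed value with the vault reference and append a marker such as "(previously disclosed in article, rotate)" rather than preserving the disclosure level. Three smaller points on the same hunk: the example path `clients//server.sops.yaml` has an empty segment between the slashes, which reads like a dropped path element; if a placeholder was intended, write it explicitly so a subagent does not copy the doubled slash literally. The parenthetical list "(passwords, PSKs, RADIUS/shared secrets, API keys, PFX passwords)" reads as closed; phrase it as "including" so things like private keys, tokens and SNMP community strings are clearly covered too. And since rule 6 says "never invent vault paths", 6b should say what to write when a session log exposes a secret but no vault path, presumably the "(verify)" form from rule 7, so the subagent is not left choosing between inventing a path and inlining the value.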