- Notifications
You must be signed in to change notification settings - Fork109
feat: port remaining squawk rules#508
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Uh oh!
There was an error while loading.Please reload this page.
justfile Outdated
| tail -f $(ls $PGT_LOG_PATH/server.log.* | sort -t- -k2,2 -k3,3 -k4,4 | tail -n1) | ||
| agenticname: | ||
| unset ANTHROPIC_API_KEY&& claude --dangerously-skip-permissions -p"please read agentic/{{name}}.md and follow the instructions closely" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
not sure we should commit this into an open source repo – seems like a vulnerability for prompt injection :)
We could pass a --settingsagentic/{{name}}.settings.json file ?
Also, I'm curious: Why do you unset the API key here? To force somebody to login?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
how would that be an attack vector?
I am removing the env because otherwise it doesn't pick up the Max subscription but the API key (which is usage based)
juleswritescodeSep 18, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I am removing the env because otherwise it doesn't pick up the Max subscription but the API key (which is usage based)
ah i see! that makes sense.
how would that be an attack vector?
for example if a malicious contributor adds something into a build script that replaces the contents of youragentic/ file. If you then run the agentic file, claude might dostuff you don't expect – with GH permissions, claude might even push unreviewd commits to master etc
If we review everything closely, that won't be an issue, but I could see that someone contributes aC file or something that we just gloss over
Of course, this would still happen if you run--dangerously-skip-permissions via your own terminal, but then at least nobody would know that we use that param 😇
Your call!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
good point, I just commented them out for now with a node 'use at your own risk'
41d5a8d intomainUh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
will have claude do the work over night
closes#131
will porthttps://github.com/kaaveland/eugene/blob/main/eugene/src/lints/rules.rs afterwards
also added a new
agentic/dir and two newjustcommands to standardise as well as track the prompts for such work.UPDATE:
prefer jsonbfrom eugene too. the remaining ones are either covered be squawk or require a bit more updates to the file context. will do them in a follow-up. see full comparison here:Check eugene lint for migration lint rules? #305 (reply in thread)