blog: scrub internal codename + admin URL from pre-commit-agent post

The redaction-pattern example ironically named the real classified codename and a
real internal admin URL in a public post. Genericized both to placeholders
(<internal-codename>, admin.<internal-domain>) — the example still illustrates the
pattern format without leaking. Rebuilt HTML.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 22:04:08 +01:00
parent 6cba781083
commit f762ad52a3
2 changed files with 4 additions and 4 deletions
+2 -2
@@ -21,11 +21,11 @@ We built a pre-commit hook with two layers: a regex blocklist that's instant and
A text file of patterns, each tagged with scope and message: A text file of patterns, each tagged with scope and message:
``` ```
public|\bCosmos\b|Classified codename — use "advanced colonist AI" public|\b<internal-codename>\b|Classified codename — use the public-facing alias
all|github\.com/(tinqs-ltd|tinqs)/|GitHub repos deleted — use tinqs.com all|github\.com/(tinqs-ltd|tinqs)/|GitHub repos deleted — use tinqs.com
all|sk-[a-zA-Z0-9]{20,}|Possible API key leaked all|sk-[a-zA-Z0-9]{20,}|Possible API key leaked
all|AKIA[A-Z0-9]{16}|AWS access key leaked all|AKIA[A-Z0-9]{16}|AWS access key leaked
public|admin\.arikigame\.com|Internal admin URL in public content public|admin\.<internal-domain>|Internal admin URL in public content
``` ```
The scope field controls where patterns apply. `all` means every file. `public` means only public-facing content — blog posts, website, marketing pages. We *want* classified codenames in internal architecture docs. We just don't want them in blog posts. The scope field controls where patterns apply. `all` means every file. `public` means only public-facing content — blog posts, website, marketing pages. We *want* classified codenames in internal architecture docs. We just don't want them in blog posts.
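Review bot: At the two changed `public|` lines, the patterns as documented would not have flagged the text this commit removes, because the post quotes them in regex-escaped form. In the old codename line a literal `b` sits directly before the codename, so the leading `\b` finds no word boundary there; in the old admin line a backslash sits between `admin` and the dot, so `admin\.` does not match. Layer 1 as written would therefore have let this post through. Suggest adding public-scope entries that also cover the escaped spellings, plus a regression check that runs the blocklist over this post's own source, so that documentation of a pattern cannot carry the value the pattern guards.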
+2 -2
@@ -269,11 +269,11 @@
<p>We built a pre-commit hook with two layers: a regex blocklist that's instant and free, and an LLM review that costs $0.001. Together they catch everything.</p> <p>We built a pre-commit hook with two layers: a regex blocklist that's instant and free, and an LLM review that costs $0.001. Together they catch everything.</p>
<h2>Layer 1: Regex blocklist (0ms, $0.00)</h2> <h2>Layer 1: Regex blocklist (0ms, $0.00)</h2>
<p>A text file of patterns, each tagged with scope and message:</p> <p>A text file of patterns, each tagged with scope and message:</p>
<pre><code>public|\bCosmos\b|Classified codename — use "advanced colonist AI" <pre><code>public|\b&lt;internal-codename&gt;\b|Classified codename — use the public-facing alias
all|github\.com/(tinqs-ltd|tinqs)/|GitHub repos deleted — use tinqs.com all|github\.com/(tinqs-ltd|tinqs)/|GitHub repos deleted — use tinqs.com
all|sk-[a-zA-Z0-9]{20,}|Possible API key leaked all|sk-[a-zA-Z0-9]{20,}|Possible API key leaked
all|AKIA[A-Z0-9]{16}|AWS access key leaked all|AKIA[A-Z0-9]{16}|AWS access key leaked
public|admin\.arikigame\.com|Internal admin URL in public content</code></pre> public|admin\.&lt;internal-domain&gt;|Internal admin URL in public content</code></pre>
<p>The scope field controls where patterns apply. <code>all</code> means every file. <code>public</code> means only public-facing content — blog posts, website, marketing pages. We <em>want</em> classified codenames in internal architecture docs. We just don't want them in blog posts.</p> <p>The scope field controls where patterns apply. <code>all</code> means every file. <code>public</code> means only public-facing content — blog posts, website, marketing pages. We <em>want</em> classified codenames in internal architecture docs. We just don't want them in blog posts.</p>
<p>The blocklist runs grep against the staged diff. No network call, no API, no latency. Match found → commit blocked immediately with file path and explanation. This catches 80% of issues before the LLM wakes up.</p> <p>The blocklist runs grep against the staged diff. No network call, no API, no latency. Match found → commit blocked immediately with file path and explanation. This catches 80% of issues before the LLM wakes up.</p>
<h2>Layer 2: DeepSeek V4 Flash review (~4s, $0.001)</h2> <h2>Layer 2: DeepSeek V4 Flash review (~4s, $0.001)</h2>
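Review bot: On the first and last lines of the `<pre><code>` block, the codename pattern and the admin hostname are replaced only at the tip; both stay readable in parent 6cba781083, in the source file and in this generated HTML. If the repository or any deployed copy of the page is reachable from outside, a forward commit does not undo the disclosure. Consider rewriting history for the two files, purging cached or deployed copies of the old HTML, and treating the codename and hostname as exposed. The commit message could record which of these steps was taken.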