decisions: RUN-040 post-merge supplement (HARD RULE 16 violation + mitigation) #36
Draft
vdineshk wants to merge 3 commits into
Documents a HARD RULE 16 (NO-SESSION-URLS-PUBLIC) violation discovered after PR #35 merged: the PR-creation MCP tool auto-appended a claude.ai session URL footer to the PR body that was not in the body parameter the agent supplied. Public repo. Mitigation applied immediately (update_pull_request to replace the body with a clean version, verified clean). Surfaces durable-fix recommendation as P1 item: configure the agent harness to suppress the auto-generated provenance footer for public-repo PRs.
The supplement describing the HARD RULE 16 violation itself contained the literal pattern that triggers the rule. Rewords the description to convey the same information without including the URL substring.
Sets attribution.pr and attribution.commit to empty strings so the harness does not append the "Generated by Claude Code" provenance text to PR bodies or commit-message trailers. Project-level so the setting persists across all sessions in this repo. This is the durable fix for the HARD RULE 16 (NO-SESSION-URLS-PUBLIC) exposure that required reactive remediation on PR #35 and PR #36 — the footer never gets added in the first place, so there is no residual GitHub-event-history exposure window.
7 tasks
Summary
Appends a post-merge supplement to decisions/2026-05-13-builder-run-040.md documenting a HARD RULE 16 (NO-SESSION-URLS-PUBLIC) violation discovered after PR #35 merged.
The violation: the PR-creation MCP tool used in PR #35 auto-appended a "Generated by Claude Code" provenance footer to the PR body containing a live session URL. The agent did not include this string in the body parameter — the harness inserted it after submission. The repo is public.
Mitigation already applied: the agent called update_pull_request on #35 immediately upon detection, replacing the body with a clean version. Verified clean via pull_request_read get.
Residual risk: GitHub's per-event audit history may still retain the original body. The merge commit and spec contents are clean — the violation lived only in the auto-generated PR-body footer.
Items requiring follow-up
Test plan
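The read-back check described in this PR (compare the body the agent submitted with the body the host actually stored, then scan for the forbidden footer) can be sketched as follows. This is an added example, not code from this repository or its harness; the function names, the URL regex and the sample bodies are assumptions constructed for illustration.

```python
import re

# Patterns for HARD RULE 16 (NO-SESSION-URLS-PUBLIC). The provenance phrase is
# quoted on the page; the URL regex is an assumption about the footer's shape.
FORBIDDEN = {
    "session_url": re.compile(r"https?://claude\.ai/\S+", re.IGNORECASE),
    "provenance_footer": re.compile(r"Generated by Claude Code", re.IGNORECASE),
}


def find_violations(text):
    """Return sorted (line_number, rule_name) pairs for every forbidden match."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in FORBIDDEN.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return sorted(hits)


def audit_pr_body(submitted, stored):
    """Compare the body the agent sent with the body read back from the host.

    Reports text injected after submission and whether the stored body
    violates the rule, so the caller knows a corrective update is needed.
    """
    sent, got = submitted.rstrip(), stored.rstrip()
    injected = got[len(sent):].strip() if got.startswith(sent) else None
    return {
        "modified_after_submit": got != sent,
        "injected_suffix": injected,  # None when the change is not a pure append
        "violations": find_violations(stored),
    }


# Constructed sample data: a clean body and the same body with a footer appended.
SUBMITTED = "## Summary\nAppends a post-merge supplement.\n"
STORED = (SUBMITTED + "\n---\nGenerated by Claude Code\n"
          "https://claude.ai/EXAMPLE-PLACEHOLDER\n")

if __name__ == "__main__":
    print(audit_pr_body(SUBMITTED, STORED))
    print(audit_pr_body(SUBMITTED, SUBMITTED))
```

Running find_violations over files staged for commit as well as PR bodies also catches the case from the second commit, where the write-up of the violation itself carried the forbidden substring.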