k-skill/daishin-report-search
Jeffrey (Dongkyu) Kim 3ccb44afda Constrain report fetch credentials
Scope caller-owned GitHub credentials to API requests, add exact-file contents fallback for known report fetches, and report actual inspected detail attempts. This tightens the public mirror boundary without adding proxy auth or broadening release metadata.

Constraint: public GitHub mirror remains keyless by default; optional caller tokens must stay least-privilege.

Rejected: forwarding GitHub auth headers to all GitHub-operated hosts | raw.githubusercontent.com does not need API credentials for the verified path.

Confidence: high

Scope-risk: narrow

Directive: Keep optional credentials host-scoped unless a future caller explicitly opts into raw-host forwarding.

Tested: npm run lint --workspace daishin-report-search; npm run test --workspace daishin-report-search; npm pack --workspace daishin-report-search --dry-run; npm run ci; injected raw/API header and contents fallback smoke; live exact-report and latest-list CLI smokes; architect/code-reviewer verification.

Not-tested: authenticated live GitHub token path with a real token.
2026-05-14 09:57:45 +09:00
SKILL.md Constrain report fetch credentials 2026-05-14 09:57:45 +09:00
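The host scoping and exact-file contents fallback described in the commit message, sketched as an added example that is not code from this repository. The function names, the raw-then-API attempt order and the redirect handling are assumptions.

```javascript
// Added example: headersFor, planReportFetch and fetchReport are hypothetical
// names, not the daishin-report-search API.
const API_HOST = "api.github.com"; // the only host allowed to see the token

// Attach the caller's token only to HTTPS requests for the exact API host.
function headersFor(url, token) {
  const { protocol, hostname } = new URL(url);
  const isApi = protocol === "https:" && hostname === API_HOST;
  const headers = isApi ? { Accept: "application/vnd.github.raw+json" } : {};
  if (isApi && token) headers.Authorization = `Bearer ${token}`;
  return headers;
}

// Ordered attempts for one exact file: keyless raw mirror first, then the
// contents API as fallback (order assumed for this example).
function planReportFetch({ owner, repo, ref, path, token }) {
  const p = path.split("/").map(encodeURIComponent).join("/");
  const urls = [
    `https://raw.githubusercontent.com/${owner}/${repo}/${ref}/${p}`,
    `https://${API_HOST}/repos/${owner}/${repo}/contents/${p}?ref=${encodeURIComponent(ref)}`,
  ];
  return urls.map((url) => ({ url, headers: headersFor(url, token) }));
}

// Walk the plan. Redirects are not followed automatically, so a token never
// rides a redirect to another host. Returns the body plus every attempt made.
async function fetchReport(spec, fetchImpl = fetch) {
  const attempts = [];
  for (const { url, headers } of planReportFetch(spec)) {
    const res = await fetchImpl(url, { headers, redirect: "manual" });
    attempts.push({ url, status: res.status, authenticated: "Authorization" in headers });
    if (res.ok) return { body: await res.text(), attempts };
  }
  return { body: null, attempts };
}
```

Passing a fake `fetchImpl` lets the header scoping be checked offline, in the spirit of the "injected raw/API header" smoke the commit lists under Tested.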