Background
PR #20 added prompt fingerprint logging (prompt_sha256 field in every routine's state gist) and tightened state-gist content rules (never write secrets, raw payloads, file content). Detection is now needed.
Request
Add two new rules to routines/sentinel.prompt.md:
Rule A — Prompt fingerprint drift
Daily, for each cloud routine listed in CLAUDE.md routine inventory:
- Fetch the last
prompt_sha256 from the routine's state gist (most-recent run_log entry).
- Compute
sha256 of the prompt file at HEAD of main in JacobPEvans/claude-code-routines:
gh api repos/JacobPEvans/claude-code-routines/contents/routines/<basename>.prompt.md \
--jq .content | base64 -d | sha256sum
- Alert via Slack on mismatch: "Cloud routine
<basename> is running a prompt that differs from main. Last deployed sha: <X>, current main sha: <Y>."
Catches: forgotten RemoteTrigger update after merge, mid-merge partial deploys, malicious post-merge poisoning, accidental update from a dirty worktree.
Rule B — State gist secret scan
Daily, for each <routine>-state gist, fetch its body and grep for known secret prefixes:
ghp_[A-Za-z0-9]{30,} (GitHub PAT)ghs_[A-Za-z0-9]{30,} (GitHub server token)sk-ant-[A-Za-z0-9_-]{20,} (Anthropic key)aws_access_key_id or AKIA[0-9A-Z]{16} (AWS access key)xoxb- or xoxp- (Slack tokens)
Alert via Slack on any hit. State gists must never contain credentials per CLAUDE.md rule 8 / S7.
Why now
Per security-auditor review: "the routines as a whole compose into a single-PR-to-ai-workflows → RCE on 41 repos chain. The cross-repo blast radius is the dominant risk." Out-of-band fingerprint + secret-scan are the lightweight defenses that catch silent compromise.
Provenance
Background
PR #20 added prompt fingerprint logging (
prompt_sha256field in every routine's state gist) and tightened state-gist content rules (never write secrets, raw payloads, file content). Detection is now needed.Request
Add two new rules to
routines/sentinel.prompt.md:Rule A — Prompt fingerprint drift
Daily, for each cloud routine listed in
CLAUDE.mdroutine inventory:prompt_sha256from the routine's state gist (most-recentrun_logentry).sha256of the prompt file at HEAD ofmaininJacobPEvans/claude-code-routines:<basename>is running a prompt that differs frommain. Last deployed sha:<X>, current main sha:<Y>."Catches: forgotten
RemoteTrigger updateafter merge, mid-merge partial deploys, malicious post-merge poisoning, accidental update from a dirty worktree.Rule B — State gist secret scan
Daily, for each
<routine>-stategist, fetch its body and grep for known secret prefixes:ghp_[A-Za-z0-9]{30,}(GitHub PAT)ghs_[A-Za-z0-9]{30,}(GitHub server token)sk-ant-[A-Za-z0-9_-]{20,}(Anthropic key)aws_access_key_idorAKIA[0-9A-Z]{16}(AWS access key)xoxb-orxoxp-(Slack tokens)Alert via Slack on any hit. State gists must never contain credentials per
CLAUDE.mdrule 8 / S7.Why now
Per security-auditor review: "the routines as a whole compose into a single-PR-to-
ai-workflows→ RCE on 41 repos chain. The cross-repo blast radius is the dominant risk." Out-of-band fingerprint + secret-scan are the lightweight defenses that catch silent compromise.Provenance
cloud-routine