Hard block private repo surfacing from public github-stars runs

[primeinc]

Goal

Add a hard privacy policy blocker:

NEVER EVER EVER EVER EVER allow private repositories to be surfaced if github-stars is running in a public repository.

This is a non-negotiable app invariant. If the output surface is public, private repo data must not appear in generated files, workflow summaries, logs, artifacts, issues, PR comments, Pages output, classification batches, provenance records, or diagnostic reports.

Parent: #69
Related: #42, #54, #71, #73

Why this exists

github-stars is intended to publish or expose a star catalog from a repo that may itself be public. The app may eventually support authenticated/private star fetch paths, broad GitHub App permissions, setup diagnostics, artifact provenance, and agent routing.

That creates a specific leak hazard:

authenticated/private input source
  -> public repository run/output context
  -> generated catalog/log/artifact/issue leak

This must hard-fail, not merely warn.

Policy Invariant

If output_repository.visibility == public:
  private_repository_records MUST NOT be surfaced.

Where surfaced means written, printed, summarized, classified, routed, cached, uploaded, published, or committed anywhere visible from the public repo context.

Required Behavior

1. Public repo mode must quarantine private inputs

When github-stars runs in a public repository:

private repo slug -> do not print
private repo metadata -> do not print
private repo count -> allowed only as aggregate count if no identifiers leak
private repo classification -> disabled
private repo generated output -> prohibited
private repo artifact upload -> prohibited
private repo issue/PR/comment output -> prohibited
private repo Pages output -> prohibited

Allowed public-safe aggregate example:

private_repos_omitted: 12

Forbidden examples:

private_repos_omitted:
  - owner/private-repo

Skipped private repo owner/private-repo

Classified private repo owner/private-repo as security/dev-tools

2. Auth resolver must enforce visibility boundary

The auth resolver from #69 must distinguish:

star_fetch_auth = public | pat | github_app_user | github_token | disabled
output_visibility = public | private | internal/unknown
private_repo_surface_policy = block | allow_private_context_only

Public output context requires:

private_repo_surface_policy=block

If authenticated/private data is fetched while output visibility is public, the run must either:

filter private repos before any surface
or fail closed before writing/logging/uploading/publishing anything private-derived

3. Setup doctor must report policy state safely

primeinc-stars-yoshi-doctor must report:

output_repository_visibility=public|private|unknown
private_repo_surface_policy=block|allow_private_context_only
private_repo_identifiers_printed=false
private_repo_count=<aggregate only, optional>

No private identifiers may appear in setup doctor output when output repo is public.

4. Generated artifact registry must mark public/private safety

Any generated artifact registry from #69 must include a public-safety classification:

artifact
visibility_surface
may_contain_private_identifiers
private_safe_for_public_repo
producer
validation_gate

Public repo runs may only publish artifacts where:

private_safe_for_public_repo=true

5. Classifier must refuse private repo candidates in public mode

The #71 classifier path must not receive private repo identifiers or metadata when output context is public.

Hard rule:

private repo records cannot enter model prompt/input if output repo is public

This avoids both output leaks and model-prompt leakage. Because letting an LLM see private repo names and then asking it politely not to leak them is not a policy. It is a haunted pinky promise.

Required Tests

Add tests for:

public output repo + private input repo -> private identifier omitted
public output repo + private input repo -> artifact excludes private slug
public output repo + private input repo -> workflow summary excludes private slug
public output repo + private input repo -> classifier batch excludes private slug
public output repo + private input repo -> logs do not contain private slug
public output repo + private input repo -> issue/PR/router payload excludes private slug
public output repo + aggregate count -> allowed
private output repo + private input repo -> allowed only if policy explicitly permits
unknown output visibility -> fail closed

Add at least one forbidden sentinel fixture:

owner/private-sentinel-repo-do-not-leak

The test must fail if that string appears in any public-mode output, summary, artifact, classifier input, or router payload.

Acceptance Criteria

• A formal policy exists in code or config for private repo surfacing.
• Public output repo mode defaults to hard block.
• Unknown output repo visibility fails closed.
• Private repo identifiers are filtered/quarantined before prompt/model/classifier input.
• Workflow summaries may show aggregate private omission counts but never private repo identifiers.
• Generated artifacts are marked public-safe before upload/commit/publish.
• Issue/PR/agent routing payloads are sanitized in public mode.
• Tests include sentinel private repo leak checks.
• AGENTS.md or control-plane docs state this as a hard blocker.
• Completion proof includes a test showing the sentinel private repo name does not surface.

Proof Required

Completion comment must include:

• PR URL or commit SHA.
• Test output for private leak sentinel fixture.
• Workflow/setup-doctor summary excerpt showing public mode and private_repo_surface_policy=block.
• Example sanitized aggregate output.
• Confirmation that classifier/model input excludes private repo identifiers in public mode.
• Confirmation that generated artifacts cannot be marked public-safe if they contain private identifiers.

Evidence Labels for Implementer

Use these labels in the completion report:

• Direct evidence: source diff, test fixture, test output, workflow summary, artifact validation output.
• Weak inference: a field may contain private-derived information but no identifiers; justify with sanitizer evidence.
• Unsupported: claiming private data is protected without a sentinel leak test.
• Contradicted: any private repo slug appears in public-mode logs, summaries, artifacts, prompts, generated files, issues, PR comments, or Pages output.
• Blocked: output repo visibility cannot be determined and fail-closed behavior triggers.

Non-Goals

• Do not remove support for private/authenticated star fetching in private output contexts.
• Do not expose private repo names just to explain that they were skipped.
• Do not rely on LLM instructions to suppress private identifiers after they enter prompts.
• Do not allow a warning-only mode for public output contexts.

Definition of Done

When github-stars runs in a public repository, private repositories are never surfaced. The pipeline either filters private records before any public surface or fails closed before output, and the sentinel leak test proves it.

[primeinc]

Closing — privacy quarantine + sentinel tripwire shipped in cc2668ae (PR #79).

Files added:

• src/privacy/private-quarantine.ts — OutputVisibility, PRIVATE_SENTINEL_SLUG, Zod schemas
• src/privacy/quarantine.ts — quarantinePrivate, publicSafeOmissionReport, findPrivateSlugLeaks, assertNoPrivateLeak, PrivateLeakError
• src/privacy/quarantine.test.ts — 14 tests including sentinel tripwire against artifact JSON, markdown summaries, classifier prompts
• src/privacy/index.ts — public surface

Files wired:

• src/sync/cli.ts — quarantine after reconcile, sentinel re-read assertion after write
• tests/setup/schema-registry.ts — privacy schemas registered before tests run

Acceptance criteria check:

• ✅ Formal policy in code or config — src/privacy/private-quarantine.ts + src/privacy/quarantine.ts. The OutputVisibility schema is in the GhStarsSchemaRegistry with id contract.github-stars.privacy.output-visibility.v1.
• ✅ Public output repo mode defaults to hard block — quarantinePrivate({visibility: "public", ...}) filters every private:true record. The sync CLI hardcodes visibility: "public" because github-stars deploys from a public repo.
• ✅ Unknown output repo visibility fails closed — quarantinePrivate({visibility: "unknown"}) is treated as public. Tested by quarantine.test.ts "unknown visibility fails closed".
• ✅ Private repo identifiers filtered/quarantined before any public surface — defense in depth: (1) fetch path drops isPrivate:true upstream (src/fetch/list-paginator.ts, src/fetch/list-paginator-rest.ts), (2) sync's quarantine filters again, (3) sentinel tripwire on serialized output.
• ✅ Workflow summaries may show aggregate count, never identifiers — publicSafeOmissionReport returns {count} only; the test "emits count only, never slugs" verifies via Object.keys(report).
• ✅ Tests include sentinel private repo leak checks — PRIVATE_SENTINEL_SLUG = "owner/private-sentinel-repo-do-not-leak" (matches the issue's spec). Tested at every documented surface: quarantinePrivate, findPrivateSlugLeaks, assertNoPrivateLeak against artifact JSON, markdown summaries, and classifier prompts.
• ✅ AGENTS.md / control-plane docs state this as a hard blocker — AGENTS.md §0 (added in Epic: Mandatory read-the-room and upstream-canonical gates before code changes #75) requires path-based privacy gates. The PR template adds a "Privacy-affecting (when Hard block private repo surfacing from public github-stars runs #74 lands) — sentinel leak tests" checkbox.
• ✅ Completion proof includes a test showing the sentinel does not surface — quarantine.test.ts "guards JSON artifact serialisation (sentinel embedded as quoted slug)" + "guards markdown summary surfaces" + "guards classifier prompt construction". All pass.

Direct evidence — local gate run:

=== gate stage: test ===
$ bun test --reporter=dots --no-color --timeout=5000
bun test v1.3.13
..............................................................................................................................
126 pass
0 fail
291 expect() calls
Ran 126 tests across 13 files. [164.00ms]

14 new tests in src/privacy/quarantine.test.ts (was 112 → now 126 pass).

Direct evidence — sentinel tripwire wiring in production code:

// src/sync/cli.ts:117
const written = readTextFileSync(MANIFEST_PATH);
assertNoPrivateLeak(written, [PRIVATE_SENTINEL_SLUG], MANIFEST_PATH);

If a future code path lets owner/private-sentinel-repo-do-not-leak reach repos.yml, sync hard-aborts before the workflow's commit step runs. PrivateLeakError is thrown with the surface name and the leaked slugs.

Non-goals respected:

• Did NOT remove support for private/authenticated star fetching in private output contexts (quarantinePrivate({visibility: "private"}) passes records through unchanged).
• Did NOT expose private repo names just to explain that they were skipped (the workflow ::warning:: is count-only, names "redacted from public log").
• Did NOT rely on LLM instructions to suppress private identifiers after they enter prompts (the quarantine runs BEFORE prompt construction in any future classifier wiring).
• Did NOT allow a warning-only mode for public output contexts (the assertion variant assertNoPrivateLeak throws — pipeline aborts, no warning-only path).

Evidence labels:

• Direct evidence: file diffs in cc2668ae, gate output above, 14 new tests in quarantine.test.ts.
• Weak inference: none.
• Unsupported: none.
• Blocked: none. Output visibility is hardcoded in sync CLI as public because github-stars's deploy target is GitHub Pages from a public repo. If/when a private deploy mode is added, the visibility resolver should consult gh api repos/{owner}/{repo} --jq .private and Zod-parse the response — out of scope here, file a separate issue if needed.
• Contradicted: none. The fetch path's existing isPrivate filter (src/fetch/list-paginator.ts, src/fetch/list-paginator-rest.ts) is consistent with the quarantine at sync time.