Skip to content

fix(yara): repeat-block escalation + scan only edit replacement text (stacked on #804)#820

Merged
gewenyu99 merged 5 commits into
mainfrom
posthog-code/yara-guards-on-804
Jul 8, 2026
Merged

fix(yara): repeat-block escalation + scan only edit replacement text (stacked on #804)#820
gewenyu99 merged 5 commits into
mainfrom
posthog-code/yara-guards-on-804

Conversation

@gewenyu99

@gewenyu99 gewenyu99 commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Stacked on #804. Merge #804 first. This PR's diff is only the changes below.

Two problems. Agents keep retrying edits that YARA already blocked. And the edit scanner reads the old file text, not just the new text, so old code causes false blocks.

Changes:

  • Remember what YARA already blocked. If the agent sends the same content again, the error says: this was already blocked, change the code instead.
  • On the third try, the error says: stop, note it in the setup report, move on.
  • The original block message and its fix instructions stay in place.
  • Scan only the new text of an edit. The old text being replaced is not scanned anymore.
  • This applies to both the pi fence and the anthropic hook.
  • 10 new tests. 1198 total pass.

Why:

  • Agents retried blocked edits about 4 times per affected run.
  • Edits near existing PII were falsely blocked.
  • Edits that removed a violation were blocked by the violation they removed.

Check after ship: blocks per affected run on the switchboard YARA tile. Target under 1.5.

🤖 Generated with Claude Code

sarahxsanders and others added 3 commits July 6, 2026 14:58
The pi harness security fence called the embedded yara-scanner.ts, a
pre-warlock snapshot of the rules that was deleted in #597 and
re-added in #701. Its stale rules blocked the canonical $set /
$set_once person-property pattern, looping agents on retries.

pi now scans through @posthog/warlock via yara-hooks scanAndTriage –
same engine, rules, chunking, and LLM triage as the anthropic
harness – and block messages include the rule remediation so a
blocked agent can self-correct.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
pi auths the LLM gateway programmatically and never sets
ANTHROPIC_BASE_URL/AUTH_TOKEN, so the env-based triage provider
returned undefined on the pi path: fail-closed, but every flagged
match acted on with no false-positive filtering. The provider now
accepts explicit gateway auth and pi passes its boot credentials.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…(stacked on #804)

The YARA guard split out of #816, rebuilt on top of #804's warlock-based pi fence, plus the one surviving piece of the closed #818:

1. Repeat-block escalation: agents retry identically-blocked payloads (~4.2 blocks per affected run) despite the prompt saying not to. Both fences (pi pre-execution scan, anthropic PreToolUse Bash hook) now hash the payloads they block; an identical retry gets an escalated reason ("this exact content was ALREADY blocked — change the code, not the retry"), and from the third attempt the agent is told to note it in the setup report and move on. The escalation decorates #804's remediation-bearing block message, never replaces it. Tracker lives in yara-hooks, shared by both fences; policy denies are unaffected.

2. Edit scanning scoped to replacement text: #804 still scans JSON.stringify(input.edits), which includes each edit's oldText — pre-existing file content. That blocked edits whose surroundings contained a violation and even edits REMOVING one (field FPs: capture edits adjacent to existing identify() PII; pre-existing violations blocking their own replacement). Now scans only the joined newText, matching the anthropic path which scans new_string only.

Generated-By: PostHog Code
Task-Id: bcb96bcb-e37f-421d-841d-738647c73b8e
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

🧙 Wizard CI

Run the Wizard CI and test your changes against wizard-workbench example apps by replying with a GitHub comment using one of the following commands:

Test all apps:

  • /wizard-ci all

Test all apps in a directory:

  • /wizard-ci basic-integration
  • /wizard-ci error-tracking-upload-source-maps
  • /wizard-ci mcp-analytics
  • /wizard-ci misc
  • /wizard-ci revenue

Test an individual app:

  • /wizard-ci basic-integration/android
  • /wizard-ci basic-integration/angular
  • /wizard-ci basic-integration/astro
Show more apps
  • /wizard-ci basic-integration/django
  • /wizard-ci basic-integration/fastapi
  • /wizard-ci basic-integration/flask
  • /wizard-ci basic-integration/javascript-node
  • /wizard-ci basic-integration/javascript-web
  • /wizard-ci basic-integration/laravel
  • /wizard-ci basic-integration/next-js
  • /wizard-ci basic-integration/nuxt
  • /wizard-ci basic-integration/python
  • /wizard-ci basic-integration/rails
  • /wizard-ci basic-integration/react-native
  • /wizard-ci basic-integration/react-router
  • /wizard-ci basic-integration/sveltekit
  • /wizard-ci basic-integration/swift
  • /wizard-ci basic-integration/tanstack-router
  • /wizard-ci basic-integration/tanstack-start
  • /wizard-ci basic-integration/vue
  • /wizard-ci error-tracking-upload-source-maps/android
  • /wizard-ci error-tracking-upload-source-maps/cicd-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-nested-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-single-stage-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-gitlab-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-monorepo-pnpm-node-react
  • /wizard-ci error-tracking-upload-source-maps/cicd-monorepo-raw-node-react
  • /wizard-ci error-tracking-upload-source-maps/cicd-ssh-vps-node-raw
  • /wizard-ci error-tracking-upload-source-maps/flutter
  • /wizard-ci error-tracking-upload-source-maps/ios
  • /wizard-ci error-tracking-upload-source-maps/next
  • /wizard-ci error-tracking-upload-source-maps/next-no-posthog
  • /wizard-ci error-tracking-upload-source-maps/node-raw
  • /wizard-ci error-tracking-upload-source-maps/node-rollup
  • /wizard-ci error-tracking-upload-source-maps/node-rollup-typescript-plugin
  • /wizard-ci error-tracking-upload-source-maps/node-webpack
  • /wizard-ci error-tracking-upload-source-maps/nuxt-3-6
  • /wizard-ci error-tracking-upload-source-maps/nuxt-4-3
  • /wizard-ci error-tracking-upload-source-maps/react-native
  • /wizard-ci error-tracking-upload-source-maps/react-vite
  • /wizard-ci error-tracking-upload-source-maps/rust
  • /wizard-ci mcp-analytics/custom-dispatcher
  • /wizard-ci mcp-analytics/typescript-sdk
  • /wizard-ci misc/quack-quack
  • /wizard-ci revenue/stripe

Results will be posted here when complete.

@gewenyu99 gewenyu99 requested a review from sarahxsanders July 7, 2026 15:53
@gewenyu99

Copy link
Copy Markdown
Collaborator Author

/wizard-ci basic-integration/next-js

@wizard-ci-bot

wizard-ci-bot Bot commented Jul 7, 2026

Copy link
Copy Markdown

🧙 Wizard CI Results

Trigger ID: 0604541
Workflow: View run

App Confidence PR YARA
basic-integration/next-js/15-app-router-saas 4/5 #2445 (logs)
basic-integration/next-js/15-app-router-todo 4/5 #2443 (logs)
basic-integration/next-js/15-pages-router-saas 4/5 #2444 (logs)
basic-integration/next-js/15-pages-router-todo 4/5 #2442 (logs)

Configuration

Setting Value
Wizard ref posthog-code/yara-guards-on-804
Context Mill ref main
PostHog ref master

Search for trigger ID 0604541 in wizard-workbench PRs.

Base automatically changed from fix/pi-harness-use-warlock to main July 7, 2026 19:00
gewenyu99 and others added 2 commits July 7, 2026 16:48
# Conflicts:
#	src/lib/agent/runner/harness/pi/__tests__/security.test.ts
#	src/lib/agent/runner/harness/pi/security.ts
@gewenyu99 gewenyu99 requested a review from a team as a code owner July 8, 2026 15:10
@gewenyu99 gewenyu99 enabled auto-merge (squash) July 8, 2026 15:10
@gewenyu99 gewenyu99 merged commit 2b589ad into main Jul 8, 2026
16 checks passed
@gewenyu99 gewenyu99 deleted the posthog-code/yara-guards-on-804 branch July 8, 2026 15:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants