fix(ce-demo-reel): prevent secrets in recorded demos #664
Introduce "Never Record Secrets" as a ground rule: set credentials before recording, never substitute placeholders inline, scan artifacts before upload. Add the concrete VHS Hide/clear/Show pattern plus per-tier guidance for browser, screenshot, and static captures, and a drift check for broken demos caused by re-exporting a fake value after Show.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 00271cf3a7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Codex review flagged that the VHS tape example embedded a literal API key inside `export API_KEY='real-secret-value'`. Even with Hide keeping it out of the GIF, the .tape itself is a persistent file that can leak through temp-dir retention, debug copies, or sharing. Switch the pattern: the invoking shell carries the secret (direnv, source .env, or export before vhs), VHS inherits it, and the tape file never contains the literal. Planning bullet, example comment, "Why this shape" note, and drift-check remediation all follow.

Resolves: #664 (comment)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 78a82c6cd1
Force-pushed 78a82c6 to 00271cf
PR #663 squash-merged as `feat(ce-commit-push-pr):` — adding two short-circuits that skip a blocking prompt when the agent just authored the change. The intent was a UX/flow fix, not a new capability, so the correct conventional prefix is `fix:`. Since the prefix drove a minor bump, the open release PR (#661) is pinning the linked `cli` / `compound-engineering` group at 3.1.0. This empty commit reclassifies the pending release to 3.0.2 via `Release-As:` footers so the patch-level fixes in this window (#660 ce-update, #664 ce-demo-reel, #663 ce-commit-push-pr) land as 3.0.2 instead of 3.1.0. The feat prefix remains in history and may still render under a Features heading in the generated changelog — hand-edit the release PR body before merge if so.

Release-As: cli@3.0.2
Release-As: compound-engineering@3.0.2
Summary
Recorded demos must never contain credentials. A new "Never Record Secrets" ground rule in `ce-demo-reel` codifies that across all capture tiers: plan secrets out of frame, never substitute placeholders inline, and scan before upload.

The prior skill had only a single post-capture bullet in one tier, and didn't prevent the subtler failure mode — a visible `export API_KEY=REDACTED` "mask" overwrites the real env var, producing a broken demo (401, 0 credits remaining, empty output) that still leaks the variable name. The rule is built around one principle: secrets should affect the environment, not the visible transcript.

What's new
- `SKILL.md` — three directives (plan out of frame, don't substitute placeholders, scan before upload) with the runtime-state failure called out explicitly, plus the positive principle "show the authenticated result, not the auth step."
- `tier-terminal-recording.md` — clean `HOME`, secrets in `Hide`, `clear`, then `Show`. Full skeleton included as the teaching artifact.
- Drift check: a broken demo (`401 Unauthorized`, `0 credits remaining`, empty output where data was expected) usually means a visible `export SECRET=...` after `Show` overwrote the real env. Fix the `.tape` and re-record rather than ship.
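As an added example (not part of this PR or the ce-demo-reel skill), a small pre-upload lint for a VHS .tape that checks the two failure modes discussed above: a credential assignment persisted in the tape file itself, even under Hide (the Codex finding), and a secret-looking assignment typed after Show (the drift case). The KEY/TOKEN/SECRET/PASSWORD name set and the `lint_tape.sh` file name are assumptions.

```shell
#!/bin/sh
# Added example, not the ce-demo-reel skill's own tooling: a pre-upload lint for a VHS .tape.
# It enforces the two rules from this PR's discussion. The set of "secret-looking" variable
# names (KEY/TOKEN/SECRET/PASSWORD) is an assumption; widen it for your own environment.
#
# Verdict printed on stdout:
#   literal-in-tape      a secret-looking variable is assigned inside the tape (Type or Env),
#                        even under Hide: the .tape file itself would persist the value
#   visible-assignment   a secret-looking assignment is typed while Show is active: it lands
#                        in the recording and overwrites the env the invoking shell provided
#   clean                no assignment at all; the secret reaches VHS only by inheritance
lint_tape() {
  verdict=clean
  visible=1                   # VHS records from the first frame until a Hide
  names='[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD)[A-Z_]*'
  while IFS= read -r line; do
    case "$line" in
      Hide*) visible=0; continue ;;
      Show*) visible=1; continue ;;
    esac
    found=
    if printf '%s\n' "$line" | grep -Eq "^Env +$names "; then
      found=literal-in-tape             # VHS Env sets the variable from the tape text
    elif printf '%s\n' "$line" | grep -Eq "^Type +\".*$names=[^\$]"; then
      # Values starting with $ are env references (e.g. =$API_KEY), not literals.
      if [ "$visible" -eq 1 ]; then found=visible-assignment; else found=literal-in-tape; fi
    fi
    # A visible assignment is the broken-demo case, so it outranks a hidden literal.
    if [ "$found" = visible-assignment ]; then verdict=$found
    elif [ -n "$found" ] && [ "$verdict" = clean ]; then verdict=$found; fi
  done < "${1:-/dev/stdin}"
  printf '%s\n' "$verdict"
}

# Usage (assumed file name): sh lint_tape.sh demo.tape [more.tape ...]
for tape in "$@"; do
  printf '%s: ' "$tape"; lint_tape "$tape"
done
```

Run it over every .tape before the GIF goes anywhere; anything other than `clean` means fix the tape and re-record rather than ship.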