🔍 Running security validation on staged changes... Log file: /root/liveserver2024/data/www/official-en-aia/.claude/skills/safe-commit/scripts/../logs/validate_20260121_055604.log AI Validation: enabled (codex) ✓ Found staged changes Checking for sensitive data patterns... - API keys/tokens/secrets... OK - Absolute file paths... OK - Private domains/IPs... OK - .env variable values... OK - Database credentials... OK ✓ Regex-based security checks passed! 🤖 Running AI-powered validation... - AI sensitive data scan (codex)... OpenAI Codex v0.84.0 (research preview) -------- workdir: /root/liveserver2024/data/www/official-en-aia/.claude model: gpt-5.2-codex provider: openai approval: never sandbox: read-only reasoning effort: none reasoning summaries: auto session id: 019bdf1f-db62-7092-af75-67772117a8e8 -------- user You are a security auditor reviewing a git diff for sensitive information before commit. Analyze this git diff and check for: 1. API keys, tokens, secrets, passwords (real values, not placeholders) 2. Absolute file paths that reveal server infrastructure (e.g., /root/..., /home/user/..., /var/www/...) 3. Internal/private domain names or IP addresses 4. Database credentials or connection strings with passwords 5. Personal information (emails, phone numbers, addresses) 6. Cloud credentials (AWS keys, GCP keys, Azure keys) IMPORTANT: Documentation examples with placeholder paths like '/home/username/...' are OK. Only flag REAL sensitive data that would be a security risk if committed. Respond with EXACTLY one of these formats: - If SAFE: 'SAFE: No sensitive data found' - If ISSUES: 'ISSUES: [brief description of what was found]' Do NOT output anything else. Be concise. Here is the git diff to analyze: diff --git a/skills/safe-commit/SKILL.md b/skills/safe-commit/SKILL.md index c029464..a7cad33 100644 --- a/skills/safe-commit/SKILL.md +++ b/skills/safe-commit/SKILL.md @@ -207,14 +207,20 @@ When enabled, uses Codex CLI for intelligent sensitive data detection: | Variable | Values | Description | |----------|--------|-------------| | `USE_AI_VALIDATION` | `1` (default if codex installed), `0` | Enable/disable AI validation | -| `AI_VALIDATOR` | `codex` (default), `claude` | Which AI tool to use | +| `AI_VALIDATOR` | `codex` (default), `gemini`, `copilot` | Which AI tool to use | | `MAX_DIFF_SIZE` | `51200` (default) | Max diff size in bytes for AI validation | **Usage Examples:** ```bash -# Use Codex for AI validation (recommended - saves Claude tokens) +# Use Codex for AI validation (default) USE_AI_VALIDATION=1 bash .claude/skills/safe-commit/scripts/validate.sh +# Use Gemini for AI validation +AI_VALIDATOR=gemini bash .claude/skills/safe-commit/scripts/validate.sh + +# Use GitHub Copilot for AI validation +AI_VALIDATOR=copilot bash .claude/skills/safe-commit/scripts/validate.sh + # Disable AI validation (regex only, faster) USE_AI_VALIDATION=0 bash .claude/skills/safe-commit/scripts/validate.sh diff --git a/skills/safe-commit/scripts/validate.sh b/skills/safe-commit/scripts/validate.sh index 010642b..195d962 100755 --- a/skills/safe-commit/scripts/validate.sh +++ b/skills/safe-commit/scripts/validate.sh @@ -6,7 +6,8 @@ # USE_AI_VALIDATION=1 - Enable AI-powered validation using Codex (default: 1 if codex available) # USE_AI_VALIDATION=0 - Use regex-only validation (faster, no API calls) # AI_VALIDATOR=codex - Use Codex CLI for AI validation (default) -# AI_VALIDATOR=claude - Use Claude agent for AI validation (more tokens) +# AI_VALIDATOR=gemini - Use Gemini CLI for AI validation +# AI_VALIDATOR=copilot - Use GitHub Copilot CLI for AI validation set -e @@ -208,12 +209,96 @@ $(cat "$DIFF_FILE")" 2>> "$LOG_FILE"; then rm -f "$AI_RESULT_FILE" rm -f "$DIFF_FILE" - elif [ "$AI_VALIDATOR" = "claude" ]; then - # Claude agent validation (placeholder - handled by the calling agent) - echo -n " - AI sensitive data scan (claude)... " | tee -a "$LOG_FILE" - echo -e "${YELLOW}DELEGATED${NC}" | tee -a "$LOG_FILE" - log " Claude agent will perform manual review" - rm -f "$DIFF_FILE" + elif [ "$AI_VALIDATOR" = "gemini" ]; then + # Use Gemini CLI for AI validation + echo -n " - AI sensitive data scan (gemini)... " | tee -a "$LOG_FILE" + + if ! command -v gemini &> /dev/null; then + echo -e "${YELLOW}SKIPPED${NC}" | tee -a "$LOG_FILE" + log -e "${YELLOW} Gemini CLI not installed${NC}" + rm -f "$DIFF_FILE" + else + AI_RESULT_FILE=$(mktemp) + + if timeout 60 gemini exec \ + -o "$AI_RESULT_FILE" \ + "$AI_PROMPT + +Here is the git diff to analyze: + +$(cat "$DIFF_FILE")" 2>> "$LOG_FILE"; then + + AI_RESULT=$(cat "$AI_RESULT_FILE" 2>/dev/null || echo "ERROR: Could not read result") + + if echo "$AI_RESULT" | grep -qi "^SAFE:"; then + echo -e "${GREEN}OK${NC}" | tee -a "$LOG_FILE" + log " AI: $AI_RESULT" + elif echo "$AI_RESULT" | grep -qi "^ISSUES:"; then + echo -e "${RED}FAILED${NC}" | tee -a "$LOG_FILE" + log -e "${RED} AI found issues:${NC}" + log " $AI_RESULT" + rm -f "$DIFF_FILE" "$AI_RESULT_FILE" + exit 1 + else + echo -e "${YELLOW}WARNING${NC}" | tee -a "$LOG_FILE" + log -e "${YELLOW} AI response unclear, please review manually:${NC}" + log " $AI_RESULT" + fi + else + echo -e "${YELLOW}SKIPPED${NC}" | tee -a "$LOG_FILE" + log -e "${YELLOW} Gemini validation timed out or failed${NC}" + log -e "${YELLOW} Continuing with regex-only validation${NC}" + fi + + rm -f "$AI_RESULT_FILE" + rm -f "$DIFF_FILE" + fi + + elif [ "$AI_VALIDATOR" = "copilot" ]; then + # Use GitHub Copilot CLI for AI validation + echo -n " - AI sensitive data scan (copilot)... " | tee -a "$LOG_FILE" + + if ! command -v gh &> /dev/null || ! gh copilot --version &> /dev/null 2>&1; then + echo -e "${YELLOW}SKIPPED${NC}" | tee -a "$LOG_FILE" + log -e "${YELLOW} GitHub Copilot CLI not installed (requires gh copilot extension)${NC}" + rm -f "$DIFF_FILE" + else + AI_RESULT_FILE=$(mktemp) + + if timeout 60 gh copilot suggest \ + -t shell \ + "$AI_PROMPT + +Here is the git diff to analyze: + +$(cat "$DIFF_FILE")" > "$AI_RESULT_FILE" 2>> "$LOG_FILE"; then + + AI_RESULT=$(cat "$AI_RESULT_FILE" 2>/dev/null || echo "ERROR: Could not read result") + + if echo "$AI_RESULT" | grep -qi "^SAFE:"; then + echo -e "${GREEN}OK${NC}" | tee -a "$LOG_FILE" + log " AI: $AI_RESULT" + elif echo "$AI_RESULT" | grep -qi "^ISSUES:"; then + echo -e "${RED}FAILED${NC}" | tee -a "$LOG_FILE" + log -e "${RED} AI found issues:${NC}" + log " $AI_RESULT" + rm -f "$DIFF_FILE" "$AI_RESULT_FILE" + exit 1 + else + echo -e "${YELLOW}WARNING${NC}" | tee -a "$LOG_FILE" + log -e "${YELLOW} AI response unclear, please review manually:${NC}" + log " $AI_RESULT" + fi + else + echo -e "${YELLOW}SKIPPED${NC}" | tee -a "$LOG_FILE" + log -e "${YELLOW} Copilot validation timed out or failed${NC}" + log -e "${YELLOW} Continuing with regex-only validation${NC}" + fi + + rm -f "$AI_RESULT_FILE" + rm -f "$DIFF_FILE" + fi + else log -e "${YELLOW} Unknown AI_VALIDATOR: $AI_VALIDATOR${NC}" rm -f "$DIFF_FILE" mcp: context7 starting mcp: playwright starting mcp: context7 ready mcp: playwright ready mcp startup: ready: context7, playwright thinking SAFE codex SAFE: No sensitive data found 2026-01-21T05:56:16.364917Z ERROR codex_core::codex: needs_follow_up: false tokens used 7,599 OK AI: SAFE: No sensitive data found ✓ All security checks passed! Staged files: - skills/safe-commit/SKILL.md - skills/safe-commit/scripts/validate.sh