Add skill for PostHog config defaults (autocapture / session recording / opt-out)

[sarahxsanders]

Why

Companion to a wizard concern: the legacy wizard-side regex scanner had medium-severity rules that fired when an agent silently wrote `autocapture: false`, `disable_session_recording: true`, or `opt_out_capturing: true` into a PostHog SDK init config. Those rules were removed in the wizard's warlock-migration PR — and (correctly) NOT added to warlock, because they're PostHog-specific, not platform-agnostic security concerns.

The wizard now has L0 protection via an agent commandment ("Keep PostHog data capture at its defaults..."), but no L2 enforcement. The natural place for L2 PostHog-specific rules is a context-mill skill — that matches the "skills own product knowledge" model the rest of the wizard uses.

What needs to happen

Add a context-mill skill (working name: `posthog-defaults-enforcer` or similar) that:

1. Documents the patterns that should NOT appear in SDK init config:
   • `autocapture: false`
   • `disable_session_recording: true` (and `disableSessionRecording: true`)
   • `opt_out_capturing: true` / `opted_out: true`
2. Documents the legitimate runtime form (`posthog.opt_out_capturing()` for GDPR consent) so the rules don't over-match.
3. Optionally ships YARA rules in the skill bundle that the wizard can load.

Related

• Wizard side: Add wizard-owned L2 ruleset for PostHog config defaults (autocapture / session recording / opt-out) wizard#592 tracks the L2 ruleset shape.

🤖 Generated with Claude Code