Add skill for PostHog config defaults (autocapture / session recording / opt-out) #173

Description

@sarahxsanders

Why

Companion to a wizard concern: the legacy wizard-side regex scanner had medium-severity rules that fired when an agent silently wrote `autocapture: false`, `disable_session_recording: true`, or `opt_out_capturing: true` into a PostHog SDK init config. Those rules were removed in the wizard's warlock-migration PR — and (correctly) NOT added to warlock, because they're PostHog-specific, not platform-agnostic security concerns.

The wizard now has L0 protection via an agent commandment ("Keep PostHog data capture at its defaults..."), but no L2 enforcement. The natural place for L2 PostHog-specific rules is a context-mill skill — that matches the "skills own product knowledge" model the rest of the wizard uses.

What needs to happen

Add a context-mill skill (working name: `posthog-defaults-enforcer` or similar) that:

  1. Documents the patterns that should NOT appear in SDK init config:
    • `autocapture: false`
    • `disable_session_recording: true` (and `disableSessionRecording: true`)
    • `opt_out_capturing: true` / `opted_out: true`
  2. Documents the legitimate runtime form (`posthog.opt_out_capturing()` for GDPR consent) so the rules don't over-match.
  3. Optionally ships YARA rules in the skill bundle that the wizard can load.
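As an added illustration (not the wizard's, context-mill's or PostHog's code), here is a small JavaScript scanner that implements the three config patterns above, extended to the JSON-style quoted-key form, and that treats the runtime `posthog.opt_out_capturing()` call as the legitimate consent path rather than a finding. The sample init config is constructed; project key and host are placeholders.

```javascript
// Added example (not wizard/context-mill/PostHog code): flag the config keys
// listed in this issue when they appear in a PostHog init config, without
// reporting the legitimate runtime consent call posthog.opt_out_capturing().

// Build a rule matching `key: value`, with the key optionally quoted
// ("key": value) so JSON-style configs are covered as well.
function keyRule(id, keys, value) {
  const re = new RegExp(
    `(?<![\\w$])(["']?)(?:${keys.join('|')})\\1\\s*:\\s*${value}\\b`, 'g');
  return { id, re };
}

const RULES = [
  keyRule('autocapture-disabled', ['autocapture'], 'false'),
  keyRule('session-recording-disabled',
          ['disable_session_recording', 'disableSessionRecording'], 'true'),
  keyRule('opt-out-in-config', ['opt_out_capturing', 'opted_out'], 'true'),
];

// The runtime form is a method call, not a config key: it is the documented
// GDPR consent path and must not trip the rules above.
const RUNTIME_CONSENT_CALL = /\.opt_out_capturing\s*\(/;

function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Returns one finding per match: { rule, line, match }.
function scanInitConfig(source) {
  const findings = [];
  for (const { id, re } of RULES) {
    re.lastIndex = 0;
    for (let m = re.exec(source); m !== null; m = re.exec(source)) {
      findings.push({ rule: id, line: lineOf(source, m.index), match: m[0] });
    }
  }
  return findings;
}

function hasRuntimeConsentCall(source) {
  return RUNTIME_CONSENT_CALL.test(source);
}

// Constructed sample: two silent default overrides plus a runtime opt-out.
const SAMPLE = [
  "posthog.init('<project key>', {",
  "  api_host: '<your host>',",
  "  autocapture: false,",
  "  disableSessionRecording: true,",
  "});",
  "// later, when the user declines the consent banner:",
  "if (!consentGiven) posthog.opt_out_capturing();",
].join('\n');

console.log(scanInitConfig(SAMPLE), hasRuntimeConsentCall(SAMPLE));
```

The two findings point at lines 3 and 4 of the sample; the consent call on line 7 is reported separately as the expected runtime form, not as an override.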

🤖 Generated with Claude Code
