mirror of
https://github.com/obra/superpowers.git
synced 2026-06-11 21:29:07 +08:00
4d8ff907c4
Staff-review findings (4-reviewer panel): - The tripwire list existed twice in this file (description + HARD-GATE) and the copies had already drifted after one editing round — the framing tripwire and the security qualifier lived only in the HARD-GATE, which the skip decision never reads (our own GREEN-attempt-1 evidence). The description is now the single authoritative list; the HARD-GATE exception defers to it. - Security-posture fix: the "beyond the literally stated value" escape no longer applies to security — touching auth, sessions, permissions, CORS, or crypto re-gates EVEN when the value is exactly as stated (the harm of "set CORS to *" IS the stated value). User-visible behavior keeps the beyond-the-stated-change scope (a requested checkbox is the stated change; that is the point of the exception). - The framing tripwire moves into the description where it can act. - Anti-pattern final clause cut (was the 4th in-file statement of the exception's condition). - Description: 886/1024 chars, YAML-validated. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>