tessl install github:specstoryai/agent-skills --skill specstory-guardgithub.com/specstoryai/agent-skills
Install a pre-commit hook that scans .specstory/history for secrets before commits. Run when user says "set up secret scanning", "install specstory guard", "protect my history", or "check for secrets".
Review Score
89%
Validation Score
15/16
Implementation Score
77%
Activation Score
100%
A pre-commit guardrail that scans .specstory/history for potential secrets and blocks commits until they are removed or redacted.
.specstory/history files on every commitAI coding sessions may inadvertently capture sensitive data:
Guard prevents accidental commits of these secrets.
| User says | Action |
|---|---|
/specstory-guard | Install the pre-commit hook |
/specstory-guard install | Install the pre-commit hook |
/specstory-guard scan | Run a manual scan without installing |
/specstory-guard check | Alias for scan |
/specstory-guard uninstall | Remove the pre-commit hook |
# Install the pre-commit hook
python skills/specstory-guard/scripts/guard.py install
# Run a manual scan
python skills/specstory-guard/scripts/guard.py scan --root .
# Uninstall the hook
python skills/specstory-guard/scripts/guard.py uninstall
# Scan with custom allowlist
SPECSTORY_GUARD_ALLOWLIST='example-key,PLACEHOLDER_.*' \
python skills/specstory-guard/scripts/guard.py scan --root .SpecStory Guard - Security Scan
===============================
Scanning .specstory/history/...
ALERT: Potential secrets found!
File: .specstory/history/2026-01-22_19-20-56Z-api-setup.md
Line 142: AWS_SECRET_ACCESS_KEY=AKIA...redacted...XYZ
Line 289: private_key: "-----BEGIN RSA PRIVATE KEY-----..."
File: .specstory/history/2026-01-20_10-15-33Z-debug-auth.md
Line 56: Authorization: Bearer eyJhbG...redacted...
Total: 3 potential secrets in 2 files
Commit blocked. Please redact or remove these secrets before committing.SpecStory Guard - Security Scan
===============================
Scanning .specstory/history/...
All clear! No secrets detected in 47 files.SpecStory Guard - Setup
=======================
Pre-commit hook installed at .git/hooks/pre-commit
The hook will now scan .specstory/history/ before each commit.
To test: python skills/specstory-guard/scripts/guard.py scan --root .Guard scans for these common secret patterns:
| Pattern | Example |
|---|---|
| AWS Keys | AKIA..., aws_secret_access_key |
| API Tokens | Bearer ..., token: ... |
| Private Keys | -----BEGIN RSA PRIVATE KEY----- |
| GitHub Tokens | ghp_..., github_pat_... |
| Generic Secrets | password=, secret=, api_key= |
If you have false positives (example keys, placeholders), use the allowlist:
# Environment variable (comma-separated regex patterns)
SPECSTORY_GUARD_ALLOWLIST='example-key,PLACEHOLDER_.*,test-token' \
python skills/specstory-guard/scripts/guard.py scan --root .When secrets are found:
[REDACTED] or remove the lineAfter running guard commands:
I found 3 potential secrets in your SpecStory history:
1. **AWS credentials** in `2026-01-22_19-20-56Z-api-setup.md` (line 142)
2. **Private key** in the same file (line 289)
3. **Bearer token** in `2026-01-20_10-15-33Z-debug-auth.md` (line 56)
Would you like me to help redact these? I can replace them with `[REDACTED]`
while preserving the rest of the conversation context.git commit