
Tracking: open work from initial privacy-guard build session #1

@krisrowe

Context

The privacy-guard agent, test infrastructure, PERSON.md patterns file, and ./agent CLI were built in a single session and pushed as the initial commit. This tracks everything still open.

Issues from the prior private repo (krisrowe/claude-coding-plugin, now renamed/archived) are referenced by their original numbers below and need to be recreated here as individual issues.

Related issues (opened from this tracking issue)

Tests not yet verified

7 of the 17 tests pass. The remaining 10 still need to be run individually via ./agent test privacy-guard -k <name>:

  • test_pii_in_prior_commit_when_asked — history scan when explicitly requested
  • test_pii_in_commit_message — PII in commit message text, not file content
  • test_pii_in_gitignored_file — gitignored file reported as warning severity
  • test_author_email_domain_mismatch — commit author email domain differs from configured
  • test_os_username_in_file — OS-level detection, marked env_dependent
  • test_unknown_name_in_personal_context — judgment-based, may xfail
  • test_completed_scan_has_required_fields — JSON schema validation
  • test_failed_scan_has_required_fields — failure JSON schema validation
  • test_unconfigured_categories_warning — sparse PERSON.md warns about gaps
  • test_exhaustive_reporting — slow marker, 9 planted values across 40+ files

Code cleanup

  • Add comments to conftest.py: symlink setup rationale, AGENT_SOURCE path resolution, FAKE_PERSON design, run_privacy_guard() JSON extraction, debug logging
  • Add comments to test_privacy_guard.py: test class grouping, relative import

Issues to recreate from prior repo

Each of these needs its own issue on this repo:

  1. Default scan: should git history be included? (was #6) — Currently opt-in. Trade-offs between thoroughness and speed.
  2. MCP tool to export agents to user/local scope (was #7) — export_agent(name, scope) for plugin users who want CLI --agent access.
  3. Multi-repo scanning and structured output (was #8) — working + attempted array with per-repo status/findings. Output is pure JSON with messages array.
  4. Handle non-git directories gracefully (was #9) — Don't silently skip git scans. Report git_repo: false explicitly.
  5. Verify plugin agent discovery via --plugin-dir and marketplace (was #10) — Does --agent <name> resolve from the plugin cache on a cold CLI start? Document test results in CONTRIBUTING.md regardless of outcome (works/doesn't work/partially works).
  6. Prefer issue body edits over comments for scope changes (was #11) — Enforce via hook or skill guidance.
  7. Workspace root detection should be configurable (was #12) — Remove hardcoded conventions, make it a PERSON.md field.
  8. Agent scope expanding beyond privacy (was #13) — Also catches usability defects (hardcoded paths, non-portable configs). Naming/branding/modularization implications.
  9. Formalize workspace_roots in PERSON.md (was #14) — Add to test fixtures, document, handle missing gracefully.
  10. Suppress GitHub username findings when it matches repo owner (was #16) — Self-referential repo URLs are not findings.
  11. Run /identify-best-practices against agent and plugin (was #17) — Compare against existing tools (gitleaks, trufflehog, etc.), evaluate architecture.
  12. Make personal repo prefix configurable (was #18) — Don't hardcode any prefix convention.
  13. Cloud IDs and service accounts should be pattern-based (was #19) — Structural detection, not user-enumerated lists.
  14. Deterministic pattern scanning with optional MCP acceleration (was #20) — Split mechanical grep from LLM judgment. Investigate actual tool usage via debug logs first.
  15. Support custom patterns and wildcards in PERSON.md (was #21) — Glob/regex for power users, keep simple for basic use.
  16. Review CLAUDE.md location: root vs .claude/ directory (was #22) — Confirm best practice.
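Items 10, 13, 14 and 15 above describe the mechanical half of the proposed design: structural regexes for cloud identifiers instead of user-enumerated value lists, user-defined PERSON.md patterns (regex or glob), a deterministic pass kept separate from LLM judgment, and suppression of self-referential repository URLs. The following is an added example sketching that pass; it is not the privacy-guard agent's own code. STRUCTURAL_PATTERNS, scan_files(), the output field names and the custom-pattern format are hypothetical, and the sample file contents are constructed (the AWS key is the placeholder value used in AWS documentation).

```python
"""Deterministic, structural identifier scan with self-reference suppression.

Added example for this tracking issue, not the privacy-guard agent's own code.
Names such as STRUCTURAL_PATTERNS, scan_files() and the output field names
are hypothetical; the sample file contents below are constructed.
"""
import json
import re
from fnmatch import fnmatchcase

# Structural patterns describe the *shape* of an identifier, so a value the
# user never listed in PERSON.md is still caught.
STRUCTURAL_PATTERNS = {
    # AWS access key ID: literal "AKIA" followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # GCP service account e-mail: <account>@<project>.iam.gserviceaccount.com
    "gcp_service_account": re.compile(
        r"\b[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{5,29}\.iam\.gserviceaccount\.com\b"
    ),
    # GitHub repository URL; group 1 is the owner, used for the self-reference check.
    "github_repo_url": re.compile(
        r"https?://github\.com/([A-Za-z0-9-]+)/[A-Za-z0-9_.-]+"
    ),
}


def _custom_hits(line, custom_patterns):
    """Yield (rule_id, value) for user-supplied PERSON.md patterns.

    A "regex" entry is searched across the whole line; a "glob" entry is
    matched with shell wildcards against whitespace-separated tokens.
    """
    for rule in custom_patterns:
        if "regex" in rule:
            for m in re.finditer(rule["regex"], line):
                yield rule["name"], m.group(0)
        elif "glob" in rule:
            for token in line.split():
                token = token.strip("\"'(),;")
                if fnmatchcase(token, rule["glob"]):
                    yield rule["name"], token


def scan_files(files, repo_owner, custom_patterns=()):
    """Scan {path: text} deterministically and return a JSON-serialisable dict.

    Output is structured only: findings, suppressed findings and messages.
    Judgment calls (is this unfamiliar name personal?) are deliberately out of
    scope here; they belong to the separate LLM pass proposed in the issue.
    """
    findings, suppressed = [], []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule_id, rx in STRUCTURAL_PATTERNS.items():
                for m in rx.finditer(line):
                    record = {"rule_id": rule_id, "file": path,
                              "line": lineno, "value": m.group(0)}
                    # A URL pointing at the scanned repo's own owner is not a leak.
                    if rule_id == "github_repo_url" and m.group(1) == repo_owner:
                        record["reason"] = "self-referential repository URL"
                        suppressed.append(record)
                    else:
                        findings.append(record)
            for rule_id, value in _custom_hits(line, custom_patterns):
                findings.append({"rule_id": rule_id, "file": path,
                                 "line": lineno, "value": value})
    return {
        "status": "completed",
        "findings": findings,
        "suppressed": suppressed,
        "messages": [f"{len(findings)} finding(s), {len(suppressed)} suppressed"],
    }


# Constructed sample input (not from any real repo). The AWS key is the
# placeholder value used in AWS documentation.
SAMPLE_FILES = {
    "deploy/config.yaml": (
        "project_sa: build-runner@acme-pipelines-prod.iam.gserviceaccount.com\n"
        "aws_key: AKIAIOSFODNN7EXAMPLE\n"
        "repo: https://github.com/krisrowe/example-repo\n"
        "upstream: https://github.com/other-org/other-tool\n"
        "host: build-01.corp.example.com\n"
        "notes: see ACME-4521 before rotating\n"
    ),
}
# Hypothetical PERSON.md custom patterns: one glob, one regex.
SAMPLE_CUSTOM = [
    {"name": "internal_host", "glob": "*.corp.example.com"},
    {"name": "ticket_id", "regex": r"\bACME-\d{4,}\b"},
]

if __name__ == "__main__":
    print(json.dumps(scan_files(SAMPLE_FILES, "krisrowe", SAMPLE_CUSTOM), indent=2))
```

Run as-is it reports the service account, the AWS key, the foreign GitHub URL, the internal host and the ticket ID as findings, and lists the URL under the repo's own owner as suppressed rather than dropping it silently, so the later judgment pass can still see what was filtered.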

Cross-repo issues

Context files

  • .claude/CLAUDE.md was deleted — root CLAUDE.md with @ imports is the single source
  • FAQ in CONTRIBUTING.md may grow — consider moving to standalone FAQ.md

Agent design

  • Verify agent parses YAML frontmatter from PERSON.md (not old backtick format)
  • pre-publish-privacy-review skill dependency — does it resolve from ~/.claude/skills/ when invoked via --agent?

Additional issues from prior repo (#1-5)

These predate the privacy-guard work and cover broader plugin concerns:

  1. Dynamic PII dictionary: auto-discover names and identifiers (was #1) — Auto-discover PII from machine identity, git config, GitHub API, cloud config, contacts, financial accounts. Complements the static PERSON.md with runtime discovery.
  2. Commit approval UX: notifications, interactive gates, and toggle controls (was #2) — Push notifications for approval, interactive dialogue from hooks, reducing approval fatigue.
  3. Explore: product-design agent (was #3) — Combine branding, best-practices, feature-support, and dependency evaluation into a product design workflow agent.
  4. Native macOS approval dialogue from hooks (was #4) — osascript/AppleScript prompts for high-stakes git operations (commit, push, merge).
  5. Two-repo safety pipeline: private dev → public release (was #5) — Agent works freely in the private repo; squash-merged results are pushed to the public repo after human review.
