Add security tools (tirith, shellfirm) and JACKIN_ env prefix #22
Merged
Defines the approach for installing tirith and shellfirm in the construct image via multi-stage Docker build, wiring shell hooks and MCP servers, and renaming CLAUDE_ENV/CLAUDE_DEBUG to JACKIN_CLAUDE_ENV/JACKIN_DEBUG. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add versions.env approach for tracking tirith/shellfirm versions and the corresponding construct workflow changes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Eight tasks covering env var renames, multi-stage Docker build for tirith/shellfirm, shell hooks, MCP registration, CI workflow, and docs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…NV in docs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
70cb6ee to 35cddc0
donbeave added a commit that referenced this pull request on Apr 20, 2026
…-env-prefix Add security tools (tirith, shellfirm) and JACKIN_ env prefix
donbeave added a commit that referenced this pull request on Apr 21, 2026
…-env-prefix Add security tools (tirith, shellfirm) and JACKIN_ env prefix
donbeave added a commit that referenced this pull request on Apr 21, 2026
Add security tools (tirith, shellfirm) and JACKIN_ env prefix
donbeave added a commit that referenced this pull request on May 7, 2026
Add security tools (tirith, shellfirm) and JACKIN_ env prefix Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Codex <codex@openai.com>
donbeave added a commit that referenced this pull request on May 7, 2026
…ix (#22) Defines the approach for installing tirith and shellfirm in the construct image via multi-stage Docker build, wiring shell hooks and MCP servers, and renaming CLAUDE_ENV/CLAUDE_DEBUG to JACKIN_CLAUDE_ENV/JACKIN_DEBUG. Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
donbeave added a commit that referenced this pull request on May 7, 2026
Add versions.env approach for tracking tirith/shellfirm versions and the corresponding construct workflow changes. Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
donbeave added a commit that referenced this pull request on May 7, 2026
Eight tasks covering env var renames, multi-stage Docker build for tirith/shellfirm, shell hooks, MCP registration, CI workflow, and docs. Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
donbeave added a commit that referenced this pull request on May 7, 2026
Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
donbeave added a commit that referenced this pull request on May 7, 2026
…22) Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
Summary

- CLAUDE_ENV → JACKIN_CLAUDE_ENV and CLAUDE_DEBUG → JACKIN_DEBUG — all jackin-defined env vars now use the JACKIN_ prefix for clear namespacing
- rust:trixie builder), with shell hooks in .zshrc and MCP server registration in the entrypoint
- ENV JACKIN_DISABLE_TIRITH=1 / ENV JACKIN_DISABLE_SHELLFIRM=1
- docker/construct/versions.env, loaded by CI workflow as Docker build-args

Details

Why these tools? Claude Code runs with --dangerously-skip-permissions inside jackin containers. Tirith and shellfirm act as safety nets:

- rm -rf, git push --force, kubectl delete, terraform destroy)

Both provide shell hooks (defense-in-depth) and MCP servers (AI agent self-checking).

Design spec: docs/superpowers/specs/2026-04-08-security-tools-and-env-prefix-design.md

Test plan

- cargo fmt -- --check && cargo clippy && cargo nextest run — 213 tests pass, zero warnings
- CLAUDE_DEBUG or "CLAUDE_ENV" references in src/ or docker/
- load_agent_passes_debug_flag_when_enabled, entrypoint_registers_security_tool_mcp_servers, entrypoint_mcp_registration_respects_disable_guards
- --build-arg TIRITH_VERSION=0.2.12 --build-arg SHELLFIRM_VERSION=0.3.9 completes successfully
- tirith --version and shellfirm --version work inside built image

🤖 Generated with Claude Code
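
The summary above says the tool versions live in docker/construct/versions.env and reach the build as Docker build-args. The following is an added example, not code from this PR or the jackin repository: a POSIX shell function that turns such a file into --build-arg flags and rejects anything that is not an exact pin. The KEY=VALUE layout, the _VERSION key suffix and the N.N.N version shape are assumptions about the file format.

```shell
# Added example: turn a versions.env file into validated `docker build` arguments.
# Assumptions (not from the PR): one KEY=VALUE per line, '#' comments allowed,
# keys end in _VERSION, values are exact dotted versions such as 0.2.12.

# build_args_from_env FILE
# Prints one "--build-arg KEY=VALUE" per line. Prints nothing and returns 1 if
# any line is malformed, so a bad pin fails the job before docker is invoked.
build_args_from_env() (
  export LC_ALL=C                          # make [A-Z] mean ASCII only
  file=$1
  out=''
  n=0
  cr=$(printf '\r')
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    line=${line%"$cr"}                     # tolerate CRLF checkouts
    case $line in
      ''|'#'*) continue ;;                 # blank line or comment
      *=*) ;;
      *) echo "$file:$n: missing '='" >&2; return 1 ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    # Key must be an upper-case identifier ending in _VERSION.
    case $key in
      *[!A-Z0-9_]*|[!A-Z]*) echo "$file:$n: bad key '$key'" >&2; return 1 ;;
      *_VERSION) ;;
      *) echo "$file:$n: unexpected key '$key'" >&2; return 1 ;;
    esac
    # Value must be exactly N.N.N: rejects 'latest', ranges, quotes, spaces
    # and shell metacharacters that would otherwise reach the build command.
    if ! printf '%s\n' "$value" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
      echo "$file:$n: $key is not pinned to an exact version" >&2
      return 1
    fi
    out="$out--build-arg $key=$value
"
  done < "$file"
  printf '%s' "$out"
)
```

In a CI step, capture the output first (`args=$(build_args_from_env docker/construct/versions.env) || exit 1`) so a rejected file stops the job before `docker build` runs.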