一键导入
auto-support
Answer product Discord questions from public docs only; fail-closed leak guards; escalate the unsure to founders.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Answer product Discord questions from public docs only; fail-closed leak guards; escalate the unsure to founders.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | auto-support |
| description | Answer product Discord questions from public docs only; fail-closed leak guards; escalate the unsure to founders. |
Governing principle (full text in
PHILOSOPHY.md): a support bot's first job is to keep secrets in, not to answer. A guard written into this file is a suggestion the model can ignore; the only guards that hold are the deterministic checks inscripts/and thepermissions.deny+PreToolUsehook. Read those as the contract, not these words.
Use when answering a product's Discord users from that product's public docs, with a hard red line: never disclose source, algorithms, credentials, PII, or anything outside the public allowlist. When unsure, in doubt, or out of scope -> do not answer; escalate to the founder.
auto-support-config, not this skill.This skill is a plugin deployed into a product root's .claude/. Its guarantees come from
four deterministic layers, not from instructions:
templates/settings.json.template -> permissions.deny (Read/Bash on secret paths, all
write/network tools) + wires the hook.scripts/pretooluse_hook.py -> fail-closed PreToolUse enforcement (exit 2). Covers the
subprocess gap permissions.deny misses (python open('.env'), cat .env).scripts/guardrails.py -> the leak/injection engine (path boundary, secret+PII detection,
injection/social-engineering detection, spotlighting). Pure stdlib, no LLM, no network.scripts/egress_dlp.py -> the last gate: structured-output + DLP + canary fields + citation
integrity before anything is shown.If layers 1 to 2 are not deployed, this skill is not safe, it is a draft generator only.
scripts/answer_pipeline.py runs this; each gate's only failure mode is to abstain/escalate.
| Gate | Script | What it does | Fail-closed action |
|---|---|---|---|
| 0/1 entry | guardrails.detect_injection + intent | spotlight untrusted input; classify intent; catch injection/social-engineering | injection/unclear -> escalate; chitchat/off-topic -> cancel |
| 2 retrieval | retrieval.py | search allowlist only; secret-scrub every snippet; drop indirect-injection lines | empty -> abstain + escalate (never answer from memory) |
| 3 grounding | grounding.py | retrieval-confidence × faithfulness, both independent | below threshold -> abstain + escalate |
| 4 egress | egress_dlp.py | structured schema + secret/PII/exfil DLP + canary fields + citation-in-allowlist | any hit -> block, neutral refusal, escalate |
Passing all four yields a draft -> founder review channel -> human approve -> sent.
MVP is draft_human_review / relay_only; auto-post is never enabled until the red-team
suite (tests/) passes on the real product (see reference/redteam.md).
State + escalation reuse the bases, never reinvented:
scripts/reminder_bridge.py -> schedule-reminder (source=auto-support, ext x_auto_support_*,
idempotency auto-support:discord:<msg_id>). PII is redacted before persisting.scripts/escalate.py -> founder relay with SRE-style dedup/cooldown/severity routing.This SKILL.md is the only always-loaded file. Load one shard on demand:
reference/security-model.md (the four gates + why guards live outside the prompt) ·
reference/discord.md (min-intent listener, trigger gate, human-review reply) ·
reference/escalation.md (relay + dedup) · reference/config-schema.md (per-product policy) ·
reference/redteam.md (canary gate, AFR=100% / SCR, run before any auto-post).