?

Overview

Once a week at Sunday 07:00 UK, rousseau runs govulncheck, npm audit, and a grep pass for common secret patterns across every repository under the workspace mount. It produces a digest and delivers it as a Signal message. Signal is chosen because the audit report should stay end-to-end encrypted in transit.

Prerequisites

  • Signal transport working (rousseau signal --account +… completes handshake).
  • govulncheck and npm installed in the container image.
  • A workspace mount containing your repos.

Config

provider: claudecli

agent:
  approver:
    mode: pattern
    default: deny
    allow:
      - {tool: read, match: ".*"}
      - {tool: grep, match: ".*"}
      - {tool: bash, match: "^(govulncheck ./...|npm audit --json|rg --hidden -e 'AWS_SECRET_ACCESS_KEY|-----BEGIN [A-Z]+ PRIVATE KEY-----|sk-[a-zA-Z0-9-]+' /workspace)"}
    deny:
      - {tool: bash, match: "rm |sudo|git push"}

signal:
  account: "+447900123456"
  allowlist:
    - "+447900222222"

The bash allow list is deliberately narrow — the exact commands the audit needs, no more.

Register the cron job

rousseau cron add \
  --name weekly-security-audit \
  --schedule '0 7 * * SUN' \
  --prompt 'For every repo under /workspace: (1) run govulncheck if it is a Go module, (2) run npm audit --json if package.json exists, (3) rg for common secret patterns. Summarise: total findings, top 5 by severity, any secret hits (with file:line). Under 1500 chars.' \
  --deliver-to '+447900123456'

rousseau cron list

Launch

rousseau signal --account +447900123456 --allow +447900222222

The scheduler starts inside the signal daemon.

Verification

  • Trigger the prompt manually via rousseau chat and confirm the tool calls run in the expected order.
  • Wait for the next Sunday fire, or temporarily set --schedule '*/5 * * * *' to smoke-test.
  • A Signal message lands at +447900222222.

Failure modes

  • govulncheck: command not found — install go install golang.org/x/vuln/cmd/govulncheck@latest inside the container image.
  • npm audit slow or hangs on private registries — pin the registry URL with npm config set registry in the image build.
  • False positives in secret grep — refine the regex to your project's key formats, and consider truffleHog as a heavier alternative.

Related pages

Type to search 150+ pages. Ranking: BM25 with title/description boost.