gflow-cli 0.6.0a4__tar.gz → 0.7.0__tar.gz

{gflow_cli-0.6.0a4 → gflow_cli-0.7.0}/.claude/README.md

@@ -10,7 +10,12 @@ This directory holds **internal maintainer workflows** that are bundled with the
 .claude/
 ├── README.md              ← this file
 └── commands/              ← repo-local slash commands
-    └── release.md         ← `/release` — automates the version-bump + tag + push flow
+    └── gflow/             ← `/gflow:*` namespace (avoids collision with built-ins)
+        ├── check.md       ← `/gflow:check` — hygiene + ruff + pyright + pytest
+        ├── plan.md        ← `/gflow:plan` — show active phase / superpowers plan
+        ├── known-issues.md← `/gflow:known-issues` — open/mitigated items
+        ├── changelog.md   ← `/gflow:changelog` — [Unreleased] + last tagged
+        └── release.md     ← `/gflow:release` — full release flow (signed tags)
 ```
 
 Optional additions when needed:
@@ -25,9 +30,9 @@ Optional additions when needed:
 
 ## Adding a slash command
 
-Drop a Markdown file into `commands/`. Filename (without `.md`) becomes the command name. The first paragraph is the description Claude shows in `/help`. The rest is the prompt the agent executes.
+Drop a Markdown file into `commands/gflow/` to add a `/gflow:<name>` command. Filename (without `.md`) becomes the command name. The first paragraph is the description Claude shows in `/help`. The rest is the prompt the agent executes. **Use the `gflow/` subdirectory** so commands stay namespaced and don't collide with Claude Code built-ins or user-global commands.
 
-Example: `commands/foo.md` → invoked as `/foo`.
+Example: `commands/gflow/foo.md` → invoked as `/gflow:foo`.
 
 ## Adding an internal skill
 

gflow_cli-0.7.0/.claude/commands/gflow/changelog.md

@@ -0,0 +1,21 @@
+---
+description: Show unreleased changes and last tagged version — insight into recent work.
+---
+
+# `/gflow:changelog` — Recent changes
+
+Read CHANGELOG.md and surface what's queued and what recently shipped.
+
+## Steps
+
+1. Read [CHANGELOG.md](../../../CHANGELOG.md)
+2. Return:
+   - All entries under `## [Unreleased]` (empty = nothing queued yet)
+   - The most recent versioned section (last tagged release) for comparison
+3. One-line summary: "X features, Y fixes queued since vZ."
+
+## When to call
+
+- Before cutting a release (called automatically by `/gflow:release` as its first step)
+- When you need a quick picture of recent work without opening the file
+- When writing a commit message and unsure if a change is user-visible enough to log

gflow_cli-0.7.0/.claude/commands/gflow/check.md

@@ -0,0 +1,48 @@
+---
+description: Auto-fix lint and formatting, then report types and tests. Run before every commit.
+---
+
+# `/gflow:check` — Quality gates
+
+Run in order. Stop and report if a step fails after the fix pass.
+
+## Steps
+
+**1. Repo hygiene** (read-only — checks tmp/ output rule, secret files, etc.)
+
+```bash
+PYTHONUTF8=1 uv run python scripts/ci/check_repo_hygiene.py
+```
+
+**2. Auto-fix lint and formatting** (rewrites files in place)
+
+```bash
+uv run ruff check --fix src tests
+uv run ruff format src tests
+```
+
+Report which files were modified. Do NOT stage or commit — leave the diff for review.
+
+**3. Type check** (report only — cannot auto-fix)
+
+```bash
+uv run pyright src
+```
+
+**4. Tests + coverage** (report only)
+
+```bash
+uv run pytest -q --cov=gflow_cli --cov-fail-under=80
+```
+
+## Output
+
+- List files changed by the fix pass (empty = nothing needed fixing)
+- All pyright errors with `file:line` references
+- Pytest summary line and coverage percentage
+- Final verdict: all gates pass / which gates failed
+
+## Notes
+
+Ruff fix and format may rewrite multiple files. Always `git diff` before staging.
+Pyright errors and test failures require manual intervention — do not attempt silent workarounds.

gflow_cli-0.7.0/.claude/commands/gflow/known-issues.md

@@ -0,0 +1,20 @@
+---
+description: Surface open known issues. Call before touching auth, reCAPTCHA, or anything previously flagged.
+---
+
+# `/gflow:known-issues` — Open issues
+
+Read KNOWN_ISSUES.md and return items that are still open or mitigated (not resolved).
+
+## Steps
+
+1. Read [KNOWN_ISSUES.md](../../../KNOWN_ISSUES.md)
+2. Return only items with status **open** or **mitigated**
+3. Flag any that are relevant to the current task context
+
+## When to call
+
+- Before touching `src/gflow_cli/auth.py`
+- Before touching `src/gflow_cli/api/recaptcha.py`
+- Before any work the user flags as "this felt flaky before"
+- When a test or behaviour feels unexpectedly broken

gflow_cli-0.7.0/.claude/commands/gflow/plan.md

@@ -0,0 +1,39 @@
+---
+description: Show the active plan — next task if a superpowers plan is running, current phase otherwise.
+---
+
+# `/gflow:plan` — Active plan
+
+## Steps
+
+**1. Check conversation context.**
+
+Has the user mentioned a specific feature or invoked the write-plan skill in this session?
+If yes, note the feature name (e.g. `shell-multi-prompt`, `image-mvp`, `phase-4-hardening`).
+
+**2. Run the discovery script.**
+
+With a feature name identified in step 1:
+```bash
+uv run python scripts/dev/active_plan.py --feature <feature-name>
+```
+
+Without a feature name (uses most-recent superpowers plan, falls back to PLAN.md):
+```bash
+uv run python scripts/dev/active_plan.py
+```
+
+**3. Return the output verbatim.**
+
+The script already filters to the relevant block. Do not read additional files.
+
+## What the script returns
+
+- **Superpowers plan active:** file path, title, goal, progress (X/N steps), and the next unchecked task block
+- **No superpowers plan:** the first incomplete phase from `PLAN.md` (scope, sequence, definition of done)
+
+## When to call
+
+- When starting a task and unsure what's in scope
+- When the user asks "what are we working on?" or "what's next?"
+- Before adding a feature, to check it belongs to the current scope

gflow_cli-0.7.0/.claude/commands/gflow/release.md

@@ -0,0 +1,118 @@
+---
+description: Cut a new gflow-cli release — bump version, update CHANGELOG, tag, push.
+---
+
+# `/gflow:release` — Cut a new release
+
+Follow this sequence verbatim. Every step matters.
+
+## Inputs
+
+Ask the user (if not already provided):
+1. **Version** — the new version (e.g. `0.4.0`, `0.4.0a3`, `1.0.0rc1`). Use PEP 440 prerelease suffixes (`aN`, `bN`, `rcN`). If they don't know, run `/gflow:changelog` first and propose the next bump (PATCH for fixes only, MINOR for new features, MAJOR for breaks).
+2. **Pre-release?** — prerelease versions should stay marked as GitHub prereleases. Only the user can say when a release line is ready for the stable tag.
+
+## Sequence
+
+**1. Review what's queued.**
+
+Run `/gflow:changelog` — confirm the `[Unreleased]` block is non-empty and accurate before proceeding.
+
+**2. Verify clean working tree.**
+
+```bash
+git status --short
+```
+
+Must be empty. If not, abort and tell the user to commit or stash first.
+
+**3. Verify on `main`, up-to-date with `origin/main`.**
+
+```bash
+git rev-parse --abbrev-ref HEAD     # must be "main"
+git fetch origin
+git rev-list HEAD..origin/main      # must be empty
+```
+
+**4. Run quality gates.**
+
+Run `/gflow:check` — all gates must pass. Abort if any fail.
+
+**5. Bump version** in `pyproject.toml`:
+
+```toml
+[project]
+version = "<NEW_VERSION>"
+```
+
+**6. Bump package version** in `src/gflow_cli/__init__.py`:
+
+```python
+__version__ = "<NEW_VERSION>"
+```
+
+**7. Update version assertion tests** if present:
+
+```bash
+rg -n "__version__|<OLD_VERSION>|version assertion" tests src pyproject.toml
+```
+
+**8. Migrate CHANGELOG.**
+
+- Move all entries under `## [Unreleased]` to a new `## [<NEW_VERSION>] — YYYY-MM-DD` section.
+- Leave `## [Unreleased]` empty.
+- Update the link footer:
+  ```
+  [Unreleased]: https://github.com/ffroliva/gflow-cli/compare/v<NEW_VERSION>...HEAD
+  [<NEW_VERSION>]: https://github.com/ffroliva/gflow-cli/releases/tag/v<NEW_VERSION>
+  ```
+
+**9. Review commands for staleness.**
+
+Scan `.claude/commands/gflow/` — check if any command references a phase, file path, or behaviour that the release changes. Update in the same commit if so.
+
+**10. Commit the release prep.**
+
+```bash
+git add pyproject.toml src/gflow_cli/__init__.py CHANGELOG.md tests
+git commit -m "chore(release): v<NEW_VERSION>"
+```
+
+**11. Tag.** Use `-s` for a signed annotated tag so GitHub shows the **"Verified"** badge AND `.github/workflows/release.yml` passes the signed-tag gate (lightweight or unsigned tags are rejected).
+
+```bash
+git tag -s v<NEW_VERSION> -m "v<NEW_VERSION>"
+```
+
+Requires a GPG or SSH signing key registered in your GitHub account settings.
+Run `git config --global user.signingkey` to confirm a key is set.
+If signing is not available in the current environment, create the tag on
+your local machine and push it: `git push origin v<NEW_VERSION>`.
+
+**12. Push commit + tag.**
+
+```bash
+git push origin main
+git push origin v<NEW_VERSION>
+```
+
+**13. Report.**
+
+Tell the user:
+- The pushed tag triggers `.github/workflows/release.yml`.
+- Watch <https://github.com/ffroliva/gflow-cli/actions> for the release workflow.
+- On success: PyPI publish + GitHub Release with auto-generated notes.
+- On failure (most common: PyPI Trusted Publishing not yet configured): point to <https://pypi.org/manage/account/publishing/>.
+
+## Critical reminders
+
+- **NEVER** add `Co-Authored-By: Claude` (or any AI co-author) to the release commit.
+- **NEVER** force-push a release tag once it's on GitHub. Ship a PATCH fix instead.
+- **NEVER** `--no-verify` past hooks. Fix the underlying issue.
+- If quality gates fail at step 4, **STOP**. Surface the failures to the user.
+
+## See also
+
+- [RELEASE.md](../../../RELEASE.md) — full release protocol, prerelease policy, and checklist
+- [README § Releases](../../../README.md#releases) — release policy and cadence
+- [PLAN § Phase 5](../../../PLAN.md#phase-5--public-alpha-release-on-pypi) — first-release exit criteria

gflow_cli-0.7.0/.github/CODEOWNERS

@@ -0,0 +1,23 @@
+# CODEOWNERS — https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+#
+# These owners are automatically requested for review on every PR that touches
+# the matched paths. Ownership does not prevent external contributors from
+# opening PRs — it ensures a maintainer is always in the review loop.
+
+# Global fallback — everything not matched below
+*                       @ffroliva
+
+# Core source
+/src/                   @ffroliva
+
+# CI and security gates — changes here require extra care
+/.github/               @ffroliva
+/scripts/ci/            @ffroliva
+/.pre-commit-config.yaml @ffroliva
+/.gitleaks.toml         @ffroliva
+/.secrets.baseline      @ffroliva
+/.gitignore             @ffroliva
+
+# Auth handling — sensitive, never bypass review
+/src/gflow_cli/auth.py  @ffroliva
+/src/gflow_cli/auth/    @ffroliva

gflow_cli-0.7.0/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,20 @@
+## Summary
+
+<!-- What changed and why? Link issues with "Fixes #123" when applicable. -->
+
+## Validation
+
+<!-- List the focused commands you ran, plus any checks you could not run. -->
+
+- [ ] Focused tests added or updated for behavior changes
+- [ ] `uv run ruff check src tests`
+- [ ] `uv run pyright src`
+- [ ] Relevant pytest command:
+
+## Contribution Checklist
+
+- [ ] This PR targets `develop`, unless it is a release or emergency fix
+- [ ] My commits use my real Git identity or GitHub noreply email
+- [ ] External contribution commits include `Signed-off-by:` (`git commit -s`)
+- [ ] I did not include secrets, cookies, account tokens, signed URLs, or private captured data
+- [ ] I reviewed any AI-assisted changes before submitting

gflow_cli-0.7.0/.github/copilot-instructions.md

@@ -0,0 +1,24 @@
+# Copilot Code Review Instructions
+
+Review this repository as a Python CLI that automates browser-authenticated
+Google Flow workflows. Treat auth, browser automation, CI, release, and secret
+handling changes as high-risk even when the diff is small.
+
+For pull request reviews:
+
+- Check that PRs target `develop`, unless they are release PRs.
+- Flag unclear contributor provenance, missing DCO sign-off, placeholder author
+  emails, and any copied private data.
+- Look for leaked tokens, cookies, signed URLs, local profile paths, and captured
+  Google/Flow request data.
+- For auth/browser changes, check that the implementation preserves profile
+  isolation, does not weaken local path boundaries, and avoids remote debugging
+  unless explicitly documented.
+- For CI changes, check forked-PR secret behavior and avoid recommending
+  `pull_request_target` for jobs that checkout or execute contributor code.
+- For behavior changes, expect focused tests and docs/changelog updates.
+- Keep findings concrete: reference files/lines, explain the user-visible risk,
+  and separate blocking issues from cosmetic suggestions.
+
+Do not approve pull requests. Copilot review is advisory; maintainer approval is
+still required.

gflow_cli-0.7.0/.github/dependabot.yml

@@ -0,0 +1,34 @@
+# Dependabot configuration
+# Docs: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  # Python dependencies (pip/uv — Dependabot reads pyproject.toml)
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "Europe/Lisbon"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "python"
+    ignore:
+      # Playwright has its own browser download step; pin manually.
+      - dependency-name: "playwright"
+        update-types: ["version-update:semver-major"]
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "Europe/Lisbon"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "github-actions"

gflow_cli-0.7.0/.github/workflows/ci.yml

@@ -0,0 +1,104 @@
+name: CI
+
+on:
+  push:
+    branches: [develop, main]
+  pull_request:
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  # ── Security gate: runs first, on every push/PR, never skippable ──────────
+  secrets-scan:
+    name: Secret scan (gitleaks)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0  # full history so gitleaks can diff against base
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # ── Main test matrix ──────────────────────────────────────────────────────
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Set up Python
+        run: uv python install ${{ matrix.python-version }}
+
+      - name: Install deps
+        run: uv sync --extra dev
+
+      - name: Repo hygiene (no artefacts, no hardcoded paths)
+        run: uv run python scripts/ci/check_repo_hygiene.py
+
+      - name: Lint
+        run: uv run ruff check src tests
+
+      - name: Format check
+        run: uv run ruff format --check src tests
+
+      - name: Type check
+        run: uv run pyright src
+
+      - name: Test (smoke only) + coverage
+        # e2e tests (tests/e2e/) require a logged-in Chromium profile
+        # and live Flow auth — never runnable in CI. They self-mark with
+        # `pytestmark = pytest.mark.e2e` (file-level) and are opt-in via
+        # `-m e2e` per their module docstring. `live` marker is reserved for
+        # `GFLOW_LIVE=1` tests that hit the real Flow API. Both are excluded
+        # from the default smoke run; `tests/smoke/test_real_flow.py` already
+        # self-skips via `pytest.mark.skipif(GFLOW_E2E != "1")`.
+        run: uv run python -m pytest -q -m "not e2e and not live" --cov=gflow_cli --cov-report=xml
+
+      # Upload coverage XML so the sonar job can consume it
+      - name: Upload coverage report
+        if: matrix.python-version == '3.11'
+        uses: actions/upload-artifact@v7
+        with:
+          name: coverage-xml
+          path: coverage.xml
+          retention-days: 1
+
+  # ── SonarCloud analysis ───────────────────────────────────────────────────
+  sonar:
+    name: SonarCloud analysis
+    runs-on: ubuntu-latest
+    needs: test   # wait for tests + coverage report
+    # Forked pull_request runs do not receive repository secrets, so SONAR_TOKEN
+    # is empty there and the scanner fails before analysis. Keep SonarCloud on
+    # trusted pushes/internal PRs where the token is available.
+    if: >
+      always() &&
+      (
+        github.event_name != 'pull_request' ||
+        github.event.pull_request.head.repo.full_name == github.repository
+      )
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0  # shallow clones break blame / new-code detection
+
+      - name: Download coverage report
+        uses: actions/download-artifact@v8
+        with:
+          name: coverage-xml
+        continue-on-error: true  # graceful if coverage upload was skipped
+
+      - name: SonarCloud scan
+        uses: SonarSource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # PR decoration
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}    # set in repo → Settings → Secrets

gflow_cli-0.7.0/.github/workflows/external-pr-triage.yml

@@ -0,0 +1,126 @@
+name: External PR Triage
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize, ready_for_review, edited]
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
+jobs:
+  triage:
+    name: Label and route external PRs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Triage external pull request
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+            if (!pr) {
+              core.info("No pull request payload; nothing to do.");
+              return;
+            }
+
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const issue_number = pr.number;
+            const isBot = pr.user?.type === "Bot";
+            const trustedAssociations = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);
+            const isFork = pr.head.repo.full_name !== pr.base.repo.full_name;
+            const isExternal = isFork || !trustedAssociations.has(pr.author_association);
+
+            if (isBot) {
+              core.info("Bot PR; skipping human external-contribution triage.");
+              return;
+            }
+
+            if (!isExternal) {
+              core.info("PR is not external; skipping external triage.");
+              return;
+            }
+
+            const labels = [
+              {
+                name: "external-contribution",
+                color: "0e8a16",
+                description: "Pull request from a non-maintainer or fork",
+              },
+              {
+                name: "needs-maintainer-review",
+                color: "fbca04",
+                description: "Requires maintainer review before merge",
+              },
+              {
+                name: "needs-copilot-review",
+                color: "5319e7",
+                description: "Ask GitHub Copilot for advisory code review",
+              },
+            ];
+
+            for (const label of labels) {
+              try {
+                await github.rest.issues.createLabel({ owner, repo, ...label });
+              } catch (error) {
+                if (error.status !== 422) {
+                  throw error;
+                }
+              }
+            }
+
+            await github.rest.issues.addLabels({
+              owner,
+              repo,
+              issue_number,
+              labels: labels.map((label) => label.name),
+            });
+
+            try {
+              await github.rest.pulls.requestReviewers({
+                owner,
+                repo,
+                pull_number: issue_number,
+                reviewers: ["ffroliva"],
+              });
+            } catch (error) {
+              core.warning(`Could not request maintainer review: ${error.message}`);
+            }
+
+            const marker = "<!-- gflow-cli-external-pr-triage -->";
+            const body = `${marker}
+            Thanks for the contribution. This PR has been marked as an external contribution and routed for maintainer review.
+
+            Before merge, please make sure:
+
+            - The PR targets \`develop\`.
+            - Commits use a real Git identity or GitHub noreply email.
+            - External commits include a DCO sign-off: \`git commit -s\`.
+            - The PR does not include secrets, cookies, account tokens, signed URLs, or private captured data.
+            - Focused tests/docs are included for behavior changes.
+
+            GitHub Copilot code review may be requested as an advisory first pass, but maintainer approval is still required.`;
+
+            const comments = await github.paginate(github.rest.issues.listComments, {
+              owner,
+              repo,
+              issue_number,
+              per_page: 100,
+            });
+            const existing = comments.find((comment) => comment.body?.includes(marker));
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner,
+                repo,
+                comment_id: existing.id,
+                body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner,
+                repo,
+                issue_number,
+                body,
+              });
+            }

{gflow_cli-0.6.0a4 → gflow_cli-0.7.0}/.github/workflows/release.yml

@@ -18,16 +18,31 @@ jobs:
     env:
       FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v3
+        uses: astral-sh/setup-uv@v7
 
       - name: Set up Python
         run: uv python install 3.12
 
+      - name: Verify tag is signed
+        run: |
+          TAG=${GITHUB_REF_NAME}
+          # Lightweight tags resolve directly to a commit, not a tag object.
+          TYPE=$(git cat-file -t "$TAG")
+          if [ "$TYPE" != "tag" ]; then
+            echo "::error::$TAG is a lightweight tag. Use 'git tag -s' to create a signed annotated tag."
+            exit 1
+          fi
+          # Annotated but unsigned tags have no signature header in the object.
+          if ! git cat-file -p "$TAG" | grep -qE "BEGIN (PGP|SSH) SIGNATURE"; then
+            echo "::error::$TAG is not signed. Use 'git tag -s' when cutting releases."
+            exit 1
+          fi
+
       - name: Verify tag matches pyproject version
         run: |
           TAG=${GITHUB_REF_NAME#v}
@@ -46,7 +61,7 @@ jobs:
         # Configure once at https://pypi.org/manage/account/publishing/
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           generate_release_notes: true
           files: dist/*

{gflow_cli-0.6.0a4 → gflow_cli-0.7.0}/.gitignore

@@ -43,12 +43,25 @@ secrets.json           # generic secrets file
 # Generated outputs
 out/
 tmp/
+gflow-output/
 *.mp4
 *.png
+*.jpg
+*.jpeg
 !docs/**/*.png         # docs images are OK
 !tests/fixtures/**/*.png
+!test_assets/fixtures/**/*.jpg
+!test_assets/fixtures/**/*.jpeg
 samples/*.captured.json # sandbox-recorded API exchanges may contain PII
 
+# CDP browser session lock files (contain PID, port, profile name)
+.gflow-cdp.lock
+**/.gflow-cdp.lock
+
+# Runtime artefact dirs written by smoke/debug scripts — belong under tmp/ only
+test_assets/smoke_*/
+test_assets/debug_*/
+
 # Live Flow traffic captures — NEVER commit (contain real Bearer tokens / API keys).
 # Diagnostic scripts MUST default-write here, NOT to samples/captured/.
 # Sanitised reference samples (no secrets) can still live under samples/captured/.