feat: add pii-bouncer skill #170

Draft
joethreepwood wants to merge 1 commit into main from pii-bouncer-skill

@joethreepwood

Summary

The context-mill skill ("cartridge") for the wizard's PII Bouncer program — companion to PostHog/wizard#510. The wizard side is pure engine; this is the packaged-English methodology it loads at runtime.

pii-bouncer is a docs-only remediation skill that hardens a frontend against PII leaking into session replay and autocapture:

  • adds the ph-no-capture class to sensitive elements (the replay-masking mechanism — distinct from the data-ph-no-capture autocapture attribute)
  • tightens session_recording mask config: adds maskTextSelector for sensitive text (not masked by default) and confirms maskAllInputs isn't disabled (it defaults to true, so inputs are already masked — the skill doesn't restate that)
  • writes posthog-pii-bouncer-report.md (elements masked + why, init changes, reviewed-but-skipped, manual follow-ups)

Design

  • type: docs-only, single variant id: all → skill id pii-bouncer (matches the wizard's skillId).
  • shared_docs pulls in session-replay/privacy.md + libraries/js/config.md, bundled as references/ so the agent uses the authoritative option names and defaults instead of guessing.
  • Emits the [ABORT] signals the wizard routes verbatim: no-posthog-js, no-init-call, no-frontend-templates.
  • Conservative heuristic (type / autocomplete / name·id / label / placeholder / rendered text); bias toward masking. Idempotent — a second run is a no-op.

This is complementary to the new warlock PII rules: warlock stops PII being sent as event properties; this skill stops PII being recorded in the DOM.

Test plan

  • pnpm build produces dist/skills/pii-bouncer.zip containing SKILL.md + references/{privacy,config}.md
  • pii-bouncer appears in skill-menu.json
  • pnpm dev serves it at http://localhost:8765; the wizard (localMcp) resolves + downloads it
  • Manual e2e (reviewer): run the wizard's pii-bouncer against a workbench app and confirm the masking edits + report

🤖 Generated with Claude Code

The instructions for the wizard's PII Bouncer program (PostHog/wizard#510).
A docs-only remediation skill that hardens a frontend against PII leaking
into session replay and autocapture:

- adds the `ph-no-capture` class to sensitive elements
- tightens session_recording mask config (maskTextSelector; confirms
  maskAllInputs is not disabled — it defaults to true)
- writes posthog-pii-bouncer-report.md

shared_docs inlines the authoritative privacy + js/config docs as
references/ so the agent uses real option names, not guesses. Emits the
[ABORT] signals the wizard program routes (no-posthog-js / no-init-call /
no-frontend-templates).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
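
The masking heuristic and idempotency described in the PR summary, sketched as an added example (not part of the PR or the skill, which is docs-only). The keyword patterns, the plain-object element shape and the helper names are assumptions; `ph-no-capture`, `maskAllInputs` and `maskTextSelector` are the names the PR gives.

```javascript
// Added illustration: patterns, element shape and helper names are assumptions.
const MASK_CLASS = 'ph-no-capture'; // replay-masking class named in the PR
const SENSITIVE_TYPES = new Set(['password', 'email', 'tel']);
const SENSITIVE_AUTOCOMPLETE = /^(cc-|email|tel|name$|given-name|family-name|street-address|postal-code|bday)/;
const SENSITIVE_WORDS = /(ssn|passport|card.?number|cvv|iban|date.?of.?birth|phone|e-?mail|address|full.?name)/i;

// First signal that marks an element as sensitive, or null if none fires.
function sensitiveReason(el) {
  if (SENSITIVE_TYPES.has((el.type || '').toLowerCase())) return `type=${el.type}`;
  if (SENSITIVE_AUTOCOMPLETE.test((el.autocomplete || '').toLowerCase())) {
    return `autocomplete=${el.autocomplete}`;
  }
  for (const field of ['name', 'id', 'label', 'placeholder', 'text']) {
    if (el[field] && SENSITIVE_WORDS.test(el[field])) return `${field} matches "${el[field]}"`;
  }
  return null;
}

// Adds the mask class at most once and returns one report row per element.
function maskElement(el) {
  const reason = sensitiveReason(el);
  if (!reason) return { id: el.id, action: 'skipped', reason: 'no sensitive signal' };
  const classes = (el.className || '').split(/\s+/).filter(Boolean);
  if (classes.includes(MASK_CLASS)) return { id: el.id, action: 'already-masked', reason };
  el.className = [...classes, MASK_CLASS].join(' ');
  return { id: el.id, action: 'masked', reason };
}

// Reviews a session_recording config object for the two points the PR lists.
function auditRecordingConfig(cfg = {}) {
  const findings = [];
  if (cfg.maskAllInputs === false) findings.push('maskAllInputs is disabled (it defaults to true)');
  if (!cfg.maskTextSelector) findings.push('maskTextSelector is unset; text is not masked by default');
  return findings;
}

const runBouncer = (elements) => elements.map(maskElement);

// Constructed sample elements, standing in for parsed template markup.
const SAMPLE_ELEMENTS = [
  { id: 'card', type: 'text', name: 'cardNumber', className: 'input' },
  { id: 'f1', type: 'text', autocomplete: 'cc-exp', className: '' },
  { id: 'greeting', label: 'Account email', text: 'Signed in as jane@example.test', className: 'muted' },
  { id: 'search', type: 'search', placeholder: 'Search products', className: 'input' },
];

console.log(runBouncer(SAMPLE_ELEMENTS.map((e) => ({ ...e }))));
console.log(auditRecordingConfig({ maskAllInputs: false }));
```
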
@github-actions

github-actions Bot commented Jun 5, 2026

🧙 Wizard CI

Run the Wizard CI and test your changes against wizard-workbench example apps by replying with a GitHub comment using one of the following commands:

Test all apps:

  • /wizard-ci all

Test all apps in a directory:

  • /wizard-ci basic-integration
  • /wizard-ci error-tracking-upload-source-maps
  • /wizard-ci misc
  • /wizard-ci revenue

Test an individual app:

  • /wizard-ci basic-integration/android
  • /wizard-ci basic-integration/angular
  • /wizard-ci basic-integration/astro
  • /wizard-ci basic-integration/django
  • /wizard-ci basic-integration/fastapi
  • /wizard-ci basic-integration/flask
  • /wizard-ci basic-integration/javascript-node
  • /wizard-ci basic-integration/javascript-web
  • /wizard-ci basic-integration/laravel
  • /wizard-ci basic-integration/next-js
  • /wizard-ci basic-integration/nuxt
  • /wizard-ci basic-integration/python
  • /wizard-ci basic-integration/rails
  • /wizard-ci basic-integration/react-native
  • /wizard-ci basic-integration/react-router
  • /wizard-ci basic-integration/sveltekit
  • /wizard-ci basic-integration/swift
  • /wizard-ci basic-integration/tanstack-router
  • /wizard-ci basic-integration/tanstack-start
  • /wizard-ci basic-integration/vue
  • /wizard-ci error-tracking-upload-source-maps/android
  • /wizard-ci error-tracking-upload-source-maps/flutter
  • /wizard-ci error-tracking-upload-source-maps/ios
  • /wizard-ci error-tracking-upload-source-maps/next
  • /wizard-ci error-tracking-upload-source-maps/next-no-posthog
  • /wizard-ci error-tracking-upload-source-maps/node-raw
  • /wizard-ci error-tracking-upload-source-maps/node-rollup
  • /wizard-ci error-tracking-upload-source-maps/node-rollup-typescript-plugin
  • /wizard-ci error-tracking-upload-source-maps/node-webpack
  • /wizard-ci error-tracking-upload-source-maps/nuxt-3-6
  • /wizard-ci error-tracking-upload-source-maps/nuxt-4-3
  • /wizard-ci error-tracking-upload-source-maps/react-native
  • /wizard-ci error-tracking-upload-source-maps/react-vite
  • /wizard-ci error-tracking-upload-source-maps/rust
  • /wizard-ci misc/quack-quack
  • /wizard-ci revenue/stripe

Results will be posted here when complete.

@edwinyjlim
Member

edwinyjlim commented Jun 5, 2026

@joethreepwood this is a perfectly constructed context mill skill 👏

i don't even have to read it. you can tell just by the shape and how you're stitching posthog docs as a reference with your skill instructions
