18 scenarios that verify the security script's rules still
trip on every tripwire — PATs, AWS keys, PEM headers, env
files, allowlist exempts, confidentiality terms, marketing
phrases, .security-allow exclusion, plus message-mode
(Conventional Commits, DCO, Claude trailer, banned phrases).
Wired into the security workflow as a second-line gate after
the diff-based check. Catches the refactor-weakens-a-rule
class of regression: the diff scan can be green while a rule
silently no-ops; the harness fails loudly when that happens.
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
Runs `tools/security/check-staged.sh ci` on every push to main
and every PR. Same script as the local pre-commit hook so the gate
is identical whether or not a contributor activated the local
hook via `bash tools/install-hooks.sh`. No Flutter / Dart toolchain
needed in the runner — the check is plain bash + git.
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>