ci(hooks): pre-commit security check (mirror of fai/platform)
Mirrors the hook + script from `fai/platform`@1ebf893 verbatim so commits to fai_studio go through the same gate: secrets, forbidden filenames, confidentiality references, marketing- speak, DCO sign-off, Conventional Commits subject, no Claude co-author trailer. A `.security-allow` file at the repo root extends the script's universal excludes with three Studio-specific paths whose content legitimately includes the filtered terms — the Today-Hero proposal pipeline (LLM prompt + accept gate), its runtime loader equivalent, and its operator-facing policy doc. No CI mirror yet — Studio doesn't have a Forgejo workflow (Flutter-on-DinD is a chunk of work). The local hook is the gate for now; CI mirror follows when Flutter CI lands. Activate once with `bash tools/install-hooks.sh`. Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
This commit is contained in:
parent
c389876a2f
commit
01f3f773cf
5 changed files with 290 additions and 0 deletions
15
.security-allow
Normal file
15
.security-allow
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
# Studio-specific paths that legitimately mention banned phrases or
|
||||
# confidentiality terms, beyond the universal `tools/security/` and
|
||||
# `.githooks/` excludes baked into the security script.
|
||||
#
|
||||
# `tools/today/` — the Today-Hero proposal pipeline runs an LLM under
|
||||
# a prompt that explicitly lists banned words; the
|
||||
# accept-script implements a banned-words gate. Both
|
||||
# files MUST contain the verbatim words.
|
||||
# `lib/data/today_story_loader.dart` — the runtime banned-words gate
|
||||
# that double-checks accepted stories at load time.
|
||||
# `docs/today-pipeline.md` — the operator-facing policy doc that
|
||||
# documents the gate, including the verbatim list.
|
||||
tools/today/
|
||||
lib/data/today_story_loader.dart
|
||||
docs/today-pipeline.md
|
||||
Loading…
Add table
Add a link
Reference in a new issue