chore(security): externalise confidentiality term list
Moves the list of private organisation / pilot / codename
strings the security gate blocks OUT of the repo entirely.
Before: tools/security/check-staged.sh + the Today AI prompt
+ docs/today-pipeline.md held the strings in plaintext. The
whole point of the gate is to keep certain strings out of
committed artefacts, so holding them in a committed
artefact was self-defeating — anyone with read access to
the repo trivially recovered the very list we tried to
protect.
After:
- The gate reads a runtime file
`${FAI_BANNED_TERMS_FILE:-~/.fai-security/banned-terms.txt}`
at scan time. One regex per line, `#`-prefixed comments,
matched case-insensitively against staged diffs and
commit messages. Repos contain no copy.
- Pre-commit / commit-msg modes log a warning + skip the
confidential-terms scan if the file is missing (fresh
checkouts shouldn't trip until the operator bootstraps
the list).
- CI mode (`check-staged.sh ci`) FAILS when the file is
missing — runners are expected to be bootstrapped by
their deploy step.
- The unit-test harness uses a synthetic placeholder term
(`SYNTHETIC_BANNED_TERM_XYZZY`) injected via a temp
banned-terms file, so the test never references real
customer names.
- docs/today-pipeline.md + tools/today/prompt.template.md
point at the runtime file instead of enumerating terms.
Operator bootstrap (one-time, per machine):
mkdir -p ~/.fai-security && chmod 700 ~/.fai-security
printf '\\b%s\\b\\n' TERM_A TERM_B > ~/.fai-security/banned-terms.txt
chmod 600 ~/.fai-security/banned-terms.txt
Gate self-tests: 18 passed, 0 failed.
Signed-off-by: flemming-it <sf@flemming.it>
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
This commit is contained in:
parent
21c2a0f411
commit
efa9871a75
4 changed files with 84 additions and 20 deletions
|
|
@ -153,9 +153,19 @@ git add tests/server.pem
|
|||
assert_content_passes "tests/*.pem allowlisted"
|
||||
|
||||
d=$(setup_repo); cd "$d"
|
||||
echo "Notes from the ITDZ Berlin meeting" > confidential.md
|
||||
# The confidentiality list lives outside the repo at
|
||||
# $FAI_BANNED_TERMS_FILE (default ~/.fai-security/banned-terms.txt).
|
||||
# For the test we point at a temp file holding a single
|
||||
# generic test term — the actual production terms stay in the
|
||||
# operator's untracked file and never enter this test suite.
|
||||
TEST_BANNED_TERMS=$(mktemp -t fai_banned.XXXXXX)
|
||||
printf "\\\\bSYNTHETIC_BANNED_TERM_XYZZY\\\\b\n" > "$TEST_BANNED_TERMS"
|
||||
export FAI_BANNED_TERMS_FILE="$TEST_BANNED_TERMS"
|
||||
echo "Document contains SYNTHETIC_BANNED_TERM_XYZZY in passing" > confidential.md
|
||||
git add confidential.md
|
||||
assert_content_fails "confidential term ITDZ" "ITDZ"
|
||||
assert_content_fails "confidential term (synthetic test term)" "SYNTHETIC_BANNED_TERM_XYZZY"
|
||||
rm -f "$TEST_BANNED_TERMS"
|
||||
unset FAI_BANNED_TERMS_FILE
|
||||
|
||||
d=$(setup_repo); cd "$d"
|
||||
echo "Our viral release of a powerful tool that just works" > marketing.md
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue