Commit graph

2 commits

Author SHA1 Message Date
flemming-it
efa9871a75 chore(security): externalise confidentiality term list
Moves the list of private organisation / pilot / codename
strings the security gate blocks OUT of the repo entirely.

Before: tools/security/check-staged.sh + the Today AI prompt
+ docs/today-pipeline.md held the strings in plaintext. The
whole point of the gate is to keep certain strings out of
committed artefacts, so holding them in a committed
artefact was self-defeating — anyone with read access to
the repo trivially recovered the very list we tried to
protect.

After:

- The gate reads a runtime file
  `${FAI_BANNED_TERMS_FILE:-~/.fai-security/banned-terms.txt}`
  at scan time. One regex per line, `#`-prefixed comments,
  matched case-insensitively against staged diffs and
  commit messages. Repos contain no copy.
- Pre-commit / commit-msg modes log a warning + skip the
  confidential-terms scan if the file is missing (fresh
  checkouts shouldn't trip until the operator bootstraps
  the list).
- CI mode (`check-staged.sh ci`) FAILS when the file is
  missing — runners are expected to be bootstrapped by
  their deploy step.
- The unit-test harness uses a synthetic placeholder term
  (`SYNTHETIC_BANNED_TERM_XYZZY`) injected via a temp
  banned-terms file, so the test never references real
  customer names.
- docs/today-pipeline.md + tools/today/prompt.template.md
  point at the runtime file instead of enumerating terms.

Operator bootstrap (one-time, per machine):

  mkdir -p ~/.fai-security && chmod 700 ~/.fai-security
  printf '\\b%s\\b\\n' TERM_A TERM_B > ~/.fai-security/banned-terms.txt
  chmod 600 ~/.fai-security/banned-terms.txt

Gate self-tests: 18 passed, 0 failed.

Signed-off-by: flemming-it <sf@flemming.it>
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
2026-05-25 21:06:17 +02:00
flemming-it
3dede6d7d8 ci(security): add self-test harness (mirror of fai/platform)
Some checks failed
Security / Security check (push) Has been cancelled
18 scenarios that verify the security script's rules still
trip on every tripwire — PATs, AWS keys, PEM headers, env
files, allowlist exempts, confidentiality terms, marketing
phrases, .security-allow exclusion, plus message-mode
(Conventional Commits, DCO, Claude trailer, banned phrases).

Wired into the security workflow as a second-line gate after
the diff-based check. Catches the refactor-weakens-a-rule
class of regression: the diff scan can be green while a rule
silently no-ops; the harness fails loudly when that happens.

Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
2026-05-10 21:41:23 +02:00