18 scenarios that verify the security script's rules still
trip on every tripwire — PATs, AWS keys, PEM headers, env
files, allowlist exempts, confidentiality terms, marketing
phrases, .security-allow exclusion, plus message-mode
(Conventional Commits, DCO, Claude trailer, banned phrases).
Wired into the security workflow as a second-line gate after
the diff-based check. Catches the refactor-weakens-a-rule
class of regression: the diff scan can be green while a rule
silently no-ops; the harness fails loudly when that happens.
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
Mirrors the hook + script from `fai/platform`@1ebf893 verbatim
so commits to fai_studio go through the same gate: secrets,
forbidden filenames, confidentiality references, marketing-
speak, DCO sign-off, Conventional Commits subject, no Claude
co-author trailer.
A `.security-allow` file at the repo root extends the script's
universal excludes with three Studio-specific paths whose
content legitimately includes the filtered terms — the
Today-Hero proposal pipeline (LLM prompt + accept gate), its
runtime loader equivalent, and its operator-facing policy doc.
No CI mirror yet — Studio doesn't have a Forgejo workflow
(Flutter-on-DinD is a chunk of work). The local hook is the
gate for now; CI mirror follows when Flutter CI lands.
Activate once with `bash tools/install-hooks.sh`.
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>