Moves the list of private organisation / pilot / codename
strings the security gate blocks OUT of the repo entirely.
Before: tools/security/check-staged.sh + the Today AI prompt
+ docs/today-pipeline.md held the strings in plaintext. The
whole point of the gate is to keep certain strings out of
committed artefacts, so holding them in a committed
artefact was self-defeating — anyone with read access to
the repo trivially recovered the very list we tried to
protect.
After:
- The gate reads a runtime file
`${FAI_BANNED_TERMS_FILE:-~/.fai-security/banned-terms.txt}`
at scan time. One regex per line, `#`-prefixed comments,
matched case-insensitively against staged diffs and
commit messages. Repos contain no copy.
- Pre-commit / commit-msg modes log a warning + skip the
confidential-terms scan if the file is missing (fresh
checkouts shouldn't trip until the operator bootstraps
the list).
- CI mode (`check-staged.sh ci`) FAILS when the file is
missing — runners are expected to be bootstrapped by
their deploy step.
- The unit-test harness uses a synthetic placeholder term
(`SYNTHETIC_BANNED_TERM_XYZZY`) injected via a temp
banned-terms file, so the test never references real
customer names.
- docs/today-pipeline.md + tools/today/prompt.template.md
point at the runtime file instead of enumerating terms.
Operator bootstrap (one-time, per machine):
mkdir -p ~/.fai-security && chmod 700 ~/.fai-security
printf '\\b%s\\b\\n' TERM_A TERM_B > ~/.fai-security/banned-terms.txt
chmod 600 ~/.fai-security/banned-terms.txt
Gate self-tests: 18 passed, 0 failed.
Signed-off-by: flemming-it <sf@flemming.it>
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
|
||
|---|---|---|
| .. | ||
| accept.sh | ||
| collect.sh | ||
| prompt.template.md | ||
| propose.sh | ||
| README.md | ||
Today-Hero proposal tooling
Daily-build pipeline for the editorial Today-Hero card in Studio's store.
See ../../docs/today-pipeline.md for the full design rationale.
Quick start
# 1. Generate today's proposals (calls the local Ollama by default).
./propose.sh
# 2. Skim them — they sit under ~/.fai/today/proposals/<ISO-DATE>/
ls ~/.fai/today/proposals/
# 3. Accept one. The chosen file becomes ~/.fai/today/active.yaml,
# which Studio reads at startup.
./accept.sh ~/.fai/today/proposals/2026-05-08/candidate-2.yaml
# 4. Restart Studio (or let the next launch pick it up).
Schedule it
macOS — launchd
# Drop a plist that runs propose.sh every morning at 07:30 local time.
# `launchctl load ~/Library/LaunchAgents/ai.flemming.fai.today.plist` to
# install. The plist must point at the absolute path of propose.sh.
A starter plist lives at launchd/ai.flemming.fai.today.plist.
Linux — systemd timer
# Copy systemd/fai-today.{service,timer} into ~/.config/systemd/user/,
# then `systemctl --user enable --now fai-today.timer`.
Anywhere — cron
30 7 * * * /Users/flemming/.../tools/today/propose.sh > /tmp/fai-today.log 2>&1
Provider override
propose.sh defaults to Ollama at http://127.0.0.1:11434 with the model
gemma3:4b. Override via env vars:
| Variable | Default | Example |
|---|---|---|
FAI_TODAY_API |
http://127.0.0.1:11434/api/generate |
https://api.openai.com/v1/chat/completions |
FAI_TODAY_MODEL |
gemma3:4b |
gpt-4o-mini |
FAI_TODAY_KEY |
(unset) | $OPENAI_API_KEY |
FAI_TODAY_N |
3 |
1 (single shot) |
OpenAI-compatible endpoints will work as long as they speak chat/completions
or generate; the script auto-detects from the URL path.
Trust model
- Reads only
git log,git diff, and the bundledseed.yamlof installed F∆I monorepos. Never your audit log without explicit op-in. - Calls only the System-AI you've already configured for Studio. The same privacy mode you set there applies here.
- Writes only into
~/.fai/today/. Nothing in~/.fai/data/or~/.fai/config.yamlis touched. - Studio loads
active.yamlat startup; if the file is missing or fails schema validation, the compiled-in fallback story renders. KRITIS fresh installs see the fallback until and unless an operator accepts a proposal.