chain-studio/tools/today
flemming-it efa9871a75 chore(security): externalise confidentiality term list
Moves the list of private organisation / pilot / codename
strings the security gate blocks OUT of the repo entirely.

Before: tools/security/check-staged.sh + the Today AI prompt
+ docs/today-pipeline.md held the strings in plaintext. The
whole point of the gate is to keep certain strings out of
committed artefacts, so holding them in a committed
artefact was self-defeating — anyone with read access to
the repo trivially recovered the very list we tried to
protect.

After:

- The gate reads a runtime file
  `${FAI_BANNED_TERMS_FILE:-~/.fai-security/banned-terms.txt}`
  at scan time. One regex per line, `#`-prefixed comments,
  matched case-insensitively against staged diffs and
  commit messages. Repos contain no copy.
- Pre-commit / commit-msg modes log a warning + skip the
  confidential-terms scan if the file is missing (fresh
  checkouts shouldn't trip until the operator bootstraps
  the list).
- CI mode (`check-staged.sh ci`) FAILS when the file is
  missing — runners are expected to be bootstrapped by
  their deploy step.
- The unit-test harness uses a synthetic placeholder term
  (`SYNTHETIC_BANNED_TERM_XYZZY`) injected via a temp
  banned-terms file, so the test never references real
  customer names.
- docs/today-pipeline.md + tools/today/prompt.template.md
  point at the runtime file instead of enumerating terms.

Operator bootstrap (one-time, per machine):

  mkdir -p ~/.fai-security && chmod 700 ~/.fai-security
  printf '\\b%s\\b\\n' TERM_A TERM_B > ~/.fai-security/banned-terms.txt
  chmod 600 ~/.fai-security/banned-terms.txt

Gate self-tests: 18 passed, 0 failed.

Signed-off-by: flemming-it <sf@flemming.it>
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
2026-05-25 21:06:17 +02:00
..
accept.sh feat(studio): daily Today-Hero proposal pipeline (v0.31.0) 2026-05-08 12:59:33 +02:00
collect.sh feat(studio): daily Today-Hero proposal pipeline (v0.31.0) 2026-05-08 12:59:33 +02:00
prompt.template.md chore(security): externalise confidentiality term list 2026-05-25 21:06:17 +02:00
propose.sh feat(studio): daily Today-Hero proposal pipeline (v0.31.0) 2026-05-08 12:59:33 +02:00
README.md feat(studio): daily Today-Hero proposal pipeline (v0.31.0) 2026-05-08 12:59:33 +02:00

Today-Hero proposal tooling

Daily-build pipeline for the editorial Today-Hero card in Studio's store. See ../../docs/today-pipeline.md for the full design rationale.

Quick start

# 1. Generate today's proposals (calls the local Ollama by default).
./propose.sh

# 2. Skim them — they sit under ~/.fai/today/proposals/<ISO-DATE>/
ls ~/.fai/today/proposals/

# 3. Accept one. The chosen file becomes ~/.fai/today/active.yaml,
#    which Studio reads at startup.
./accept.sh ~/.fai/today/proposals/2026-05-08/candidate-2.yaml

# 4. Restart Studio (or let the next launch pick it up).

Schedule it

macOS — launchd

# Drop a plist that runs propose.sh every morning at 07:30 local time.
# `launchctl load ~/Library/LaunchAgents/ai.flemming.fai.today.plist` to
# install. The plist must point at the absolute path of propose.sh.

A starter plist lives at launchd/ai.flemming.fai.today.plist.

Linux — systemd timer

# Copy systemd/fai-today.{service,timer} into ~/.config/systemd/user/,
# then `systemctl --user enable --now fai-today.timer`.

Anywhere — cron

30 7 * * * /Users/flemming/.../tools/today/propose.sh > /tmp/fai-today.log 2>&1

Provider override

propose.sh defaults to Ollama at http://127.0.0.1:11434 with the model gemma3:4b. Override via env vars:

Variable Default Example
FAI_TODAY_API http://127.0.0.1:11434/api/generate https://api.openai.com/v1/chat/completions
FAI_TODAY_MODEL gemma3:4b gpt-4o-mini
FAI_TODAY_KEY (unset) $OPENAI_API_KEY
FAI_TODAY_N 3 1 (single shot)

OpenAI-compatible endpoints will work as long as they speak chat/completions or generate; the script auto-detects from the URL path.

Trust model

  • Reads only git log, git diff, and the bundled seed.yaml of installed F∆I monorepos. Never your audit log without explicit op-in.
  • Calls only the System-AI you've already configured for Studio. The same privacy mode you set there applies here.
  • Writes only into ~/.fai/today/. Nothing in ~/.fai/data/ or ~/.fai/config.yaml is touched.
  • Studio loads active.yaml at startup; if the file is missing or fails schema validation, the compiled-in fallback story renders. KRITIS fresh installs see the fallback until and unless an operator accepts a proposal.