chain-studio/.security-allow
flemming-it 01f3f773cf ci(hooks): pre-commit security check (mirror of fai/platform)
Mirrors the hook + script from `fai/platform`@1ebf893 verbatim
so commits to fai_studio go through the same gate: secrets,
forbidden filenames, confidentiality references, marketing-
speak, DCO sign-off, Conventional Commits subject, no Claude
co-author trailer.

A `.security-allow` file at the repo root extends the script's
universal excludes with three Studio-specific paths whose
content legitimately includes the filtered terms — the
Today-Hero proposal pipeline (LLM prompt + accept gate), its
runtime loader equivalent, and its operator-facing policy doc.

No CI mirror yet — Studio doesn't have a Forgejo workflow
(Flutter-on-DinD is a chunk of work). The local hook is the
gate for now; CI mirror follows when Flutter CI lands.

Activate once with `bash tools/install-hooks.sh`.

Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
2026-05-09 13:32:26 +02:00

15 lines
811 B
Text

# Studio-specific paths that legitimately mention banned phrases or
# confidentiality terms, beyond the universal `tools/security/` and
# `.githooks/` excludes baked into the security script.
#
# `tools/today/` — the Today-Hero proposal pipeline runs an LLM under
# a prompt that explicitly lists banned words; the
# accept-script implements a banned-words gate. Both
# files MUST contain the verbatim words.
# `lib/data/today_story_loader.dart` — the runtime banned-words gate
# that double-checks accepted stories at load time.
# `docs/today-pipeline.md` — the operator-facing policy doc that
# documents the gate, including the verbatim list.
tools/today/
lib/data/today_story_loader.dart
docs/today-pipeline.md