Skip to content

chore(security): install global security baseline + project rules P011-P016#27

Merged
shyhunter merged 1 commit into
mainfrom
chore/security-baseline
Apr 28, 2026
Merged

chore(security): install global security baseline + project rules P011-P016#27
shyhunter merged 1 commit into
mainfrom
chore/security-baseline

Conversation

@shyhunter
Copy link
Copy Markdown
Owner

@shyhunter shyhunter commented Apr 28, 2026

Summary

Establishes the project's surface of the workspace-wide security baseline (R005–R016 in ~/.claude/rules.md).

  • .gitignore — env-file coverage with example file allowed (R006)
  • .claude/project_rules_decisions.md — adds P011–P016 covering Tauri capabilities, sidecar provenance, updater key handling, renderer trust boundary, npm audit + gitleaks in CI
  • .claude/CLAUDE.md — pointer to the inherited baseline
  • src-tauri/binaries/README.md — documents Ghostscript sidecar source URL + SHA-256 (R011 supply-chain pinning)
  • .github/workflows/security.yml — gitleaks on every push/PR + npm audit --omit=dev --audit-level=high (R006, R011)
  • .gitleaks.tomluseDefault = true with project-specific path allowlist for test fixtures and redaction-library examples (drops 51 false-positives to 0)

Test plan

  • gitleaks scan locally: 0 findings after allowlist
  • npm audit --omit=dev will be exercised by the new workflow on first push
  • Reviewer: confirm no path-allowlist entry inadvertently hides a real secret

Security notes (R015)

  • Secrets: none introduced; the change adds secret-scanning + env-file ignores.
  • Auth/permissions: workflow runs with permissions: contents: read; uses ${{ secrets.GITHUB_TOKEN }} only.
  • Remaining risks: the .gitleaks.toml allowlist is path-based — any new file added under those paths is implicitly trusted. If sensitive content is added under test-fixtures/ or src/lib/secrets/__tests__/, gitleaks will not flag it. Mitigation: code review owns those paths.

🤖 Generated with Claude Code

@shyhunter @claude
chore(security): install global security baseline + project rules P01…
bf47020 
…1-P016

Establishes the project's surface of the workspace-wide security
baseline (R005-R016 in ~/.claude/rules.md):

- .gitignore: env-file coverage with example file allowed (R006).
- .claude/project_rules_decisions.md: adds P011-P016 covering Tauri
  capabilities, sidecar provenance, updater key handling, renderer
  trust boundary, npm audit + gitleaks in CI.
- .claude/CLAUDE.md: pointer to the inherited baseline so future
  agents in this repo always read R005-R016 + P011-P016.
- src-tauri/binaries/README.md: documents the Ghostscript sidecar
  source URL + SHA-256 (R011 supply-chain pinning).
- .github/workflows/security.yml: runs gitleaks on every push/PR
  and `npm audit --omit=dev --audit-level=high` (R006, R011).
- .gitleaks.toml: useDefault=true with project-specific path
  allowlist for test fixtures and redaction-library examples
  (drops 51 false-positives to 0 without weakening upstream rules).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@shyhunter shyhunter merged commit d39ff48 into main Apr 28, 2026
10 of 12 checks passed
@shyhunter shyhunter deleted the chore/security-baseline branch April 28, 2026 13:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@shyhunter