Commit graph

2 commits

Author SHA1 Message Date
TheFlow
51fd0bb6a3 chore(license): Phase B follow-on — relicense 3 scripts/ source files from Apache 2.0 to EUPL-1.2
Missed by Phase B (d600f6ed) which swept src/ headers but not scripts/ headers.
All 3 follow the Phase B precedent pattern:

  - scripts/check-attack-surface.js (the inst_084 validator hook itself)
  - scripts/sync-prod-audit-logs.js
  - scripts/migrate-to-schema-v3.js

Two header formats encountered:
  - Standard Apache 2.0 JS block header (first two files): full block swap to
    EUPL-1.2 equivalent with Licence/British spelling and EC canonical URL.
  - Brief JSDoc-style reference (migrate-to-schema-v3.js): short-form swap
    with Licence reference + URL line.

Other scripts/ files with Apache text references NOT in scope here:
  - scripts/relicense-apache-to-eupl.js (DATA: Apache patterns are search
    targets for the relicense tool itself)
  - scripts/fix-markdown-licences.js (DATA: Apache regex patterns for a
    migration script's find-and-replace)
  - scripts/migrate-licence-to-cc-by-4.js (DATA: Apache source patterns
    for a different migration workflow)
  - scripts/upload-document.js (DATA: Apache-2.0 is a valid SPDX tag for
    uploadable documents; retained as valid metadata option)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 10:54:10 +12:00
TheFlow
e821987d9a feat(security): implement attack surface exposure prevention (inst_084)
Adds comprehensive protection against exposing internal implementation
details in public-facing documentation.

New Governance Rule (inst_084):
- Quadrant: SYSTEM
- Persistence: HIGH
- Scope: Public documents (confidential:false)
- Enforcement: Pre-commit hooks (mandatory)

Implementation:
1. attack-surface-validator.util.js
   - Pattern detection for file paths, API endpoints, admin URLs, ports
   - Frontmatter parsing (respects confidential:true exemption)
   - Code block exemption (doesn't flag technical examples)
   - Intelligent line numbering for violation reporting

2. check-attack-surface.js
   - Pre-commit script that scans staged documents
   - User-friendly violation reporting with suggestions
   - Integration with git workflow

3. Pre-commit hook integration
   - Added as Check #3 in git hooks
   - Runs after prohibited terms, before test requirements
   - Blocks commits with attack surface exposures

Detection Patterns:
- File paths: src/*, public/*, scripts/*
- API endpoints: /api/*, /admin/*
- File naming patterns: *.util.js, *.service.js
- Port numbers in prose
- Connection strings

Exemptions:
- Code blocks (```)
- Inline code (`)
- Confidential documents (confidential:true)
- Internal technical documentation

Security Rationale (Defense-in-Depth):
- Prevents reconnaissance by obscuring architecture
- Reduces attack surface by hiding implementation paths
- Complements credential protection (inst_069/070)
- Part of layered security strategy (inst_072)

Testing:
- Validated against test document with known exposures
- 7 violations detected correctly
- Code block exemption verified
- All expected pattern types detected

Example Violations Blocked:
- "Dashboard at /admin/audit-analytics.html"
- "Administrative Dashboard"
- "GET /api/admin/audit-logs endpoint"
- "Authenticated API for audit data"
- "In activity-classifier.util.js"
- "The activity classifier"

This enforcement prevented the exact security issue discovered in
governance-bi-tools.md which exposed admin paths and API endpoints.

Also fixed prohibited terms checker to exempt instruction-history.json
(which contains prohibited term DEFINITIONS, not violations).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-27 12:11:43 +13:00
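The validator the second commit describes (prose-only pattern scan, frontmatter `confidential:true` exemption, fenced and inline code skipped, line numbers reported) can be reproduced in a few dozen lines. The block below is an added illustration written for this page; it is not the project's `attack-surface-validator.util.js` or `check-attack-surface.js`. The pattern list, the `validateDocument`/`formatReport` names and the sample document are constructed assumptions chosen to mirror the commit's "Example Violations Blocked" list.

```javascript
// Added example, not the project's own validator. Everything below
// (pattern list, function names, sample document) is a constructed assumption.

const FENCE = "`".repeat(3); // built at runtime so the source carries no literal fence

// Match tail for paths: greedy, but must end on a word char or "/" so that
// trailing sentence punctuation ("src/utils/.") is not swallowed.
const TAIL = "[\\w./-]*(?<=[\\w/])";

// Detection patterns applied to prose only. The (?<!\w) lookbehind keeps the
// "/admin/" inside "/api/admin/..." from being reported a second time.
const PATTERNS = [
  { name: "admin-url",         re: new RegExp(`(?<!\\w)/admin/${TAIL}`, "g"),
    hint: "describe the feature, not its URL" },
  { name: "api-endpoint",      re: new RegExp(`(?<!\\w)/api/${TAIL}`, "g"),
    hint: "refer to the capability, not the route" },
  { name: "source-path",       re: new RegExp(`\\b(?:src|public|scripts)/${TAIL}`, "g"),
    hint: "omit repository layout" },
  { name: "internal-file",     re: /\b[\w-]+\.(?:util|service)\.js\b/g,
    hint: "name the component, not the file" },
  { name: "port-number",       re: /\b(?:port\s+|localhost:)\d{2,5}\b/gi,
    hint: "drop the port number" },
  { name: "connection-string", re: new RegExp(`\\b(?:mongodb|postgres(?:ql)?|mysql|redis)://\\S*(?<=[\\w/])`, "gi"),
    hint: "never publish connection details" },
];

// Minimal YAML-ish frontmatter: "---" block at the top with "key: value" lines.
// Returns the parsed keys and the index of the first body line.
function parseFrontmatter(lines) {
  if (lines[0] !== "---") return { meta: {}, bodyStart: 0 };
  const end = lines.indexOf("---", 1);
  if (end === -1) return { meta: {}, bodyStart: 0 };
  const meta = {};
  for (const raw of lines.slice(1, end)) {
    const m = raw.match(/^([\w-]+):\s*(.*)$/);
    if (m) meta[m[1]] = m[2].trim();
  }
  return { meta, bodyStart: end + 1 };
}

// Scan a document. Confidential documents are exempt; fenced code blocks and
// inline code spans are skipped; line numbers are 1-based positions in the
// original file (frontmatter included).
function validateDocument(text) {
  const lines = text.split(/\r?\n/);
  const { meta, bodyStart } = parseFrontmatter(lines);
  if (meta.confidential === "true") return { exempt: true, violations: [] };

  const violations = [];
  let inFence = false;
  for (let i = bodyStart; i < lines.length; i++) {
    const line = lines[i];
    if (line.trimStart().startsWith(FENCE)) { inFence = !inFence; continue; }
    if (inFence) continue;
    const prose = line.replace(/`[^`]*`/g, ""); // strip inline code spans
    for (const { name, re, hint } of PATTERNS) {
      for (const m of prose.matchAll(re)) {
        violations.push({ line: i + 1, pattern: name, match: m[0], hint });
      }
    }
  }
  return { exempt: false, violations };
}

// Developer-facing report in the style a pre-commit hook would print.
function formatReport(result, filename) {
  if (result.exempt) return `${filename}: confidential document, not scanned`;
  if (result.violations.length === 0) return `${filename}: no attack surface exposure found`;
  const body = result.violations
    .map(v => `  ${filename}:${v.line} [${v.pattern}] "${v.match}" -> ${v.hint}`)
    .join("\n");
  return `${filename}: ${result.violations.length} exposure(s) found\n${body}`;
}

// Constructed sample public document (confidential:false) with known exposures.
const SAMPLE_PUBLIC_DOC = [
  "---",
  "title: Governance BI tools",
  "confidential: false",
  "---",
  "",
  "# Audit analytics",
  "",
  "The dashboard lives at /admin/audit-analytics.html and reads from the",
  "GET /api/admin/audit-logs endpoint.",
  "",
  "Classification is done in activity-classifier.util.js under src/utils/.",
  "",
  "Inline references like `src/utils/activity-classifier.util.js` are fine.",
  "",
  FENCE + "js",
  "fetch('/api/admin/audit-logs'); // examples in code blocks are exempt",
  FENCE,
  "",
  "The service listens on port 3000 and connects via postgres://user:pw@db/audit.",
].join("\n");

console.log(formatReport(validateDocument(SAMPLE_PUBLIC_DOC), "governance-bi-tools.md"));
```

Run with `node` and the sample yields six findings on lines 8, 9, 11 (two) and 19 (two); the inline-code reference on line 13 and the fenced `fetch` call on line 16 are not reported. The negative lookbehind on the `/admin/` pattern is the detail worth keeping if you adapt this: without it, every `/api/admin/...` route is double-counted, which inflates the violation count a hook uses to decide whether to block the commit.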