Why
#506 adds the server-side lint+test gate (ci.yml) #452/#331 call for — but its backend job runs pre-commit run --all-files (via scripts/lint.sh), and several hooks were only ever exercised on changed files locally. Under --all-files they throw false positives that make the gate red on main from day one, so it can't be merged or made a required check until fixed. (Full trace in the #506 review.) No real security violation is involved — gitleaks passes, there is no @csrf_exempt, and recent_actions.py is correctly scoped.
Fixes
no-csrf-exempt (pattern csrf_exempt) — matches the docstrings that explain the rule ("No @csrf_exempt — Django's middleware enforces") across urls.py/create.py/auth.py/… Make it ignore comment/docstring lines, or match the actual decorator (@csrf_exempt) and exclude the explanatory files. There is no real exemption to catch.
no-objects-all-in-api (pattern objects\.(all|filter)\() — matches the same rule-explaining docstrings and the legitimate recent_actions.py:67 LogEntry.objects.filter(user__pk=...) (the #502 audit-log feed, "parity: index 'Recent actions' widget (per-user LogEntry feed)", correctly user-scoped; rule 10 doesn't govern LogEntry). Ignore comment lines and allow LogEntry.objects.* in recent_actions.py.
no-partial-tokens — already has an exclude: list for files that document the token-shaped patterns; add the doc/DECISIONS file(s) that #506 ("ci: run the test suites (pytest + frontend) on every PR (#452)") introduced and that quote the example (ghp_…) to it. gitleaks remains the real secret gate.
ruff / ruff-format / black — the auto-fixing pre-commit variants rewrite files under --all-files and report "Failed". The CI path of scripts/lint.sh should invoke them in check mode (ruff format --check, black --check) so they report without mutating.
Security note / scope
.pre-commit-config.yaml + these house-rule hooks ARE the repo's security tooling (the denylist-class checks) → Tier 5, human review. Keep the hooks stricter or equal — the goal is to remove false positives, never to weaken real detection. Add a regression check that pre-commit run --all-files is clean on main so this can't silently rot again.
Acceptance
pre-commit run --all-files (hence scripts/lint.sh and #506's backend job) is green on main, with every house-rule hook still catching a genuine planted violation in a test fixture. Unblocks #506 → #452 → #331.
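The two house-rule hooks above misfire because a line-oriented regex cannot tell a docstring that explains the rule from a decorator that breaks it. An added example (not the repository's own hook code) of the AST-based approach the issue asks for: it flags only a real csrf_exempt decorator and a real Model.objects.all()/filter() call, allows LogEntry queries in recent_actions.py, and carries the regression self-test the acceptance criteria call for, with planted violations and explanatory-docstring fixtures constructed inline. The filename-based allowlist, the fixture texts and the rule names' exact output format are assumptions.

```python
"""AST-based replacement for the no-csrf-exempt / no-objects-all-in-api hooks.

Added example, not the project's hook code. Comments and docstrings never
produce AST Call or decorator nodes, so rule-explaining text cannot trip it.
"""
import ast
import sys
from pathlib import Path

# Assumed allowlist: basename -> models whose manager may be queried there
# (the per-user LogEntry audit feed is legitimately user-scoped).
ALLOWED_MANAGER_CALLS = {"recent_actions.py": {"LogEntry"}}


class HouseRuleVisitor(ast.NodeVisitor):
    """Collects (lineno, rule, detail) tuples for real violations only."""

    def __init__(self, filename):
        self.filename = filename
        self.findings = []

    @staticmethod
    def _mentions_csrf_exempt(dec):
        # Also catches @method_decorator(csrf_exempt, name="dispatch") on classes.
        for sub in ast.walk(dec):
            name = sub.attr if isinstance(sub, ast.Attribute) else getattr(sub, "id", None)
            if name == "csrf_exempt":
                return True
        return False

    def _check_decorators(self, node):
        for dec in node.decorator_list:
            if self._mentions_csrf_exempt(dec):
                self.findings.append((dec.lineno, "no-csrf-exempt", f"@csrf_exempt on {node.name}"))
        self.generic_visit(node)

    visit_FunctionDef = _check_decorators
    visit_AsyncFunctionDef = _check_decorators
    visit_ClassDef = _check_decorators

    def visit_Call(self, node):
        # Only a genuine <Name>.objects.all( / .filter( call reaches here.
        f = node.func
        if (isinstance(f, ast.Attribute) and f.attr in ("all", "filter")
                and isinstance(f.value, ast.Attribute) and f.value.attr == "objects"
                and isinstance(f.value.value, ast.Name)):
            model = f.value.value.id
            if model not in ALLOWED_MANAGER_CALLS.get(Path(self.filename).name, set()):
                self.findings.append((node.lineno, "no-objects-all-in-api",
                                      f"{model}.objects.{f.attr}()"))
        self.generic_visit(node)


def check_source(source, filename="<string>"):
    """Return the list of real violations found in one Python source text."""
    visitor = HouseRuleVisitor(filename)
    visitor.visit(ast.parse(source, filename=filename))
    return visitor.findings


def check_paths(paths):
    """Scan real files; returns {path: findings} for files that have findings."""
    report = {}
    for p in map(Path, paths):
        found = check_source(p.read_text(encoding="utf-8"), str(p))
        if found:
            report[str(p)] = found
    return report


# Constructed fixtures: explanatory text that must NOT fire, and planted violations that MUST.
EXPLANATORY_VIEW = '''
"""No @csrf_exempt -- Django's middleware enforces CSRF on every view.
Never write Model.objects.all() or objects.filter( in API code."""
# csrf_exempt is mentioned in this comment too; neither line is a violation.
def index(request):
    return "ok"
'''

PLANTED_VIOLATION = '''
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def leaky(request):
    return list(Article.objects.all())
'''

RECENT_ACTIONS = '''
def recent_actions(request):
    return LogEntry.objects.filter(user__pk=request.user.pk)[:10]

def everyone(request):
    return User.objects.all()
'''


def self_test():
    """Regression check: no false positives on explanatory text, every rule still fires on planted code."""
    assert check_source(EXPLANATORY_VIEW, "urls.py") == []
    assert {r for _, r, _ in check_source(PLANTED_VIOLATION, "api/views.py")} == {
        "no-csrf-exempt", "no-objects-all-in-api"}
    assert [d for _, _, d in check_source(RECENT_ACTIONS, "admin/recent_actions.py")] == ["User.objects.all()"]
    return True


if __name__ == "__main__":
    self_test()
    report = check_paths(sys.argv[1:])
    for path, findings in report.items():
        for lineno, rule, detail in findings:
            print(f"{path}:{lineno}: {rule}: {detail}")
    sys.exit(1 if report else 0)
```

Wired into .pre-commit-config.yaml as a `repo: local` hook with `types: [python]` and `entry: python <path-to-script>`, this runs identically on changed files and under --all-files, since it reads each file's syntax tree rather than grepping lines; the self_test() call at startup is the "still catches a planted violation" guarantee, and it fails the hook before any real file is scanned if a fixture stops firing.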