You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat(security): flip silent-success masking gate to blocking (#257)
Triage all 40 baseline AI004 findings with justified inline nosemgrep
allowlists for intentional fail-open and degraded-mode fallbacks, add
--error to security:sast:masking, and remove the advisory baseline doc.
Co-authored-by: Cursor <cursoragent@cursor.com>
Copy file name to clipboardExpand all lines: AGENTS.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -111,7 +111,7 @@ Run `mise tasks --all` (with `MISE_EXPERIMENTAL=1`) for the full list. Common co
111
111
-**`mise //docs:build`** — Sync and build docs site.
112
112
-**`mise run security:secrets`** — Gitleaks at repo root.
113
113
-**`mise run security:sast`** — Semgrep on the repo (root; includes **`agent/`** Python among paths).
114
-
-**`mise run security:sast:masking`** — Custom semgrep rules for silent-success masking (`catch`/`except` returning empty defaults, AI004). Advisory while the baseline in **`.semgrep/BASELINE.md`** is open; emits SARIF to `test-reports/`. Allowlist intentional fallbacks with an inline justified `nosemgrep: <rule-id> -- <reason>` comment.
114
+
-**`mise run security:sast:masking`** — Custom semgrep rules for silent-success masking (`catch`/`except` returning empty defaults, AI004). Blocking; emits SARIF to `test-reports/`. Allowlist intentional fallbacks with an inline justified `nosemgrep: <rule-id> -- <reason>` comment.
115
115
-**`mise run security:deps`** — OSV Scanner on **`yarn.lock`** (all JS workspaces) and **`agent/uv.lock`**.
116
116
-**`mise run security`** — Runs **`security:secrets`**, **`security:deps`**, **`security:sast`**, **`security:sast:masking`**, **`security:grype`**, **`security:retire`**, **`security:gh-actions`**, and **`//agent:security`**.
117
117
-**`mise run security:retire`** — Retire.js on CDK, CLI, and docs packages.
0 commit comments