Commit a6f9eff
refactor(security): list all exclusions explicitly; fix PRs; dedup doc
Replaces the [auto_exclude] source policy with explicit per-rule entries,
per review feedback. Three concerns addressed:
1. No silent exclusion. source=/r/None is a reliable junk signal *today*
(all 104 probes lack the `license:` field every real rule carries), but
it is not guaranteed — a future legitimate rule could carry /r/None and
would have been auto-dropped. Now every exclusion is listed explicitly in
exclusions.toml; nothing is dropped implicitly, so a new upstream rule can
never silently disappear — it surfaces as `new` for triage. The 79 probe
rules (78 + bbp-pattern-inject) are now explicit entries.
2. Correct PR provenance (from git pickaxe, replacing the earlier PR#TBD->220
guess): the 21 original exclusions were PR #11 (2026-02-07), OpenAI was
PR #89, bbp-pattern-inject was PR #200. Only the 78 new probe exclusions
are PR #220.
3. Duplicate rows fixed. r/all reuses some ids across blocks (bbp-x x11,
bbp-ssrf x8, ...); EXCLUSIONS.md now collapses rows by id. Status legend
documents excluded/active/new (auto-excluded removed).
Also: when an excluded rule is later removed upstream, update.py now surfaces
the orphaned entry in a "Removed upstream (safe to prune)" doc section (and
console), rather than only a console warning — a human prunes it, nothing
auto-deletes.
Result: 101 explicit entries (21 PR#11, 1 PR#89, 1 PR#200, 78 PR#220),
3005 active rules, semgrep exit 0 with no parse errors, build green.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>1 parent 3c6872f commit a6f9eff
3 files changed
Lines changed: 621 additions & 257 deletions
0 commit comments