dirigence/fermata
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🏗️ fermata: redaction-first security model, unified .botsecrets config

Browse Source 
Realign fermata around redaction (PostToolUse) as the primary security
layer, with access control (PreToolUse) as supplementary write/bash
protection. Remove botignore.toml — policy rules now live in .botsecrets
[policy] section. Add fermata.toml as an alias for .botsecrets.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Gabor Körber
2026-05-26 01:10:07 +02:00
parent 77520819f6
commit 168aefd415
17 changed files with 571 additions and 423 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/fixtures_a4.rs
+5 -5
View File
@@ -9,9 +9,9 @@ fn fixture() -> TempDir {
let root = tmp.path();
fs::write(root.join(".botignore"), ".env\n.env.*\nconf/cert/**\nconf/mitmproxy/**\n").unwrap();
fs::write(
root.join("botignore.toml"),
root.join(".botsecrets"),
r#"
[read]
[policy.read]
patterns = [
"conf/localtestsettings.yaml",
"conf/localsettings.yaml",
@@ -19,14 +19,14 @@ patterns = [
".claude/self-reflections/**",
]
[write]
[policy.write]
patterns = [
"conf/localtestsettings.yaml",
"conf/localsettings.yaml",
"conf/default-secrets.yaml",
]
[bash]
[policy.bash]
deny = ["localtestsettings.yaml", "localsettings.yaml", "default-secrets.yaml", ".env"]
ask = ["rm *", "mv *"]
allow_prefixes = ["make test"]
@@ -103,7 +103,7 @@ fn bash_rm_somefile_asks() {
#[test]
fn read_self_reflections_asks() {
// Note: A.4 has self-reflections under "ask" — current toml schema uses `[read].patterns`
// Note: A.4 has self-reflections under "ask" — current toml schema uses `[policy.read].patterns`
// for hard reads. This documents the gap; once toml has a `[read].ask`, switch to Ask.
let t = fixture();
let p = Policy::load(t.path()).unwrap();