Diablo_ClaudeMD_Ricing_example/.github/instructions/security.instructions.md
diablo 50fa79407d
CoM Claude Command Center — sanitized public configuration
Public, sanitized mirror of an AI orchestration command center: agents, skills,
MCP servers, slash-command workflows. All infrastructure identifiers, hostnames,
mesh IPs/subnets, repo paths, maintainer identity, and hardware fleet specifics
scrubbed to <placeholders>; session debug logs and host-specific memory removed.
No live credentials. Verified clean by automated leak sweep. See SANITIZATION.md.

churchofmalware.org . authorized research only
2026-06-10 02:02:03 -04:00

---
applyTo: "hooks/**,rules/**,agents/**,a2a/**,settings.json"
---
# Security Instructions — CoM Governance Layer
## Scope
These instructions apply to all security-critical files: execution hooks, governance rules, agent definitions, A2A constitution, and the master settings.json.
## Hook Development (hooks/)
- All hooks must use `set -euo pipefail` as the first executable line
- Hooks must have defined timeouts (PreToolUse: 10s, PostToolUse: 15s, Stop: 10s)
- Pattern matching must cover both Unix and Windows-style destructive commands
- Never use `eval` or `source` with untrusted input in hooks
- Test hooks against the full deny list before committing
- Log all blocked operations to stderr for audit trail
- Exit codes: 0 = allow, 2 = block (for PreToolUse hooks)
## Deny List Patterns
The following patterns must always be caught by PreToolUse validation:
- Pipe-to-shell: `curl|bash`, `wget|sh`, `curl|python`
- Force operations: `--force`, `--no-verify`, `-f` on destructive commands
- Permission bombs: `chmod 777`, `chmod -R 777`
- Drive destruction: `rm -rf /`, `format`, `diskpart`, `dd if=`
- Credential exposure: writing to `.env`, echoing tokens/keys
- Registry destruction: `reg delete`, `Remove-ItemProperty` on system keys
- Boot config modification: `bcdedit`, `grub-install` without confirmation
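The following is an added example, not a hook shipped in the CoM repository: a PreToolUse-style deny check written to the hook conventions above (`set -euo pipefail` first, exit 0 = allow / 2 = block, every block logged to stderr) and covering each family in the deny list. The function names, the exact regular expressions and the sample commands are assumptions made for illustration; a real hook would also need to extract the command from whatever input format the runtime hands it.

```bash
#!/usr/bin/env bash
# Added example (not a hook from the CoM repository): a PreToolUse-style deny
# check written to the conventions above. Function names and the exact regexes
# are assumptions for illustration.
set -euo pipefail

# matches STRING ERE    -> 0 if STRING matches the extended regex (case-sensitive)
matches()    { printf '%s\n' "$1" | grep -Eq  -- "$2"; }
# matches_ci STRING ERE -> same, case-insensitive (Windows tooling ignores case)
matches_ci() { printf '%s\n' "$1" | grep -Eiq -- "$2"; }

# com_deny_check CMD -> returns 0 (allow) or 2 (block), per the hook exit-code
# convention. Every block is written to stderr so the audit trail survives.
com_deny_check() {
  cmd="$1"
  reason=""
  # Drive destruction: rm -r*/ on the root, format/diskpart, dd reading a device/file
  if matches_ci "$cmd" 'rm[[:space:]]+(-[a-zA-Z]+[[:space:]]+)*-[a-zA-Z]*r[a-zA-Z]*[[:space:]]+/+([[:space:]]|$)|(^|[[:space:]])(format|diskpart)([[:space:]]|$)|dd[[:space:]]+if='; then
    reason="drive destruction"
  # Pipe-to-shell: curl/wget output piped into a shell or python interpreter
  elif matches "$cmd" '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?((ba|z|da)?sh|python[0-9.]*)([[:space:]]|$)'; then
    reason="pipe-to-shell"
  # Force flags on destructive commands: --force, --no-verify, or a -f style flag
  elif matches "$cmd" '(^|[[:space:]])(rm|git[[:space:]]+(push|reset|clean|commit))[[:space:]].*(--force|--no-verify|[[:space:]]-[a-zA-Z]*f[a-zA-Z]*([[:space:]]|$))'; then
    reason="force flag on destructive command"
  # Permission bombs
  elif matches "$cmd" 'chmod[[:space:]]+(-R[[:space:]]+)?777([[:space:]]|$)'; then
    reason="permission bomb"
  # Credential exposure: redirecting/tee-ing into .env, or echoing token-like names
  elif matches "$cmd" '(>>?|tee([[:space:]]+-a)?)[[:space:]]*\.env([[:space:]]|$)|echo[^|>]*(TOKEN|SECRET|PASSWORD|API_KEY)'; then
    reason="credential exposure"
  # Registry destruction on system hives
  elif matches_ci "$cmd" '(reg[[:space:]]+delete|Remove-ItemProperty).*(HKLM|HKEY_LOCAL_MACHINE|HKCR|HKEY_CLASSES_ROOT)'; then
    reason="registry destruction"
  # Boot config modification: blocked outright here; the deny list allows these
  # only with explicit confirmation, which this example leaves to the operator
  elif matches_ci "$cmd" '(^|[[:space:]])(bcdedit|grub-install)([[:space:]]|$)'; then
    reason="boot config modification"
  fi
  if [ -n "$reason" ]; then
    echo "[com-hook] BLOCKED ($reason): $cmd" >&2
    return 2
  fi
  return 0
}

# Stand-alone use: pass the candidate command as the first argument and the
# script exits with the hook status. With no argument nothing runs.
if [ -n "${1-}" ]; then
  com_deny_check "$1" || exit $?
fi
```

The checks are ordered so the most severe family names the reason; any match blocks regardless of order. Plain `grep -E` is used rather than bash `[[ =~ ]]` so the same patterns can be reused by the CI lint step, and the deliberately broad `-f` rule on `rm` and `git push/reset/clean/commit` follows the list's "`-f` on destructive commands" wording, so `rm -rf ./build` is blocked as well.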
## Agent Definitions (agents/)
- Every agent must declare: role, model tier, archetype, shadow, capabilities, constraints
- Shadow integration must be documented — suppression is a governance violation
- Permission boundaries must be explicit (read/write/system/network/destructive)
- Model tier must match the agent registry in a2a/agent-cards.json
- No agent may self-escalate permissions without CADevO authorization
## Constitutional Governance (a2a/)
- The constitution.md is the supreme governance document
- Non-negotiables cannot be modified without Sovereign (Ty) approval
- Alignment assessments must use the Busytown/Rapture axis
- Agent cards must stay in sync with agent personality files
- All governance changes require a PR with security review
## Settings.json
- Permission deny lists are append-only — never remove protections
- MCP server additions require security vetting documentation
- Hook configurations must specify timeout and error behavior
- API tokens must reference environment variables, never inline values
- Schema validation must pass before any settings change is merged
## Credential Protection
- Never hardcode tokens, keys, passwords, or connection strings
- Use environment variable references: `${GITHUB_TOKEN}` format
- API keys in MCP configs must use env var substitution
- If a credential is accidentally committed, rotate immediately and notify
- The .gitignore must cover: .env, .env.*, *.token, *.key, *.pem, config.json
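Two pre-merge checks for the Settings.json and Credential Protection rules above (tokens as `${VAR}` references, and the required `.gitignore` coverage), added here as an example rather than tooling from the CoM repository. The function names, the key-name heuristic (any JSON key containing token/key/secret/password) and the constructed sample files with placeholder values are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not tooling from the CoM repository: two pre-merge checks for
# the rules above. Function names, the key-name heuristic and the sample files
# are assumptions; the sample configs are constructed and use placeholder values.
set -euo pipefail

# com_check_secret_refs FILE -> 0 if every token/key/secret/password-like JSON
# key has a value beginning with "$" (i.e. a ${VAR} reference), 1 otherwise.
# Offending lines go to stderr with line numbers for the reviewer.
com_check_secret_refs() {
  file="$1"
  pat='"[^"]*(token|key|secret|password)[^"]*"[[:space:]]*:[[:space:]]*"[^"$]'
  if grep -Ein -- "$pat" "$file" >&2; then
    echo "[com-check] FAIL: inline credential value(s) in $file" >&2
    return 1
  fi
  return 0
}

# com_check_gitignore FILE -> 0 if every required entry is present as an exact
# line, 1 otherwise (missing entries are listed on stderr).
com_check_gitignore() {
  file="$1"
  missing=""
  for p in '.env' '.env.*' '*.token' '*.key' '*.pem' 'config.json'; do
    grep -qxF -- "$p" "$file" || missing="$missing $p"
  done
  if [ -n "$missing" ]; then
    echo "[com-check] FAIL: $file is missing:$missing" >&2
    return 1
  fi
  return 0
}

# com_demo_setup -> prints a temp directory holding constructed sample files
# (placeholder values only; nothing here is a real credential).
com_demo_setup() {
  d=$(mktemp -d)
  cat > "$d/good-settings.json" <<'EOF'
{ "mcpServers": { "github": { "env": { "GITHUB_TOKEN": "${GITHUB_TOKEN}" } } } }
EOF
  cat > "$d/bad-settings.json" <<'EOF'
{ "mcpServers": { "github": { "env": { "GITHUB_TOKEN": "ghp_PLACEHOLDER_inline_value" } } } }
EOF
  printf '%s\n' '.env' '.env.*' '*.token' '*.key' '*.pem' 'config.json' > "$d/good.gitignore"
  printf '%s\n' '.env' 'node_modules/' > "$d/bad.gitignore"
  echo "$d"
}
```

Run `com_check_secret_refs settings.json` and `com_check_gitignore .gitignore` from the CI step that gates settings changes; both print the offending lines or missing entries to stderr and exit non-zero, which is what a required status check needs. The regex deliberately treats any key name containing a credential-like word as sensitive, so it errs toward a false positive that a reviewer can wave through rather than a missed inline token.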
## Review Requirements
- All changes to files in this scope require manual review — no auto-merge
- Security hook changes need testing against the full pattern deny list
- Agent permission changes need constitutional alignment check
- Settings.json changes need validation against the JSON schema