docs(wiki): sync from modules/ @ 556b5a72

2026-06-25 01:13:07 +00:00
parent 26e33daf0a
commit 888d664fe1
+9
@@ -438,6 +438,15 @@ runs on every push and blocks the merge.
---
### Gate 0: your hosted forge
Most hosted forges run their own secret scanner on every push and reject the push if it finds a
recognized key pattern (GitHub calls this *push protection*; GitLab and others have equivalents).
That happens **before** any CI you wrote runs, so it is effectively *Gate 0* in this module. The
planted `SYNC_API_KEY` in `lab/config.py` uses a generic high-entropy value (not an issuer
pattern) so the lab can ship; in your real repo, treat your forge's push protection as the
earliest gate and never paper over a bypass.
## Where it breaks
The honest limits (these gates are necessary, not sufficient):