From 888d664fe12e512b4149a422a95f55614a7d0249 Mon Sep 17 00:00:00 2001 From: claude Date: Thu, 25 Jun 2026 01:13:07 +0000 Subject: [PATCH] docs(wiki): sync from modules/ @ 556b5a72 --- 15-security-scanning.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/15-security-scanning.md b/15-security-scanning.md index b40b9c1..6557d27 100644 --- a/15-security-scanning.md +++ b/15-security-scanning.md @@ -438,6 +438,15 @@ runs on every push and blocks the merge. --- +### Gate 0: your hosted forge + +Most hosted forges run their own secret scanner on every push and reject the push if it finds a +recognized key pattern (GitHub calls this *push protection*; GitLab and others have equivalents). +That happens **before** any CI you wrote runs, so it is effectively *Gate 0* in this module. The +planted `SYNC_API_KEY` in `lab/config.py` uses a generic high-entropy value (not an issuer +pattern) so the lab can ship; in your real repo, treat your forge's push protection as the +earliest gate and never paper over a bypass. + ## Where it breaks The honest limits (these gates are necessary, not sufficient):
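Review bot: The opening sentence of the new "Gate 0" section presents forge-side secret scanning as something "most hosted forges" do on every push as a matter of course, but push protection is a repository or organization setting (and on some forges a paid-tier feature), so a reader who takes the paragraph at face value may count on a gate that is not actually enabled for their repo; suggest rewording along the lines of "can reject the push ... when push protection is enabled" and adding a one-line check, such as confirming the setting in the repository's security settings before treating it as Gate 0. Placement is also off: the new `### Gate 0` heading lands after the `---` that closes the gates list and directly before `## Where it breaks`, so an `###`-level gate reads as stranded between the rule and an `##` section; moving it above the rule alongside the other gates keeps the numbering coherent. Finally, "never paper over a bypass" gives no action: the text itself acknowledges that bypasses exist, so say what the team should do when one is used (review the recorded bypass and rotate the secret that was pushed) instead of only forbidding it.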