feat: add CI/CD YAML AppSec sensors for supply chain defense

gitgalaxy/standards/analysis_lens.py

@@ -182,7 +182,7 @@ def get_policy(mode="baseline"):
         # 7. The Verification Sieve
         # Test files are naturally dense with assertions and mocked data. 
         # Dampen their cognitive load so they don't outweigh actual application logic.
-        (re.compile(r'(?:^|/)(?:tests?|specs?|testing)/|_spec\.[a-z]+$|\.test\.[a-z]+$', re.I), 0.50)
+        (re.compile(r'(?:^|/)(?:tests?|specs?|testing)/|_spec\.[a-zA-Z]+$|\.test\.[a-zA-Z]+$', re.I), 0.50)
     ],
     'Error & Exception Exposure': [
         # 1. The Sentinel (Core Security & Auth)
@@ -242,7 +242,7 @@ def get_policy(mode="baseline"):
         # The Verification Exemption
         # Tests often contain mocked "TODO" strings to test parsers, or deliberate hacks 
         # for negative testing. They do not represent architectural debt.
-        (re.compile(r'(?:^|/)(?:tests?|specs?|testing)/|_spec\.[a-z]+$|\.test\.[a-z]+$|.*IT\.java$', re.I), 0.0),
+        (re.compile(r'(?:^|/)(?:tests?|specs?|testing)/|_spec\.[a-zA-Z]+$|\.test\.[a-zA-Z]+$|.*IT\.java$', re.I), 0.0),
 
         # ---> NEW: The Documentation/Examples Exemption <---
         # Forgive example code for lacking production-grade tests/safety
@@ -269,7 +269,7 @@ def get_policy(mode="baseline"):
         (re.compile(r'\.(?:stories|story|visual)\.', re.I), 0.90),
         # 6. The Verification Exemption
         # Unit tests rarely require formal JSDoc/RDoc blocks. Drop doc risk to 0.
-        (re.compile(r'(?:^|/)(?:tests?|specs?|testing)/|_spec\.[a-z]+$|\.test\.[a-z]+$', re.I), 0.0)
+        (re.compile(r'(?:^|/)(?:tests?|specs?|testing)/|_spec\.[a-zA-Z]+$|\.test\.[a-zA-Z]+$', re.I), 0.0)
     ],
     'Testing Exposure': [
         # 1. The Universal Standard: 'test' is safe across all languages
@@ -312,7 +312,7 @@ def get_policy(mode="baseline"):
         # Forgive example code for lacking production-grade tests/safety
         (re.compile(r'(?:^|/)examples?/', re.I), 0.0),
         # Catch mainframe 8-char test prefixes (e.g., lgtestp1.cbl)
-        (re.compile(r'(?:^|/)[a-z]{0,2}test[a-z0-9]*\.(?:cbl|cob)$', re.I), 0.0),
+        (re.compile(r'(?:^|/)[a-zA-Z]{0,2}test[a-z0-9]*\.(?:cbl|cob)$', re.I), 0.0),
     ],
     'Dead Code Exposure': [
         # 1. The Template (Expected Dead Code)

gitgalaxy/standards/language_standards.py

@@ -685,6 +685,7 @@
             "blueprint_version": "v6.3.1",
             "status": "production",
         },
+        # COMPREHENSIVE SURFACE AREA: Standard modern suffixes, JSX variants, and ambient declaration boundaries.
         "extensions": [
             ".ts",
             ".tsx",
@@ -694,8 +695,6 @@
             ".d.mts",
             ".d.cts",  # Ambient declarations
         ],
-        # COMPREHENSIVE SURFACE AREA: Standard modern suffixes, JSX variants, and ambient declaration boundaries.
-        "extensions": [".ts", ".tsx", ".mts", ".cts", ".d.ts", ".d.mts", ".d.cts"],
         # ABSOLUTE IDENTITY & EXACT FILENAMES: Extensionless build/config scripts and tooling configs that are secretly pure code.
         "exact_matches": [],
         # ECOSYSTEM GRAVITY & DISAMBIGUATION: Primary sibling extensions, package manifests, and lockfiles to resolve ambiguous files.
@@ -7108,7 +7107,7 @@
             ),
             # 32. events: Pub/Sub Network. Platform Events and Trigger context.
             "events": re.compile(
-                r"\b(EventBus\.publish|PlatformEvent)\b|trigger\s+[A-z_]\w+\s+on\s+[A-z_]\w+Event__e",
+                r"\b(EventBus\.publish|PlatformEvent)\b|trigger\s+[a-zA-Z_]\w+\s+on\s+[a-zA-Z_]\w+Event__e",
                 re.I,
             ),
             # 33. dependency_injection: Inversion of Control. Mocking and injection frameworks.
@@ -10563,10 +10562,6 @@
     "jenkins": {"_shield_": {"exclude_paths": ["translation-tool.pl", "core/report-l10n.rb"]}},
     "redis": {"_shield_": {"exclude_dirs": ["deps/lua", "deps/jemalloc", "deps/hiredis"]}},
     "Correios-Brasil": {
-        "_shield_": {"unban_directories": ["features"]}
-    },
-    "freebsd-src": {
-        "objective-c": {"extensions": ['.mm', '.h']},
-        "c": {"extensions": ['.c', '.h', '.cl', '.inc', '.y', '.idc', '.cats', '.m', '.dts', '.dtsi']}
-    },
-}
+            "_shield_": {"unban_directories": ["features"]}
+        }
+    }

site/app.py

@@ -317,19 +317,23 @@ def capture_enterprise_lead():
         if any(domain in email for domain in generic_domains):
             return jsonify(error="Please provide a valid corporate email address for commercial licensing."), 400
 
-        # Log the massive lead as a CRITICAL event so it stands out in your server logs
-        lead_msg = f"🚨 ENTERPRISE LEAD CAPTURED: {company} | Size: {codebase_size} | Case: {use_case} | Contact: {email}"
-        logger.critical(lead_msg)
+        # SANITIZATION: Prevent CRLF Log Injection
+        safe_company = str(company).replace('\n', ' ').replace('\r', '')
+        safe_size = str(codebase_size).replace('\n', ' ').replace('\r', '')
+        safe_case = str(use_case).replace('\n', ' ').replace('\r', '')
+        safe_email = str(email).replace('\n', ' ').replace('\r', '')
 
-        # TODO: Add logic here to ping your Discord webhook or send an email to joe@gitgalaxy.io
-        # requests.post(os.getenv("DISCORD_WEBHOOK_URL"), json={"content": lead_msg})
+        # Log the massive lead safely
+        lead_msg = f"🚨 ENTERPRISE LEAD CAPTURED: {safe_company} | Size: {safe_size} | Case: {safe_case} | Contact: {safe_email}"
+        logger.critical(lead_msg)
 
         return jsonify({"status": "success", "message": "Lead captured. Our architecture team will be in touch shortly."}), 200
 
     except Exception as e:
-        logger.error(f"Lead Capture Error: {str(e)}")
+        safe_error = str(e).replace('\n', ' ')
+        logger.error(f"Lead Capture Error: {safe_error}")
         return jsonify(error="Failed to submit inquiry. Please email commercial@gitgalaxy.io directly."), 500
-
+    
 if __name__ == '__main__':
     print("\n" + "═"*50)
     print(" 🌌 GITGALAXY VISUALIZER: COMMAND CENTER ACTIVE")