aa44feea02
Adds a research note on whether/how to scan for malicious code (not just secrets) in commits pushed through the git-gate, and whether the semantic (LLM) layer is a defensible paid feature. Verdict: no scanner reliably detects malicious code (undecidable + adversarial), so the frame is raise-cost + cover-the-obvious + human-gate the dangerous. Ranked layers: dependency/supply-chain scanning (Socket/OSV/ GuardDog) > heuristic/obfuscation (Semgrep-on-diff) > risk-based human gating via the existing supervise plane > best-effort LLM diff-review. Fast scanners inline in the synchronous pre-receive; heavy analysis async. Monetization: the paid unit is the governed git-egress review bundle (managed semantic review + web-console human-review flow + RBAC + audit + cross-run policy), not the raw scanner — which stays OSS like gitleaks. Extends the egress audit+custody wedge to code artifacts; the supervise console generalizes across all proposal types (egress, gitleaks, commit review). Sell the workflow, not the detector's accuracy. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01YBCHap11yGAKuKfsehNPaD
Docs
How this project records what it builds and why — and a guide to picking the right document for what you're capturing.
When to write which document
| Artifact | For |
|---|---|
PRD (docs/prds/) |
A feature: what to build, scope, success criteria. |
Research note (docs/research/) |
A landscape/tradeoff investigation. |
Decision record (docs/decisions/) |
A decision that isn't itself a feature — a policy, a convention, a "we will / won't do this," or a load-bearing choice made inside a larger PRD that deserves to be discoverable on its own. |
A decision that's fully specified by a PRD doesn't need duplicating in a decision record. Write one when the decision would otherwise be buried in prose, lost in an issue thread, or have no in-repo home at all (small requests that don't merit a PRD; non-feature choices like merge strategy or a trust posture).