# =============================================================================
# BANDIT SECURITY CONFIGURATION - OmniClaude
# =============================================================================
# YAML format required for bandit >= 1.7
#
# OWNERSHIP & MAINTENANCE:
#   - Owner: Security team / code reviewers
#   - Review: Quarterly (or after security incidents)
#   - Last Review: 2025-11-26
#   - Next Review: 2026-02-26
#
# APPROVAL REQUIRED FOR CHANGES:
#   - Adding new global skips: Security team approval. A global skip applies to
#     every scanned file, production code included; prefer an inline
#     `# nosec B<ID> - <reason>` at the affected line whenever the exception is
#     specific to one call site or one environment.
#   - Adding path-specific skips: PR review by 2+ maintainers
#   - Removing skips: Can be done freely (improves security). Findings that
#     surface as a result must be fixed or annotated inline, not re-skipped.
# =============================================================================

# Exclude directories from scanning
# Anything listed here is never scanned, so no finding of any severity is
# reported for it. Keep this list to generated/vendored output, virtualenvs and
# test code; each source-code exclusion needs a removal condition stated inline.
exclude_dirs:
  - agents/templates
  - agents/parallel_execution/templates
  - agents/tests
  - claude_hooks/tests
  # NOTE(review): "skills" is a broad exclusion; if it holds executable Python
  # (not just prompts/data) that code ships unscanned - confirm its contents.
  - skills
  - .venv
  - claude/lib/.venv
  - __pycache__
  - build
  - dist
  - _archive
  # Legacy code scheduled for deletion post-Beta. Until it is actually deleted
  # it is still importable and still runs, unscanned. Remove this line together
  # with the directory; if the Beta timeline slips, re-enable scanning and
  # annotate individual findings inline instead of keeping the exclusion.
  - src/omniclaude/lib  # Legacy code - excluded from security scans, will be deleted post-Beta

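# Skip specific test IDs
# A global skip must be justified by a property of the WHOLE codebase. bandit
# has no notion of environment: an ID listed here is also suppressed in
# production code, so "dev only" or "env-controlled" are not valid reasons for
# a global skip - annotate the specific line with `# nosec B<ID> - <reason>`
# instead. The following IDs must NOT be re-added here for that reason:
#   B104 hardcoded_bind_all_interfaces - only acceptable for a dev server;
#        annotate the bind(0.0.0.0) call inline, keep the check for everything
#        else (a production listener on all interfaces is a real finding)
#   B105/B106/B107 hardcoded_password_* - config comes from env vars, so there
#        should be no literal secret in code; a literal one is exactly the
#        finding we want reported, and the skip would hide it
#   B201 flask_debug_true - if debug is env-controlled there is no literal
#        `debug=True` to suppress; a literal one must be flagged
#   B607 start_process_with_partial_path - resolving executables via PATH is a
#        PATH-hijacking risk in every environment; use absolute paths or
#        shutil.which() and annotate inline where a partial path is intentional
skips:
  - B101  # assert_used - Tests use assertions. NOTE: the test dirs listed in
          # exclude_dirs are never scanned, so this skip only affects assert
          # statements in non-test code, which are stripped under `python -O`
          # and must not be used for input validation. Keep only while test
          # directories exist outside exclude_dirs.
  - B108  # hardcoded_tmp_directory - Controlled usage. Shared /tmp paths are
          # subject to symlink races; new code should use tempfile.* and this
          # skip should be replaced by inline annotations over time.
  - B311  # random - Non-security usage only. Tokens, nonces, session IDs and
          # anything else that must be unguessable use the `secrets` module;
          # bandit cannot tell the difference, so reviewers check this at PR time.
  - B404  # subprocess_import - Required for system integration. This is the
          # import-only check; B602/B605 (shell=True) stay enabled.
  - B603  # subprocess_without_shell_equals_true - Validated inputs. Not itself
          # an injection (no shell), but argv lists built from untrusted data are
          # still reviewed; prefer migrating to inline nosec per call site.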

# =============================================================================
# HIGH-SIGNAL CHECKS - ENABLED (by omission from `skips`):
# =============================================================================
# B110 - try_except_pass (ENABLED - catches silent exception hiding)
# B608 - sql_statements_without_placeholders (ENABLED - SQL injection)
#
# bandit runs every test that is not listed in `skips`, so no `tests:` key is
# needed to enable these. Do NOT add a `tests:` key to "turn on" a check: when
# present it restricts the run to ONLY the listed IDs.
#
# Use `# nosec B<ID> - <reason>` inline for justified exceptions. Always give
# the ID: a bare `# nosec` suppresses every check on that line.
# =============================================================================
