version: 1
product: CapitalGuard
mode: defensive
authorization:
  repo_owner_confirmation_required: true
  scan_only_authorized_repositories: true
data_handling:
  train_on_customer_code: false
  redact_secret_values: true
  delete_uploaded_repository_after_scan: true
  retain_reports_until_customer_deletes: true
agent_rules:
  blocked_paths:
    - ".env*"
    - ".npmrc"
    - ".netrc"
    - ".docker/config.json"
    - "id_rsa"
    - "id_ed25519"
    - "**/*.pem"
    - "**/*.key"
    - "**/*.p12"
    - "**/*service-account*.json"
    - "**/*kubeconfig*"
    - "**/secrets/**"
    - "**/customer_exports/**"
    - "**/backups/**"
  protected_paths:
    - ".cursor/**"
    - ".claude/**"
    - ".mcp.json"
    - "AGENTS.md"
    - ".github/copilot-instructions.md"
    - ".github/workflows/**"
    - "infra/**"
    - "k8s/**"
    - "charts/**"
    - "Dockerfile"
    - "docker-compose*.yml"
    - "db/migrations/**"
    - "billing/**"
    - "auth/**"
    - "package.json"
  untrusted_inputs:
    - "docs/**"
    - "issues/**"
    - "prompts/**"
    - "logs/**"
    - "README.md"
    - "CHANGELOG.md"
  requires_human_approval:
    - "terminal_command_execution"
    - "agent_tool_configuration_changes"
    - "mcp_server_changes"
    - "package_lifecycle_script_changes"
    - "workflow_changes"
    - "deployment_changes"
    - "database_changes"
    - "billing_changes"
    - "auth_changes"
    - "external_file_uploads"
reporting:
  include_severity: true
  include_affected_path: true
  include_why_it_matters: true
  include_agent_exposure: true
  include_business_impact: true
  include_safe_fix: true
  include_confidence_level: true
