Add CI check to enforce capability limits using capslock

Adds a capability baseline file and a GitHub Actions workflow that uses Google's capslock tool to detect if any new capabilities (file access, network, syscalls, etc.) are introduced by code changes. https://claude.ai/code/session_01HwDXpKevFLhE5EfrR6JrBn
2026-03-24 01:40:56 +00:00
parent 16b1ef5508
commit 478c2ff9d8
2 changed files with 1297 additions and 0 deletions
@@ -0,0 +1,25 @@
+name: capabilities
+on:
+  push:
+    branches:
+      - v2
+  pull_request:
+    branches:
+      - v2
+
+jobs:
+  check:
+    name: check capabilities
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Setup go
+        uses: actions/setup-go@v6
+        with:
+          go-version: "1.26"
+      - name: Install capslock
+        run: go install github.com/google/capslock/cmd/capslock@latest
+      - name: Check for new capabilities
+        run: capslock -packages=./... -output=compare -granularity=package capability_baseline.json