Rework caps.sh to detect new capabilities rather than requiring an
exact match, so the baseline works across Go versions. Add a
forbidden capabilities list (UNSAFE_POINTER, NETWORK, CGO, EXEC)
that will always fail the check. Use Go 1.26 and capslock@latest
in CI.
https://claude.ai/code/session_01HwDXpKevFLhE5EfrR6JrBn

The baseline was generated with Go 1.24 and capslock v0.3.1. Pin
both in CI to ensure consistent analysis results, since different
Go versions can change which capabilities capslock detects.
https://claude.ai/code/session_01HwDXpKevFLhE5EfrR6JrBn

Replace the full JSON baseline with a simple text file listing capability
names per package. Add caps.sh script to generate and check the baseline.
Document in CONTRIBUTING.md and AGENTS.md that PRs increasing capabilities
are unlikely to be accepted.
https://claude.ai/code/session_01HwDXpKevFLhE5EfrR6JrBn

Adds a capability baseline file and a GitHub Actions workflow that
uses Google's capslock tool to detect if any new capabilities (file
access, network, syscalls, etc.) are introduced by code changes.
https://claude.ai/code/session_01HwDXpKevFLhE5EfrR6JrBn
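
The check these commits describe (fail on capabilities that are new relative to the baseline, and always fail on the forbidden list) can be sketched as follows. This is an added example, not the project's caps.sh; the one-pair-per-line file format, the function names and the sample package names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's caps.sh. Assumed input format: one
# "<package> <CAPABILITY>" pair per line, in both baseline and current files.

FORBIDDEN="UNSAFE_POINTER NETWORK CGO EXEC"   # list from the commit message

# check_caps BASELINE CURRENT
# Prints one finding per line. Returns 0 if clean, 1 if a capability is new
# relative to the baseline, 2 if any forbidden capability is present.
check_caps() {
    cc_status=0
    cc_tmp=$(mktemp -d) || return 3
    sort -u "$1" > "$cc_tmp/base"
    sort -u "$2" > "$cc_tmp/cur"
    # comm -13 keeps lines found only in the current scan. Baseline entries
    # missing from the scan are ignored, so a Go toolchain that detects
    # fewer capabilities than the baseline does not break the check.
    comm -13 "$cc_tmp/base" "$cc_tmp/cur" > "$cc_tmp/new"
    if [ -s "$cc_tmp/new" ]; then
        sed 's/^/NEW /' "$cc_tmp/new"
        cc_status=1
    fi
    # Forbidden capabilities fail even when the baseline already lists them.
    while read -r cc_pkg cc_cap; do
        [ -n "$cc_cap" ] || continue
        case " $FORBIDDEN " in
            *" $cc_cap "*) echo "FORBIDDEN $cc_pkg $cc_cap"; cc_status=2 ;;
        esac
    done < "$cc_tmp/cur"
    rm -rf "$cc_tmp"
    return "$cc_status"
}

# Constructed sample data (package names are made up).
demo() {
    d=$(mktemp -d) || return 3
    printf '%s\n' 'example.com/lib FILES' \
                  'example.com/lib READ_SYSTEM_STATE' > "$d/baseline"
    printf '%s\n' 'example.com/lib FILES' 'example.com/lib/x RUNTIME' \
                  'example.com/lib/x NETWORK' > "$d/current"
    check_caps "$d/baseline" "$d/current"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "check failed with status $?"
```

In the sample, the dropped READ_SYSTEM_STATE entry is tolerated, while the two entries for example.com/lib/x are reported as new and NETWORK is additionally reported as forbidden.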