
Releases: HawkinsOperations/hoxline

Claim Firewall v0.1.0: Security claims should compile before they ship

13 Jun 12:00

Claim Firewall scans security docs, PR text, README files, YAML files, and public-facing Markdown for unsupported security claims before they ship.

It is designed for detection engineers, SOC automation builders, security content maintainers, and reviewers who need to catch wording that outruns evidence.

What this release includes

  • Python CLI: claimfirewall
  • Composite GitHub Action
  • Configurable blocked-claims policy
  • Text and JSON output
  • File and directory scanning
  • Repeated --exclude support
  • Safe-context suppression with allowed_context_patterns
  • Tests for unsafe claims, safe negative-context wording, CLI behavior, JSON output, directory scanning, and action contract behavior

Install locally

python -m pip install -e ".[test]"

CLI examples

Passing example:

python -m claimfirewall scan examples/pass.md --policy policy/blocked_claims.yml

Failing example:

python -m claimfirewall scan examples/fail.md --policy policy/blocked_claims.yml

Console script:

claimfirewall scan examples/pass.md --policy policy/blocked_claims.yml

JSON output:

python -m claimfirewall scan examples/fail.md --policy policy/blocked_claims.yml --format json

GitHub Action example

name: Claim Firewall

on:
  pull_request:
  push:

jobs:
  claim-firewall:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: HawkinsOperations/claim-firewall@v0.1.0
        with:
          paths: "."
          format: "text"
          exclude: "examples/fail.md policy/blocked_claims.yml"

Example blocked claims

Claim Firewall can flag configured wording such as:

  • does not claim production-ready
  • does not claim runtime-proven
  • does not claim public-safe
  • does not claim signal-observed
  • no autonomous SOC claim is made
  • AI-approved disposition is blocked wording
  • analyst-approved disposition is blocked wording
  • does not claim customer deployment
  • does not claim SOCaaS available
  • does not claim fleet-wide coverage

Policy exceptions can suppress safe negative-context wording, such as "does not prove production deployment" or "does not claim public-safe status."
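To make the blocked-claim and safe-context mechanics concrete, here is an added worked example that is not Claim Firewall's own code: a small scanner that checks lines against a list of blocked claims and suppresses a hit when the same clause carries a configured negative-context pattern. The policy is constructed in memory; the blocked_claims key, the placeholder syntax in allowed_context_patterns, the sample documents and the clause-boundary rule are all assumptions of this example, not the project's schema.

```python
import json
import re
import sys
from dataclasses import asdict, dataclass

# Constructed policy for this example. Key names other than
# allowed_context_patterns are assumptions, not the project's schema.
# {claim} is replaced with the escaped blocked claim before matching.
POLICY = {
    "blocked_claims": [
        "production-ready",
        "runtime-proven",
        "public-safe",
        "signal-observed",
        "autonomous SOC",
        "AI-approved disposition",
        "analyst-approved disposition",
        "customer deployment",
        "SOCaaS available",
        "fleet-wide coverage",
    ],
    # Suppression only applies inside one clause ([^.,;:]), so a negative
    # context about one claim cannot whitewash a different claim later in
    # the same sentence.
    "allowed_context_patterns": [
        r"\bdoes not (claim|prove)\b[^.,;:]*?\b{claim}\b",
        r"\bno\b[^.,;:]*?\b{claim}\b[^.,;:]*?\bis (made|claimed)\b",
    ],
}

# Constructed sample documents.
SAFE_DOC = """# Detection pack
This rule set does not claim public-safe status.
No autonomous SOC claim is made for this release.
It does not prove production deployment.
"""

UNSAFE_DOC = """# Detection pack
This rule set is production-ready and runtime-proven.
Fleet-wide coverage is guaranteed once deployed.
"""


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    claim: str
    text: str


def is_suppressed(line: str, claim: str, patterns) -> bool:
    """True if a configured safe-context pattern covers this claim on this line."""
    escaped = re.escape(claim)
    return any(
        re.search(pat.format(claim=escaped), line, re.IGNORECASE) for pat in patterns
    )


def scan_text(text: str, policy: dict, path: str = "<memory>") -> list:
    """Return one Finding per (line, blocked claim) that is not suppressed."""
    findings = []
    patterns = policy["allowed_context_patterns"]
    for lineno, line in enumerate(text.splitlines(), start=1):
        for claim in policy["blocked_claims"]:
            if not re.search(r"\b" + re.escape(claim) + r"\b", line, re.IGNORECASE):
                continue
            if is_suppressed(line, claim, patterns):
                continue
            findings.append(Finding(path, lineno, claim, line.strip()))
    return findings


def exit_code(findings: list) -> int:
    """Mirror the CLI contract described in the release notes: 0 clean, 1 findings."""
    return 1 if findings else 0


def to_json(findings: list) -> str:
    return json.dumps([asdict(f) for f in findings], indent=2)


def main(argv=None) -> int:
    """Usage: script.py [--format json] FILE...  (files are read as UTF-8 text)."""
    args = list(sys.argv[1:] if argv is None else argv)
    fmt = "text"
    if "--format" in args:
        i = args.index("--format")
        fmt = args[i + 1]
        del args[i:i + 2]
    findings = []
    for path in args:
        with open(path, encoding="utf-8") as fh:
            findings.extend(scan_text(fh.read(), POLICY, path))
    if fmt == "json":
        print(to_json(findings))
    else:
        for f in findings:
            print(f"{f.path}:{f.line}: blocked claim '{f.claim}': {f.text}")
    return exit_code(findings)


if __name__ == "__main__":
    sys.exit(main())
```

Run with a file path to get text output and a pass/fail exit status, or add --format json for machine-readable findings. The clause-boundary restriction is the part worth copying: a sentence such as "It does not claim public-safe status, but it is production-ready." still produces a finding for "production-ready", because the negative context before the comma only covers "public-safe".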

Validation status

Before release, the local release-candidate gate passed:

  • python -m pytest: 16 passed
  • Passing example scan: exit 0
  • Failing example scan: exit 1 with expected blocked-claim findings
  • README and claim-boundary scan: exit 0
  • Repository scan with expected exclusions: exit 0
  • JSON output scan: valid JSON with findings
  • Console script pass scan: exit 0
  • Old-name search: no stale naming references

Proof boundary

Claim Firewall checks wording against configured policy only.

It does not prove detection behavior, runtime telemetry, signal observation, production deployment, public-safe status, SOCaaS availability, AI approval, analyst approval, or final human authorization.

It does not prove customer deployment evidence.

Proof ceiling

TOOL_FUNCTION_ONLY

This release proves only that Claim Firewall v0.1.0 provides a tested utility for scanning configured wording-policy violations.

It does not create HawkinsOperations proof authority, runtime proof, signal proof, production proof, SOCaaS availability, AI approval authority, analyst approval authority, or final human authorization.

It does not prove public-safe approval or customer deployment evidence.