From ab6eed489b15aad1d2aea487dcfbab48e5ad419c Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Thu, 28 May 2026 16:46:21 -0400
Subject: [PATCH 1/4] wip
---
 .github/CODEOWNERS | 8 ++++++++
 .github/workflows/tripwire.yml | 30 ++++++++++++++++++++++++++++++
 scripts/check-autoload-files.sh | 14 ++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/workflows/tripwire.yml
 create mode 100644 scripts/check-autoload-files.sh
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000000..188935bec96
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,8 @@
+composer.json @statamic/security
+src/helpers.php @statamic/security
+src/namespaced_helpers.php @statamic/security
+src/View/Blade/helpers.php @statamic/security
+
+.github/CODEOWNERS @statamic/security
+.github/workflows/tripwire.yml @statamic/security
+scripts/check-autoload-files.sh @statamic/security
diff --git a/.github/workflows/tripwire.yml b/.github/workflows/tripwire.yml
new file mode 100644
index 00000000000..19eb054c862
--- /dev/null
+++ b/.github/workflows/tripwire.yml
@@ -0,0 +1,30 @@
+name: Tripwire
+
+on:
+ push:
+ branches:
+ - master
+ - '*.x'
+ pull_request:
+
+permissions: {}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ autoload-files:
+ name: Verify autoload.files is unchanged
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Verify autoload.files matches the approved allowlist
+ run: bash scripts/check-autoload-files.sh
diff --git a/scripts/check-autoload-files.sh b/scripts/check-autoload-files.sh
new file mode 100644
index 00000000000..15bf609ffe7
--- /dev/null
+++ b/scripts/check-autoload-files.sh
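Review bot: The CODEOWNERS entries only force a review when branch protection on `master` and the `*.x` branches has "Require review from Code Owners" enabled and `@statamic/security` has write access to the repository; without that, nothing in this file blocks a merge that edits `composer.json` or the listed helper files. That dependency cannot be expressed in the diff, so it is worth recording at the top of the file, e.g. `# Effective only with "Require review from Code Owners" enabled on protected branches.` The same point applies to the rewritten version of this file in PATCH 4/4, which already takes care of anchoring the patterns to the project root.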
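Review bot: The `Verify autoload.files matches the approved allowlist` step runs `scripts/check-autoload-files.sh` from the checked-out tree, so on a `pull_request` event both the script and this workflow come from the PR itself; their integrity rests entirely on the CODEOWNERS entries added in the same patch, and the job only blocks a merge if it is also configured as a required status check for `master` and `*.x`. Neither dependency is visible from the YAML, so a short comment above `jobs:` would help the next maintainer: `# Blocking only as a required status check; this file and the script are guarded by .github/CODEOWNERS.` The remaining choices (`permissions: {}`, job-level `contents: read`, SHA-pinned checkout with `persist-credentials: false`) are appropriate for a tripwire.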
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -uo pipefail
+
+EXPECTED='["src/helpers.php","src/namespaced_helpers.php","src/View/Blade/helpers.php"]'
+ACTUAL=$(jq -c '.autoload.files' composer.json)
+
+if [ "$ACTUAL" != "$EXPECTED" ]; then
+ echo "composer.json autoload.files has changed and must be reviewed."
+ echo "Expected: $EXPECTED"
+ echo "Actual: $ACTUAL"
+ exit 1
+fi
+
+echo "autoload.files matches the approved allowlist."
From 5bbb2d24d261d9bf09af26a27072e1141ec44192 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Thu, 28 May 2026 17:06:33 -0400
Subject: [PATCH 2/4] proof it works
---
 composer.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/composer.json b/composer.json
index 28570652a1d..834f082ee38 100644
--- a/composer.json
+++ b/composer.json
@@ -102,7 +102,8 @@
 "files": [
 "src/helpers.php",
 "src/namespaced_helpers.php",
- "src/View/Blade/helpers.php"
+ "src/View/Blade/helpers.php",
+ "src/pwned.php"
 ],
 "exclude-from-classmap": [
 "tests/Auth/Eloquent/__migrations__/**",
From fd4807b74683bb2f7d40f48599e03fd059d3120a Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Thu, 28 May 2026 17:07:53 -0400
Subject: [PATCH 3/4] Revert "proof it works"
This reverts commit 5bbb2d24d261d9bf09af26a27072e1141ec44192.
---
 composer.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/composer.json b/composer.json
index 834f082ee38..28570652a1d 100644
--- a/composer.json
+++ b/composer.json
@@ -102,8 +102,7 @@
 "files": [
 "src/helpers.php",
 "src/namespaced_helpers.php",
- "src/View/Blade/helpers.php",
- "src/pwned.php"
+ "src/View/Blade/helpers.php"
 ],
 "exclude-from-classmap": [
 "tests/Auth/Eloquent/__migrations__/**",
From 5d3cd861aafc1d7c9e68eeefa3e6061bc84bff87 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Thu, 28 May 2026 17:21:32 -0400
Subject: [PATCH 4/4] anchor to project root and get rid of whitespace
---
 .github/CODEOWNERS | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
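Review bot: With `set -uo pipefail` but no `-e`, a failing `jq` (binary missing, `composer.json` unreadable or not valid JSON) leaves `ACTUAL` empty, so the comparison still fails closed but the output prints a bare `Actual:` that reads like a tampering alert rather than a tooling error; handle the read explicitly, e.g. `ACTUAL=$(jq -c '.autoload.files' composer.json) || { echo "Could not read autoload.files from composer.json."; exit 1; }`. `EXPECTED` also duplicates the three paths that `.github/CODEOWNERS` protects, so a header comment stating that the allowlist and the CODEOWNERS entries must change together would keep the two from drifting apart. It is worth saying in that comment that the comparison is an exact, order-sensitive string match, which is intended for a tripwire but will surprise anyone who merely reorders the entries.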
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 188935bec96..88032f84998 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,8 +1,8 @@
-composer.json @statamic/security
-src/helpers.php @statamic/security
-src/namespaced_helpers.php @statamic/security
-src/View/Blade/helpers.php @statamic/security
+/composer.json @statamic/security
+/src/helpers.php @statamic/security
+/src/namespaced_helpers.php @statamic/security
+/src/View/Blade/helpers.php @statamic/security
 
-.github/CODEOWNERS @statamic/security
-.github/workflows/tripwire.yml @statamic/security
-scripts/check-autoload-files.sh @statamic/security
+/.github/CODEOWNERS @statamic/security
+/.github/workflows/tripwire.yml @statamic/security
+/scripts/check-autoload-files.sh @statamic/security