add secure coding AI review guides

[Copilot]

this PR is adding security-aware review checklists (for coderabbit PR reviews) that should be relevant for WLED.
The lists are based on the OWASP "top 10" from https://github.com/github/awesome-copilot/blob/main/instructions/security-and-owasp.instructions.md, and on lessons learned from past reviews.

---

This PR now includes:

• corrected docs filename spelling to match existing docs/*.instructions.md naming pattern:
  • docs/securecode.instructions.md
  • docs/secure-short.instructions.md
• follow-up adjustments to both guides based on review feedback, including:
  • explicit WLED threat-model assumptions (typical firewall/DMZ/VPN deployment)
  • removal of any mandatory TLS/HTTPS baseline expectation
  • clarification that protocol-defined unauthenticated UDP multicast/broadcast paths should not be flagged solely for lacking auth
  • OTA integrity guidance framed as checksum/hash/signature verification without requiring TLS
  • wording consistency and clarity improvements across both files
• additional verification against the suggested rule set from issuecomment-4393037994, with missing coverage added to docs/securecode.instructions.md, including concrete pattern guidance for:
  • UDP packet bounds and protocol range clamping
  • explicit JSON parse-error handling patterns
  • OTA integrity checks in Update.* paths
  • FreeRTOS stack/recursion safety checks
  • mDNS/hostname sanitization constraints
  • outbound URL validation (without HTTPS requirement)
  • optional unicast UDP source filtering (advisory)
  • CSRF Origin/Referer advisory checks for non-internet-exposed deployments
  • credential exposure checks in API/config serialization
  • security-event logging coverage
  • workflow action pinning and permission hardening specifics

Summary by CodeRabbit

• Documentation
  • Added security review guidelines and a 24-rule checklist covering critical security areas including buffer safety, input validation, authentication, secure defaults, and protection against common vulnerabilities.
  • Refined rule wording and priorities to better fit WLED’s technical constraints and realistic deployment model.

Summary by CodeRabbit

• Documentation

  • Added WLED-focused security and hardening guides: prioritized checklists, low-noise reviewer workflow, AI-review guidance, firmware and Web UI security rules, secrets/logging standards, and CI/CD/supply-chain recommendations.

• Chores

  • Expanded automated review configuration to cover firmware, Web UI, and usermods; refined trust-boundary and ingress rules and added path-scoped secret-scanning rules with explicit flagging and exemptions.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 81f5d942-c63c-40d1-909e-2b14f746dc9b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• ✅ Review completed - (🔄 Check again to review again)

Walkthrough

Adds two WLED security guidance documents (hardening + securecode) and updates .coderabbit.yaml to reference them, applying path-scoped security rules for firmware, WebUI, and usermods plus secrets/supply-chain scanning.

Changes

Security Review Standards and CodeRabbit Configuration

Layer / File(s)	Summary
Hardening Rules, Trust-Boundary Model, and Output Format docs/hardening.instructions.md	Hardening instructions establish WLED threat-boundary ingress model, define CRITICAL and IMPORTANT hardening rules for firmware/WebUI/memory/auth/logging/workflow, and specify standardized reviewer output format requiring severity, exact file/line, and concrete fix direction.
Comprehensive Threat-Model Assumptions and Security Checklists docs/securecode.instructions.md	Securecode instructions add WLED-specific threat-model constraints and trust-boundary definitions, then provide categorized checklists: FW1–FW14 for firmware memory/validation/auth/OTA/FreeRTOS issues; WEB1–WEB7 for WebUI XSS/dynamic-code/postMessage/navigation; SEC1–SEC6 for secrets/logging; SC1–SC3 for supply-chain/CI; plus consolidated reviewer and AI behavior guidance.
CodeRabbit Path-Scoped Review Rules and Secrets Scanning Configuration .coderabbit.yaml	Updates references to the new docs, adds path-scoped review rules for firmware (wled00/**/*.{cpp,h,hpp,ino}), WebUI assets (wled00/data/**), and usermods (usermods/**/*.{cpp,h,hpp}), removes an obsolete disabled comment, and introduces secrets/sensitive-info scanning rules and exclusions for templates/placeholders.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• wled/WLED#5480: Both PRs modify .coderabbit.yaml to rework CodeRabbit reviews.path_instructions for firmware/WebUI/usermods; related guidance updates overlap.

Suggested reviewers

• netmindz
• DedeHai
• willmmiles
• Aircoookie

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title 'add secure coding AI review guides' clearly and accurately summarizes the main change: adding three new documentation files (securecode.instructions.md, hardening.instructions.md) and updating .coderabbit.yaml to configure AI-assisted security review guidance for the WLED project.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[softhack007]

@coderabbitai please check if you have learnings stored that are now fully covered by the new rules added in this PR.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
REPO="wled/WLED"
BRANCH="copilot/create-ai-review-guide-wled"

echo "=== .coderabbit.yaml ==="
curl -s "https://raw.githubusercontent.com/$REPO/$BRANCH/.coderabbit.yaml"

echo ""
echo "=== docs/securecode.instructions.md (Trust Boundary section only) ==="
curl -s "https://raw.githubusercontent.com/$REPO/$BRANCH/docs/securecode.instructions.md" | grep -A 20 "Trust Boundary"

echo ""
echo "=== .coderabbit.yaml usermods entry ==="
curl -s "https://raw.githubusercontent.com/$REPO/$BRANCH/.coderabbit.yaml" | grep -A 30 "usermods"

echo ""
echo "=== .coderabbit.yaml secrets entry ==="
curl -s "https://raw.githubusercontent.com/$REPO/$BRANCH/.coderabbit.yaml" | grep -A 40 "Secrets"

Length of output: 24575

---

---

@softhack007, here is the coverage check. All four learnings added during this PR conversation are now fully (or substantially) covered by the committed files.

---

Learning Coverage Status

Learning	Added when	Now encoded in	Status
Trust Boundary Model — ingress points, validated = trusted, don't re-flag downstream	Untrusted data sources discussion	docs/securecode.instructions.md § Trust Boundary Model + .coderabbit.yaml wled00/** block	✅ Fully covered — safe to remove
.coderabbit.yaml uses inline strings only (no file: reference) + trust boundary layout	Path instructions suggestion	Trust boundary content is in .coderabbit.yaml; the "inline strings only" YAML format constraint is NOT in any file	⚠️ Partially covered — trust boundary content is redundant; the format constraint is still useful if you want to keep one learning
Usermods ingress = readFromConfig() / getJsonValue(), flag only downstream misbehaviour	Usermods scope clarification	.coderabbit.yaml usermods/**/*.{cpp,h,hpp} block (which also now includes onMqttMessage, onEspNowMessage, onUdpPacket)	✅ Fully covered — safe to remove
Secrets path instructions for platformio*.ini*, usermods/**/library.json, usermods/**/README.md	Secrets scanning suggestion	.coderabbit.yaml Secrets section — all three path entries present	✅ Fully covered — safe to remove

---

Recommendation: The three fully-covered learnings (#1, #3, #4) can be deleted — the rules are now authoritative in .coderabbit.yaml and the *.instructions.md files that CodeRabbit reads per-review. Keeping them creates a risk of stale duplication if the files are later updated.

You can remove them via the CodeRabbit learnings page. Unfortunately I cannot retrieve the learning IDs from this conversation thread (they were stored in hidden HTML comments), but you can identify them by the content descriptions in the table above.

🐰 ✨