feat: project_url_whitelist config-seam fail-CLOSED Фаза 1

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tools/commit-message-scanner.mjs

@@ -9,10 +9,11 @@
  * loud cases.
  */
 
-// G11 patterns (spec v4.1). External-URL pattern whitelists
-// github.com/{liderra,deck,deck-platform}, liderra.ru, *.anthropic.com.
-export const SUSPICIOUS_MESSAGE_PATTERNS = [
-  /\bhttps?:\/\/(?!github\.com\/(?:liderra|deck|deck-platform)|liderra\.ru|api\.anthropic\.com|docs\.anthropic\.com)\S+/i, // external URL
+import { buildCommitMessageUrlPattern, DEFAULT_PROJECT_URL_WHITELIST } from './url-whitelist-rules.mjs';
+
+// Suspicious-payload patterns (spec v4.1 G11). External-URL pattern [0] built from
+// base ∪ project_url_whitelist; the rest are payload-shape patterns (unchanged).
+export const OTHER_SUSPICIOUS_PATTERNS = [
   /[A-Fa-f0-9]{40,}/,            // long hex (full 40-char SHA refs trigger — use short SHA)
   /[A-Za-z0-9+/]{60,}={0,2}/,    // base64-like blob
   /<script\b/i,
@@ -23,14 +24,23 @@ export const SUSPICIOUS_MESSAGE_PATTERNS = [
   /\\u[0-9a-f]{4}/i,             // unicode escape
 ];
 
+export const SUSPICIOUS_MESSAGE_PATTERNS = [
+  buildCommitMessageUrlPattern(DEFAULT_PROJECT_URL_WHITELIST),
+  ...OTHER_SUSPICIOUS_PATTERNS,
+];
+
 /**
  * Synchronous regex pass.
  * @param {string} message
+ * @param {{urlWhitelist?: string[]}} [opts] project_url_whitelist override (config-seam).
  * @returns {{block: boolean, reason?: string}}
  */
-export function scanCommitMessagePatterns(message) {
+export function scanCommitMessagePatterns(message, opts = {}) {
   if (typeof message !== 'string') return { block: false };
-  for (const pattern of SUSPICIOUS_MESSAGE_PATTERNS) {
+  const patterns = opts.urlWhitelist !== undefined
+    ? [buildCommitMessageUrlPattern(opts.urlWhitelist), ...OTHER_SUSPICIOUS_PATTERNS]
+    : SUSPICIOUS_MESSAGE_PATTERNS;
+  for (const pattern of patterns) {
     if (pattern.test(message)) {
       return { block: true, reason: 'commit_message_suspicious_content' };
     }