fix(ci): eliminate false positives in file-whitelist-check.sh (#2381)

* fix(ci): eliminate false positives in file-whitelist-check.sh

The release gate script flagged 3 whitelisted files as violations because
the env-file and suspicious-file-type checks had no exclusion mechanism.

Add per-check ignore lists under .github/security/ so known-good files
(the .env.template and the two .mp3 notification sounds) are skipped by
those specific checks, while all other security checks remain unaffected.

* style: align for-loop indentation with existing script convention

.file-whitelist.txt

@@ -83,6 +83,7 @@
 ^README$
 ^Dockerfile$
 ^\.file-whitelist\.txt$
+^\.github/security/.*\.txt$
 
 # ---------------------------------------------------------------------------
 # Binary assets — explicit paths only.

.github/scripts/file-whitelist-check.sh

@@ -20,6 +20,25 @@ while IFS= read -r line; do
   ALLOWED_PATTERNS+=("$line")
 done < "$WHITELIST_FILE"
 
+# Load per-check ignore lists (exact paths to skip for specific checks)
+IGNORE_ENV_FILES=()
+IGNORE_ENV_FILE="$REPO_ROOT/.github/security/ignore-env-files.txt"
+if [ -f "$IGNORE_ENV_FILE" ]; then
+  while IFS= read -r line; do
+    [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue
+    IGNORE_ENV_FILES+=("$line")
+  done < "$IGNORE_ENV_FILE"
+fi
+
+IGNORE_SUSPICIOUS_FILETYPES=()
+IGNORE_SUSPICIOUS_FILE="$REPO_ROOT/.github/security/ignore-suspicious-filetypes.txt"
+if [ -f "$IGNORE_SUSPICIOUS_FILE" ]; then
+  while IFS= read -r line; do
+    [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue
+    IGNORE_SUSPICIOUS_FILETYPES+=("$line")
+  done < "$IGNORE_SUSPICIOUS_FILE"
+fi
+
 # Get list of files to check
 if [ "${CHECK_ALL_FILES:-}" = "true" ]; then
 echo "🔍 Checking ALL tracked files (release gate mode)..."
@@ -160,8 +179,14 @@ fi
 
 # Check for environment files
 if echo "$file" | grep -E "\.(env|env\.[a-zA-Z]+)$" >/dev/null; then
+ENV_IGNORED=false
+for epath in "${IGNORE_ENV_FILES[@]+${IGNORE_ENV_FILES[@]}}"; do
+[ "$file" = "$epath" ] && ENV_IGNORED=true && break
+done
+if [ "$ENV_IGNORED" = "false" ]; then
 ENV_FILE_VIOLATIONS+=("$file")
 fi
+fi
 
 # Check for high-entropy strings (potential keys/secrets)
 if [ -f "$file" ] && [ -r "$file" ]; then
@@ -207,6 +232,13 @@ fi
 
 # 7. Suspicious file type check - detect potentially dangerous file types
 if [ -f "$file" ]; then
+# Check if file is in the suspicious-filetypes ignore list
+FILETYPE_IGNORED=false
+for fpath in "${IGNORE_SUSPICIOUS_FILETYPES[@]+${IGNORE_SUSPICIOUS_FILETYPES[@]}}"; do
+[ "$file" = "$fpath" ] && FILETYPE_IGNORED=true && break
+done
+
+if [ "$FILETYPE_IGNORED" = "false" ]; then
 # Check for suspicious file extensions
 if echo "$file" | grep -iE "\.(exe|dll|so|dylib|bin|deb|rpm|msi|dmg|pkg|app)$" >/dev/null; then
 SUSPICIOUS_FILETYPE_VIOLATIONS+=("$file (executable/binary)")
@@ -233,6 +265,7 @@ SUSPICIOUS_FILETYPE_VIOLATIONS+=("$file (build artifact/cache)")
 fi
 fi
 fi
+fi
 done <<< "$CHANGED_FILES"
 
 echo ""

.github/security/ignore-env-files.txt

@@ -0,0 +1,4 @@
+# Exact file paths excluded from the environment-file check.
+# These are NOT actual .env files — they are templates/documentation.
+
+src/local_deep_research/defaults/.env.template

.github/security/ignore-suspicious-filetypes.txt

@@ -0,0 +1,5 @@
+# Exact file paths excluded from the suspicious-file-type check.
+# These are legitimate assets required by the application.
+
+src/local_deep_research/web/static/sounds/error.mp3
+src/local_deep_research/web/static/sounds/success.mp3

.gitignore

@@ -90,6 +90,7 @@
 !.github/**/*.sh
 !.github/**/*.py
 !.github/CODEOWNERS
+!.github/security/*.txt
 !.gitleaksignore
 
 # Allow installer files only in installers directory (text scripts only)