topos.config

Project configuration for Topos — the .topos.toml allowlist.

Security findings are contextual: a call like yaml.load may be an intentional, trusted pattern in (say) an ML-experiments project. The allowlist lets a project acknowledge such patterns so they stop being reported as actionable findings.

Anti-gaming stance

The allowlist is advisory and fully disclosed, never a silent score lift (see topos.evaluation.suppression). To make casual gaming costly, every entry requires a non-empty reason; entries without one are dropped. The canonical SECURE verdict is always computed from the full registry regardless of this file.

class topos.config.AllowEntry(pattern, reason, scope='**')

Bases: object

A single acknowledged-risk entry from [secure.allow].

pattern
reason
scope = '**'
matches_path(rel_path)

Whether this entry's scope glob covers rel_path (a POSIX-style relative path).

class topos.config.ToposConfig(allow=<factory>, root=None)

Bases: object

Resolved project configuration.

allow
root = None
property allow_patterns
entries_for(file_path)

Allow entries whose scope covers file_path.

topos.config.find_config_file(start)

Walk up from start (file or dir) to locate .topos.toml.

topos.config.load_topos_config(start)

Load the nearest .topos.toml at or above start.

Returns an empty config (no allowlist) when no file is found or the file is malformed — configuration is best-effort and never fatal.

topos.config.merge_cli_allows(config, allows)

Merge one-off --allow CLI patterns into config; each merged entry gets scope **.