add secure coding AI review guides

[Copilot]

this PR is adding security-aware review checklists (for coderabbit PR reviews) that should be relevant for WLED.
The lists are based on the OWASP "top 10" from https://github.com/github/awesome-copilot/blob/main/instructions/security-and-owasp.instructions.md, and on lessons learned from past reviews.

---

This PR now includes:

• corrected docs filename spelling to match existing docs/*.instructions.md naming pattern:
  • docs/securecode.instructions.md
  • docs/secure-short.instructions.md
• follow-up adjustments to both guides based on review feedback, including:
  • explicit WLED threat-model assumptions (typical firewall/DMZ/VPN deployment)
  • removal of any mandatory TLS/HTTPS baseline expectation
  • clarification that protocol-defined unauthenticated UDP multicast/broadcast paths should not be flagged solely for lacking auth
  • OTA integrity guidance framed as checksum/hash/signature verification without requiring TLS
  • wording consistency and clarity improvements across both files
• additional verification against the suggested rule set from issuecomment-4393037994, with missing coverage added to docs/securecode.instructions.md, including concrete pattern guidance for:
  • UDP packet bounds and protocol range clamping
  • explicit JSON parse-error handling patterns
  • OTA integrity checks in Update.* paths
  • FreeRTOS stack/recursion safety checks
  • mDNS/hostname sanitization constraints
  • outbound URL validation (without HTTPS requirement)
  • optional unicast UDP source filtering (advisory)
  • CSRF Origin/Referer advisory checks for non-internet-exposed deployments
  • credential exposure checks in API/config serialization
  • security-event logging coverage
  • workflow action pinning and permission hardening specifics

Summary by CodeRabbit

• Documentation
  • Added security review guidelines and a 24-rule checklist covering critical security areas including buffer safety, input validation, authentication, secure defaults, and protection against common vulnerabilities.
  • Refined rule wording and priorities to better fit WLED’s technical constraints and realistic deployment model.

Summary by CodeRabbit

• Documentation

  • Added WLED-focused security and hardening guides: severity-prioritized checklists, low-noise reviewer workflow, AI-review guidance, firmware and Web UI security rules, secrets/logging standards, and CI/CD/supply-chain recommendations; updated agent guidance to reference the new security material.

• Chores

  • Expanded automated review configuration to cover firmware, Web UI, and usermods; refined trust-boundary/ingress rules and added path-scoped secret-scanning rules with explicit flagging and exemptions.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7488c845-9490-42a8-9268-f097b29dfc04

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• ✅ Review completed - (🔄 Check again to review again)

Walkthrough

Adds two WLED security guidance documents (hardening + securecode) and updates .coderabbit.yaml to reference them, applying path-scoped security rules for firmware, WebUI, and usermods plus secrets/supply-chain scanning.

Changes

Security Review Standards and CodeRabbit Configuration

Layer / File(s)	Summary
Hardening Rules, Trust-Boundary Model, and Output Format docs/hardening.instructions.md	Hardening instructions establish WLED threat-boundary ingress model, define CRITICAL and IMPORTANT hardening rules for firmware/WebUI/memory/auth/logging/workflow, and specify standardized reviewer output format requiring severity, exact file/line, and concrete fix direction.
Comprehensive Threat-Model Assumptions and Security Checklists docs/securecode.instructions.md	Securecode instructions add WLED-specific threat-model constraints and trust-boundary definitions, then provide categorized checklists: FW1–FW14 for firmware memory/validation/auth/OTA/FreeRTOS issues; WEB1–WEB7 for WebUI XSS/dynamic-code/postMessage/navigation; SEC1–SEC6 for secrets/logging; SC1–SC3 for supply-chain/CI; plus consolidated reviewer and AI behavior guidance.
CodeRabbit Path-Scoped Review Rules and Secrets Scanning Configuration .coderabbit.yaml	Updates references to the new docs, adds path-scoped review rules for firmware (wled00/**/*.{cpp,h,hpp,ino}), WebUI assets (wled00/data/**), and usermods (usermods/**/*.{cpp,h,hpp}), removes an obsolete disabled comment, and introduces secrets/sensitive-info scanning rules and exclusions for templates/placeholders.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• wled/WLED#5480: Both PRs modify .coderabbit.yaml to rework CodeRabbit reviews.path_instructions for firmware/WebUI/usermods; related guidance updates overlap.

Suggested reviewers

• netmindz
• DedeHai
• willmmiles
• Aircoookie

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title 'add secure coding AI review guides' clearly and accurately summarizes the main change: adding three new documentation files (securecode.instructions.md, hardening.instructions.md) and updating .coderabbit.yaml to configure AI-assisted security review guidance for the WLED project.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}