docs: document codec allowlist as breaking change in SECURITY.md

Add section explaining the behavior change for callers using non-listed codecs, with instructions on how to extend the allowlists. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-01 06:10:35 +08:00 · 2026-03-18 19:50:23 +08:00
parent ad83a32283
commit f66e29cdb2
1 changed files with 19 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -30,6 +30,25 @@ If you discover a security vulnerability, please report it responsibly:
 4. We aim to acknowledge reports within 48 hours and release a fix within
   7 days for critical issues.

+## Codec Allowlists (Breaking Change)
+
+The kdenlive and shotcut melt backends validate `vcodec` and `acodec`
+parameters against `ALLOWED_VCODECS` / `ALLOWED_ACODECS` frozensets.
+Codecs not in the allowlist will raise `ValueError`.
+
+The allowlists cover all codecs used by existing export presets plus
+common hardware-accelerated variants. If your workflow requires an
+unlisted codec, extend the frozensets in `melt_backend.py`:
+
+```python
+from cli_anything.kdenlive.utils.melt_backend import ALLOWED_VCODECS
+# ALLOWED_VCODECS is a frozenset — create a new one to extend
+ALLOWED_VCODECS = ALLOWED_VCODECS | {"my_custom_codec"}
+```
+
+Similarly, `extra_args` cannot contain `vcodec=`, `acodec=`, or
+`-consumer` prefixes — use the dedicated function parameters instead.
+
 ## Security Guidelines for Harness Developers

 When building a new CLI harness, follow these rules: