From f66e29cdb26c1a67746262b94bc0f2d5f036e71d Mon Sep 17 00:00:00 2001 From: ZJZAC Date: Wed, 18 Mar 2026 19:50:23 +0800 Subject: [PATCH] docs: document codec allowlist as breaking change in SECURITY.md Add section explaining the behavior change for callers using non-listed codecs, with instructions on how to extend the allowlists. Co-Authored-By: Claude Opus 4.6 (1M context) --- SECURITY.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 0e372fc28..0dc9e7766 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -30,6 +30,25 @@ If you discover a security vulnerability, please report it responsibly: 4. We aim to acknowledge reports within 48 hours and release a fix within 7 days for critical issues. +## Codec Allowlists (Breaking Change) + +The kdenlive and shotcut melt backends validate `vcodec` and `acodec` +parameters against `ALLOWED_VCODECS` / `ALLOWED_ACODECS` frozensets. +Codecs not in the allowlist will raise `ValueError`. + +The allowlists cover all codecs used by existing export presets plus +common hardware-accelerated variants. If your workflow requires an +unlisted codec, extend the frozensets in `melt_backend.py`: + +```python +from cli_anything.kdenlive.utils.melt_backend import ALLOWED_VCODECS +# ALLOWED_VCODECS is a frozenset — create a new one to extend +ALLOWED_VCODECS = ALLOWED_VCODECS | {"my_custom_codec"} +``` + +Similarly, `extra_args` cannot contain `vcodec=`, `acodec=`, or +`-consumer` prefixes — use the dedicated function parameters instead. + ## Security Guidelines for Harness Developers When building a new CLI harness, follow these rules:
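Review bot: The Python snippet in the new "Codec Allowlists" section does not extend the allowlist that the backend validates against. After `from cli_anything.kdenlive.utils.melt_backend import ALLOWED_VCODECS`, the line `ALLOWED_VCODECS = ALLOWED_VCODECS | {"my_custom_codec"}` only rebinds the name in the caller's own module; the frozenset inside `melt_backend.py` is unchanged, so a caller who follows this will still get `ValueError`. Either say plainly that the frozenset definition in `melt_backend.py` must be edited, or show a form that assigns to the module attribute (import the module, then set `melt_backend.ALLOWED_VCODECS = melt_backend.ALLOWED_VCODECS | {...}`), and confirm that the validator looks the name up at call time so that this actually takes effect. The section also names both the kdenlive and shotcut backends and both `ALLOWED_VCODECS` and `ALLOWED_ACODECS`, but the example covers only the kdenlive import path and the video set; add the shotcut module path and mention that `ALLOWED_ACODECS` is extended the same way. Since this is SECURITY.md, it would help to add one sentence on why the allowlist exists, so that readers extending it add only fixed, known codec names rather than values taken from user input.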