cpatpa opens the Piper Alderman fork with the locks on, not the features

Before shipping anything new, cpatpa spent the first commit on security triage and a governance rulebook for everything that follows.


This fork belongs to Piper Alderman, an Australian law firm, and the opening move tells you how seriously they're taking deployment. Instead of features, cpatpa landed a batch of security fixes and a strict process for review. Dead code holding sensitive backend credentials was deleted, a leaked database key was pulled from a shared config sample, and document uploads now reject oversized archives and a known class of malicious file that turns document parsers into a way in.
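As an added illustration of the upload check described above (example code written for this writeup, not code from the fork or from Piper Alderman), the function below screens a document before any parser sees it: it rejects uploads over a raw size cap and, for zip-based office formats such as .docx, rejects archives whose members declare an implausible compression ratio or whose decompressed size would exceed a budget. The limits, the extension list, and the sample archives are constructed for this example; the fork's own thresholds are not on the page.

```python
import io
import zipfile

# Hypothetical limits chosen for this example, not the fork's settings.
MAX_UPLOAD_BYTES = 20 * 1024 * 1024          # raw upload size cap
MAX_UNCOMPRESSED_BYTES = 64 * 1024 * 1024    # total bytes an archive may expand to
MAX_MEMBER_RATIO = 100                       # per-member uncompressed:compressed limit
CHUNK = 64 * 1024

# Office and archive formats that are zip containers underneath (assumed list).
ZIP_BASED_DOCS = {".docx", ".xlsx", ".pptx", ".odt", ".zip"}


def _extension(filename):
    return ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""


def check_upload(filename, data):
    """Screen an uploaded document before it reaches any parser.

    Returns (accepted, reason). Rejects uploads over the raw size cap and, for
    zip-based formats, archives whose headers declare an implausible ratio or
    total, then inflates every member under a hard byte budget so the amount of
    data handed to a parser is bounded regardless of what the headers say.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "upload of %d bytes exceeds %d byte limit" % (len(data), MAX_UPLOAD_BYTES)

    if _extension(filename) not in ZIP_BASED_DOCS:
        return True, "not an archive format; size check passed"

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # First screen: central-directory sizes. Cheap, but attacker-supplied,
            # so this is only a pre-check.
            declared_total = 0
            for info in zf.infolist():
                if info.compress_size and info.file_size > MAX_MEMBER_RATIO * info.compress_size:
                    return False, "member %r declares a compression ratio above %d" % (
                        info.filename, MAX_MEMBER_RATIO)
                declared_total += info.file_size
                if declared_total > MAX_UNCOMPRESSED_BYTES:
                    return False, "archive declares more than %d bytes uncompressed" % MAX_UNCOMPRESSED_BYTES

            # Second screen: inflate each member in chunks against a byte budget,
            # counting what actually comes out rather than trusting the headers.
            budget = MAX_UNCOMPRESSED_BYTES
            for info in zf.infolist():
                with zf.open(info) as member:
                    while True:
                        chunk = member.read(CHUNK)
                        if not chunk:
                            break
                        budget -= len(chunk)
                        if budget < 0:
                            return False, "archive expands past %d bytes" % MAX_UNCOMPRESSED_BYTES
    except zipfile.BadZipFile:
        return False, "file uses a document extension but is not a valid zip archive"

    return True, "archive accepted (%d bytes uncompressed)" % (MAX_UNCOMPRESSED_BYTES - budget)


def build_sample(document_xml):
    """Constructed sample: a minimal docx-shaped zip with one payload member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample(b"<w:document>hello</w:document>")
    bloated = build_sample(b"\0" * (4 * 1024 * 1024))   # 4 MiB of zeros: ratio far above 100
    print(check_upload("brief.docx", benign))
    print(check_upload("brief.docx", bloated))
    print(check_upload("brief.docx", b"not a zip at all"))
```

The two-stage shape matters: the header screen is cheap and catches the obvious case, while the budgeted inflate is what actually bounds parser input, since header fields are attacker-controlled. Both limits should be set from the largest legitimate document the firm expects, not from what the parser can survive.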

The governance is the real story. Every future change must spell out its security implications, log an audit entry for any new user-facing action, and respect a house style baked in for the firm: Australian English, local legal citation rules, metric units, and day-first dates. It reads like a firm that intends to enforce its standards at review time, not paper over them later.

So what: worth a look for any firm or legal-ops lead weighing how a serious deployment of a legal-AI tool should handle early security and review discipline.


Commits in this thread

1 commit from cpatpa/PIP, oldest first. Source extracted verbatim from the harvested git log.

SHA: 3130750f
Subject: Add foundation docs and PR template (Phase 0)
Author: Claude
Date: 2026-05-14

Commit body:
Establishes the documentation skeleton and project conventions used
throughout the PIP rebuild:

- Instructions.md captures hard rules (AU English, no em dashes, PIP
  branding) and a decisions log.
- docs/ split by audience: operator, admin, user, developer, security.
- docs/developer/00-roadmap.md records the phased plan.
- docs/developer/01-architecture.md maps the codebase.
- docs/security/01-threat-model.md records the Phase 0 audit findings
  and remediation status.
- CHANGELOG.md tracks changes from this point forward.
- PR template enforces the merge checklist.
