docs: modify threat model and other small improvements (#31)

Author: julio-rocketchat

website/docs/configuration.md

@@ -9,20 +9,27 @@ Everything about how Layne behaves on a given repo lives in `config/layne.json`.
 ```json title="config/layne.json"
 {
   "$global": {
+    "mode": "changed_files",
+    "contextLines": 8,
+    "timeoutMinutes": 10,
     "semgrep": {
+      "enabled": true,
       "extraArgs": ["--config", "auto"]
     },
     "trufflehog": {
+      "enabled": true,
       "extraArgs": []
     },
     "trigger": {
       "on": "pull_request"
     },
     "labels": {
-      "onFailure":       ["needs-security-review"],
-      "removeOnFailure": ["security-ok"],
-      "onSuccess":       ["security-ok"],
-      "removeOnSuccess": ["needs-security-review"]
+      "onFailure":        ["needs-security-review"],
+      "removeOnFailure":  ["security-ok"],
+      "onSuccess":        ["security-ok"],
+      "removeOnSuccess":  ["needs-security-review"],
+      "onException":      ["security-exception-used"],
+      "removeOnException": ["needs-security-review"]
     },
     "notifications": {
       "rocketchat": {
@@ -31,7 +38,12 @@ Everything about how Layne behaves on a given repo lives in `config/layne.json`.
       }
     },
     "comment": {
-      "enabled": false
+      "enabled":  false,
+      "template": null
+    },
+    "exceptionApprovers": {
+      "users": ["security-lead"],
+      "teams": ["acme/security-team"]
     }
   }
 }
@@ -113,7 +125,7 @@ Hard time limit for a single scan job. If the limit is reached, the job is rethr
 - **Default:** `10`
 - Accepts any positive integer
 
-Raise this for large monorepos where Semgrep takes a long time, or lower it to fail fast on repos that should scan quickly.
+Raise this for large monorepos where scanners may take a long time, or lower it to fail fast on repos that should scan quickly.
 
 ```json title="config/layne.json"
 {
@@ -326,11 +338,6 @@ When an exception approval is used, you can configure a label to be added or rem
 
 If a label listed in `onFailure`, `onSuccess`, or `onException` does not exist on the repository, Layne creates it automatically with a neutral gray color (`#ededed`). You do not need to pre-create labels.
 
-### Global vs per-repo
-
-A per-repo `labels` block replaces the `$global` block entirely - it is not merged key-by-key. If neither `$global` nor the repo defines a `labels` key, the feature is a no-op for that repo.
-
-
 ## Exception Approvals
 
 Configure specific users or teams who can approve PRs that would otherwise fail. See [Exception Approvals](./exception-approvals.md) for full documentation.

website/docs/local-development.md

@@ -1,6 +1,6 @@
 # Local Development
 
-This guide explains how to run Layne entirely on your own machine so you can develop and test features without touching production. By the end, you will have a real GitHub App delivering live webhooks to your laptop, and a way to replay those webhooks instantly without opening a real pull request every time.
+When developing new features or modifying Layne in general, you should avoid doing so in production. These steps will guide you through setting up a local development environment for Layne. 
 
 ## Prerequisites
 

website/docs/scanners/semgrep.md

@@ -53,6 +53,10 @@ Layne's reporter also handles `critical` severity (mapped to `failure`), but Sem
 
 **`extraArgs` replaces the default entirely.** If you set per-repo `extraArgs`, include everything you need - there is no merging with the global value.
 
+:::warning paths.include and paths.exclude in rules are not effective
+Semgrep rules support a `paths:` block to restrict which files a rule applies to. This does not work reliably with Layne. Because Layne passes an explicit list of file paths to Semgrep rather than a directory, Semgrep bypasses rule-level path filtering — `paths.include` and `paths.exclude` entries are silently ignored. This is a known issue. Avoid writing or relying on rules that use `paths:` filters when using Layne.
+:::
+
 ### `--disable-nosem`
 
 :::warning