I've got the basics of a vendors whitelist in trunk.
This will require a change of habits while adding new vendors (maybe...)
All common file types that are used for styling are permitted, so for the most part that should take care of most of the libraries that add some sort of style (css, js, images etc.). PHP libraries normally don't need browser access, so you're often fine there.
Just keep in mind that if a non-style file type is used, the default is to deny the browser access to it. swf, html, json, xml and other non-style files will need a rule put in the .htaccess to enable browser access to them.
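To make the default-deny / explicit-allow behaviour described above concrete, here is an added example .htaccess (not Tiki's own file): everything under the vendor directory is denied to the browser by default, the common styling asset types are re-allowed, and a single non-style file gets its own narrow exception. It assumes Apache 2.4 ("Require" syntax from mod_authz_core), that the file sits in the vendor directory itself, and the library file name in the last rule is a hypothetical placeholder.

```apache
# Added example, not Tiki's .htaccess. Assumes Apache 2.4 (mod_authz_core).
# Placed in the vendor directory; Apache merges <FilesMatch> sections in
# order of appearance, so later matching sections override earlier ones.

# Nobody browses a vendor tree; never show directory listings.
Options -Indexes

# 1. Default: deny browser access to every file in this tree.
<FilesMatch ".*">
    Require all denied
</FilesMatch>

# 2. Re-allow only the asset types a page needs for styling:
#    stylesheets, scripts (and their source maps), fonts and images.
<FilesMatch "\.(css|js|map|gif|png|jpe?g|svg|ico|webp|woff2?|ttf|eot)$">
    Require all granted
</FilesMatch>

# 3. Per-library exception for a non-style type (json/xml/html/swf).
#    Match the exact file rather than the whole extension so the rule
#    stays as narrow as possible. Hypothetical file name.
<FilesMatch "^example-lib-locale\.json$">
    Require all granted
</FilesMatch>
```

A quick check after deploying is to request a known css/js file and a known non-style file (say a .json or .html shipped by a library) from the vendor path in a browser: the first should load, the second should return 403 until an explicit rule like the third block is added for it.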
On another note: to start with I've basically whitelisted every file in the vendors directory. I'm now in the process of researching and testing each one (or until I get tired of it) to remove all the unnecessarily whitelisted files.
All .htaccess files are located in the main tiki root, or contained within the immediate subdirectories. You don't need to go searching through several levels of subdirectories; there will be no .htaccess there. Subdirectories and all their contents are controlled by the main subdirectory. Rules that apply to the entire tiki website are located in the root .htaccess.