docs(CLAUDE.md): require a PII/secret scan before every push

CLAUDE.md

@@ -1,3 +1,39 @@
 # CLAUDE.md
 
 See [README.md](README.md).
+
+## Publishing & privacy — run this check before EVERY push
+
+This repo is public (mirrored to Codeberg) and rsynced to the live site on
+every push to `main`. A work email (`…@<employer>`) was once leaked here in
+example config; scrubbing the files was not enough, because it also lived in
+git **history and tags** and had to be erased with a history reset + force-push
+(and may already be cached by third parties). So the guard must run *before*
+the push, not after.
+
+**Before any `git push`, scan for personal/work emails and secrets. If anything
+prints, do NOT push — replace it with a placeholder first.**
+
+```sh
+# Flags any email address that is not an approved example/contact address.
+# Empty output = clean. Any output = stop and fix.
+git grep -InE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' \
+  | grep -viE '@example\.(com|org|io|net)|caseywitt@proton\.me'
+
+# Also reject obvious secrets:
+git grep -InE '(BEGIN [A-Z ]*PRIVATE KEY|api[_-]?key|secret|token)[=:]' || true
+```
+
+Rules for anything committed to a public repo:
+
+- **No work or private email addresses.** In examples use `someone@example.com`,
+  `*@example.com`, generic personas (`admin`, `alice`, `sam`), and party names
+  like `Acme`.
+- **No real personal names** beyond the maintainer's chosen public identity.
+- **No secrets, keys, or tokens.**
+- The **only** real address allowed in published content is the maintainer's
+  deliberate public contact, `caseywitt@proton.me`.
+
+If a leak ever reaches a remote: fixing the working tree is insufficient — rewrite
+or reset history, delete affected tags/branches, force-push to every remote
+(`origin` **and** `codeberg`), and treat the leaked value as already exposed.