diff --git a/CLAUDE.md b/CLAUDE.md index f0b5cdc..6e489d2 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -1,3 +1,39 @@ # CLAUDE.md See [README.md](README.md). + +## Publishing & privacy — run this check before EVERY push + +This repo is public (mirrored to Codeberg) and rsynced to the live site on +every push to `main`. A work email (`…@`) was once leaked here in +example config; scrubbing the files was not enough, because it also lived in +git **history and tags** and had to be erased with a history reset + force-push +(and may already be cached by third parties). So the guard must run *before* +the push, not after. + +**Before any `git push`, scan for personal/work emails and secrets. If anything +prints, do NOT push — replace it with a placeholder first.** + +```sh +# Flags any email address that is not an approved example/contact address. +# Empty output = clean. Any output = stop and fix. +git grep -InE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' \ + | grep -viE '@example\.(com|org|io|net)|caseywitt@proton\.me' + +# Also reject obvious secrets: +git grep -InE '(BEGIN [A-Z ]*PRIVATE KEY|api[_-]?key|secret|token)[=:]' || true +``` + +Rules for anything committed to a public repo: + +- **No work or private email addresses.** In examples use `someone@example.com`, + `*@example.com`, generic personas (`admin`, `alice`, `sam`), and party names + like `Acme`. +- **No real personal names** beyond the maintainer's chosen public identity. +- **No secrets, keys, or tokens.** +- The **only** real address allowed in published content is the maintainer's + deliberate public contact, `caseywitt@proton.me`. + +If a leak ever reaches a remote: fixing the working tree is insufficient — rewrite +or reset history, delete affected tags/branches, force-push to every remote +(`origin` **and** `codeberg`), and treat the leaked value as already exposed.
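Review bot: the secrets check in the second `git grep` can never match a PEM header, because `(BEGIN [A-Z ]*PRIVATE KEY|api[_-]?key|secret|token)[=:]` requires `=` or `:` immediately after `KEY`, while real headers continue with `-----`; move the key alternative outside the `[=:]` group, e.g. `git grep -InE 'BEGIN [A-Z ]*PRIVATE KEY|(api[_-]?key|secret|token)[=:]'`. Two smaller points in the same block: `git grep` with no revision argument scans only the checked-out tree, yet the paragraph above says the leaked address survived in history and tags, so the guard should also run over `$(git rev-list --all)` (or at least the commits about to be pushed); and the `grep -v` allowlist discards the whole line, so a disallowed address sitting on the same line as `caseywitt@proton.me` or an `@example.com` address is silently hidden. Since the rule is "any output = do NOT push", it would also be worth saying that this belongs in a `pre-push` hook that exits non-zero when the pipeline prints anything, rather than relying on the reader to remember to run it by hand.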