ZDDC-website/CLAUDE.md
Me Here dfdf7ab996
docs(CLAUDE.md): require a PII/secret scan before every push
2026-06-11 13:37:28 -05:00

See README.md.

## Publishing & privacy — run this check before EVERY push

This repo is public (mirrored to Codeberg) and rsynced to the live site on every push to main. A work email (…@<employer>) was once leaked here in example config; scrubbing the files was not enough, because it also lived in git history and tags and had to be erased with a history reset + force-push (and may already be cached by third parties). So the guard must run before the push, not after.

Before any git push, scan for personal/work emails and secrets. If anything prints, do NOT push — replace it with a placeholder first.

```sh
# Flags any email address that is not an approved example/contact address.
# -o prints each address on its own line, so a line that also holds an approved
# address cannot hide an unapproved one; the allow-list is anchored at the end so
# an address whose domain merely starts with example.com is not waved through.
# Empty output = clean. Any output = stop and fix.
git grep -InoE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' \
  | grep -viE '@example\.(com|org|io|net)$|caseywitt@proton\.me$'

# Also reject obvious secrets. The PEM header is its own pattern (-e) because a
# "-----BEGIN ... PRIVATE KEY-----" line is not followed by "=" or ":".
git grep -IniE -e 'BEGIN [A-Z ]*PRIVATE KEY' -e '(api[_-]?key|secret|token)[=:]' || true
```

Rules for anything committed to a public repo:

- No work or private email addresses. In examples use someone@example.com, *@example.com, generic personas (admin, alice, sam), and party names like Acme.
- No real personal names beyond the maintainer's chosen public identity.
- No secrets, keys, or tokens.
- The only real address allowed in published content is the maintainer's deliberate public contact, caseywitt@proton.me.

If a leak ever reaches a remote: fixing the working tree is insufficient — rewrite or reset history, delete affected tags/branches, force-push to every remote (origin and codeberg), and treat the leaked value as already exposed.
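As an added example (not code from this repo or its CLAUDE.md), the manual check above turned into a pre-push hook: it scans every commit in the range being pushed rather than only the working tree, so a value already buried in an unpushed commit is caught before it reaches a remote and needs the history rewrite described above. It assumes the approved addresses are exactly the ones CLAUDE.md lists; the hook path and the sample input in its test are constructed.

```shell
#!/bin/sh
# Added example, not ZDDC-website's own code: a pre-push hook that applies the
# CLAUDE.md email and secret checks to every commit about to be pushed and refuses
# the push on any hit. Install as .git/hooks/pre-push and chmod +x. Assumes the
# approved addresses are exactly the ones CLAUDE.md lists.
EMAIL_RE='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
# Anchored at the end so a domain that merely starts with example.com is not approved.
ALLOW_RE='@example\.(com|org|io|net)$|caseywitt@proton\.me$'
SECRET_RE='BEGIN [A-Z ]*PRIVATE KEY|(api[_-]?key|secret|token)[=:]'
ZERO=0000000000000000000000000000000000000000
# scan_text: read text on stdin, print every offending match, return 1 if any.
# -o extracts each address separately, so a line that mixes an approved and an
# unapproved address cannot hide the unapproved one.
scan_text() {
    input=$(cat)
    emails=$(printf '%s\n' "$input" | grep -oE "$EMAIL_RE" | grep -viE "$ALLOW_RE" || :)
    secrets=$(printf '%s\n' "$input" | grep -iE "$SECRET_RE" || :)
    [ -z "$emails$secrets" ] && return 0
    printf '%s\n%s\n' "$emails" "$secrets" | grep -v '^$'
    return 1
}
# scan_rev REV: run scan_text over every non-binary file in REV's tree
# (git grep -Il . lists them as REV:path); prints "REV:path: hit" per finding.
scan_rev() {
    rev=$1
    git grep -Il . "$rev" | cut -d: -f2- | while IFS= read -r path; do
        git show "$rev:$path" | scan_text | while IFS= read -r hit; do
            printf '%s:%s: %s\n' "$rev" "$path" "$hit"
        done
    done
}
# Hook entry point: git feeds "local_ref local_sha remote_ref remote_sha" per ref.
hook_main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    while read -r local_ref local_sha remote_ref remote_sha; do
        [ "$local_sha" = "$ZERO" ] && continue      # ref deletion: nothing new leaves
        if [ "$remote_sha" = "$ZERO" ]; then
            range="$local_sha --not --remotes"      # new branch: commits on no remote yet
        else
            range="$remote_sha..$local_sha"
        fi
        for rev in $(git rev-list $range); do scan_rev "$rev"; done >>"$tmp"
    done
    [ -s "$tmp" ] || exit 0
    { echo 'pre-push: refusing to push; replace these with placeholders first:'; cat "$tmp"; } >&2
    exit 1
}
case "$0" in *pre-push) hook_main ;; esac   # act only when installed as the hook
```

Because `git rev-list` enumerates every commit in the range, a value that was scrubbed from the tree but survives in an earlier commit still blocks the push.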