39 lines
1.7 KiB
Markdown
39 lines
1.7 KiB
Markdown
# CLAUDE.md
|
|
|
|
See [README.md](README.md).
|
|
|
|
## Publishing & privacy — run this check before EVERY push
|
|
|
|
This repo is public (mirrored to Codeberg) and rsynced to the live site on
|
|
every push to `main`. A work email (`…@<employer>`) was once leaked here in
|
|
example config; scrubbing the files was not enough, because it also lived in
|
|
git **history and tags** and had to be erased with a history reset + force-push
|
|
(and may already be cached by third parties). So the guard must run *before*
|
|
the push, not after.
|
|
|
|
**Before any `git push`, scan for personal/work emails and secrets. If anything
|
|
prints, do NOT push — replace it with a placeholder first.**
|
|
|
|
```sh
|
|
# Flags any email address that is not an approved example/contact address.
|
|
# Empty output = clean. Any output = stop and fix.
|
|
git grep -InE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' \
|
|
| grep -viE '@example\.(com|org|io|net)|caseywitt@proton\.me'
|
|
|
|
# Also reject obvious secrets:
|
|
git grep -InE '(BEGIN [A-Z ]*PRIVATE KEY|api[_-]?key|secret|token)[=:]' || true
|
|
```
|
|
|
|
Rules for anything committed to a public repo:
|
|
|
|
- **No work or private email addresses.** In examples use `someone@example.com`,
|
|
`*@example.com`, generic personas (`admin`, `alice`, `sam`), and party names
|
|
like `Acme`.
|
|
- **No real personal names** beyond the maintainer's chosen public identity.
|
|
- **No secrets, keys, or tokens.**
|
|
- The **only** real address allowed in published content is the maintainer's
|
|
deliberate public contact, `caseywitt@proton.me`.
|
|
|
|
If a leak ever reaches a remote: fixing the working tree is insufficient — rewrite
|
|
or reset history, delete affected tags/branches, force-push to every remote
|
|
(`origin` **and** `codeberg`), and treat the leaked value as already exposed.
|