# Baselines Directory Policy This directory is for **sanitized operator artifacts only**. ## What belongs here - markdown summaries of controller state - redacted JSON examples that have been intentionally scrubbed - operator notes that support future change windows ## What does not belong here - raw UniFi controller exports - full `networkconf` / `portconf` dumps captured straight from the API - VPN client/server config exports - any artifact containing keys, tokens, passwords, cookies, CSRF material, or embedded auth config ## Why this rule exists A raw UniFi baseline export committed during the 2026-05-22 network redesign documentation pass contained WireGuard private keys and triggered a real secret-leak incident. See: - `docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md` - `docs/operations/SECRETS_MANAGEMENT.md` ## Safe workflow 1. Capture raw exports outside the main repo or in the encrypted secrets repo. 2. Inspect them for secret-bearing fields. 3. Commit only a markdown summary or an explicitly redacted artifact. 4. Prefer human-readable summaries over raw appliance dumps. 5. Enable the repo guardrails in each clone: ```bash git config core.hooksPath .githooks chmod +x .githooks/pre-commit .githooks/pre-push scripts/scan-secret-bearing-artifacts.sh ``` 6. Before a risky push or cleanup branch, run the manual checks too: ```bash scripts/scan-secret-bearing-artifacts.sh --tracked scripts/scan-secret-bearing-artifacts.sh --git-range origin/main..HEAD ```