# Baselines Directory Policy This directory is for **sanitized operator artifacts only**. ## What belongs here - markdown summaries of controller state - redacted JSON examples that have been intentionally scrubbed - operator notes that support future change windows ## What does not belong here - raw UniFi controller exports - full `networkconf` / `portconf` dumps captured straight from the API - VPN client/server config exports - any artifact containing keys, tokens, passwords, cookies, CSRF material, or embedded auth config ## Why this rule exists A raw UniFi baseline export committed during the 2026-05-22 network redesign documentation pass contained WireGuard private keys and triggered a real secret-leak incident. See: - `docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md` - `docs/operations/SECRETS_MANAGEMENT.md` ## Safe workflow 1. Capture raw exports outside the main repo or in the encrypted secrets repo. 2. Inspect them for secret-bearing fields. 3. Commit only a markdown summary or an explicitly redacted artifact. 4. Prefer human-readable summaries over raw appliance dumps.