Files
Hermes Agent d62a391cbf
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled
Layer secret leak guardrails
2026-05-22 21:23:15 +00:00

42 lines
1.5 KiB
Markdown

# Baselines Directory Policy
This directory is for **sanitized operator artifacts only**.
## What belongs here
- markdown summaries of controller state
- redacted JSON examples that have been intentionally scrubbed
- operator notes that support future change windows
## What does not belong here
- raw UniFi controller exports
- full `networkconf` / `portconf` dumps captured straight from the API
- VPN client/server config exports
- any artifact containing keys, tokens, passwords, cookies, CSRF material, or embedded auth config
## Why this rule exists
A raw UniFi baseline export committed during the 2026-05-22 network redesign documentation pass contained WireGuard private keys and triggered a real secret-leak incident.
See:
- `docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md`
- `docs/operations/SECRETS_MANAGEMENT.md`
## Safe workflow
1. Capture raw exports outside the main repo or in the encrypted secrets repo.
2. Inspect them for secret-bearing fields.
3. Commit only a markdown summary or an explicitly redacted artifact.
4. Prefer human-readable summaries over raw appliance dumps.
5. Enable the repo guardrails in each clone:
```bash
git config core.hooksPath .githooks
chmod +x .githooks/pre-commit .githooks/pre-push scripts/scan-secret-bearing-artifacts.sh
```
6. Before a risky push or cleanup branch, run the manual checks too:
```bash
scripts/scan-secret-bearing-artifacts.sh --tracked
scripts/scan-secret-bearing-artifacts.sh --git-range origin/main..HEAD
```