37 lines
1.3 KiB
Markdown
37 lines
1.3 KiB
Markdown
# Baselines Directory Policy
|
|
|
|
This directory is for **sanitized operator artifacts only**.
|
|
|
|
## What belongs here
|
|
|
|
- markdown summaries of controller state
|
|
- redacted JSON examples that have been intentionally scrubbed
|
|
- operator notes that support future change windows
|
|
|
|
## What does not belong here
|
|
|
|
- raw UniFi controller exports
|
|
- full `networkconf` / `portconf` dumps captured straight from the API
|
|
- VPN client/server config exports
|
|
- any artifact containing keys, tokens, passwords, cookies, CSRF material, or embedded auth config
|
|
|
|
## Why this rule exists
|
|
|
|
A raw UniFi baseline export committed during the 2026-05-22 network redesign documentation pass contained WireGuard private keys and triggered a real secret-leak incident.
|
|
|
|
See:
|
|
- `docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md`
|
|
- `docs/operations/SECRETS_MANAGEMENT.md`
|
|
|
|
## Safe workflow
|
|
|
|
1. Capture raw exports outside the main repo or in the encrypted secrets repo.
|
|
2. Inspect them for secret-bearing fields.
|
|
3. Commit only a markdown summary or an explicitly redacted artifact.
|
|
4. Prefer human-readable summaries over raw appliance dumps.
|
|
5. Enable the repo guardrail in each clone:
|
|
```bash
|
|
git config core.hooksPath .githooks
|
|
chmod +x .githooks/pre-commit scripts/scan-secret-bearing-artifacts.sh
|
|
```
|