Baselines Directory Policy
This directory is for sanitized operator artifacts only.
What belongs here
- markdown summaries of controller state
- redacted JSON examples that have been intentionally scrubbed
- operator notes that support future change windows
What does not belong here
- raw UniFi controller exports
- full
networkconf/portconfdumps captured straight from the API - VPN client/server config exports
- any artifact containing keys, tokens, passwords, cookies, CSRF material, or embedded auth config
Why this rule exists
A raw UniFi baseline export committed during the 2026-05-22 network redesign documentation pass contained WireGuard private keys and triggered a real secret-leak incident.
See:
docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.mddocs/operations/SECRETS_MANAGEMENT.md
Safe workflow
- Capture raw exports outside the main repo or in the encrypted secrets repo.
- Inspect them for secret-bearing fields.
- Commit only a markdown summary or an explicitly redacted artifact.
- Prefer human-readable summaries over raw appliance dumps.
- Enable the repo guardrail in each clone:
git config core.hooksPath .githooks chmod +x .githooks/pre-commit scripts/scan-secret-bearing-artifacts.sh