Files
truenas-stacks/home/doris-dashboard/docs/baselines/README.md

1.1 KiB

Baselines Directory Policy

This directory is for sanitized operator artifacts only.

What belongs here

  • markdown summaries of controller state
  • redacted JSON examples that have been intentionally scrubbed
  • operator notes that support future change windows

What does not belong here

  • raw UniFi controller exports
  • full networkconf / portconf dumps captured straight from the API
  • VPN client/server config exports
  • any artifact containing keys, tokens, passwords, cookies, CSRF material, or embedded auth config

Why this rule exists

A raw UniFi baseline export committed during the 2026-05-22 network redesign documentation pass contained WireGuard private keys and triggered a real secret-leak incident.

See:

  • docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md
  • docs/operations/SECRETS_MANAGEMENT.md

Safe workflow

  1. Capture raw exports outside the main repo or in the encrypted secrets repo.
  2. Inspect them for secret-bearing fields.
  3. Commit only a markdown summary or an explicitly redacted artifact.
  4. Prefer human-readable summaries over raw appliance dumps.