Files
truenas-stacks/home/doris-dashboard/docs/baselines

Baselines Directory Policy

This directory is for sanitized operator artifacts only.

What belongs here

  • markdown summaries of controller state
  • redacted JSON examples that have been intentionally scrubbed
  • operator notes that support future change windows

What does not belong here

  • raw UniFi controller exports
  • full networkconf / portconf dumps captured straight from the API
  • VPN client/server config exports
  • any artifact containing keys, tokens, passwords, cookies, CSRF material, or embedded auth config

Why this rule exists

A raw UniFi baseline export committed during the 2026-05-22 network redesign documentation pass contained WireGuard private keys and triggered a real secret-leak incident.

See:

  • docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md
  • docs/operations/SECRETS_MANAGEMENT.md

Safe workflow

  1. Capture raw exports outside the main repo or in the encrypted secrets repo.
  2. Inspect them for secret-bearing fields.
  3. Commit only a markdown summary or an explicitly redacted artifact.
  4. Prefer human-readable summaries over raw appliance dumps.
  5. Enable the repo guardrails in each clone:
    git config core.hooksPath .githooks
    chmod +x .githooks/pre-commit .githooks/pre-push scripts/scan-secret-bearing-artifacts.sh
    
  6. Before a risky push or cleanup branch, run the manual checks too:
    scripts/scan-secret-bearing-artifacts.sh --tracked
    scripts/scan-secret-bearing-artifacts.sh --git-range origin/main..HEAD