security: create deployment exclusion list and safe deployment script

Critical Security Improvements: - Created .rsyncignore with comprehensive exclusion patterns - Prevents deployment of CLAUDE.md, .env.backup, session handoffs - Prevents deployment of internal docs and framework state - Created deploy-full-project-SAFE.sh with dry-run safety check Security Response Actions: - Deleted CLAUDE.md from production (contained port 27017, db names) - Deleted .env.backup from production (contained credentials) - Deleted 5+ session handoff documents from production - Deleted internal planning docs (PHASE-2-*, SECURITY_AUDIT_REPORT) Root Cause: Previous deployment used rsync without exclusion filters, syncing entire project directory including sensitive internal documentation. Prevention: - All future deployments must use .rsyncignore - deploy-full-project-SAFE.sh enforces dry-run before deployment - deploy-frontend.sh already safe (public/ only) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-09 15:47:20 +13:00 · 2025-10-09 15:47:20 +13:00 · 1058758496
commit 1058758496
parent f220ed9a94
2 changed files with 206 additions and 0 deletions
--- a/.rsyncignore
+++ b/.rsyncignore
@ -0,0 +1,106 @@
+# Tractatus Production Deployment - Exclusion List
+# Prevents sensitive internal files from being deployed to production
+
+# ============================================
+# CRITICAL: Internal Documentation
+# ============================================
+CLAUDE.md
+CLAUDE.md.backup
+CLAUDE_*.md
+*_Tractatus_Maintenance_Guide.md
+SESSION_CLOSEDOWN_*.md
+SESSION-HANDOFF-*.md
+NEXT_SESSION.md
+ClaudeWeb*.md
+Tractatus-Website-Complete-Specification-*.md
+DEPLOYMENT-*.md
+
+# ============================================
+# CRITICAL: Session State & Framework
+# ============================================
+.claude/
+.claude/**
+
+# ============================================
+# CRITICAL: Credentials & Secrets
+# ============================================
+.env
+.env.*
+!.env.example
+*.key
+*.pem
+*.p12
+*.pfx
+secrets/
+credentials/
+
+# ============================================
+# CRITICAL: Internal Documentation Directories
+# ============================================
+docs/session-handoff-*.md
+docs/SECURITY_AUDIT_REPORT.md
+docs/FRAMEWORK_FAILURE_*.md
+docs/PHASE-2-*.md
+docs/IMPLEMENTATION_PROGRESS_*.md
+docs/DOCUMENT_SECURITY_GOVERNANCE.md
+
+# ============================================
+# Development Files
+# ============================================
+node_modules/
+.git/
+.gitignore
+package-lock.json
+*.log
+logs/
+npm-debug.log*
+.DS_Store
+Thumbs.db
+
+# ============================================
+# Database & Backups
+# ============================================
+data/
+dump/
+backups/
+*.sql
+*.sql.gz
+*.dump
+
+# ============================================
+# Build & Test
+# ============================================
+coverage/
+.nyc_output/
+dist/
+build/
+tmp/
+temp/
+*.tmp
+
+# ============================================
+# IDE & Editor
+# ============================================
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# ============================================
+# SSH Keys (extra safety)
+# ============================================
+*.ssh/
+id_rsa*
+id_ed25519*
+
+# ============================================
+# Local Scripts (deployment from local only)
+# ============================================
+scripts/deploy-*.sh
+scripts/validate-public-sync.js
+scripts/session-init.js
+scripts/check-session-pressure.js
+scripts/pre-action-check.js
+scripts/recover-framework.js
+scripts/framework-watchdog.js
--- a/scripts/deploy-full-project-SAFE.sh
+++ b/scripts/deploy-full-project-SAFE.sh
@ -0,0 +1,100 @@
+#!/bin/bash
+
+##
+## SAFE Full Project Deployment Script
+## Uses .rsyncignore to exclude sensitive files
+##
+## WARNING: Only use this for initial deployment or major updates
+## For regular deployments, use deploy-frontend.sh instead
+##
+
+set -e
+
+# Colors
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+DEPLOY_KEY="/home/theflow/.ssh/tractatus_deploy"
+REMOTE_USER="ubuntu"
+REMOTE_HOST="vps-93a693da.vps.ovh.net"
+REMOTE_PATH="/var/www/tractatus"
+PROJECT_ROOT="/home/theflow/projects/tractatus"
+
+echo -e "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+echo -e "${YELLOW}   TRACTATUS FULL PROJECT DEPLOYMENT (SAFE MODE)${NC}"
+echo -e "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+echo ""
+
+# Check if .rsyncignore exists
+if [ ! -f "$PROJECT_ROOT/.rsyncignore" ]; then
+  echo -e "${RED}ERROR: .rsyncignore not found!${NC}"
+  echo "This file is required to prevent sensitive data deployment."
+  echo "Expected location: $PROJECT_ROOT/.rsyncignore"
+  exit 1
+fi
+
+# Show excluded patterns
+echo -e "${GREEN}Security Check: .rsyncignore loaded${NC}"
+echo "Excluded patterns:"
+head -20 "$PROJECT_ROOT/.rsyncignore" | grep -v "^#" | grep -v "^$" | sed 's/^/  - /'
+echo "  ... (see .rsyncignore for full list)"
+echo ""
+
+# Confirm deployment
+echo -e "${YELLOW}WARNING: This will sync the ENTIRE project directory${NC}"
+echo "Source: $PROJECT_ROOT"
+echo "Destination: $REMOTE_USER@$REMOTE_HOST:$REMOTE_PATH"
+echo ""
+read -p "Continue? (yes/NO): " confirm
+
+if [ "$confirm" != "yes" ]; then
+  echo "Deployment cancelled."
+  exit 0
+fi
+
+echo ""
+echo -e "${GREEN}Starting deployment...${NC}"
+echo ""
+
+# Dry run first
+echo -e "${YELLOW}[1/2] Running dry-run to preview changes...${NC}"
+rsync -avzn --delete \
+  -e "ssh -i $DEPLOY_KEY" \
+  --exclude-from="$PROJECT_ROOT/.rsyncignore" \
+  "$PROJECT_ROOT/" \
+  "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_PATH}/" \
+  | tail -20
+
+echo ""
+read -p "Dry-run complete. Proceed with actual deployment? (yes/NO): " confirm2
+
+if [ "$confirm2" != "yes" ]; then
+  echo "Deployment cancelled after dry-run."
+  exit 0
+fi
+
+# Actual deployment
+echo ""
+echo -e "${YELLOW}[2/2] Deploying to production...${NC}"
+rsync -avz --delete \
+  -e "ssh -i $DEPLOY_KEY" \
+  --exclude-from="$PROJECT_ROOT/.rsyncignore" \
+  "$PROJECT_ROOT/" \
+  "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_PATH}/"
+
+echo ""
+echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+echo -e "${GREEN}   DEPLOYMENT COMPLETE${NC}"
+echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+echo ""
+echo "Next steps:"
+echo "1. Verify sensitive files NOT deployed:"
+echo "   ssh -i $DEPLOY_KEY $REMOTE_USER@$REMOTE_HOST 'ls -la /var/www/tractatus/CLAUDE.md 2>/dev/null || echo NOT FOUND (good)'"
+echo ""
+echo "2. Restart server if needed:"
+echo "   ssh -i $DEPLOY_KEY $REMOTE_USER@$REMOTE_HOST 'sudo systemctl restart tractatus'"
+echo ""
+echo "3. Test site: https://agenticgovernance.digital"
+echo ""