From 10587584966a4e12f889bb845a32492e4a147571 Mon Sep 17 00:00:00 2001
From: TheFlow
Date: Thu, 9 Oct 2025 15:47:20 +1300
Subject: [PATCH] security: create deployment exclusion list and safe deployment script
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Critical Security Improvements:
- Created .rsyncignore with comprehensive exclusion patterns
- Prevents deployment of CLAUDE.md, .env.backup, session handoffs
- Prevents deployment of internal docs and framework state
- Created deploy-full-project-SAFE.sh with dry-run safety check

Security Response Actions:
- Deleted CLAUDE.md from production (contained port 27017, db names)
- Deleted .env.backup from production (contained credentials)
- Deleted 5+ session handoff documents from production
- Deleted internal planning docs (PHASE-2-*, SECURITY_AUDIT_REPORT)

Root Cause: Previous deployment used rsync without exclusion filters, syncing entire project directory including sensitive internal documentation.

Prevention:
- All future deployments must use .rsyncignore
- deploy-full-project-SAFE.sh enforces dry-run before deployment
- deploy-frontend.sh already safe (public/ only)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 .rsyncignore | 106 ++++++++++++++++++++++++++++
 scripts/deploy-full-project-SAFE.sh | 100 ++++++++++++++++++++++++++
 2 files changed, 206 insertions(+)
 create mode 100644 .rsyncignore
 create mode 100755 scripts/deploy-full-project-SAFE.sh

diff --git a/.rsyncignore b/.rsyncignore
new file mode 100644
index 00000000..5af7ece7
--- /dev/null
+++ b/.rsyncignore
@@ -0,0 +1,106 @@
+# Tractatus Production Deployment - Exclusion List
+# Prevents sensitive internal files from being deployed to production
+
+# ============================================
+# CRITICAL: Internal Documentation
+# ============================================
+CLAUDE.md
+CLAUDE.md.backup
+CLAUDE_*.md
+*_Tractatus_Maintenance_Guide.md
+SESSION_CLOSEDOWN_*.md
+SESSION-HANDOFF-*.md
+NEXT_SESSION.md
+ClaudeWeb*.md
+Tractatus-Website-Complete-Specification-*.md
+DEPLOYMENT-*.md
+
+# ============================================
+# CRITICAL: Session State & Framework
+# ============================================
+.claude/
+.claude/**
+
+# ============================================
+# CRITICAL: Credentials & Secrets
+# ============================================
+.env
+.env.*
+!.env.example
+*.key
+*.pem
+*.p12
+*.pfx
+secrets/
+credentials/
+
+# ============================================
+# CRITICAL: Internal Documentation Directories
+# ============================================
+docs/session-handoff-*.md
+docs/SECURITY_AUDIT_REPORT.md
+docs/FRAMEWORK_FAILURE_*.md
+docs/PHASE-2-*.md
+docs/IMPLEMENTATION_PROGRESS_*.md
+docs/DOCUMENT_SECURITY_GOVERNANCE.md
+
+# ============================================
+# Development Files
+# ============================================
+node_modules/
+.git/
+.gitignore
+package-lock.json
+*.log
+logs/
+npm-debug.log*
+.DS_Store
+Thumbs.db
+
+# ============================================
+# Database & Backups
+# ============================================
+data/
+dump/
+backups/
+*.sql
+*.sql.gz
+*.dump
+
+# ============================================
+# Build & Test
+# ============================================
+coverage/
+.nyc_output/
+dist/
+build/
+tmp/
+temp/
+*.tmp
+
+# ============================================
+# IDE & Editor
+# ============================================
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# ============================================
+# SSH Keys (extra safety)
+# ============================================
+*.ssh/
+id_rsa*
+id_ed25519*
+
+# ============================================
+# Local Scripts (deployment from local only)
+# ============================================
+scripts/deploy-*.sh
+scripts/validate-public-sync.js
+scripts/session-init.js
+scripts/check-session-pressure.js
+scripts/pre-action-check.js
+scripts/recover-framework.js
+scripts/framework-watchdog.js
diff --git a/scripts/deploy-full-project-SAFE.sh b/scripts/deploy-full-project-SAFE.sh
new file mode 100755
index 00000000..71fb194e
--- /dev/null
+++ b/scripts/deploy-full-project-SAFE.sh
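Review bot: `!.env.example` in the Credentials section is gitignore syntax, not rsync syntax: a file given to `--exclude-from` is parsed as rsync filter rules, where a bare `!` clears the rule list and, as far as I can tell, `!` followed by text is taken as a literal pattern or rejected rather than as a re-include, so `.env.example` stays excluded by `.env.*` (harmless for production, but the line does not do what it says). If that file is meant to be deployed, use the form rsync does honour in exclude files, `+ .env.example`, and place it before `.env.*` because rules are first-match; otherwise drop the line and add `# rsync filter syntax, not gitignore: '!' is not a negation` at the top so the next editor does not repeat the mistake. Since this is a denylist, any file not matched here still ships, so a one-line comment that the list has to be extended whenever a new internal document naming scheme appears would help.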
@@ -0,0 +1,100 @@
+#!/bin/bash
+
+##
+## SAFE Full Project Deployment Script
+## Uses .rsyncignore to exclude sensitive files
+##
+## WARNING: Only use this for initial deployment or major updates
+## For regular deployments, use deploy-frontend.sh instead
+##
+
+set -e
+
+# Colors
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+DEPLOY_KEY="/home/theflow/.ssh/tractatus_deploy"
+REMOTE_USER="ubuntu"
+REMOTE_HOST="vps-93a693da.vps.ovh.net"
+REMOTE_PATH="/var/www/tractatus"
+PROJECT_ROOT="/home/theflow/projects/tractatus"
+
+echo -e "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+echo -e "${YELLOW} TRACTATUS FULL PROJECT DEPLOYMENT (SAFE MODE)${NC}"
+echo -e "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+echo ""
+
+# Check if .rsyncignore exists
+if [ ! -f "$PROJECT_ROOT/.rsyncignore" ]; then
+ echo -e "${RED}ERROR: .rsyncignore not found!${NC}"
+ echo "This file is required to prevent sensitive data deployment."
+ echo "Expected location: $PROJECT_ROOT/.rsyncignore"
+ exit 1
+fi
+
+# Show excluded patterns
+echo -e "${GREEN}Security Check: .rsyncignore loaded${NC}"
+echo "Excluded patterns:"
+head -20 "$PROJECT_ROOT/.rsyncignore" | grep -v "^#" | grep -v "^$" | sed 's/^/ - /'
+echo " ... (see .rsyncignore for full list)"
+echo ""
+
+# Confirm deployment
+echo -e "${YELLOW}WARNING: This will sync the ENTIRE project directory${NC}"
+echo "Source: $PROJECT_ROOT"
+echo "Destination: $REMOTE_USER@$REMOTE_HOST:$REMOTE_PATH"
+echo ""
+read -p "Continue? (yes/NO): " confirm
+
+if [ "$confirm" != "yes" ]; then
+ echo "Deployment cancelled."
+ exit 0
+fi
+
+echo ""
+echo -e "${GREEN}Starting deployment...${NC}"
+echo ""
+
+# Dry run first
+echo -e "${YELLOW}[1/2] Running dry-run to preview changes...${NC}"
+rsync -avzn --delete \
+ -e "ssh -i $DEPLOY_KEY" \
+ --exclude-from="$PROJECT_ROOT/.rsyncignore" \
+ "$PROJECT_ROOT/" \
+ "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_PATH}/" \
+ | tail -20
+
+echo ""
+read -p "Dry-run complete. Proceed with actual deployment? (yes/NO): " confirm2
+
+if [ "$confirm2" != "yes" ]; then
+ echo "Deployment cancelled after dry-run."
+ exit 0
+fi
+
+# Actual deployment
+echo ""
+echo -e "${YELLOW}[2/2] Deploying to production...${NC}"
+rsync -avz --delete \
+ -e "ssh -i $DEPLOY_KEY" \
+ --exclude-from="$PROJECT_ROOT/.rsyncignore" \
+ "$PROJECT_ROOT/" \
+ "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_PATH}/"
+
+echo ""
+echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+echo -e "${GREEN} DEPLOYMENT COMPLETE${NC}"
+echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+echo ""
+echo "Next steps:"
+echo "1. Verify sensitive files NOT deployed:"
+echo " ssh -i $DEPLOY_KEY $REMOTE_USER@$REMOTE_HOST 'ls -la /var/www/tractatus/CLAUDE.md 2>/dev/null || echo NOT FOUND (good)'"
+echo ""
+echo "2. Restart server if needed:"
+echo " ssh -i $DEPLOY_KEY $REMOTE_USER@$REMOTE_HOST 'sudo systemctl restart tractatus'"
+echo ""
+echo "3. Test site: https://agenticgovernance.digital"
+echo ""
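Review bot: The "[1/2]" dry-run, `rsync -avzn ... | tail -20`, cannot stop the script: the file only sets `set -e`, so a non-zero rsync exit (bad key, unreachable host) is masked by `tail` and the operator is still asked to proceed, and showing only the last 20 lines means the preview does not actually reveal whether an excluded file is about to be transferred. Change the first option line to `set -euo pipefail`, write the full dry-run listing to a temp file, and grep it for the names the exclusion list exists to stop before offering the real run, so the safety check fails closed instead of depending on someone reading a tail. Note also that `--delete` leaves files on the remote that are now excluded (rsync protects excluded paths unless `--delete-excluded` is given), so the manual `ls` in the next-steps text is the only thing covering copies deployed earlier; the header comment should say so. Both `read -p` calls should be `read -r -p` so a backslash in the reply is not interpreted.
```shell
set -euo pipefail

# … unchanged: colours, connection variables, .rsyncignore check, first confirmation …

# Dry run first: keep the whole listing so it can be checked, and let a failed
# rsync (bad key, unreachable host) abort here instead of being hidden by tail.
echo -e "${YELLOW}[1/2] Running dry-run to preview changes...${NC}"
dry_run_log=$(mktemp) || exit 1
trap 'rm -f -- "$dry_run_log"' EXIT
rsync -avzn --delete \
  -e "ssh -i $DEPLOY_KEY" \
  --exclude-from="$PROJECT_ROOT/.rsyncignore" \
  "$PROJECT_ROOT/" \
  "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_PATH}/" > "$dry_run_log"
tail -20 "$dry_run_log"

# Fail closed: none of the paths the exclusion list exists to stop may appear
# in what rsync would transfer.
if grep -E -e '^CLAUDE\.md' -e '^\.env' -e '^\.claude/' -- "$dry_run_log"; then
  echo -e "${RED}ERROR: dry-run would transfer excluded paths (listed above); aborting.${NC}"
  exit 1
fi

echo ""
read -r -p "Dry-run complete. Proceed with actual deployment? (yes/NO): " confirm2

# … unchanged: second confirmation, real rsync, completion banner and next steps …
```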