john/tractatus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

security: create deployment exclusion list and safe deployment script

Browse source 
Critical Security Improvements:
- Created .rsyncignore with comprehensive exclusion patterns
- Prevents deployment of CLAUDE.md, .env.backup, session handoffs
- Prevents deployment of internal docs and framework state
- Created deploy-full-project-SAFE.sh with dry-run safety check

Security Response Actions:
- Deleted CLAUDE.md from production (contained port 27017, db names)
- Deleted .env.backup from production (contained credentials)
- Deleted 5+ session handoff documents from production
- Deleted internal planning docs (PHASE-2-*, SECURITY_AUDIT_REPORT)

Root Cause:
Previous deployment used rsync without exclusion filters, syncing
entire project directory including sensitive internal documentation.

Prevention:
- All future deployments must use .rsyncignore
- deploy-full-project-SAFE.sh enforces dry-run before deployment
- deploy-frontend.sh already safe (public/ only)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
TheFlow 2025-10-09 15:47:20 +13:00
parent f220ed9a94
commit 1058758496
2 changed files with 206 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

106
.rsyncignore Normal file
View file

@ -0,0 +1,106 @@
# Tractatus Production Deployment - Exclusion List
# Prevents sensitive internal files from being deployed to production
# ============================================
# CRITICAL: Internal Documentation
# ============================================
CLAUDE.md
CLAUDE.md.backup
CLAUDE_*.md
*_Tractatus_Maintenance_Guide.md
SESSION_CLOSEDOWN_*.md
SESSION-HANDOFF-*.md
NEXT_SESSION.md
ClaudeWeb*.md
Tractatus-Website-Complete-Specification-*.md
DEPLOYMENT-*.md
# ============================================
# CRITICAL: Session State & Framework
# ============================================
.claude/
.claude/**
# ============================================
# CRITICAL: Credentials & Secrets
# ============================================
.env
.env.*
!.env.example
*.key
*.pem
*.p12
*.pfx
secrets/
credentials/
# ============================================
# CRITICAL: Internal Documentation Directories
# ============================================
docs/session-handoff-*.md
docs/SECURITY_AUDIT_REPORT.md
docs/FRAMEWORK_FAILURE_*.md
docs/PHASE-2-*.md
docs/IMPLEMENTATION_PROGRESS_*.md
docs/DOCUMENT_SECURITY_GOVERNANCE.md
# ============================================
# Development Files
# ============================================
node_modules/
.git/
.gitignore
package-lock.json
*.log
logs/
npm-debug.log*
.DS_Store
Thumbs.db
# ============================================
# Database & Backups
# ============================================
data/
dump/
backups/
*.sql
*.sql.gz
*.dump
# ============================================
# Build & Test
# ============================================
coverage/
.nyc_output/
dist/
build/
tmp/
temp/
*.tmp
# ============================================
# IDE & Editor
# ============================================
.vscode/
.idea/
*.swp
*.swo
*~
# ============================================
# SSH Keys (extra safety)
# ============================================
*.ssh/
id_rsa*
id_ed25519*
# ============================================
# Local Scripts (deployment from local only)
# ============================================
scripts/deploy-*.sh
scripts/validate-public-sync.js
scripts/session-init.js
scripts/check-session-pressure.js
scripts/pre-action-check.js
scripts/recover-framework.js
scripts/framework-watchdog.js

100
scripts/deploy-full-project-SAFE.sh Executable file
View file

@ -0,0 +1,100 @@
#!/bin/bash
##
## SAFE Full Project Deployment Script
## Uses .rsyncignore to exclude sensitive files
##
## WARNING: Only use this for initial deployment or major updates
## For regular deployments, use deploy-frontend.sh instead
##
set -e
# Colors
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m'
DEPLOY_KEY="/home/theflow/.ssh/tractatus_deploy"
REMOTE_USER="ubuntu"
REMOTE_HOST="vps-93a693da.vps.ovh.net"
REMOTE_PATH="/var/www/tractatus"
PROJECT_ROOT="/home/theflow/projects/tractatus"
echo -e "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${YELLOW} TRACTATUS FULL PROJECT DEPLOYMENT (SAFE MODE)${NC}"
echo -e "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
# Check if .rsyncignore exists
if [ ! -f "$PROJECT_ROOT/.rsyncignore" ]; then
echo -e "${RED}ERROR: .rsyncignore not found!${NC}"
echo "This file is required to prevent sensitive data deployment."
echo "Expected location: $PROJECT_ROOT/.rsyncignore"
exit 1
fi
# Show excluded patterns
echo -e "${GREEN}Security Check: .rsyncignore loaded${NC}"
echo "Excluded patterns:"
head -20 "$PROJECT_ROOT/.rsyncignore" | grep -v "^#" | grep -v "^$" | sed 's/^/ - /'
echo " ... (see .rsyncignore for full list)"
echo ""
# Confirm deployment
echo -e "${YELLOW}WARNING: This will sync the ENTIRE project directory${NC}"
echo "Source: $PROJECT_ROOT"
echo "Destination: $REMOTE_USER@$REMOTE_HOST:$REMOTE_PATH"
echo ""
read -p "Continue? (yes/NO): " confirm
if [ "$confirm" != "yes" ]; then
echo "Deployment cancelled."
exit 0
fi
echo ""
echo -e "${GREEN}Starting deployment...${NC}"
echo ""
# Dry run first
echo -e "${YELLOW}[1/2] Running dry-run to preview changes...${NC}"
rsync -avzn --delete \
-e "ssh -i $DEPLOY_KEY" \
--exclude-from="$PROJECT_ROOT/.rsyncignore" \
"$PROJECT_ROOT/" \
"${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_PATH}/" \
| tail -20
echo ""
read -p "Dry-run complete. Proceed with actual deployment? (yes/NO): " confirm2
if [ "$confirm2" != "yes" ]; then
echo "Deployment cancelled after dry-run."
exit 0
fi
# Actual deployment
echo ""
echo -e "${YELLOW}[2/2] Deploying to production...${NC}"
rsync -avz --delete \
-e "ssh -i $DEPLOY_KEY" \
--exclude-from="$PROJECT_ROOT/.rsyncignore" \
"$PROJECT_ROOT/" \
"${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_PATH}/"
echo ""
echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${GREEN} DEPLOYMENT COMPLETE${NC}"
echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
echo "Next steps:"
echo "1. Verify sensitive files NOT deployed:"
echo " ssh -i $DEPLOY_KEY $REMOTE_USER@$REMOTE_HOST 'ls -la /var/www/tractatus/CLAUDE.md 2>/dev/null || echo NOT FOUND (good)'"
echo ""
echo "2. Restart server if needed:"
echo " ssh -i $DEPLOY_KEY $REMOTE_USER@$REMOTE_HOST 'sudo systemctl restart tractatus'"
echo ""
echo "3. Test site: https://agenticgovernance.digital"
echo ""