Commit graph

3 commits

Author SHA1 Message Date
TheFlow
b5077c0808 docs: Rewrite incident report with proportionate framing
Replaces the original incident report (deleted by revert) with a
corrected version that acknowledges the disproportionate rm -rf
response, documents the surgical fix applied, and records the
separate category misclassification issue that was also resolved.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 07:47:53 +13:00

TheFlow
9a6122b8a5 Revert "fix(deploy): Exclude entire docs/ from production deployment"
This reverts commit c416d18ff7.
2026-02-11 22:44:07 +13:00

TheFlow
c416d18ff7 fix(deploy): Exclude entire docs/ from production deployment
356 internal files (19MB) were on the production server filesystem
at /var/www/tractatus/docs/ for ~128 days. Includes credential
rotation procedures, VPS access references, Stripe financial
details, and security audit reports. Files were NOT HTTP-accessible
(Express serves only public/) but were world-readable on disk.

Root cause: .rsyncignore used a denylist of specific file patterns
rather than excluding the directory entirely. The denylist was
incomplete and failed silently as new files were added.

Fix: exclude docs/ and docs/** entirely. No production code reads
from this directory. Verified by rsync dry-run and app health check.

See: docs/SECURITY_INCIDENT_REPORT_2026-02-11.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 21:42:02 +13:00
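The failure mode and fix described in c416d18ff7, reproduced as an added example (this is not the project's deploy script or its .rsyncignore). It builds a throwaway checkout with a public/ tree and a docs/ tree, writes the pre-fix exclude file (a denylist of named docs/ patterns; the specific patterns and file names here are constructed) beside the fixed one (docs/ and docs/** excluded wholesale), lists what an rsync dry run would ship under each, then deploys for real with the old denylist and audits the deployed tree for world-readable files under docs/. It assumes the deploy step feeds .rsyncignore to rsync via --exclude-from and that rsync is installed.

```shell
#!/bin/sh
# Added example: denylist-style .rsyncignore vs. whole-directory exclusion,
# checked with an rsync dry run, plus a post-deploy audit for world-readable
# files under docs/. All paths, file names and patterns are constructed.
set -eu

# Throwaway copy of a checkout: public/ is what Express serves, docs/ is
# internal material that must never reach the server. umask 022 makes the
# files world-readable on disk, as in the incident.
make_tree() {
  umask 022
  root=$(mktemp -d)
  mkdir -p "$root/src/public" "$root/src/docs" "$root/dst"
  echo '<h1>hi</h1>' > "$root/src/public/index.html"
  echo 'app.use(express.static("public"))' > "$root/src/server.js"
  echo 'rotate every 90 days' > "$root/src/docs/CREDENTIAL_ROTATION.md"
  # Added after the denylist was written: no pattern covers it.
  echo 'see SSH_KEYS' > "$root/src/docs/VPS_ACCESS.md"
  echo "$root"
}

# Pre-fix .rsyncignore (assumed shape): named files under docs/ only.
write_denylist() {
  printf '%s\n' 'docs/SECURITY_*.md' 'docs/CREDENTIAL_*.md' > "$1"
}

# Fixed .rsyncignore: the directory itself, so rsync never descends into it.
write_dir_exclude() {
  printf '%s\n' 'docs/' 'docs/**' > "$1"
}

# Names of the files rsync would ship under an exclude file (dry run, files
# only, sorted, space-separated). $1 = tree root, $2 = exclude file.
shipped_files() {
  rsync -an --out-format='%n' --exclude-from="$2" "$1/src/" "$1/dst/" \
    | grep -v '/$' | sort | paste -sd ' ' -
}

# Post-deploy audit: count files under <deployed root>/docs that are readable
# by "other" (mode bit 004). Anything above 0 is a finding.
world_readable_docs() {
  [ -d "$1/docs" ] || { echo 0; return; }
  find "$1/docs" -type f -perm -004 | wc -l | tr -d ' '
}

# Runs both configurations and prints:
#   "<shipped under denylist> | <shipped under fix> | <world-readable docs files>"
run_demo() {
  command -v rsync >/dev/null 2>&1 || { echo "rsync not installed"; return 0; }
  root=$(make_tree)
  write_denylist "$root/denylist.rsyncignore"
  write_dir_exclude "$root/fixed.rsyncignore"
  before=$(shipped_files "$root" "$root/denylist.rsyncignore")
  after=$(shipped_files "$root" "$root/fixed.rsyncignore")
  # Deploy for real with the old denylist, then audit what landed on "disk".
  rsync -aq --exclude-from="$root/denylist.rsyncignore" "$root/src/" "$root/dst/"
  leaked=$(world_readable_docs "$root/dst")
  rm -rf "$root"   # only the temp tree created above
  echo "$before | $after | $leaked"
}

run_demo
```

Under the denylist the dry run still lists docs/VPS_ACCESS.md, because a pattern list only covers the files someone remembered to name; under the directory exclusion nothing below docs/ appears at all. The audit function is the check worth keeping in a deploy pipeline: run it against the live document root after every sync and fail the deploy on a non-zero count.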