tractatus

john/tractatus

Fork 0

Commit graph

Author	SHA1	Message	Date
TheFlow	2298d36bed	fix(submissions): restructure Economist package and fix article display - Create Economist SubmissionTracking package correctly: * mainArticle = full blog post content * coverLetter = 216-word SIR— letter * Links to blog post via blogPostId - Archive 'Letter to The Economist' from blog posts (it's the cover letter) - Fix date display on article cards (use published_at) - Target publication already displaying via blue badge Database changes: - Make blogPostId optional in SubmissionTracking model - Economist package ID: 68fa85ae49d4900e7f2ecd83 - Le Monde package ID: 68fa2abd2e6acd5691932150 Next: Enhanced modal with tabs, validation, export 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-24 08:47:42 +13:00
TheFlow	6312f8e580	refactor(public): remove 6 internal project files from public repository Removed files: - SECURITY_INCIDENT_HUMAN_ACTIONS_REQUIRED.md (internal security doc) - .claude/instruction-history.json (project-specific governance rules) - scripts/add-security-rules-2025-10-21.js (dated, project-specific) - scripts/apply-governance-audit-2025-10-21.js (dated, project-specific) - docs/governance/GOVERNANCE_LEARNINGS_2025-10-21.md (internal learnings) - docs/governance/GOVERNANCE_RULES_AUDIT_2025-10-21.md (internal audit) These are internal to the tractatus project, not framework resources. Public repo should contain only framework implementation code and docs. Updated .gitignore to prevent future commits of similar files.	2025-10-22 17:08:23 +13:00
TheFlow	af58ce01b6	fix(security): comprehensive security incident response for API key exposure INCIDENT SUMMARY: - Date: 2025-10-21 - Severity: CRITICAL → MEDIUM (credential revoked before exploitation) - Exposed: Anthropic API key (ID 5043627, name: family-history-ocr) - Location: docs/STRIPE_LIVE_MODE_DEPLOYMENT.md (commit 31345d5c) - Detection: GitHub secret scanning (automatic) - Revocation: Anthropic (automatic, within hours) - Financial Impact: $0 (no unauthorized usage) ROOT CAUSE - 5 FAILURE POINTS: 1. No credential redaction in documentation (PREVENTION) 2. Framework fade - BoundaryEnforcer not used (ENFORCEMENT) 3. No pre-commit secret detection (DETECTION) 4. No credential audit in pre-deployment checklist (MITIGATION) 5. Single-layer security model, not defense-in-depth (ARCHITECTURAL) NEW GOVERNANCE RULES: - inst_069: Credential Handling in Documentation (SYSTEM, HIGH, PERMANENT) - Requires ALL credentials redacted with example-only values - Patterns: sk-ant-api03-EXAMPLE-REDACTED, sk_live_EXAMPLE_REDACTED - Mandatory secret detection scan before commits - inst_070: Pre-Commit Secret Detection (SYSTEM, HIGH, PERMANENT) - Requires gitleaks or detect-secrets as pre-commit hook - BLOCKS commits containing secrets - False positives require user approval + documentation - inst_071: Enhanced Pre-Deployment Checklist (OPERATIONAL, HIGH, PERMANENT) - Replaces inst_054 with 8 steps including secret detection - Step 2: gitleaks detect --source . - Step 3: Credential audit (grep for sk-, pk-, secret, password) - Step 8: Public repository content review - inst_072: Assume Breach - Defense in Depth (STRATEGIC, HIGH, PERMANENT) - Layer 1 - Prevention: Never commit credentials - Layer 2 - Mitigation: Redact credentials in docs - Layer 3 - Detection: Pre-commit secret scanning (automated) - Layer 4 - Backstop: GitHub secret scanning - Layer 5 - Recovery: Credential rotation procedures DOCUMENTATION: - SECURITY_INCIDENT_POST_MORTEM_2025-10-21.md (comprehensive analysis) - SECURITY_INCIDENT_HUMAN_ACTIONS_REQUIRED.md (15-step action plan) - scripts/install-gitleaks-hook.sh (automated installation) - scripts/add-security-rules-2025-10-21.js (rules migration) ADDITIONAL FINDINGS: Comprehensive credential scan revealed additional exposed credentials in internal repository (not public): - Same Anthropic key in .env file - Same key in internal docs/STRIPE_LIVE_MODE_DEPLOYMENT.md - Stripe test keys in .env - JWT production secret in .env HUMAN ACTIONS REQUIRED: 1. Rotate Anthropic API key (CRITICAL) 2. Rotate JWT secret (CRITICAL) 3. Remove credentials from internal repository files 4. Install gitleaks pre-commit hook 5. Decide on git history cleanup (Option A/B/C) VERSION UPDATE: - instruction-history.json: 3.6 → 3.7 - Total rules: 68 → 72 - Active rules: 56 → 59 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-22 00:31:30 +13:00

Author

SHA1

Message

Date

TheFlow

2298d36bed

fix(submissions): restructure Economist package and fix article display

- Create Economist SubmissionTracking package correctly:
  * mainArticle = full blog post content
  * coverLetter = 216-word SIR— letter
  * Links to blog post via blogPostId
- Archive 'Letter to The Economist' from blog posts (it's the cover letter)
- Fix date display on article cards (use published_at)
- Target publication already displaying via blue badge

Database changes:
- Make blogPostId optional in SubmissionTracking model
- Economist package ID: 68fa85ae49d4900e7f2ecd83
- Le Monde package ID: 68fa2abd2e6acd5691932150

Next: Enhanced modal with tabs, validation, export

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-10-24 08:47:42 +13:00

TheFlow

6312f8e580

refactor(public): remove 6 internal project files from public repository

Removed files:
- SECURITY_INCIDENT_HUMAN_ACTIONS_REQUIRED.md (internal security doc)
- .claude/instruction-history.json (project-specific governance rules)
- scripts/add-security-rules-2025-10-21.js (dated, project-specific)
- scripts/apply-governance-audit-2025-10-21.js (dated, project-specific)
- docs/governance/GOVERNANCE_LEARNINGS_2025-10-21.md (internal learnings)
- docs/governance/GOVERNANCE_RULES_AUDIT_2025-10-21.md (internal audit)

These are internal to the tractatus project, not framework resources.
Public repo should contain only framework implementation code and docs.

Updated .gitignore to prevent future commits of similar files.

2025-10-22 17:08:23 +13:00

TheFlow

af58ce01b6

fix(security): comprehensive security incident response for API key exposure

INCIDENT SUMMARY:
- Date: 2025-10-21
- Severity: CRITICAL → MEDIUM (credential revoked before exploitation)
- Exposed: Anthropic API key (ID 5043627, name: family-history-ocr)
- Location: docs/STRIPE_LIVE_MODE_DEPLOYMENT.md (commit 31345d5c)
- Detection: GitHub secret scanning (automatic)
- Revocation: Anthropic (automatic, within hours)
- Financial Impact: $0 (no unauthorized usage)

ROOT CAUSE - 5 FAILURE POINTS:
1. No credential redaction in documentation (PREVENTION)
2. Framework fade - BoundaryEnforcer not used (ENFORCEMENT)
3. No pre-commit secret detection (DETECTION)
4. No credential audit in pre-deployment checklist (MITIGATION)
5. Single-layer security model, not defense-in-depth (ARCHITECTURAL)

NEW GOVERNANCE RULES:
- inst_069: Credential Handling in Documentation (SYSTEM, HIGH, PERMANENT)
  - Requires ALL credentials redacted with example-only values
  - Patterns: sk-ant-api03-EXAMPLE-REDACTED, sk_live_EXAMPLE_REDACTED
  - Mandatory secret detection scan before commits

- inst_070: Pre-Commit Secret Detection (SYSTEM, HIGH, PERMANENT)
  - Requires gitleaks or detect-secrets as pre-commit hook
  - BLOCKS commits containing secrets
  - False positives require user approval + documentation

- inst_071: Enhanced Pre-Deployment Checklist (OPERATIONAL, HIGH, PERMANENT)
  - Replaces inst_054 with 8 steps including secret detection
  - Step 2: gitleaks detect --source .
  - Step 3: Credential audit (grep for sk-, pk-, secret, password)
  - Step 8: Public repository content review

- inst_072: Assume Breach - Defense in Depth (STRATEGIC, HIGH, PERMANENT)
  - Layer 1 - Prevention: Never commit credentials
  - Layer 2 - Mitigation: Redact credentials in docs
  - Layer 3 - Detection: Pre-commit secret scanning (automated)
  - Layer 4 - Backstop: GitHub secret scanning
  - Layer 5 - Recovery: Credential rotation procedures

DOCUMENTATION:
- SECURITY_INCIDENT_POST_MORTEM_2025-10-21.md (comprehensive analysis)
- SECURITY_INCIDENT_HUMAN_ACTIONS_REQUIRED.md (15-step action plan)
- scripts/install-gitleaks-hook.sh (automated installation)
- scripts/add-security-rules-2025-10-21.js (rules migration)

ADDITIONAL FINDINGS:
Comprehensive credential scan revealed additional exposed credentials in
internal repository (not public):
- Same Anthropic key in .env file
- Same key in internal docs/STRIPE_LIVE_MODE_DEPLOYMENT.md
- Stripe test keys in .env
- JWT production secret in .env

HUMAN ACTIONS REQUIRED:
1. Rotate Anthropic API key (CRITICAL)
2. Rotate JWT secret (CRITICAL)
3. Remove credentials from internal repository files
4. Install gitleaks pre-commit hook
5. Decide on git history cleanup (Option A/B/C)

VERSION UPDATE:
- instruction-history.json: 3.6 → 3.7
- Total rules: 68 → 72
- Active rules: 56 → 59

🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>

2025-10-22 00:31:30 +13:00

3 commits