tractatus

john/tractatus

Fork 0

Commit graph

Author	SHA1	Message	Date
TheFlow	b6d143c816	fix(deploy): Exclude entire docs/ from production deployment 356 internal files (19MB) were on the production server filesystem at /var/www/tractatus/docs/ for ~128 days. Includes credential rotation procedures, VPS access references, Stripe financial details, and security audit reports. Files were NOT HTTP-accessible (Express serves only public/) but were world-readable on disk. Root cause: .rsyncignore used a denylist of specific file patterns rather than excluding the directory entirely. The denylist was incomplete and failed silently as new files were added. Fix: exclude docs/ and docs/** entirely. No production code reads from this directory. Verified by rsync dry-run and app health check. See: docs/SECURITY_INCIDENT_REPORT_2026-02-11.md Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-11 21:42:02 +13:00

Author

SHA1

Message

Date

TheFlow

b6d143c816

fix(deploy): Exclude entire docs/ from production deployment

356 internal files (19MB) were on the production server filesystem
at /var/www/tractatus/docs/ for ~128 days. Includes credential
rotation procedures, VPS access references, Stripe financial
details, and security audit reports. Files were NOT HTTP-accessible
(Express serves only public/) but were world-readable on disk.

Root cause: .rsyncignore used a denylist of specific file patterns
rather than excluding the directory entirely. The denylist was
incomplete and failed silently as new files were added.

Fix: exclude docs/ and docs/** entirely. No production code reads
from this directory. Verified by rsync dry-run and app health check.

See: docs/SECURITY_INCIDENT_REPORT_2026-02-11.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-11 21:42:02 +13:00

1 commit