tractatus/.rsyncignore
TheFlow c416d18ff7 fix(deploy): Exclude entire docs/ from production deployment
356 internal files (19MB) were on the production server filesystem
at /var/www/tractatus/docs/ for ~128 days. Includes credential
rotation procedures, VPS access references, Stripe financial
details, and security audit reports. Files were NOT HTTP-accessible
(Express serves only public/) but were world-readable on disk.

Root cause: .rsyncignore used a denylist of specific file patterns
rather than excluding the directory entirely. The denylist was
incomplete and failed silently as new files were added.

Fix: exclude docs/ and docs/** entirely. No production code reads
from this directory. Verified by rsync dry-run and app health check.

See: docs/SECURITY_INCIDENT_REPORT_2026-02-11.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 21:42:02 +13:00

117 lines
2.6 KiB
Text

# Tractatus Production Deployment - Exclusion List
# Prevents sensitive internal files from being deployed to production
# ============================================
# CRITICAL: Internal Documentation
# ============================================
CLAUDE.md
CLAUDE.md.backup
CLAUDE_*.md
*_Tractatus_Maintenance_Guide.md
SESSION_CLOSEDOWN_*.md
SESSION-HANDOFF-*.md
NEXT_SESSION.md
NEXT_SESSION_PRIORITIES.md
ClaudeWeb*.md
Tractatus-Website-Complete-Specification-*.md
DEPLOYMENT-*.md
# ============================================
# CRITICAL: Session State & Framework
# ============================================
.claude/
.claude/**
# ============================================
# CRITICAL: Credentials & Secrets
# ============================================
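# rsync has no gitignore-style "!" negation: when this file is passed via
# --exclude-from, "!.env.example" is read as a literal pattern and
# .env.example is still caught by ".env.*". The first matching rule wins,
# so the "+ " include rule has to come before the excludes.
+ .env.example
.env
.env.*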
*.key
*.pem
*.p12
*.pfx
secrets/
credentials/
# ============================================
# CRITICAL: Internal Documentation Directory
# ============================================
# The docs/ directory is ENTIRELY internal. No production
# code reads from it (Express serves only public/).
# Previous approach used a denylist of specific patterns,
# which repeatedly failed as new files were added.
# Fix: exclude the entire directory.
# See: docs/SECURITY_INCIDENT_REPORT_2026-02-11.md
docs/
docs/**
# ============================================
# Development Files
# ============================================
node_modules/
# ============================================
# AL Integration - Large Model Files
# ============================================
al-integration/models/
al-integration/venv/
demos/**/venv/
demos/*/venv/
.git/
.gitignore
package-lock.json
*.log
logs/
npm-debug.log*
.DS_Store
Thumbs.db
# ============================================
# Database & Backups
# ============================================
data/
dump/
backups/
*.sql
*.sql.gz
*.dump
# ============================================
# Build & Test
# ============================================
coverage/
.nyc_output/
dist/
build/
tmp/
temp/
*.tmp
# ============================================
# IDE & Editor
# ============================================
.vscode/
.idea/
*.swp
*.swo
*~
# ============================================
# SSH Keys (extra safety)
# ============================================
*.ssh/
id_rsa*
id_ed25519*
# ============================================
# Local Scripts (deployment from local only)
# ============================================
scripts/deploy-*.sh
scripts/validate-public-sync.js
scripts/session-init.js
scripts/check-session-pressure.js
scripts/pre-action-check.js
scripts/recover-framework.js
scripts/framework-watchdog.js
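The commit message attributes the exposure to a denylist that failed silently as new files appeared. The following is an added example, not part of the Tractatus repository: a deploy gate that reads the file list from an rsync dry-run and fails closed on anything outside an allowlist. `ALLOWED_TOP`, the function name and the two-argument invocation are assumptions for illustration; only `public/` is named on the page.

```shell
#!/bin/sh
# Added example: fail-closed gate over an rsync dry-run file list.
# ALLOWED_TOP is an assumed allowlist of top-level entries; the page
# itself only states that Express serves public/.
ALLOWED_TOP="${ALLOWED_TOP:-public src package.json}"

# Reads one path per line on stdin (rsync --out-format='%n' output).
# Prints every path that must block the deploy; returns 1 if any was found.
check_transfer_list() {
    ctl_bad=0
    while IFS= read -r ctl_path; do
        ctl_path="${ctl_path#./}"
        if [ -z "$ctl_path" ]; then continue; fi
        ctl_top="${ctl_path%%/*}"
        ctl_base="${ctl_path##*/}"
        # Allowlist: an unknown top-level entry (e.g. a new internal
        # directory) blocks the deploy instead of shipping unnoticed.
        case " $ALLOWED_TOP " in
            *" $ctl_top "*) ;;
            *) echo "BLOCK (not allowlisted): $ctl_path"; ctl_bad=1; continue ;;
        esac
        # Second layer: secret-looking names inside allowed directories,
        # using the credential patterns listed in .rsyncignore.
        case "$ctl_base" in
            .env.example) ;;
            .env|.env.*|*.key|*.pem|*.p12|*.pfx|id_rsa*|id_ed25519*)
                echo "BLOCK (secret pattern): $ctl_path"; ctl_bad=1 ;;
        esac
    done
    return "$ctl_bad"
}

# Hypothetical invocation: gate.sh <source-dir/> <destination>
if [ "$#" -eq 2 ]; then
    # Capture first so an rsync failure stops the deploy rather than
    # producing an empty (and therefore "clean") list.
    list=$(rsync -a --dry-run --out-format='%n' \
        --exclude-from=.rsyncignore "$1" "$2") || exit 2
    printf '%s\n' "$list" | check_transfer_list || exit 1
fi
```

Run as a step before the real transfer, the gate turns the manual dry-run check mentioned in the commit message into a condition the deploy cannot skip.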