tractatus/PUBLIC_REPO_CHECKLIST.md
TheFlow 65703afff3 security(gitignore): add 23 missing protection patterns for sensitive files
SECURITY GAPS FIXED:
- Payment IDs: .stripe-ids.json
- Deployment configs: .rsyncignore
- Session closedowns: "closedown prompt", CLOSEDOWN*.txt/md
- Internal planning: SCHEDULED_TASKS.md, SITE_IMPROVEMENT_PRIORITIES.md,
  TRACTATUS_BRAND_SYSTEM.md, UI_TRANSFORMATION_PROJECT_PLAN.md
- Internal PDFs: CLAUDE_WEB_BRIEF.pdf, EXECUTIVE_BRIEF*.pdf
- Internal docs: docs/analysis/, docs/analysis-archive-*/,
  docs/FIND_STRIPE*.md, docs/FRAMEWORK_FAILURE*.md, docs/PRODUCTION_DEPLOYMENT*.md
- Temporary files: deployment-output.txt, migration-output.txt,
  PERPLEXITY_USER_PROMPT.txt, ECONOMIST_LETTER_*.docx

RESULT: .gitignore expanded from 171 → 193 lines
STATUS: All sensitive files now protected from accidental git commits

🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-21 18:56:47 +13:00


PUBLIC REPOSITORY CHECKLIST

Repository: tractatus-framework (GitHub Public)
Purpose: Open source implementation for external developers
Last Security Audit: 2025-10-21


What SHOULD Be in Public Repo

Code (Open Source)

  • src/ - All framework services and application code
  • tests/ - Unit and integration tests
  • public/ - Website frontend (HTML, CSS, JS, assets)
  • scripts/ - Public utility scripts (migrations, generators, utilities)

Documentation (Public)

  • README.md - World-class implementer-focused documentation
  • LICENSE - Apache 2.0 license
  • CODE_OF_CONDUCT.md - Community guidelines
  • SETUP_INSTRUCTIONS.md - Installation guide
  • NOTICE - Attribution notices
  • docs/markdown/ - Published documentation
  • docs/case-studies/ - Public case studies (educational)
  • docs/api/ - API reference documentation
  • docs/architecture/ - Architecture diagrams and explanations

Configuration (Public)

  • .env.example - Example environment variables
  • .env.test - Test environment configuration
  • .gitignore - Git ignore patterns
  • .eslintrc.json - ESLint configuration
  • jest.config.js - Jest test configuration
  • tailwind.config.js - Tailwind CSS configuration
  • package.json - Node dependencies
  • package-lock.json - Dependency lock file

What MUST NOT Be in Public Repo

Internal Directories (Entire)

  • .claude/ - Framework session state, metrics, archives
  • governance/ - Internal operational governance documents
  • For Claude Web/ - Internal development specifications
  • umami-local/ - Analytics local setup
  • docs/planning/ - Internal project planning
  • docs/testing/ - Internal test reports
  • docs/outreach/ - Internal marketing/outreach
  • docs/stripe-analysis/ - Internal payment analysis
  • docs/economist-analysis/ - Internal research analysis
  • docs/framework-incidents/ - Internal incident reports
  • docs/deployment-logs/ - Internal deployment records
  • docs/analysis-archive-*/ - Internal analysis archives

Internal Development Documents

  • CLAUDE.md - Internal Claude Code instructions
  • CLAUDE_*.md - Internal development guides
  • ClaudeWeb*.md - Internal web development specs
  • PRE_APPROVED_COMMANDS.md - Internal command whitelist
  • BACKEND_FRONTEND_MAPPING.md - Internal architecture docs

Session & Planning Documents

  • SESSION*.md - Session handoffs
  • OPTIMAL_NEXT_SESSION*.md - Session startup prompts
  • ARCHIVE_SUMMARY*.md - Session archives
  • CLOSEDOWN*.md / *.txt - Session closedowns
  • MEETING_NOTES*.md - Internal meeting notes

Internal Planning

  • PITCH-*.md - Internal pitch documents
  • PHASE-*.md - Internal phase planning
  • EXECUTIVE_BRIEF*.md - Internal executive briefs
  • TRACTATUS_BRAND_SYSTEM.md - Internal branding
  • UI_TRANSFORMATION_PROJECT_PLAN.md - Internal UI planning
  • SITE_IMPROVEMENT_PRIORITIES.md - Internal priorities
  • SCHEDULED_TASKS.md - Internal task scheduling
  • Tractatus-Website-Complete-Specification*.md - Internal specs

Internal Scripts

  • scripts/deploy-*.sh - Deployment scripts (contain server details)
  • scripts/session-init.js - Framework session initialization
  • scripts/check-session-pressure.js - Session monitoring
  • scripts/analyze-violations.js - Violation analysis
  • scripts/hook-validators/ - Pre-action hook validators
  • scripts/framework-components/ - Framework enforcement components
  • scripts/reset-admin-password.js - Admin utilities

Internal Docs Files

  • docs/DEPLOYMENT*.md - Deployment documentation
  • docs/MULTI_PROJECT*.md - Multi-project governance
  • docs/DOCUMENT_AUDIT*.md - Internal audits
  • docs/DOCUMENT_OPTIMIZATION*.md - Internal optimization
  • docs/DOCUMENT_REORGANIZATION*.md - Internal reorganization
  • docs/DOCUMENT_SECURITY*.md - Internal security docs
  • docs/BLOG-POST-OUTLINES.md - Internal content planning
  • docs/PHASE-*.md - Phase planning documents
  • docs/STRIPE_*.md - Payment integration internals
  • docs/KOHA*.md - Donation system internals
  • docs/SECURITY_AUDIT*.md - Internal security audits
  • docs/FRAMEWORK_FAILURE*.md - Internal incident analysis
  • docs/BENCHMARK*.md - Internal performance benchmarks
  • docs/IMPLEMENTATION_PROGRESS*.md - Internal progress tracking
  • docs/BOOTSTRAPPING*.md - Internal bootstrapping docs
  • docs/GOVERNANCE-RULE-LIBRARY.md - Internal rule library
  • docs/SIMULATION*.md - Internal simulations
  • docs/SESSION*.md - Session documentation
  • docs/API_MEMORY*.md - Internal API memory research
  • docs/HOOKS*.md - Internal hook documentation

Sensitive Files

  • *.key - Encryption keys
  • *.pem - SSL certificates
  • *.p12 / *.pfx - Certificate bundles
  • .stripe-ids.json - Payment IDs
  • .rsyncignore - Deployment patterns
  • ADMIN_LOGIN_INSTRUCTIONS.md - Admin credentials
  • .admin-credentials.local - Admin credentials
  • secrets/ - Secrets directory
  • credentials/ - Credentials directory

Build Artifacts & Temporary Files

  • deployment-output.txt - Deployment logs
  • migration-output.txt - Migration logs
  • closedown prompt - Session closedown prompts
  • old claude md file - Old backups
  • PERPLEXITY_USER_PROMPT.txt - Research prompts
  • ECONOMIST_LETTER_*.docx - External correspondence
  • /tmp/*.md - Temporary markdown files
  • Screenshot*.png - Screenshots
  • *.backup / *.bak - Backup files

🔒 Security Verification Checklist

Before pushing to public GitHub, verify:

  • No server IP addresses in any file
  • No SSH key references or paths
  • No API keys or credentials
  • No payment system IDs or secrets
  • No internal meeting notes or strategy docs
  • No session handoffs or development logs
  • No deployment scripts with production details
  • No internal planning or pitch documents
  • .gitignore is comprehensive and up-to-date
  • All files contain only public-appropriate content

📊 Current Repository Stats

Total tracked files: 6,435

  • src/: 85 files
  • tests/: 35 files
  • public/: 178 files (mostly assets)
  • scripts/: 111 files
  • docs/: 107 files
  • root: 13 files

Last cleaned: 2025-10-21
Files removed: 226 internal/sensitive files
.gitignore: 193 lines (comprehensive protection)


🔄 Weekly Maintenance

As per inst_062, the README.md requires weekly review. Use this checklist:

Every Monday:

  1. Review README.md for accuracy
  2. Update "Last Updated" date if material changes made
  3. Verify all links still work
  4. Check for new internal files that shouldn't be public
  5. Run: git ls-files | grep -E "(CLAUDE|SESSION|PITCH|PHASE|MEETING|governance|\.claude)" → should return nothing
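The verification checklist and the Monday `git ls-files | grep` step above both reduce to one question: does the tracked file list still contain anything from the "MUST NOT" sections? The script below is an added example, not part of the tractatus repository; it turns those sections into a deny-list of extended regexes and audits a list of paths against them. The pattern set, the function names and the sample listing are this example's own constructions; the ignore rules stop new files from being staged, but files already committed stay tracked, which is why the audit has to run over `git ls-files` rather than over `.gitignore`.

```shell
#!/bin/sh
# Added example, not part of the tractatus repository: audit a list of tracked
# paths against the "MUST NOT be in public repo" sections of the checklist.
# .gitignore only stops new files from being staged; anything already committed
# stays tracked, so the check must run over the tracked list itself.

# Extended regexes distilled from the checklist. ^ anchors root-level names;
# (^|/) matches a name in any directory. Over-matching is fine for a deny-list.
FORBIDDEN='^(\.claude|governance|For Claude Web|umami-local)/
^docs/(planning|testing|outreach|stripe-analysis|economist-analysis|framework-incidents|deployment-logs|analysis|analysis-archive-[^/]*)/
^(CLAUDE[^/]*|ClaudeWeb[^/]*|PRE_APPROVED_COMMANDS|BACKEND_FRONTEND_MAPPING)\.md$
^(SESSION|OPTIMAL_NEXT_SESSION|ARCHIVE_SUMMARY|MEETING_NOTES|EXECUTIVE_BRIEF)[^/]*\.(md|pdf)$
^CLOSEDOWN[^/]*\.(md|txt)$
^(PITCH|PHASE)-[^/]*\.md$
^(TRACTATUS_BRAND_SYSTEM|UI_TRANSFORMATION_PROJECT_PLAN|SITE_IMPROVEMENT_PRIORITIES|SCHEDULED_TASKS|Tractatus-Website-Complete-Specification[^/]*)\.md$
^scripts/(deploy-[^/]*\.sh|session-init\.js|check-session-pressure\.js|analyze-violations\.js|reset-admin-password\.js)$
^scripts/(hook-validators|framework-components)/
^docs/(DEPLOYMENT|PRODUCTION_DEPLOYMENT|MULTI_PROJECT|DOCUMENT_|BLOG-POST-OUTLINES|PHASE-|STRIPE_|FIND_STRIPE|KOHA|SECURITY_AUDIT|FRAMEWORK_FAILURE|BENCHMARK|IMPLEMENTATION_PROGRESS|BOOTSTRAPPING|GOVERNANCE-RULE-LIBRARY|SIMULATION|SESSION|API_MEMORY|HOOKS)[^/]*\.md$
(^|/)(\.stripe-ids\.json|\.rsyncignore|ADMIN_LOGIN_INSTRUCTIONS\.md|\.admin-credentials\.local)$
(^|/)(secrets|credentials)/
\.(key|pem|p12|pfx|backup|bak)$
(^|/)(deployment-output|migration-output|PERPLEXITY_USER_PROMPT)\.txt$
(^|/)(ECONOMIST_LETTER_[^/]*\.docx|Screenshot[^/]*\.png)$'

# audit_tracked_files: reads one path per line on stdin and prints every path
# that matches a forbidden pattern. Returns 1 if any matched, 0 if clean.
audit_tracked_files() {
    regex=$(printf '%s\n' "$FORBIDDEN" | tr '\n' '|' | sed 's/|$//')
    hits=$(grep -E "$regex" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample listing standing in for `git ls-files` on a checkout that
# still carries a few files the checklist forbids (six of the thirteen).
sample_listing() {
    printf '%s\n' \
        'README.md' 'LICENSE' 'src/index.js' 'tests/unit.test.js' \
        'docs/markdown/intro.md' '.env.example' 'package.json' \
        'CLAUDE.md' 'docs/planning/roadmap.md' '.stripe-ids.json' \
        'scripts/deploy-prod.sh' 'config/server.pem' 'Screenshot 2025.png'
}

# Against the real repository:  git ls-files | audit_tracked_files
```

A non-zero exit status makes the function usable as a pre-push gate; the printed paths are the ones to `git rm --cached` and then add to `.gitignore`.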

📝 Notes

  • The internal repository (tractatus) contains ALL files for development
  • The public repository (tractatus-framework) is a SUBSET for open source
  • .gitignore prevents internal files from being accidentally committed
  • Use git status before pushing to verify no internal files are staged

Last Updated: 2025-10-21