diff options
| author | Craig Jennings <c@cjennings.net> | 2026-05-26 12:22:08 -0500 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-05-26 12:22:08 -0500 |
| commit | 7beb8d10451bd4c425bf71d22734a9cb1272f83c (patch) | |
| tree | 0320d40cbb2aacede2cb879b90701990c7b223d7 /claude-rules | |
| parent | e9d6ebecff43a39211b186c50cc9febd068bbd74 (diff) | |
| download | rulesets-7beb8d10451bd4c425bf71d22734a9cb1272f83c.tar.gz rulesets-7beb8d10451bd4c425bf71d22734a9cb1272f83c.zip | |
docs(protocols): gate credential-leak warnings on project type, not the credential
A session false-alarmed on a leak risk when restoring a credentials doc into a tracked .ai/ file. The reasoning was wrong: a tracked secret is only a public-leak risk where the repo can reach a public remote, which means code projects on public GitHub, the ones that already gitignore .ai/. Personal and documentation projects push to a private single-user repo on cjennings.net, so tracked credentials in their .ai/ files are fine and expected.
I added the rule next to the existing "should .ai/ be committed?" decision in protocols.org, since it's a direct corollary of the same code-vs-personal split. The "is this a leak?" question now resolves on which kind of project and remote it is, not on the mere presence of a credential in a tracked file.
Origin: an elibrary session raised the false alarm and Craig corrected it.
Diffstat (limited to 'claude-rules')
0 files changed, 0 insertions, 0 deletions