Prevent accidental inclusion of local artifacts and sensitive file patterns #1934

@umwelt

Description

Context

A recent cleanup identified that local development artifacts (e.g. symlinks and temporary files) can be unintentionally included in the repository. While no sensitive data was exposed, we should enforce safeguards to prevent this class of issue entirely.

Objective

Ensure that local, temporary, and potentially sensitive files are never committed to the repository.

Actions

1. Update .gitignore

Add and enforce ignore rules for:

tmp/
*.b64
.zhtp/
keystore*
*.key
*.pem
.env

2. Pre-commit hook (required)

Implement a pre-commit hook that blocks commits containing:

  • symlinks

  • files inside tmp/

  • files matching:

    • *.b64
    • keystore*
    • .zhtp/*

Example checks:

  • detect symlinks in staged files
  • pattern match against restricted paths and extensions

3. Repository scan (one-time)

Run a full scan of the repository (including history if needed) to confirm:

  • no keystore references
  • no encoded artifacts (*.b64)
  • no local environment folders

4. CI safeguard (recommended)

Add a CI step that fails builds if restricted patterns are detected in commits or PRs.
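The following script is an added example that serves actions 2, 3 and 4 above; it is not the project's own hook. It is a POSIX sh pre-commit hook that reads `git diff --cached --raw`, refuses staged symlinks (index mode 120000, which also catches a file that was changed into a symlink) and refuses the restricted paths, and the same functions drive the one-time history scan and a CI run over a commit range. Assumptions that are mine, not the issue's: `tmp/` and `.zhtp/` are matched at any depth, `keystore*` is matched against the basename, the .gitignore-only patterns (`*.key`, `*.pem`, `.env`) are enforced by the hook as well because `git add -f` bypasses .gitignore but not a hook, and the `PRE_COMMIT_LIB` and `CHECK_RANGE` variable names are invented for this example.

```shell
#!/bin/sh
# Added example (not the project's own hook). Install as .git/hooks/pre-commit,
# run with --scan-history for the one-time repository check, or set
# CHECK_RANGE=origin/main...HEAD in CI to examine a pull request.

# Path rule shared by the hook, the history scan and the CI step.
# Hook list from the issue: tmp/, *.b64, keystore*, .zhtp/*. The .gitignore-only
# patterns (*.key, *.pem, .env) are added here by choice, since a hook cannot be
# bypassed with `git add -f` the way .gitignore can.
restricted_path() {
  p=$1
  base=${p##*/}
  case "/$p" in
    */tmp/*|*/.zhtp/*) return 0 ;;       # any component named tmp or .zhtp
  esac
  case "$base" in
    *.b64|keystore*|*.key|*.pem|.env) return 0 ;;
  esac
  return 1
}

# Reads `git diff --raw` lines on stdin:
#   :oldmode newmode oldsha newsha status<TAB>path[<TAB>newpath]
# Prints one line per violation and returns 1 if anything was blocked.
check_raw_diff() {
  bad=0
  tab=$(printf '\t')
  while IFS="$tab" read -r meta path newpath; do
    [ -n "$meta" ] || continue
    set -- $meta                     # split the space-separated mode/sha/status fields
    mode=$2                          # mode of the object that would enter the tree
    target=${newpath:-$path}         # for renames the destination is what gets committed
    if [ "$mode" = "120000" ]; then
      echo "blocked: symlink: $target"; bad=1
    fi
    if restricted_path "$target"; then
      echo "blocked: restricted path: $target"; bad=1
    fi
  done
  return $bad
}

# Reads one path per line on stdin (for example every path ever added in history).
scan_paths() {
  bad=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if restricted_path "$p"; then
      echo "found: $p"; bad=1
    fi
  done
  return $bad
}

# PRE_COMMIT_LIB=1 lets the functions be sourced without touching the repository.
if [ "${PRE_COMMIT_LIB:-0}" != 1 ]; then
  if [ -n "${CHECK_RANGE:-}" ]; then
    # CI: everything added, copied, modified, renamed or type-changed in the range.
    git diff --raw --diff-filter=ACMRT "$CHECK_RANGE" 2>/dev/null | check_raw_diff || exit 1
  elif [ "${1:-}" = "--scan-history" ]; then
    # One-time scan: every path ever added on any branch (names only, not content).
    git log --all --diff-filter=A --name-only --pretty=format: 2>/dev/null | sort -u | scan_paths || exit 1
  else
    git diff --cached --raw --diff-filter=ACMRT 2>/dev/null | check_raw_diff || {
      echo "pre-commit: commit refused; unstage the files listed above" >&2
      exit 1
    }
  fi
fi
```

Two caveats for the one-time scan in action 3: the history pass above matches file names only, so a keystore or `.b64` blob pasted into an otherwise normal file needs a content search as well (for example `git grep -I -i keystore $(git rev-list --all)`), and anything the scan does find in history is not removed by deleting it from HEAD; it stays in every clone until the history is rewritten, and any credential it contained should be treated as exposed regardless.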

5. Developer guidelines

Document and communicate:

  • no local paths or environment-specific artifacts in commits
  • no encoded files unless explicitly required and reviewed
  • use environment variables or secure storage for any sensitive material

Acceptance Criteria

  • .gitignore updated and enforced
  • pre-commit hook active and tested
  • CI check in place (if implemented)
  • repository verified clean
  • team informed of new guidelines

Notes

This is a preventive measure to enforce repository hygiene and avoid non-functional artifacts entering version control.
