Adopt deny-by-default .claude gitignore; record git-hygiene audit
The cross-repo git-hygiene audit (ROADMAP item 6) found the documented canonical .claude/ block was allow-by-default and would have un-ignored a password-bearing .claude/launch.json. Switch portability.md to a deny-by-default .claude/* + allow-list block and align the two retrofit summaries. Mark item 6 done with residuals; refresh Current state.
@@ -93,12 +93,22 @@ should carry this so any vendor's agent surfaces pending items at session start:
- `/roundup` is built: a cross-project status report that reads every repo's
AGENTS.md/ROADMAP.md plus the inbox and groups all to-dos by priority — reads and reports
only; deciding focus stays with the user.
- The inbox-check line and canonical `.gitignore` are now threaded into the retrofit flow
(playbook + `/retrofit` guide), so new repos inherit them — but they're **not yet in other
*existing* repos**; a shallow scan shows the `.claude`/git setup is inconsistent across
repos.
- Specced in `ROADMAP.md`, not built: the cross-repo git-hygiene audit (item 6, HIGH), the
`new-project` bootstrap, the cross-repo quality-gate standard, and the SessionStart hook.
- Next session: (1) run the cross-repo git-hygiene audit (ROADMAP item 6, HIGH); (2) build
the `new-project` bootstrap (item 5); (3) add `/capture`, `/triage`, `/roundup` to README's
"The rhythm" section.
- The cross-repo git-hygiene audit (ROADMAP item 6) is **DONE**: all 9 git repos under
`~/Projects` audited (one read-only `portability-checker` each). No safety issues anywhere —
zero tracked `.env`/`.DS_Store`/`*.local.json`, all in-repo symlinks relative. 6 repos
remediated (inbox-check line + canonical `.gitignore`) and pushed; `recap-relay` is
committed locally only (no git remote).
- The audit drove a **standards change**: `portability.md`'s canonical `.claude/` block is now
**deny-by-default** (`.claude/*` + an allow-list of the shared wiring). The old
allow-by-default block would have un-ignored `premier-gunner`'s password-bearing
`.claude/launch.json` — deny-by-default keeps stray scratch/secrets out by default. The two
retrofit summaries were updated to match.
- The inbox-check line + canonical `.gitignore` are threaded into the retrofit flow *and* now
live in the 6 remediated repos. Still missing from `ten31-transcripts` (needs a mini-retrofit)
and from the many **non-git folders** under `~/Projects` (unprotected work).
- Specced in `ROADMAP.md`, not built: the `new-project` bootstrap (item 5), the cross-repo
quality-gate standard (item 1), and the SessionStart hook (item 3). Item 6 residuals:
`ten31-transcripts` mini-retrofit, a Gitea remote for `recap-relay`, the non-git-folder sweep.
- Next session: (1) work the item-6 residuals — `ten31-transcripts` mini-retrofit and a remote
for `recap-relay`; (2) build the `new-project` bootstrap (item 5); (3) add `/capture`,
`/triage`, `/roundup` to README's "The rhythm" section.
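Review bot: In the audit-result bullet, "No safety issues anywhere" rests only on a check of currently tracked `.env`/`.DS_Store`/`*.local.json`, which does not cover the password-bearing `.claude/launch.json` that the next bullet describes in `premier-gunner`. The text does not say whether that file was ever committed under the old allow-by-default block, and the item 6 residuals list nothing for it. Suggest either stating that history was checked for `.claude/launch.json` in the audited repos, or adding a residual to verify that, rotate the password if it was ever committed, and move it out of `launch.json` so the ignore rule is not the only control. Also consider whether a committed status file should name the repo that holds the credential.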