Adopt deny-by-default .claude gitignore; record git-hygiene audit
The cross-repo git-hygiene audit (ROADMAP item 6) found the documented canonical .claude/ block was allow-by-default and would have un-ignored a password-bearing .claude/launch.json. Switch portability.md to a deny-by-default .claude/* + allow-list block and align the two retrofit summaries. Mark item 6 done with residuals; refresh Current state.
+27
-17
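The switch the commit message describes, as an added example rather than files from the standards repo: it writes each candidate `.gitignore` block into a scratch repository and asks `git check-ignore`, git's own matcher, which `.claude/` files would still be committable. The old allow-by-default block is not shown on this page, so the one here is an assumed stand-in that names only `settings.local.json`; the allow-listed files, the `s9pk/` subdirectory and the `**/` tree-wide variant are likewise assumptions. The tree-wide variant goes beyond the commit: it shows that a root-anchored `.claude/*` (a pattern containing a slash) does not reach a nested `.claude/` directory.

```sh
#!/bin/sh
# Added example, not the standards repo's own files. Uses git check-ignore to show
# which .claude/ files each .gitignore block would leave committable. The
# allow-by-default block is an assumed stand-in; the page does not show the old text.
set -eu

# Constructed sample tree: shared wiring that must stay tracked, plus secret-bearing
# and per-machine files that must stay ignored, at the root and in a subdirectory.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q 2>/dev/null
  mkdir -p "$dir/.claude/rules" "$dir/s9pk/.claude"
  printf '{"password":"hunter2"}\n' > "$dir/.claude/launch.json"
  printf '{"password":"hunter2"}\n' > "$dir/s9pk/.claude/launch.json"
  printf '{}\n' > "$dir/.claude/settings.local.json"
  printf '{}\n' > "$dir/.claude/settings.json"
  printf '# rule\n' > "$dir/.claude/rules/style.md"
  printf '%s' "$dir"
}

# Assumed old block: names only the known-bad file, so any new file is tracked.
allow_by_default() { printf '%s\n' '.claude/settings.local.json'; }

# Block the commit adopts: ignore everything under .claude/, re-allow shared wiring.
# A pattern containing a slash is anchored to the directory of this .gitignore.
deny_by_default() { printf '%s\n' '.claude/*' '!.claude/settings.json' '!.claude/rules/'; }

# Assumed generalization: a leading **/ applies the same block in every subdirectory.
deny_by_default_treewide() {
  printf '%s\n' '**/.claude/*' '!**/.claude/settings.json' '!**/.claude/rules/'
}

# Exit 0 when git would ignore path $2 inside repo $1.
is_ignored() { git -C "$1" check-ignore -q -- "$2"; }

# Prints how many secret/per-machine files the block emitted by $1 leaves committable;
# exits 2 if the block wrongly ignores the shared wiring.
leaks_under() {
  repo=$(make_repo)
  "$1" > "$repo/.gitignore"
  leaks=0
  for f in .claude/launch.json .claude/settings.local.json s9pk/.claude/launch.json; do
    is_ignored "$repo" "$f" || leaks=$((leaks + 1))
  done
  for f in .claude/settings.json .claude/rules/style.md; do
    if is_ignored "$repo" "$f"; then
      echo "block $1 wrongly ignores shared file $f" >&2
      rm -rf "$repo"
      return 2
    fi
  done
  rm -rf "$repo"
  echo "$leaks"
}

# Stand-alone run: one line per block.
for block in allow_by_default deny_by_default deny_by_default_treewide; do
  printf '%-25s committable secrets: %s\n' "$block" "$(leaks_under "$block")"
done
```

In a real repo the same question is answered per file with `git check-ignore -v .claude/launch.json`, which also prints the pattern and the `.gitignore` line that decided it; a file already in the index is unaffected by any of these blocks and must be removed with `git rm --cached` first.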
@@ -104,23 +104,33 @@ the CLAUDE.md symlink, ROADMAP.md, the canonical `.gitignore`, and the inbox-che
is generic vs. stack-specific (does it call a `/harden` step from item 1 to install the
stack's linter+hook?); whether the workshop output also seeds the first `## Current state`.

## 6. Cross-repo git-hygiene audit + remediation — HIGH PRIORITY
## 6. Cross-repo git-hygiene audit + remediation ✅ DONE (2026-06-14)

**Why:** a shallow scan of `~/Projects` (2026-06-14) shows the `.claude`/git setup is *not*
consistent across repos. Git repos with the full AGENTS.md + `.claude` + `.gitignore` setup:
`CRM`, `premier-gunner`, `recap-relay`, `recap`, `spark-control`, `standards`, `Workout-log`.
Outliers: `ten31-transcripts` has a `CLAUDE.md` but **no `.claude/` dir** (possible real file
instead of an AGENTS.md symlink — the stale-retrofit failure); `start-os` has neither (likely
an external/upstream repo). Plus many non-git folders (unprotected work). We don't yet know,
per repo, what inside `.claude/` is committed vs gitignored, or whether in-repo symlinks are
relative.
Fanned out one read-only `portability-checker` per git repo under `~/Projects`. **No safety
issues anywhere:** zero tracked `.env` / `.DS_Store` / `*.local.json`, and every in-repo
symlink is relative. The gaps were consistency: the inbox-check line was missing in all 7
non-standards repos, and only `standards` had a complete canonical `.gitignore`.

**Do:** fan out one read-only `portability-checker` (or `Explore`) per git repo under
`~/Projects`, each reporting: is `CLAUDE.md` a relative symlink to `AGENTS.md` or a real
file; what's in `.claude/` and which of it is tracked vs gitignored (esp. `settings.local.json`
committed by mistake, or shared `settings.json`/rules symlinks missing); whether `.gitignore`
carries the canonical block; any absolute in-repo symlinks. Synthesize one compliance matrix +
a prioritized remediation list, then a follow-up pass fixes each repo (its own commit).
**Fixed — 6 repos, one commit each, pushed** (`CRM`, `premier-gunner`, `recap`,
`spark-control`, `Workout-log`; `recap-relay` committed locally — see residuals): added the
repo-tagged inbox-check line and normalized `.gitignore`.

**Open questions:** treat non-git folders (flag for retrofit) vs. external upstreams
(`start-os`?) differently; report-only first vs. auto-fix.
**Standard improved by the audit:** the documented canonical `.claude/` block was
allow-by-default and would have *un-ignored* `premier-gunner`'s password-bearing
`.claude/launch.json`. Switched `portability.md` (and the two retrofit summaries) to a
**deny-by-default `.claude/*` + allow-list** of the shared wiring.

**Residual follow-ups:**
- **`ten31-transcripts` (MAJOR) — needs its own mini-retrofit.** Despite the name it's an
active Xcode/Swift app with no `.claude/` at all. Scaffold `.claude/settings.json`; decide
whether to reorganize its flat `docs/NN_*.md` into `docs/guides/` + `.claude/rules/` symlinks.
Too big for the mechanical pass.
- **`recap-relay` has no git remote** — committed locally only; create a Gitea repo + push.
- **`premier-gunner/s9pk/.gitignore`** lacks the secrets/Claude lines (low priority; the root
`.gitignore` covers `.env` tree-wide already).
- **Many non-git folders under `~/Projects` are unprotected work** (discount-watcher,
expense-organizer, giga, heart-rate, licensing, one-river, satoshi-sleep, START9 PACKAGING,
ten31-agents/-command-center/-signal-engine, timestamp-converter, timestamp-newspaper,
website-landing, Grand-Cayman-paddleboard). Each needs `git init` + retrofit, or an explicit
"scratch, don't track" decision.
- **`start-os`** is an external upstream (Start9Labs/start-os) — out of scope, no action.

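Review bot: the `premier-gunner/s9pk/.gitignore` residual is rated low priority because "the root `.gitignore` covers `.env` tree-wide already", but that reasoning does not transfer to the Claude lines it says are missing: a gitignore pattern that contains a slash, such as the new canonical `.claude/*`, is anchored to the directory of the `.gitignore` that holds it, so a root-level deny-by-default block does not ignore `s9pk/.claude/launch.json` the way the slash-free `.env` pattern does. Given that the whole audit finding was a password-bearing `.claude/launch.json`, either add the block to `s9pk/.gitignore` before closing the item or write the root block as `**/.claude/*` with matching `!**/.claude/...` allow entries, and drop the "low priority" from the bullet. It would also help to record how "zero tracked `.env` / `.DS_Store` / `*.local.json`" was established (`git ls-files` per repo) and to confirm the switched block in each repo with `git check-ignore -v .claude/launch.json`, since a `.gitignore` edit alone never removes a file that is already in the index.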