Adopt deny-by-default .claude gitignore; record git-hygiene audit
The cross-repo git-hygiene audit (ROADMAP item 6) found the documented canonical .claude/ block was allow-by-default and would have un-ignored a password-bearing .claude/launch.json. Switch portability.md to a deny-by-default .claude/* + allow-list block and align the two retrofit summaries. Mark item 6 done with residuals; refresh Current state.
+20
-5
@@ -72,8 +72,17 @@ symlinks; `ROADMAP.md`; `.claude/settings.json` (shared project settings and hoo
deterministic behavior is part of the repo); `.claude/agents/*.md`, `.claude/commands/*.md`,
`.claude/skills/` (project-scoped wrappers).
Gitignored (per-user, per-machine, or secret): `.claude/settings.local.json` and any
`*.local.*` (personal permissions/overrides); `.env` and secrets (corollary 5); OS cruft.
Gitignored (per-user, per-machine, secret, or session scratch): `.claude/settings.local.json`
and any `*.local.*` (personal permissions/overrides); `.claude/worktrees/` and other Claude
session/editor scratch that lands in `.claude/`; `.env` and secrets (corollary 5); OS cruft.
Because `.claude/` accumulates unpredictable scratch — worktrees, editor debug configs
(sometimes carrying credentials), `.DS_Store` — **ignore it deny-by-default and allow-list
only the shared wiring.** A blanket `.claude/*` plus `!` exceptions is safer than naming
individual local files: a new kind of local scratch is ignored automatically, and a stray
secret never slips in by default. (Already-tracked files stay tracked even under `.claude/*`,
so a deliberate, secret-free editor config a repo wants to commit can simply be allow-listed
with its own `!` line.)
Put these in the repo's **own committed `.gitignore`** — don't rely on a global
excludesfile, which a fresh clone or another machine won't have. Canonical block:
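Review bot: the sentence "a stray secret never slips in by default" in the added paragraph overstates what `.claude/*` plus `!` exceptions achieves: anything dropped inside an allow-listed directory (`.claude/rules/`, `.claude/agents/`, `.claude/commands/`, `.claude/skills/`) is still picked up, so the guarantee only covers paths outside the allow-list; consider qualifying it, e.g. "a stray secret outside the allow-listed directories never slips in by default". The parenthetical "Already-tracked files stay tracked even under `.claude/*`" also cuts the other way for a retrofit: a `.claude/settings.local.json` or editor config that a repo had already committed stays tracked after this block is adopted, so the paragraph should say that such files have to be removed from the index separately (`git rm --cached`) for the deny-by-default rule to take effect.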
@@ -84,9 +93,15 @@ excludesfile, which a fresh clone or another machine won't have. Canonical block
.env.*
!.env.example
# Claude Code — commit shared config, ignore personal/local
.claude/settings.local.json
.claude/*.local.json
# Claude Code — deny by default, allow-list shared wiring.
# .claude/ also accumulates worktrees, editor configs, and OS cruft; commit
# only the shared parts so new local scratch (or a stray secret) stays out.
.claude/*
!.claude/rules/
!.claude/agents/
!.claude/commands/
!.claude/skills/
!.claude/settings.json
# OS cruft
.DS_Store
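Review bot: the allow-list re-includes whole directories (`!.claude/rules/`, `!.claude/agents/`, `!.claude/commands/`, `!.claude/skills/`), so a `*.local.*` file or session scratch placed inside one of them is tracked, while the removed `.claude/*.local.json` line and the prose in the previous hunk promise that any `*.local.*` stays ignored. Because the last matching pattern wins, add an explicit override after the `!` lines, e.g. `.claude/**/*.local.*`, so the block actually enforces the documented rule. A comment that `!.claude/settings.json` does not re-include `settings.local.json` would also help, since readers may assume the two are handled as a pair.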