core: restore 'vault + document EVERY in-session credential' rule; memory: IX WHM API token method + feedback

Triggered by ~1h lost on 2026-06-12 when the IX WHM access method was forgotten and
password auth no longer worked. CLAUDE.md Key rules now mandates vaulting via the vault
skill + thorough documentation for any credential surfaced in a session.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-12 10:52:30 -07:00
parent b01e872a2d
commit 7b63bc84bc
4 changed files with 73 additions and 1 deletions

View File

@@ -31,7 +31,15 @@ production, data-loss. Detail: EXTENDED + `.claude/OLLAMA.md`.
## Key rules (always)
- **NO EMOJIS.** Use ASCII markers: `[OK]` `[ERROR]` `[WARNING]` `[INFO]` `[CRITICAL]`.
- **No hardcoded credentials.** SOPS vault: `bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field <path> <field>` (1Password fallback). Never commit plaintext secrets (the pre-commit `harness-guard.sh` warns).
- **Credentials — capture, vault, document (ALWAYS).** ANY credential that surfaces in a
session — one the user pastes, one you create/rotate, one you discover in a log/config — you
MUST immediately store it in the SOPS vault **via the `vault` skill** (the canonical path —
this is why the vault exists; do not improvise raw `sops`/`vault.sh`) AND document it
thoroughly in the entry: what it is, what it's for, and exactly how it's used (auth method,
endpoint, gotchas). Read with the skill too; `vault.sh get-field <path> <field>` is the
underlying read (1Password fallback). Never commit plaintext secrets (pre-commit
`harness-guard.sh` warns). Losing/forgetting infra credentials wastes real time — capturing
them is not optional.
- **SSH:** system OpenSSH (`C:\Windows\System32\OpenSSH\ssh.exe`), never Git-for-Windows SSH.
- **Data integrity:** never placeholder/fake data — check vault, wiki, or ask.
- **Hard-to-reverse or outward-facing actions:** confirm first (per-action, per-session).