core: restore 'vault + document EVERY in-session credential' rule; memory: IX WHM API token method + feedback
Triggered by ~1h lost on 2026-06-12 when the IX WHM access method was forgotten and password auth no longer worked. CLAUDE.md Key rules now mandates vaulting via the vault skill + thorough documentation for any credential surfaced in a session. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -31,7 +31,15 @@ production, data-loss. Detail: EXTENDED + `.claude/OLLAMA.md`.
|
||||
|
||||
## Key rules (always)
|
||||
- **NO EMOJIS.** Use ASCII markers: `[OK]` `[ERROR]` `[WARNING]` `[INFO]` `[CRITICAL]`.
|
||||
- **No hardcoded credentials.** SOPS vault: `bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field <path> <field>` (1Password fallback). Never commit plaintext secrets (the pre-commit `harness-guard.sh` warns).
|
||||
- **Credentials — capture, vault, document (ALWAYS).** ANY credential that surfaces in a
|
||||
session — one the user pastes, one you create/rotate, one you discover in a log/config — you
|
||||
MUST immediately store it in the SOPS vault **via the `vault` skill** (the canonical path —
|
||||
this is why the vault exists; do not improvise raw `sops`/`vault.sh`) AND document it
|
||||
thoroughly in the entry: what it is, what it's for, and exactly how it's used (auth method,
|
||||
endpoint, gotchas). Read with the skill too; `vault.sh get-field <path> <field>` is the
|
||||
underlying read (1Password fallback). Never commit plaintext secrets (pre-commit
|
||||
`harness-guard.sh` warns). Losing/forgetting infra credentials wastes real time — capturing
|
||||
them is not optional.
|
||||
- **SSH:** system OpenSSH (`C:\Windows\System32\OpenSSH\ssh.exe`), never Git-for-Windows SSH.
|
||||
- **Data integrity:** never placeholder/fake data — check vault, wiki, or ask.
|
||||
- **Hard-to-reverse or outward-facing actions:** confirm first (per-action, per-session).
|
||||
|
||||
Reference in New Issue
Block a user