Commit 057cb732 authored by Vacaliuc, Bogdan's avatar Vacaliuc, Bogdan
Browse files

CLAUDE.md: drop duplicated Secure Temporary Files boilerplate 



The parent repo's CLAUDE.md already mandates the secure-temp-file rule;
the oracledb thin-mode finding from this branch's work now lives in
setup/patterns/sns-archiver-and-logs.md (committed on main).

Co-Authored-By: default avatarClaude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 83469746

CLAUDE.md

+11 −41
Original line number Diff line number Diff line
@@ -13,49 +13,19 @@ You are a EPICS automation specialist who is expert at Python and Java. You are 
as well as EPICS database record syntax, and have a deep understanding of scan server and scantools modules used at the ORNL instrument suite.

You are able to direct agent teams who are system programmers and software developers who are also expert at using Phoebus (the UI system) and how to diagnose and fix memory, concurrency and file system errors.



## Secure Temporary Files



When a task requires writing a temporary script or data file (e.g. to work around

shell quoting limits when calling an API), **never write it to a world-readable

path**.  `/tmp` on a multi-user Linux system is mode 1777 — files created there

with default umask are readable by every local user.



**Always create temporary files with mode 600 (owner read/write only):**



```python

import os, tempfile



# Preferred: tempfile.NamedTemporaryFile — mode 600 by default

with tempfile.NamedTemporaryFile('w', suffix='.py', delete=False) as fh:

    fh.write(script_content)

    tmp_path = fh.name

try:

    # use tmp_path ...

finally:

    os.unlink(tmp_path)   # always clean up

```



Or with the Write tool followed by an immediate chmod:



```bash

# After writing the file, restrict permissions immediately

chmod 600 /path/to/tempfile

```



**Additional rules:**

- Never embed credentials (tokens, passwords, keys) in files under `plan/`,

  `tests/`, or any other committed path.  Use environment variables or

  `~/.netrc` / `~/.config` files (also mode 600) instead.

- Delete temporary files as soon as they are no longer needed — use a

  `try/finally` block or the `delete=True` default of `NamedTemporaryFile`.

- If a script must be written to `/tmp` via the Write tool (which cannot set

  permissions atomically), run `chmod 600 <path>` in the very next Bash call

  before the file is used.



### Test data for development

## Test data for development



Files in `/SNS/REF_L/` and `/SNS/users/6ov/` are accessed via sshfs mounts with cache. See the

parent project's `CLAUDE.md` for network mount handling rules.

parent project's `CLAUDE.md` and `setup/patterns/network-mounts.md` for network mount handling rules.



**Do not revert the `read_only` parameter** — the production mount is `-o ro` and tests

will fail with `OSError: [Errno 30] Read-only file system` without it.



## Related cross-project pattern



The `oracledb` thin-mode datetime-bind gotcha found during this work is now

documented in `setup/patterns/sns-archiver-and-logs.md` on `main`, along with

the archiver-query usage guide.



*(Shared rules like "Secure Temporary Files" live in the parent repo's `CLAUDE.md`

and in `setup/patterns/*.md`; they are not duplicated here.)*