Commit 29e0400f authored by Vacaliuc, Bogdan

CLAUDE.md: drop duplicated Secure Temporary Files boilerplate
The parent repo's CLAUDE.md already mandates the secure-temp-file rule;
keeping a full copy here is pure duplication.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 0479ee06
+5 −41
@@ -14,49 +14,13 @@ You are able to direct agent teams who are expert system programmers and softwar
You will use best practices of python syntax and code development and will design tests to verify all code contributions.
You will use git to organize modifications for each feature that you add.

## Secure Temporary Files

When a task requires writing a temporary script or data file (e.g. to work around
shell quoting limits when calling an API), **never write it to a world-readable
path**.  `/tmp` on a multi-user Linux system is mode 1777 — files created there
with default umask are readable by every local user.

**Always create temporary files with mode 600 (owner read/write only):**

```python
import os, tempfile

# Preferred: tempfile.NamedTemporaryFile — mode 600 by default
with tempfile.NamedTemporaryFile('w', suffix='.py', delete=False) as fh:
    fh.write(script_content)
    tmp_path = fh.name
try:
    # use tmp_path ...
finally:
    os.unlink(tmp_path)   # always clean up
```

Or with the Write tool followed by an immediate chmod:

```bash
# After writing the file, restrict permissions immediately
chmod 600 /path/to/tempfile
```

**Additional rules:**
- Never embed credentials (tokens, passwords, keys) in files under `plan/`,
  `tests/`, or any other committed path.  Use environment variables or
  `~/.netrc` / `~/.config` files (also mode 600) instead.
- Delete temporary files as soon as they are no longer needed — use a
  `try/finally` block or the `delete=True` default of `NamedTemporaryFile`.
- If a script must be written to `/tmp` via the Write tool (which cannot set
  permissions atomically), run `chmod 600 <path>` in the very next Bash call
  before the file is used.

### Test data for development
## Test data for development

Files in `/SNS/REF_L/`, `/SNS/REF_M/` and `/SNS/users/6ov/` are accessed via sshfs mounts with cache. See the
parent project's `CLAUDE.md` for network mount handling rules.
parent project's `CLAUDE.md` and `setup/patterns/network-mounts.md` for network mount handling rules.

**Do not revert the `read_only` parameter** — the production mount is `-o ro` and tests
will fail with `OSError: [Errno 30] Read-only file system` without it.

*(Shared rules like "Secure Temporary Files" live in the parent repo's `CLAUDE.md`
and in `setup/patterns/*.md`; they are not duplicated here.)*
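Review bot: the removed block carried two repo-specific clauses that the closing pointer in this hunk does not obviously cover, so the deletion may not be pure duplication: the rule against embedding credentials in files under `plan/` or `tests/` (paths of this repo, not the parent), and the Write-tool caveat that it cannot set permissions atomically, so `chmod 600 <path>` must run in the very next Bash call before the file is used. Please confirm the parent `CLAUDE.md` states both, or keep those two bullets here. Also, the pointer cites `setup/patterns/*.md` as a glob; naming the actual pattern file, as the Test data paragraph now does with `setup/patterns/network-mounts.md`, would save readers a search. The `###` to `##` promotion of "Test data for development" is correct, since its former parent heading `## Secure Temporary Files` is gone.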