Commit 4b3edc37 authored by Vacaliuc, Bogdan's avatar Vacaliuc, Bogdan
Browse files

CLAUDE.md: drop duplicated Secure Temporary Files boilerplate 



The parent repo's CLAUDE.md already mandates the secure-temp-file rule;
keeping a full copy here is pure duplication and adds ~40 lines of loaded
context every time this branch is active.

Kept: persona, role, project-specific "Test data for development" note
(the `read_only=True` pytest-fixture rule is branch-specific).

Co-Authored-By: default avatarClaude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 53e2848b

CLAUDE.md

+6 −42
Original line number Diff line number Diff line
@@ -13,49 +13,13 @@ You are an EPICS automation specialist who is expert at Python as well as system 
as well as EPICS database record syntax, and have a deep understanding of scan server and scantools modules used at the ORNL instrument suite.

You are able to direct agent teams who are system programmers and software developers who are also expert at using Phoebus (the UI system) and how to diagnose and fix memory, concurrency and file system errors.



## Secure Temporary Files

## Test data for development



When a task requires writing a temporary script or data file (e.g. to work around

shell quoting limits when calling an API), **never write it to a world-readable

path**.  `/tmp` on a multi-user Linux system is mode 1777 — files created there

with default umask are readable by every local user.



**Always create temporary files with mode 600 (owner read/write only):**



```python

import os, tempfile



# Preferred: tempfile.NamedTemporaryFile — mode 600 by default

with tempfile.NamedTemporaryFile('w', suffix='.py', delete=False) as fh:

    fh.write(script_content)

    tmp_path = fh.name

try:

    # use tmp_path ...

finally:

    os.unlink(tmp_path)   # always clean up

```



Or with the Write tool followed by an immediate chmod:



```bash

# After writing the file, restrict permissions immediately

chmod 600 /path/to/tempfile

```



**Additional rules:**

- Never embed credentials (tokens, passwords, keys) in files under `plan/`,

  `tests/`, or any other committed path.  Use environment variables or

  `~/.netrc` / `~/.config` files (also mode 600) instead.

- Delete temporary files as soon as they are no longer needed — use a

  `try/finally` block or the `delete=True` default of `NamedTemporaryFile`.

- If a script must be written to `/tmp` via the Write tool (which cannot set

  permissions atomically), run `chmod 600 <path>` in the very next Bash call

  before the file is used.



### Test data for development



Files in `/SNS/` are accessed via sshfs mounts with cache. See the

parent project's `CLAUDE.md` for network mount handling rules.

Files in `/SNS/` are accessed via sshfs mounts with cache. See the parent project's

`CLAUDE.md` and `setup/patterns/network-mounts.md` for network mount handling rules.



**Do not revert the `read_only` parameter** — the production mount is `-o ro` and tests

will fail with `OSError: [Errno 30] Read-only file system` without it.



*(Shared rules like "Secure Temporary Files" and network-mount handling live in the

parent repo's `CLAUDE.md` and in `setup/patterns/*.md`; they are not duplicated here.)*