Commit bec39270 authored by Vacaliuc, Bogdan's avatar Vacaliuc, Bogdan
Browse files

CLAUDE.md: drop duplicated Secure Temp Files and outdated sshfs section 



- Secure Temporary Files boilerplate is already in parent CLAUDE.md.
- "sshfs Stall Protection" section saying -o intr must be passed is outdated:
  sshfs 3.x rejects -o intr, rclone still needs it — full story is in
  setup/patterns/network-mounts.md on main.

Kept: all DANGLE/mDANGLE investigation findings (runtime-vs-substitutions
table, BDST backlash trap, air-pad sequencing, profibus URIP chain,
file-locations map, Galil controller mapping, open mechanical question).

Co-Authored-By: default avatarClaude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 1a48721e

CLAUDE.md

+6 −55
Original line number Diff line number Diff line
@@ -176,64 +176,15 @@ BDST trap and will limit achievable scan tolerance even after `BDST=0`. Candidat 
air-pad supply pressure or valve timing, motor shaft coupling slip, encoder-to-arm

coupling, drivetrain backlash/compliance. Needs hands-on diagnosis.



## Secure Temporary Files



When a task requires writing a temporary script or data file (e.g. to work around

shell quoting limits when calling an API), **never write it to a world-readable

path**.  `/tmp` on a multi-user Linux system is mode 1777 — files created there

with default umask are readable by every local user.



**Always create temporary files with mode 600 (owner read/write only):**



```python

import os, tempfile



# Preferred: tempfile.NamedTemporaryFile — mode 600 by default

with tempfile.NamedTemporaryFile('w', suffix='.py', delete=False) as fh:

    fh.write(script_content)

    tmp_path = fh.name

try:

    # use tmp_path ...

finally:

    os.unlink(tmp_path)   # always clean up

```



Or with the Write tool followed by an immediate chmod:



```bash

# After writing the file, restrict permissions immediately

chmod 600 /path/to/tempfile

```



**Additional rules:**

- Never embed credentials (tokens, passwords, keys) in files under `plan/`,

  `tests/`, or any other committed path.  Use environment variables or

  `~/.netrc` / `~/.config` files (also mode 600) instead.

- Delete temporary files as soon as they are no longer needed — use a

  `try/finally` block or the `delete=True` default of `NamedTemporaryFile`.

- If a script must be written to `/tmp` via the Write tool (which cannot set

  permissions atomically), run `chmod 600 <path>` in the very next Bash call

  before the file is used.



### Test data for development

## Test data for development



Files in `/SNS/REF_M/` and `/SNS/users/6ov/` are accessed via sshfs mounts. See the

parent project's `CLAUDE.md` for network mount handling rules.

parent project's `CLAUDE.md` and `setup/patterns/network-mounts.md` for network mount

handling rules.



**Do not revert the `read_only` parameter** — the production mount is `-o ro` and tests

will fail with `OSError: [Errno 30] Read-only file system` without it.



## sshfs Stall Protection



### Mount options



The SNS sshfs mounts **must** include `-o intr` for SIGALRM to work:



```bash

sshfs ${USER}@analysis.sns.gov:/SNS/REF_M/ ~/SNS/REF_M \

  -o ro,intr,reconnect,ServerAliveInterval=15,ServerAliveCountMax=3

```



Without `-o intr`, any blocking sshfs syscall (including `os.listdir`) puts the

calling process into **D-state** where signals cannot interrupt it. The current

production mounts lack this flag — see `mount | grep SNS` to verify.
 
*(Shared rules live in the parent repo — "Secure Temporary Files" in parent

`CLAUDE.md`, FUSE/sshfs handling including the `-o intr` generation story in

`setup/patterns/network-mounts.md`. Not duplicated here.)*