Commit e7fc763c authored by Vacaliuc, Bogdan's avatar Vacaliuc, Bogdan
Browse files

CLAUDE.md: drop duplicated Secure Temp Files boilerplate 



The parent repo's CLAUDE.md already mandates the secure-temp-file rule;
archiver-query usage is now also documented centrally in
setup/patterns/sns-archiver-and-logs.md on main.

Co-Authored-By: default avatarClaude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 7124e861

CLAUDE.md

+8 −41
Original line number Diff line number Diff line
@@ -83,49 +83,16 @@ match for all 128 data rows). Same query path applies to BL4B. 
Full docs: `setup/docs/sns-archiver-query.md` on `main`.

Plan: `plan/archiver-query-tool.md` on `main`.



## Secure Temporary Files



When a task requires writing a temporary script or data file (e.g. to work around

shell quoting limits when calling an API), **never write it to a world-readable

path**.  `/tmp` on a multi-user Linux system is mode 1777 — files created there

with default umask are readable by every local user.



**Always create temporary files with mode 600 (owner read/write only):**



```python

import os, tempfile



# Preferred: tempfile.NamedTemporaryFile — mode 600 by default

with tempfile.NamedTemporaryFile('w', suffix='.py', delete=False) as fh:

    fh.write(script_content)

    tmp_path = fh.name

try:

    # use tmp_path ...

finally:

    os.unlink(tmp_path)   # always clean up

```



Or with the Write tool followed by an immediate chmod:



```bash

# After writing the file, restrict permissions immediately

chmod 600 /path/to/tempfile

```



**Additional rules:**

- Never embed credentials (tokens, passwords, keys) in files under `plan/`,

  `tests/`, or any other committed path.  Use environment variables or

  `~/.netrc` / `~/.config` files (also mode 600) instead.

- Delete temporary files as soon as they are no longer needed — use a

  `try/finally` block or the `delete=True` default of `NamedTemporaryFile`.

- If a script must be written to `/tmp` via the Write tool (which cannot set

  permissions atomically), run `chmod 600 <path>` in the very next Bash call

  before the file is used.



### Test data for development

## Test data for development



Files in `/SNS/REF_L/` and `/SNS/users/6ov/` are accessed via sshfs mounts with cache. See the

parent project's `CLAUDE.md` for network mount handling rules.

parent project's `CLAUDE.md` and `setup/patterns/network-mounts.md` for network mount

handling rules.



**Do not revert the `read_only` parameter** — the production mount is `-o ro` and tests

will fail with `OSError: [Errno 30] Read-only file system` without it.



*(Shared rules live in the parent repo — "Secure Temporary Files" in parent

`CLAUDE.md`, FUSE/sshfs handling in `setup/patterns/network-mounts.md`,

archiver-query and scan-server patterns in

`setup/patterns/sns-archiver-and-logs.md`. Not duplicated here.)*