Add security and git policies, make repo a model example

- Never commit secrets; comprehensive .gitignore with fetch URL - Never force-push to main - go mod tidy before committing - make hooks target with Go repo detection - Add .editorconfig, .prettierrc, .prettierignore - Template files URL for new repo setup
2026-02-22 16:06:13 +01:00 · 2026-02-22 16:06:13 +01:00 · 06f279fa5b
commit 06f279fa5b
parent d7f14f7517
6 changed files with 63 additions and 4 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,12 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[Makefile]
+indent_style = tab
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,21 @@
+# OS
 .DS_Store
+Thumbs.db
+
+# Editors
 *.swp
 *.swo
 *~
+*.bak
+.idea/
+.vscode/
+*.sublime-*
+
+# Node
 node_modules/
+
+# Environment / secrets
+.env
+.env.*
+*.pem
+*.key
--- a/.prettierignore
+++ b/.prettierignore
@ -0,0 +1,2 @@
+node_modules/
+yarn.lock
--- a/.prettierrc
+++ b/.prettierrc
@ -0,0 +1,3 @@
+{
+    "tabWidth": 4
+}
--- a/10
+++ b/10
@ -1,4 +1,4 @@
-.PHONY: test lint fmt fmt-check check docker
+.PHONY: test lint fmt fmt-check check docker hooks

 PRETTIER := yarn run prettier

@ -19,3 +19,11 @@ check: test lint fmt-check

 docker:
 	docker build -t prompts .
+
+hooks:
+	@printf '#!/bin/sh\nset -e\n' > .git/hooks/pre-commit
+	@if [ -f go.mod ]; then \
+		printf 'go mod tidy\ngo fmt ./...\ngit diff --exit-code -- go.mod go.sum || { echo "go mod tidy changed files; please stage and retry"; exit 1; }\n' >> .git/hooks/pre-commit; \
+	fi
+	@printf 'make check\n' >> .git/hooks/pre-commit
+	@chmod +x .git/hooks/pre-commit
--- a/REPO_POLICIES.md
+++ b/REPO_POLICIES.md
@ -12,8 +12,10 @@ Version: 2026-02-22

 - Every repo with software must have a root `Makefile` with these targets:
  `make test`, `make lint`, `make fmt` (writes), `make fmt-check`
-  (read-only), `make check` (prereqs: `test`, `lint`, `fmt-check`), and
-  `make docker`.
+  (read-only), `make check` (prereqs: `test`, `lint`, `fmt-check`),
+  `make docker`, and `make hooks` (installs pre-commit hook). A model
+  Makefile is at
+  `https://git.eeqj.de/sneak/prompts/raw/branch/main/Makefile`.

 - Always use Makefile targets (`make fmt`, `make test`, `make lint`, etc.)
  instead of invoking the underlying tools directly. The Makefile is the
@ -43,9 +45,20 @@ Version: 2026-02-22

 - `main` must always pass `make check`, no exceptions.

+- Never commit secrets. `.env` files, credentials, API keys, and
+  private keys must be in `.gitignore`. No exceptions.
+
+- `.gitignore` should be comprehensive from the start: OS files
+  (`.DS_Store`), editor files (`.swp`, `*~`), language build artifacts,
+  and `node_modules/`. Fetch the standard `.gitignore` from
+  `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore`
+  when setting up a new repo.
+
 - Never use `git add -A` or `git add .`. Always stage files explicitly
  by name.

+- Never force-push to `main`.
+
 - Make all changes on a feature branch. You can do whatever you want on
  a feature branch.

@ -84,7 +97,8 @@ Version: 2026-02-22

 - First commit of a new repo should contain only `README.md`.

- Go module root: `sneak.berlin/go/<name>`.
+- Go module root: `sneak.berlin/go/<name>`. Always run `go mod tidy`
+  before committing.

 - Use SemVer.

@ -112,6 +126,10 @@ Version: 2026-02-22
    - `static/` — static assets (images, fonts, etc.)
    - `web/` — web frontend source

+- When setting up a new repo, files from the `prompts` repo may be used
+  as templates. Fetch them from
+  `https://git.eeqj.de/sneak/prompts/raw/branch/main/<filename>`.
+
 - New repos must contain at minimum:
    - `README.md`, `.git`, `.gitignore`, `.editorconfig`
    - `REPO_POLICIES.md` (copy from the `prompts` repo)