From 06f279fa5b6badb04473628f7c512510b881498c Mon Sep 17 00:00:00 2001 From: sneak Date: Sun, 22 Feb 2026 16:06:13 +0100 Subject: [PATCH] Add security and git policies, make repo a model example - Never commit secrets; comprehensive .gitignore with fetch URL - Never force-push to main - go mod tidy before committing - make hooks target with Go repo detection - Add .editorconfig, .prettierrc, .prettierignore - Template files URL for new repo setup --- .editorconfig | 12 ++++++++++++ .gitignore | 16 ++++++++++++++++ .prettierignore | 2 ++ .prettierrc | 3 +++ Makefile | 10 +++++++++- REPO_POLICIES.md | 24 +++++++++++++++++++++--- 6 files changed, 63 insertions(+), 4 deletions(-) create mode 100644 .editorconfig create mode 100644 .prettierignore create mode 100644 .prettierrc diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..2fe0ce0 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,12 @@ +root = true + +[*] +indent_style = space +indent_size = 4 +end_of_line = lf +charset = utf-8 +trim_trailing_whitespace = true +insert_final_newline = true + +[Makefile] +indent_style = tab diff --git a/.gitignore b/.gitignore index 31f0a5f..c5a0882 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,21 @@ +# OS .DS_Store +Thumbs.db + +# Editors *.swp *.swo *~ +*.bak +.idea/ +.vscode/ +*.sublime-* + +# Node node_modules/ + +# Environment / secrets +.env +.env.* +*.pem +*.key diff --git a/.prettierignore b/.prettierignore new file mode 100644 index 0000000..23d67fc --- /dev/null +++ b/.prettierignore @@ -0,0 +1,2 @@ +node_modules/ +yarn.lock diff --git a/.prettierrc b/.prettierrc new file mode 100644 index 0000000..0a02bce --- /dev/null +++ b/.prettierrc @@ -0,0 +1,3 @@ +{ + "tabWidth": 4 +} diff --git a/Makefile b/Makefile index d80fcbc..8ea462e 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: test lint fmt fmt-check check docker +.PHONY: test lint fmt fmt-check check docker hooks PRETTIER := yarn run prettier 
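Review bot: In the "Environment / secrets" block at the end of the `.gitignore` hunk, `.env.*` also ignores template files such as `.env.example`, and `*.pem` / `*.key` cover only two of the forms private key material is usually stored in. If a committed template is wanted, add `!.env.example` after `.env.*`, and consider listing further patterns such as `*.p12`, `*.pfx` and SSH key files like `id_rsa`. Ignore rules have no effect on files that are already tracked or that are added with `git add -f`, so the "never commit secrets" policy introduced in this commit still depends on review or a scanning step rather than on this file alone.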
@@ -19,3 +19,11 @@ check: test lint fmt-check docker: docker build -t prompts . + +hooks: + @printf '#!/bin/sh\nset -e\n' > .git/hooks/pre-commit + @if [ -f go.mod ]; then \ + printf 'go mod tidy\ngo fmt ./...\ngit diff --exit-code -- go.mod go.sum || { echo "go mod tidy changed files; please stage and retry"; exit 1; }\n' >> .git/hooks/pre-commit; \ + fi + @printf 'make check\n' >> .git/hooks/pre-commit + @chmod +x .git/hooks/pre-commit diff --git a/REPO_POLICIES.md b/REPO_POLICIES.md index 192dd17..4643607 100644 --- a/REPO_POLICIES.md +++ b/REPO_POLICIES.md @@ -12,8 +12,10 @@ Version: 2026-02-22 - Every repo with software must have a root `Makefile` with these targets: `make test`, `make lint`, `make fmt` (writes), `make fmt-check` - (read-only), `make check` (prereqs: `test`, `lint`, `fmt-check`), and - `make docker`. + (read-only), `make check` (prereqs: `test`, `lint`, `fmt-check`), + `make docker`, and `make hooks` (installs pre-commit hook). A model + Makefile is at + `https://git.eeqj.de/sneak/prompts/raw/branch/main/Makefile`. - Always use Makefile targets (`make fmt`, `make test`, `make lint`, etc.) instead of invoking the underlying tools directly. The Makefile is the @@ -43,9 +45,20 @@ Version: 2026-02-22 - `main` must always pass `make check`, no exceptions. +- Never commit secrets. `.env` files, credentials, API keys, and + private keys must be in `.gitignore`. No exceptions. + +- `.gitignore` should be comprehensive from the start: OS files + (`.DS_Store`), editor files (`.swp`, `*~`), language build artifacts, + and `node_modules/`. Fetch the standard `.gitignore` from + `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore` + when setting up a new repo. + - Never use `git add -A` or `git add .`. Always stage files explicitly by name. +- Never force-push to `main`. + - Make all changes on a feature branch. You can do whatever you want on a feature branch. 
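Review bot: The first recipe line of the `hooks` target truncates `.git/hooks/pre-commit` with `>`, so any hook already installed there (for example a secret scanner) is silently replaced, and the hard-coded path fails where `.git` is a file (worktrees, submodules) or is bypassed when `core.hooksPath` is set. Resolving the location once, e.g. `HOOK := $(shell git rev-parse --git-path hooks)/pre-commit`, and writing to `$(HOOK)` covers those layouts; keeping a copy of an existing hook before overwriting would avoid the silent loss. In the Go branch, the generated hook runs `go fmt ./...` but the following `git diff --exit-code` is limited to `go.mod go.sum`, so reformatted `.go` files stay unstaged while the commit proceeds unless `make check` catches them, which this hunk does not show. The hook is client-side and skipped by `git commit --no-verify`, so the rule that `main` always passes `make check` still needs a server-side check.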
@@ -84,7 +97,8 @@ Version: 2026-02-22 - First commit of a new repo should contain only `README.md`. -- Go module root: `sneak.berlin/go/`. +- Go module root: `sneak.berlin/go/`. Always run `go mod tidy` + before committing. - Use SemVer. @@ -112,6 +126,10 @@ Version: 2026-02-22 - `static/` — static assets (images, fonts, etc.) - `web/` — web frontend source +- When setting up a new repo, files from the `prompts` repo may be used + as templates. Fetch them from + `https://git.eeqj.de/sneak/prompts/raw/branch/main/`. + - New repos must contain at minimum: - `README.md`, `.git`, `.gitignore`, `.editorconfig` - `REPO_POLICIES.md` (copy from the `prompts` repo)