diff --git a/SECURITY.md b/SECURITY.md index 85232c0..4b40be1 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -34,3 +34,22 @@ appreciated — please give us time to release a fix before any public disclosur project directories. Review the paths you grant access to. - `qti-core` produces QTI packages from local markdown; it makes no network calls as part of generation. + +## Data protection + +This is a public repository. QuestionForge works with a teacher's exam material +in local project directories — none of that material belongs here. Git history +is permanent, so the rules below apply to code, tests, examples, documentation +and commit messages alike. + +- **Never commit real personal data:** names (students, colleagues, teachers), + school or institution names, personal-identity numbers, file paths containing + a username (`/Users/...`), or secrets (API keys, tokens, `.env`). +- **Never commit real exam material:** actual exam questions, question banks and + assessment data stay in your local project. Examples and test fixtures use + fabricated questions only. +- **Use fabricated or anonymised data in every example and test** — for example + `School A`, `Colleague_A`, `/path/to/project`, an invented question. +- **Already committed something real?** Deleting the file is not enough — it + stays in the git history forever. Stop, scrub the history, rotate any exposed + secret, and resolve it before the next push. diff --git a/docs/decisions/017-track-repo-policy-rules.md b/docs/decisions/017-track-repo-policy-rules.md index 509c773..488df93 100644 --- a/docs/decisions/017-track-repo-policy-rules.md +++ b/docs/decisions/017-track-repo-policy-rules.md @@ -1,7 +1,8 @@ --- type: decision -status: active +status: superseded created: 2026-06-24 +superseded: 2026-07-07 origin: code project: QuestionForge relates_to: [ADR-015, ADR-016] @@ -9,6 +10,14 @@ relates_to: [ADR-015, ADR-016] # ADR-017: Track the three repo-policy rules in `.claude/rules/` +> **Superseded** by ACDM ADR-017 (*Rule distribution — `.claude/` is dev-tooling; +> public policy lives in conventional docs*, 2026-06-24) and walked back in #33: +> the "read by repo-tooling" rationale below was wrong — the tooling that reads +> these rules is local and has them on disk regardless of git-tracking, and +> `.claude/rules/*.md` are agent instructions, not contributor-facing policy. +> `.claude/` is now wholly gitignored; the public data-protection policy lives +> in `SECURITY.md`. The text below is kept as the historical record. + ## Context `.claude/` holds Claude Code / ACDM configuration. Historically the whole