
Security: malishomen/ai-engineering-skills


SECURITY.md

Security Policy

What this repo contains

Documentation, templates, and Claude Code skills. No executable code beyond:

  • A Python SessionStart hook script template (in skills/complex-project-discipline/docs/12_CLAUDE_CODE_HARNESS_PATTERN.md) — read-only operation, stdlib-only, no network, no file writes.
  • Bash command examples in checklists and docs — illustrative, not auto-executed.
  • A JSON config template (templates/claude_settings.json) — must be adapted to the user's project before use.

There is no runtime, no service, no database. The repo is a static documentation asset.

What this repo does NOT contain

  • ❌ Real API tokens, passwords, SSH keys, certificates.
  • ❌ Real credentials of any kind.
  • ❌ Personal information of partners, customers, or third parties.
  • ❌ Specific server addresses or infrastructure identifiers.
  • ❌ Project-specific identifiers from the source project (organization names, partner relationships, gate IDs, request IDs, SHA hashes).

If you find any of the above committed by accident, please report it immediately.

Reporting a vulnerability

If you discover a security issue (e.g. an accidentally committed credential, a harmful pattern in a template, an exploitable example in documentation), please:

  1. Do NOT open a public issue. That would amplify the vulnerability before it can be fixed.
  2. Open a private security advisory via GitHub: Report a vulnerability.
  3. Or, if you prefer email, contact the maintainer via the GitHub profile listed in the repo metadata.

Response timeline

  • Acknowledgment: within 7 days.
  • Initial assessment: within 14 days.
  • Fix or mitigation: depends on severity, but typically within 30 days for high-severity issues.

What counts as in-scope

✅ In-scope:

  • Accidentally committed credentials.
  • Templates that, if naively adopted, would weaken security (e.g. a claude_settings.json template missing important deny rules).
  • Documentation that recommends an unsafe pattern.

❌ Out-of-scope:

  • Vulnerabilities in tools the documentation references (Claude Code, git, Docker, Cloudflare). Report those to the respective vendors.
  • Theoretical attacks on patterns that require operator misuse to exploit.
  • "This pattern is too restrictive" — that's a feature request, not a vulnerability.

Adoption-time security responsibilities

If you adopt patterns from this repo into your own project, you are responsible for:

  • Replacing all placeholder values (<PROJECT>, <your-domain>, <short-sha>, cfut_..., etc.) with your real values, stored securely (secret manager, environment variables, etc.).
  • Not committing real credentials to your fork or downstream repo.
  • Reviewing the deny list in templates/claude_settings.json and adapting it to your project's threat model.
  • Independently verifying that patterns suit your specific context (compliance requirements, regulatory environment, scale).

License & disclaimer

Released under the MIT License. Patterns are provided "as is" without warranty. The maintainer is not liable for damages arising from adoption.
