Merge pull request #2415 from coreinfrastructure/tweak_claude

Use ',' as the temporary file prefix.

Signed-off-by: David A. Wheeler <[email protected]>

Author: david-a-wheeler

,whitespace.txt

@@ -0,0 +1,2 @@
+This line has trailing spaces   
+And this one too  

.eslintignore

@@ -8,3 +8,5 @@
 # The "application.js" file only contains comments, and the
 # ESLint parser has trouble with comment-only files, so skip it:
 **/application.js
+# Ignore temporary files beginning with comma:
+,*

.rubocop.yml

@@ -56,6 +56,7 @@ AllCops:
     - 'railroader/**/*'
     - '.pryrc'
     - 'license_okay'
+    - ',*'
 
 # This will ALWAYS be disabled. We *want* to be able disable cops.
 Style/DisableCopsWithinSourceCodeDirective:

CLAUDE.md

@@ -25,7 +25,7 @@ This is the **OpenSSF Best Practices Badge** project (formerly CII Best Practice
 ### Code Quality & Linting
 
 - `rake` or `rake default` - Run complete CI pipeline (linting, tests, security checks).
-- `rake rubocop` - Ruby style checker  
+- `rake rubocop` - Ruby style checker
 - `rake rails_best_practices` - Rails-specific best practices source checker
 - `rake markdownlint` - Markdown linting
 - `rake eslint` - JavaScript linting
@@ -83,7 +83,7 @@ not done on the local system.
 Security is *extremely* important to this project. Some features:
 
 - **Encrypted Data**: User emails encrypted with AES-256-GCM
-- **Blind Indexing**: Email searches use blind indices for privacy  
+- **Blind Indexing**: Email searches use blind indices for privacy
 - **CSRF Protection**: All forms protected with Rails CSRF tokens
 - **Rate Limiting**: Uses `rack-attack` for DoS protection
 - **Content Security Policy**: Strict CSP headers via `secure_headers` gem
@@ -121,7 +121,7 @@ The file `docs/assurance-case.md` explains why we *believe* this is secure.
 
 ## Key Configuration Files
 
-- `config/application.rb` - Core Rails app configuration  
+- `config/application.rb` - Core Rails app configuration
 - `config/routes.rb` - Complex routing with locale support
 - `lib/tasks/default.rake` - Custom rake tasks including full CI pipeline
 
@@ -169,7 +169,7 @@ Security is *VERY* important in this application.
 Key environment variables for development:
 
 - `RAILS_ENV` - Rails environment (development/test/production)
-- `EMAIL_ENCRYPTION_KEY` - 64 hex digits for email encryption  
+- `EMAIL_ENCRYPTION_KEY` - 64 hex digits for email encryption
 - `EMAIL_BLIND_INDEX_KEY` - 64 hex digits for email search indices
 - `BADGEAPP_REAL_PRODUCTION` - Set to "true" only on true production site
 - `PUBLIC_HOSTNAME` - Hostname for the application
@@ -192,7 +192,7 @@ Key environment variables for development:
 ### Security Considerations
 
 - Badge image URLs must be canonical for CDN caching
-- All user input requires validation and sanitization  
+- All user input requires validation and sanitization
 - Session timeouts are enforced - don't extend arbitrarily
 - Rate limiting is aggressive - be aware when testing
 
@@ -204,3 +204,11 @@ Key environment variables for development:
 - `docs/` - Extensive documentation including security assurance case
 - `lib/tasks/default.rake` - CI pipeline and custom tasks
 - `test/` - Comprehensive test suite
+
+## Miscellaneous
+
+IMPORTANT: Never have trailing whitespace in text-like files including
+source code and markdown files.
+
+IMPORTANT: When creating temporary files, always prefix their names with
+a comma to distinguish them.

config/rails_best_practices.yml

@@ -6,7 +6,7 @@
 features: true
 spec: true
 without_color: true
-exclude: ["railroader/"]
+exclude: ["railroader/", "^,.*"]
 
 AddModelVirtualAttributeCheck: { }
 AlwaysAddDbIndexCheck: { }

dockerfiles/README.md

@@ -14,15 +14,20 @@ installed on your computer (Install instructions are
 2. "cd" into that directory and modify the Dockerfile
    to point to the correct base image.
 3. Log in to DockerHub
+
     ~~~~sh
     docker login -u <username>
     ~~~~
+
 4. Build the docker image (replace `<tag>` below with for example
    `2.5.1-stretch`.
+
     ~~~~sh
     docker build -t <username>/cii-bestpractices:<tag> .
     ~~~~
+
 5. Push your image.
+
     ~~~~sh
     docker push <username>/cii-bestpractices:<tag>
     ~~~~

lib/tasks/default.rake

@@ -17,6 +17,7 @@
 # minimize what we install in production, and we try to make our
 # CI system similar to production.
 
+require 'English'
 require 'json'
 
 # NOTE: Our default runs test:all, not just test.
@@ -191,7 +192,8 @@ end
 desc 'Run markdownlint (mdl) - check for markdown problems on **.md files'
 task :markdownlint do
   # The default configuration is in .mdlrc + style config/markdown_style.rb
-  sh 'bundle exec mdl *.md docs/*.md'
+  # Exclude temporary files beginning with comma
+  sh 'find . -name "*.md" ! -name ",*" -print0 | xargs -0 bundle exec mdl'
 end
 
 # Apply JSCS to look for issues in JavaScript files.
@@ -242,24 +244,45 @@ end
 # Don't do whitespace checks on these YAML files:
 YAML_WS_EXCEPTIONS ||= ':!test/vcr_cassettes/*.yml'
 
-desc 'Check for trailing whitespace in latest proposed (git) patch.'
+desc 'Check for trailing whitespace in all text files.'
 task :whitespace_check do
-  if ENV['CI'] # CircleCI modifies database.yml
-    sh "git diff --check -- . ':!config/database.yml' #{YAML_WS_EXCEPTIONS}"
+  puts 'Checking for trailing whitespace...'
+
+  # Find all files, exclude directories we don't want, exclude comma-prefixed
+  # files, use file to identify text files, then check for trailing whitespace
+  # This won't handle filenames with \n but those shouldn't be in our repo!
+  cmd = <<~SHELL
+    find . -type f ! -name ',*' \
+      ! -path './vendor/*' ! -path './node_modules/*' \
+      ! -path './railroader/*' ! -path './tmp/*' ! -path './.git/*' \
+      ! -path './log/*' ! -path './test/vcr_cassettes/*' \
+      ! -path './license_finder_report.html' \
+      ! -path './coverage/index.html' \
+      -print0 | \
+    xargs -0 file | \
+    awk -F': ' '$2 ~ /(text|script)/ && $2 !~ /(executable|binary)/ \
+      {print $1}' | \
+    xargs grep -l '[[:space:]]$' 2>/dev/null || true
+  SHELL
+
+  output = `#{cmd}`
+
+  if output.empty?
+    puts 'No trailing whitespace found.'
   else
-    sh "git diff --check -- . #{YAML_WS_EXCEPTIONS}"
+    puts 'Trailing whitespace found in these files:'
+    puts output
+    exit 1
   end
 end
 
 desc 'Check YAML syntax (except project.yml, which is not straight YAML)'
 task :yaml_syntax_check do
-  require 'English'
-
   # Don't check "project.yml" - it's not a straight YAML file, but instead
   # it's processed by ERB (even though the filename doesn't admit it).
   puts 'Checking YAML syntax...'
 
-  find_cmd = "find . -name '*.yml' ! -name 'projects.yml' " \
+  find_cmd = "find . -name '*.yml' ! -name 'projects.yml' ! -name ',*' " \
              "! -path './railroader/*' ! -path './vendor/*' " \
              '-exec bundle exec yaml-lint {} + 2>&1'