The finding
Auditing my own document set, I found a live credential stored in plaintext in one of the reference docs — a service username and a password, on a network share the whole team could read, sitting next to the API endpoint it authenticated against. I flagged it for rotation and redaction the same day.
The credential is the least interesting part. The standards already forbade it: the coding standard’s security section mandates a secrets manager and states, in as many words, never commit secrets. A correct rule, written down and read — and a secret still landed in plaintext. That is not a discipline problem, and more discipline will not retire it. It is structural. The doc set knew better than the doc set.
A control that depends on attention fails on the day attention is somewhere else. So the fix belongs at the foundation, not in the margins: enforcement on the commit path, for every author, every time — a standard that scales because it no longer needs to be remembered.Rules rely on attention. Mechanisms don’t.engineering-standards SOP system, §9 — what I’d improve
prose
a standard a person is asked to remember
──▶agent context
a standard a model reads before it writes
──▶executable rule
a standard that fails the commit
That last rung is the one this page stands on. Below is a rule from the same system, running as a mechanism — in your browser now, and on the commit that shipped this section.
The rule, and the thing that keeps it
thoughts/shared/{plans,research}/YYYY-MM-DD-<TICKET>-<slug>.md
filename✗
The linter decides. This page does not get a vote.
That convention was written down, committed, and correct. Across the twelve artifacts that existed before anything enforced it, it was followed once. The eleven that missed it are still here, grandfathered — a lint that blocks every commit on day one gets disabled on day two.
── pre-commit ──────────────────────────────
✓ lint-filenames: passed
✓ leak-scan: no secrets, no identifiers on shipping surfaces
✓ check-filename-rule: the rendered rule matches the enforced rule
────────────────────────────────────────────
This repository’s pre-commit hook, on the commit that shipped this section. Line two is the scanner the finding above should have had. Line three checks that the rule on this page is the same string line one enforces. Bypass is --no-verify — and if you find yourself typing it, the rule is wrong. Fix the rule, not the commit.