The finding
Auditing my own document set, I found a live credential stored in plaintext in one of the reference docs — a service username and a password, committed to a network share the whole team could read, sitting next to the API endpoint it authenticated against. I flagged it for rotation and redaction.
That is a genuine failure, and it is mine. It is also exactly the failure the standards themselves warn against: the coding standard has a security section that mandates a secrets manager and states, in as many words, never commit secrets. The doc set knew better than the doc set.
A rule I wrote, believe in, and enforce on others did not stop me from pasting a password into a reference doc while debugging an API.Rules rely on attention. Mechanisms don’t.engineering-standards SOP system, §9 — what I’d improve
prose
a standard a person is asked to remember
──▶agent context
a standard a model reads before it writes
──▶executable rule
a standard that fails the commit
That last rung is the one this page stands on. Below is a rule from the same system, running as a mechanism — in your browser now, and on the commit that shipped this section.
The rule, and the thing that keeps it
thoughts/shared/{plans,research}/YYYY-MM-DD-<TICKET>-<slug>.md
filename✗
The linter decides. This page does not get a vote.
That convention was written down, committed, and correct. Across the twelve artifacts that existed before anything enforced it, it was followed once. The eleven that missed it are still here, grandfathered — a lint that blocks every commit on day one gets disabled on day two.
── pre-commit ──────────────────────────────
✓ lint-filenames: passed
✓ leak-scan: no secrets, no identifiers on shipping surfaces
✓ check-filename-rule: the rendered rule matches the enforced rule
────────────────────────────────────────────
This repository’s pre-commit hook, on the commit that shipped this section. Line two is the scanner the finding above should have had. Line three checks that the rule on this page is the same string line one enforces. Bypass is --no-verify — and if you find yourself typing it, the rule is wrong. Fix the rule, not the commit.