Manual audit pass against 0xmariowu/AgentLint's evidence-backed checks
(MIT, drawn from 265 versions of Anthropic's internal Claude Code
system prompt).

Findings and fixes:
- Identity sections ("You are the assistant running inside ...") removed
from BOOCHAT.md (line 3) and BOOCODER.md (line 5). The model already
knows where it's running; the openers were emphatic decoration.
- CLAUDE.local.md added to .gitignore (.env was already covered).
Claude Code's Glob tool ignores .gitignore by default, which means
any local override file was otherwise readable by any agent walking
the workspace.
- CLAUDE.md unchanged — already passes all 10 checks. Emphasis density
0.58/1000 words (under Anthropic's 1.4/1000 endpoint); two IMPORTANT/
MUST references are load-bearing (tsc-noEmit footgun, v1.13.7
includeUsage invariant); zero identity sections; zero --no-verify
references; 27,682 chars (under the 40,000-char silent-drop limit).
Line count (153) is over the 60-120 target band, but the brief
explicitly forbids structural rewrites in the audit pass.

Targets not in scope:
- /opt/boocode/AGENTS.md does not exist in this repo (removed in v1.12,
per CLAUDE.md:152). The global agent registry lives at /data/AGENTS.md
(bind-mounted from outside the repo); can't be touched by this batch.
- No .github/workflows/ directory — SHA-pin audit (step 8) skipped.

Cumulative effect: model spends fewer tokens parsing instruction-file
ceremony in BOOCHAT/BOOCODER and receives sharper priority signal per
Anthropic's measured-evolution data. Zero code changes.

The /data dir is host-mounted into the container at /data:ro and holds
the global AGENTS.md seed (v1.8.1). It is part of the deployment
contract — anyone cloning needs to mkdir data/ + cp AGENTS.md into it
themselves — so the directory itself should never be tracked.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- Dockerfile: install git + openssh-client in runtime image; pre-populate
/root/.ssh/known_hosts with the Tailscale ssh-keyscan for
100.114.205.53:2222 (Gitea SSH). Without these, the bootstrap push
step from inside the container fails with "command not found" or
host-key prompts.
- docker-compose.yml: mount ./secrets/boocode_gitea as
/root/.ssh/id_ed25519:ro so the container can authenticate to Gitea
over SSH for the initial push.
- .gitignore: add secrets/ so the keypair never lands in the repo.
- project_bootstrap.ts: rewrite the Gitea-returned ssh_url's hostname
from git.indifferentketchup.com to 100.114.205.53 before adding it
as origin, so the push hits the Tailscale interface that the
known_hosts entry covers.
- CreateProjectModal.tsx: preview label now reads "Folder:
/opt/projects/<name>" to match the new BOOTSTRAP_ROOT (was /opt/).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
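The hostname rewrite and the known_hosts pre-population in the second commit only work together: once the ssh_url points at the Tailscale address, the host-key check is done against the IP, on whatever port the URL carries. The following is an added TypeScript example, not the project's project_bootstrap.ts or any code from these commits. It rewrites a Gitea ssh_url in either of the two shapes Gitea can return (scp-like `git@host:owner/repo.git` or `ssh://git@host:port/owner/repo.git`, an assumption about Gitea's output) and then checks that the container's known_hosts actually pins the resulting host:port before git is invoked, so a missing entry fails fast instead of hanging on an interactive prompt. The sample known_hosts content and the key data in it are constructed placeholders; the hostnames, IP and port are the ones named in the commit message.

```typescript
// Added example, not the project's own code. Rewrites the Gitea ssh_url to
// the Tailscale address and verifies known_hosts covers the target host:port.

const PUBLIC_HOST = "git.indifferentketchup.com"; // from the commit message
const TAILSCALE_HOST = "100.114.205.53";          // from the commit message

// scp-like form: [user@]host:path  (no scheme, carries no port)
const SCP_LIKE = /^(?:([^@\/:]+)@)?([^:\/]+):(.+)$/;
// URL form: ssh://[user@]host[:port]/path
const SSH_URL = /^ssh:\/\/(?:([^@\/:]+)@)?([^:\/]+)(?::(\d+))?(\/.*)$/;

// Replace only the hostname; user, port and path are preserved. URLs for any
// other host are returned untouched so an unexpected remote is never rewritten.
function rewriteSshHost(sshUrl: string, from = PUBLIC_HOST, to = TAILSCALE_HOST): string {
  const u = SSH_URL.exec(sshUrl);
  if (u) {
    const [, user, host, port, path] = u;
    if (host !== from) return sshUrl;
    return `ssh://${user ? user + "@" : ""}${to}${port ? ":" + port : ""}${path}`;
  }
  if (sshUrl.startsWith("ssh://")) throw new Error(`unrecognised ssh url: ${sshUrl}`);
  const s = SCP_LIKE.exec(sshUrl);
  if (s) {
    const [, user, host, path] = s;
    if (host !== from) return sshUrl;
    return `${user ? user + "@" : ""}${to}:${path}`;
  }
  throw new Error(`unrecognised ssh url: ${sshUrl}`);
}

// OpenSSH looks up a plain "host" entry for port 22 and "[host]:port" for any
// other port, which is also what ssh-keyscan -p <port> writes. Hashed entries
// (|1|...) cannot be matched by inspection and marker lines (@cert-authority,
// @revoked) are not plain host-key pins, so both are skipped.
function knownHostsCovers(knownHosts: string, host: string, port: number): boolean {
  const wanted = port === 22 ? host : `[${host}]:${port}`;
  for (const raw of knownHosts.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith("|1|") || line.startsWith("@")) continue;
    const fields = line.split(/\s+/);
    if (fields.length < 3) continue; // need host(s), key type, key data
    if (fields[0].split(",").includes(wanted)) return true;
  }
  return false;
}

// Rewrite the remote, then refuse to proceed unless known_hosts pins the
// host:port that ssh will actually connect to. An scp-like URL carries no
// port, so ssh uses 22 (absent ~/.ssh/config) and a "[host]:2222" entry
// written by ssh-keyscan -p 2222 does not cover it.
function originForPush(giteaSshUrl: string, knownHosts: string): string {
  const origin = rewriteSshHost(giteaSshUrl);
  const u = SSH_URL.exec(origin);
  const host = u ? u[2] : SCP_LIKE.exec(origin)![2];
  const port = u && u[3] ? Number(u[3]) : 22;
  if (!knownHostsCovers(knownHosts, host, port)) {
    throw new Error(`known_hosts has no entry for ${host}:${port}; push would prompt or fail`);
  }
  return origin;
}

// Constructed sample of a known_hosts file produced by ssh-keyscan -p 2222;
// the key data is a placeholder, not a real key.
const SAMPLE_KNOWN_HOSTS = [
  "# 100.114.205.53:2222 (constructed sample)",
  "[100.114.205.53]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD",
].join("\n");

console.log(originForPush("ssh://git@git.indifferentketchup.com:2222/boo/proj.git", SAMPLE_KNOWN_HOSTS));
```

The check in `originForPush` is the point: pre-populating known_hosts at image build time pins whatever key ssh-keyscan saw then, and the pin is only useful if the entry matches the exact host and port git ends up using after the rewrite. Verifying that in the bootstrap step turns a silent hang or a "Host key verification failed" deep in the push into an explicit error naming the missing entry.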