thermiteau/mav-bp-source-control
skills/mav-bp-source-control/SKILL.md
Source control conventions for all projects. Covers the requirement for remote repositories, repository hygiene, .gitignore standards, and sensitive file protection. Applied as a foundational requirement for all projects.
$ install --global
skillsauthnpx skillsauth add thermiteau/maverick mav-bp-source-controlInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 6, 2026, 2:38 AM215.9s1 file scanned
SKILL.md
- name:
- mav-bp-source-control
- description:
- Source control conventions for all projects. Covers the requirement for remote repositories, repository hygiene, .gitignore standards, and sensitive file protection. Applied as a foundational requirement for all projects.
Source Control Standards
Ensure all projects use source control with a remote repository, maintain clean history, and protect sensitive files.
Principles
- All projects must use source control — git is the standard; no exceptions
- Remote repository is mandatory — local-only git is a hard fail; code must be pushed to a remote
- Protect sensitive files — credentials, secrets, and environment files must never be committed
- Maintain clean history — no large binaries, no build artifacts, no generated files in the repository
Remote Repository Requirement
This is a HARD REQUIREMENT. A project without a remote repository is not under source control in any meaningful sense. Local-only git provides no backup, no collaboration, and no CI/CD integration.
Validation
Run the following check at the start of any workflow:
git remote -v
- If no remote is configured, stop and flag this as a blocking issue
- The remote must be reachable — a configured remote pointing to a deleted or inaccessible repository is also a failure
- Acceptable remotes: GitHub, GitLab, Bitbucket, Azure DevOps, or any hosted git service
What to Do When No Remote Exists
- Do not proceed with implementation work — source control is a prerequisite
- Inform the user that a remote repository is required
- Offer to help create one (e.g.,
gh repo create) if the user has the appropriate tooling - Only continue once
git remote -vshows a valid remote
Validation Checks
Before beginning work on any project, verify these source control fundamentals:
| Check | Command / Method | Pass Criteria |
| ------------------------ | ----------------------------------------- | -------------------------------------------- |
| Remote exists | git remote -v | At least one remote with a valid URL |
| .gitignore exists | Check for .gitignore in repo root | File exists and is non-empty |
| No secrets in repo | Scan for .env, credentials, key files | No sensitive files tracked in git |
| Clean working state | git status | Understood; no unexpected untracked files |
.gitignore Requirements
Every repository must have a .gitignore file at the root. It must cover the following categories:
Required Categories
| Category | Examples |
| --------------------- | ------------------------------------------------------------------- |
| Build output | dist/, build/, out/, target/, *.o, *.pyc, __pycache__/ |
| Dependencies | node_modules/, .venv/, vendor/ |
| Environment files | .env, .env.local, .env.*.local |
| IDE files | .idea/, .vscode/ (except shared settings), *.swp, *.swo |
| OS files | .DS_Store, Thumbs.db, desktop.ini |
| Test/coverage output | coverage/, .nyc_output/, htmlcov/, .pytest_cache/ |
| Logs | *.log, logs/ |
Guidance
- Start from a language-appropriate template (e.g., GitHub's
gitignoretemplates) - Add project-specific entries as needed
- Never use
.gitignoreas a substitute for not generating files in the first place — if a build step creates output, configure it to write outside the repo or to a gitignored directory - Review
.gitignorewhen adding new tools or frameworks to the project
Sensitive File Protection
Secrets, credentials, and keys must never be committed to the repository. This is non-negotiable.
Files That Must Never Be Committed
| File / Pattern | Contains |
| --------------------------- | --------------------------------- |
| .env, .env.* | Environment variables, secrets |
| credentials.json | Service account credentials |
| *.pem, *.key | Private keys |
| *secret*, *token* | API tokens, secret keys |
| aws-credentials, ~/.aws | AWS access keys |
| *.p12, *.pfx | Certificate bundles with keys |
Enforcement
- All patterns above must be in
.gitignore - If a secret has been committed historically, it must be rotated immediately — removing it from the repo is not sufficient
- Use environment variables or secret managers (AWS Secrets Manager, Vault, etc.) instead of files
- CI/CD pipelines should use secret injection, not checked-in credential files
Detection
To check if secrets are currently tracked:
# Check for common secret file patterns in tracked files
git ls-files | grep -iE '\.env$|\.env\.|credentials|\.pem$|\.key$|secret|token'
If any results appear, investigate immediately.
Repository Hygiene
No Large Binaries
- Do not commit binary files larger than 1 MB — use Git LFS, an artifact store, or a CDN
- Exceptions: small icons, fonts, or test fixtures that are genuinely part of the source
- Common offenders: database dumps, compiled binaries, media files, ZIP archives
No Build Artifacts
dist/,build/,out/, compiled files, bundled assets — these are generated from source and must not be committed- CI/CD pipelines produce artifacts; the repository stores source
Empty Directories
- Git does not track empty directories — use
.gitkeepfiles to preserve directory structure where needed - Only use
.gitkeepwhen the empty directory is meaningful (e.g., a required output directory)
Repository Size
- Keep the repository lean — large repos slow cloning, CI, and developer onboarding
- Periodically audit with
git count-objects -vHor similar tools - If the repo has grown large due to historical mistakes, consider
git filter-repoto clean history (with team coordination)
Branching and Commit Conventions
For detailed branching strategy, commit message format, merge conflict handling, and branch lifecycle, refer to:
mav-git-workflow
This skill covers:
- Branch naming conventions (
<type>/<issue>-<desc>) - Protected branch (
main) - Conventional Commits format
- Merge and rebase strategies
- Branch cleanup after merge
Detecting Source Control Issues
When auditing a project or starting work, flag these patterns:
| Pattern | Issue | Fix |
| ------------------------------------------ | ------------------------------- | --------------------------------------------------------- |
| No remote configured | Local-only repo — hard fail | Create remote repo and push |
| No .gitignore file | Nothing is excluded from tracking| Create .gitignore with required categories |
| .env or credentials tracked in git | Secrets exposed in history | Remove from tracking, add to .gitignore, rotate secrets |
| node_modules/ or dist/ committed | Build/dependency artifacts in repo| Remove from tracking, add to .gitignore |
| Large binaries in repo (>1 MB) | Bloated repository | Move to Git LFS or external storage |
| No .gitkeep in required empty dirs | Directory structure lost on clone| Add .gitkeep where needed |
| Sensitive file patterns missing from .gitignore | Future risk of secret commits | Add missing patterns to .gitignore |
| Remote URL points to deleted/moved repo | Effectively no remote | Update remote URL to valid repository |
Related Skills
thermiteau/skills/do-test
development
VerifiedTrustedCommunity
--- name: do-test description: Write or update tests for a code change. Operates in two modes: `unit` (module-scoped, fast, deterministic) and `integration` (crosses module / service / database boundaries). Intended to be invoked once per testable change from inside a do-issue-* or do-epic phase. Mode is required. argument-hint: mode: unit or integration user-invocable: true disable-model-invocation: false --- **Depends on:** mav-bp-unit-testing, mav-bp-integration-testing, mav-local-verificati
9SKILL.mdUpdated May 21, 2026
thermiteau/do-code
development
VerifiedTrustedCommunity
Implement a focused code change. Use this skill as the wrapper for any implementation work so the Maverick workflow report captures what was done and so the agent applies the project's coding standards before editing. Intended to be invoked once per task from inside a do-issue-* or do-epic phase, not standalone.
9SKILL.mdUpdated May 21, 2026
thermiteau/mav-stacked-prs
testing
VerifiedTrustedCommunity
How to stack a PR on top of an unmerged sibling branch, and how to retarget it to the repo's default branch once the sibling merges. Prevents orphan-merge incidents when a dependent story is ready before its parent.
9SKILL.mdUpdated Apr 28, 2026
thermiteau/mav-multi-instance-coordination
development
VerifiedTrustedCommunity
Claim, lease, heartbeat, and release protocols for when multiple Claude Code instances may act on the same issue or epic concurrently. GitHub labels and marker comments are the coordination surface; local state is a cache.
9SKILL.mdUpdated Apr 28, 2026