Applied "Single Source of Truth with Contextual Pointers" pattern:
README.md changes:
- Simplified "Security Note" section to brief warning + bullets
- Removed detailed file list (now only in SECURITY.md)
- Kept inline warning in Quick Start (contextual, at point of use)
- Added bullets describing what SECURITY.md covers
- Result: Brief, clear, points to authoritative source
Documentation strategy:
- SECURITY.md = single source of truth (all details)
- Other docs = brief inline warnings + links to SECURITY.md
- Inline warnings kept at critical moments (e.g., creating config.yaml)
- Platform-specific notes stay in platform guides
Added .maintenance-notes.md:
- Documents the documentation strategy
- Explains what goes where and why
- Provides guidance for future updates
- Helps prevent redundancy creep
Benefits:
- Easier to maintain (update SECURITY.md, others just link)
- Still highly visible (warnings at critical steps)
- No loss of information (everything in SECURITY.md)
- Clear ownership (each file owns specific info)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Updated README.md:
- Added prominent security warning about config.yaml containing secrets
- Clarified that config.yaml is gitignored and never committed
- Added step-by-step Quick Start with security notes
- Added "Security Note" section listing protected files
- Added Documentation section linking to all guides including SECURITY.md
- Added note about API keys stored in ~/.llm/keys.json
Updated QUICKSTART.md:
- Added security warning box when copying config.yaml
- Explained that file contains secrets and is gitignored
- Added reference to SECURITY.md for complete guidance
Updated MASTODON_SETUP.md:
- Added prominent link to SECURITY.md at top of Security Considerations
- Clarified that credential files are gitignored
- Added note about *_clientcred.secret and *_usercred.secret files
All documentation now clearly explains:
- Where secrets go (config.yaml, ~/.llm/keys.json)
- What's protected by .gitignore
- Where to find complete security information (SECURITY.md)
- How to safely configure the bot
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Enhanced .gitignore to protect:
- Configuration files with secrets (config.yaml, .env files)
- Mastodon credential files (*_clientcred.secret, *_usercred.secret)
- API keys and tokens (*.key, *.token, *.pem, credentials.json)
- Database files (may contain user data)
- Backup files (may contain sensitive data)
- LLM API key directories (.llm/, .openai/, .anthropic/)
Added SECURITY.md documentation covering:
- Where secrets are stored
- What is/isn't committed to git
- Best practices for credential management
- Production secret management options
- What to do if secrets are accidentally committed
- Pre-commit hook examples
- Security audit checklist
Verified all patterns with the test suite: all sensitive files are properly ignored.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

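As an added example (not Govbot's own test suite and not the hooks described in SECURITY.md), the script below builds a throwaway repository carrying the ignore rules the commit lists, verifies with `git check-ignore` that secret-bearing paths are ignored while ordinary source files are not, and shows a pre-commit style guard that refuses a commit when an ignored path was force-added with `git add -f`. It assumes git on PATH; the exact spellings for ".env files", database files and backup files (`.env.*`, `*.db`, `*.sqlite`, `*.bak`, `*~`) and every sample filename are assumptions of mine, since the commit names only the categories.

```bash
#!/bin/sh
# Added example, not the Govbot project's own test suite or pre-commit hook.
# Assumptions: git is on PATH; pattern spellings for .env/database/backup
# files and all sample filenames below are constructed, the commit only
# names the categories.
set -eu

# Create a fresh repo containing the .gitignore under test; print its path.
setup_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  cat > "$repo/.gitignore" <<'EOF'
# Configuration files with secrets
config.yaml
.env
.env.*
# Mastodon credential files
*_clientcred.secret
*_usercred.secret
# API keys and tokens
*.key
*.token
*.pem
credentials.json
# Database and backup files (may contain user data)
*.db
*.sqlite
*.bak
*~
# LLM API key directories
.llm/
.openai/
.anthropic/
EOF
  printf '%s\n' "$repo"
}

# Create empty placeholder files (with parent directories) so git can tell
# whether each path is a file or a directory when it matches patterns.
materialize() {
  repo=$1; shift
  for p in "$@"; do
    mkdir -p "$repo/$(dirname "$p")"
    : > "$repo/$p"
  done
}

# Succeed only if every given path is ignored; report the first that is not.
all_ignored() {
  repo=$1; shift
  for p in "$@"; do
    git -C "$repo" check-ignore -q -- "$p" || { echo "NOT IGNORED: $p" >&2; return 1; }
  done
}

# Succeed only if none of the given paths is ignored, so real source
# (README.md, config.example.yaml, the code) can still be committed.
none_ignored() {
  repo=$1; shift
  for p in "$@"; do
    if git -C "$repo" check-ignore -q -- "$p"; then
      echo "WRONGLY IGNORED: $p" >&2; return 1
    fi
  done
}

# Pre-commit style guard: an ignored path can only reach the index through
# `git add -f`. --no-index makes check-ignore apply the patterns even to
# paths that are already staged, so any hit means a secret is about to be
# committed. Fail on the first such path.
scan_staged() {
  repo=$1
  git -C "$repo" diff --cached --name-only | while IFS= read -r p; do
    if git -C "$repo" check-ignore --no-index -q -- "$p"; then
      echo "REFUSING COMMIT: $p matches a secret pattern" >&2
      exit 1
    fi
  done
}

# Stand-alone run with constructed sample filenames (unquoted on purpose so
# the shell splits them into separate arguments).
SECRETS="config.yaml .env .env.production govbot_clientcred.secret govbot_usercred.secret server.key api.token cert.pem credentials.json govbot.db state.sqlite config.yaml.bak config.yaml~ .llm/keys.json .openai/api_key .anthropic/api_key"
SOURCE="README.md SECURITY.md config.example.yaml constitution.md govbot/main.py"
demo_repo=$(setup_repo)
materialize "$demo_repo" $SECRETS $SOURCE
all_ignored "$demo_repo" $SECRETS
none_ignored "$demo_repo" $SOURCE
echo "all secret paths ignored, source files still commit-able"
git -C "$demo_repo" add -f config.yaml
scan_staged "$demo_repo" || echo "hook would block the force-added config.yaml"
```

To use `scan_staged` as a real hook, drop the demo section and call it from `.git/hooks/pre-commit` against the current repository; a non-zero exit aborts the commit. The negative check (`none_ignored`) matters as much as the positive one: an over-broad pattern such as `*.yaml` would silently hide `config.example.yaml` from contributors.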
Govbot is an AI-powered governance bot that interprets natural language
constitutions and facilitates collective decision-making across social
platforms.
Core features:
- Agentic architecture with constitutional reasoning (RAG)
- Platform-agnostic design (Mastodon, Discord, Telegram, etc.)
- Action primitives for flexible governance processes
- Temporal awareness for multi-day proposals and voting
- Audit trail with constitutional citations
- Reversible actions with supermajority veto
- Works with local (Ollama) and cloud AI models
Platform support:
- Mastodon: Full implementation with streaming, moderation, and admin skills
- Discord/Telegram: Platform abstraction ready for implementation
Documentation:
- README.md: Architecture and overview
- QUICKSTART.md: Getting started guide
- PLATFORMS.md: Platform implementation guide for developers
- MASTODON_SETUP.md: Complete Mastodon deployment guide
- constitution.md: Example governance constitution
Technical stack:
- Python 3.11+
- SQLAlchemy for state management
- llm CLI for model abstraction
- Mastodon.py for Mastodon integration
- Pydantic for configuration validation
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>