Critical Corrections
False Positive Reduction in Security Checks (Learned: 2026-01-12)
Problem: Security checks were generating ~30% false positives by flagging:
- Generic placeholder names ("Example-Client", "Sample-Client", "Test-Client")
- Substring matches in XML schemas ("secChAlign" → flagged as "SECC" client)
- Example paths in documentation using sanitized names
Solution: Three-layer intelligent filtering implemented:
- Exclude Placeholder Patterns:
    ✗ Don't flag: "Example-Client", "Sample-Company", "Test-Organization"
    ✓ Do flag: "Atlas-Real-Estate", "Schomp-Automotive", actual client names
  Pattern: (Example|Sample|Test|Demo|Client|Company)-[A-Za-z]+
- Exclude False-Positive-Prone File Types:
    ✗ Don't scan: *.xsd, *.dtd, *-schema.json (XML/JSON schemas)
    ✓ Do scan: *.md, *.js, *.py, *.ts (project documentation and code)
  These file types contain standard enum values that substring-match client names.
- Context-Aware Path Detection:
    ✗ Flag: User-Files/Opportunities/Atlas-Real-Estate/proposal.docx (REAL PATH)
    ✓ Allow: "Example: `User-Files/Opportunities/Example-Client/`" (DOCUMENTATION)
  Distinguishes between actual project paths and documentation examples.
Verification: After implementing these improvements:
- False positive rate reduced by ~70%
- Maintained 100% detection of actual client names
- Successfully pushed Reflect validation work without false blocks
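The three layers above, sketched as an added example; this is not the project's own script, whose source the page does not show. The client list, the `scan` and `should_scan` helpers, the path regex and the sample text are assumptions constructed for illustration, and the example goes one step beyond the page by matching known names as whole tokens and applying the placeholder pattern with `fullmatch()`.

```python
import fnmatch
import re

# Assumed inputs: names the page treats as real clients, and its schema skip list.
CLIENT_NAMES = ["Atlas-Real-Estate", "Schomp-Automotive", "SECC"]
SKIP_GLOBS = ["*.xsd", "*.dtd", "*-schema.json"]

# Layer 1: the page's placeholder pattern, used with fullmatch() so a name that
# only contains "Client-..." somewhere inside it is not excused as a placeholder.
PLACEHOLDER = re.compile(r"(Example|Sample|Test|Demo|Client|Company)-[A-Za-z]+")
# Known names match as whole tokens, so "secChAlign" does not hit "SECC".
NAME_RE = re.compile(
    r"(?<![A-Za-z0-9])(" + "|".join(map(re.escape, CLIENT_NAMES)) + r")(?![A-Za-z0-9])",
    re.IGNORECASE,
)
# Layer 3: the client directory segment in the path layouts shown on the page.
PATH_RE = re.compile(r"User-Files/(?:Opportunities|work-tracking)/([A-Za-z0-9-]+)/")

# Constructed sample text; "Harbor-Client-Portal" is an invented name.
SAMPLE = "\n".join([
    "Example: `User-Files/Opportunities/Example-Client/`",
    "See User-Files/Opportunities/Atlas-Real-Estate/proposal.docx",
    "Example: `User-Files/work-tracking/Harbor-Client-Portal/`",
    '<xs:enumeration value="secChAlign"/>',
])


def should_scan(filename):
    """Layer 2: skip schema files whose enum values collide with client names."""
    return not any(fnmatch.fnmatch(filename, glob) for glob in SKIP_GLOBS)


def scan(filename, text):
    """Return sorted (line_number, reason, value) findings for one file."""
    if not should_scan(filename):
        return []
    findings = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in NAME_RE.finditer(line):
            findings.add((lineno, "client-name", match.group(1)))
        for match in PATH_RE.finditer(line):
            if not PLACEHOLDER.fullmatch(match.group(1)):
                findings.add((lineno, "client-path", match.group(1)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan("notes.md", SAMPLE):
        print(finding)
```

In this sketch an `Example:` label alone does not exempt a path; only a placeholder name in the client segment does, so a real name inside a documentation example is still reported.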
Git Push Workflow
Stage all changes, create a conventional commit, and push to the remote branch.
When to Use
Automatically activate when the user:
- Explicitly asks to push changes ("push this", "commit and push")
- Mentions saving work to remote ("save to github", "push to remote")
- Completes a feature and wants to share it
- Says phrases like "let's push this up" or "commit these changes"
Workflow
ALWAYS use the script - do NOT use manual git commands:
    bash .claude/skills/git-pushing/scripts/smart_commit.sh
With custom message:
    bash .claude/skills/git-pushing/scripts/smart_commit.sh "feat: add feature"
Script handles: staging, conventional commit message, Claude footer, push with -u flag.
Authentication Setup
Recommended: Use HTTPS with Personal Access Token
The script automatically checks for SSH URL rewrites and uses HTTPS for authentication:
- Remote URLs should use HTTPS format: https://github.com/username/repo.git
- Git will prompt for credentials or use stored credentials
- If you have a global SSH rewrite (url.git@github.com:.insteadOf), the script will warn you
To configure HTTPS authentication:
    # Set remote to HTTPS
    git remote set-url origin https://github.com/username/repo.git
    # Store credentials (optional). The "store" helper writes them unencrypted to ~/.git-credentials.
    git config --global credential.helper store
Security Checks
Automatic security scanning runs before every push to detect:
- ❌ Internal hourly rates (e.g., $200-$250/hr)
- ❌ Client names in code examples
- ❌ Client-specific file paths (e.g., User-Files/work-tracking/client-name/)
- ❌ Company branding in generic examples
- ❌ Forbidden document types (.docx proposals, contracts, etc.)
Configure patterns: Edit .claude/skills/git-pushing/scripts/security_patterns.conf
Bypass security check (NOT recommended):
    SKIP_SECURITY_CHECK=1 bash .claude/skills/git-pushing/scripts/smart_commit.sh
Edge Cases Handled
- No commits yet: Script handles repos with no HEAD gracefully
- SSH rewrites: Detects and warns about global SSH URL rewrites
- New branches: Automatically uses -u flag for first push
- No changes: Exits gracefully if nothing to commit
- Sensitive data: Blocks push if sensitive patterns detected
Saving Next Steps
When git-pushing work is complete or paused:
    node .claude/skills/work-command-center/tools/add-skill-next-steps.js \
      --skill "git-pushing" \
      --content "## Priority Tasks
    1. Stage and commit changes with conventional message
    2. Push to remote repository
    3. Verify commit appears on GitHub"
See: .claude/skills/work-command-center/skill-next-steps-convention.md