Improve security

2026-03-07 15:34:23 +00:00
parent add685a326
commit 611de57bf8
31 changed files with 3617 additions and 58 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -25,3 +25,24 @@ AI coding tools (Copilot, Claude) will reuse any values they see in context. A r
 Before committing test files, verify no identifier matches a real person:
 - No number outside the reserved fictitious ranges above
 - No name that corresponds to a real contact used as a literal identifier
+
+## Naming: Avoid Ambiguous Role Labels
+
+**Never use "User", "Bot", "Us", or "Them" as role labels without qualification — these terms are context-dependent and misleading in this codebase.**
+
+GIA acts in multiple roles simultaneously:
+- It is a Django **User** (account holder) from the perspective of external services (XMPP, WhatsApp, Signal).
+- It is a **component** (gateway/bot) from the perspective of contacts.
+- The human who owns and operates the GIA instance is the **account holder** or **operator** (not "user", which collides with `User` model).
+- Remote people the system communicates with are **contacts**.
+
+Preferred terms:
+
+| Avoid              | Prefer                                                          |
+| ------------------ | --------------------------------------------------------------- |
+| "User" (ambiguous) | "account holder" or "operator" (for the Django `User`)         |
+| "Bot"              | "component" or "gateway" (for the XMPP/transport layer)        |
+| "Us"               | name the specific actor: "GIA", "the component", "the operator" |
+| "Them"             | "contact" or "remote party"                                     |
+
+Apply this in: comments, template labels, log messages, and variable names.