When Repository Cleanliness Became Our Security Credential

We were three days from the first GitLab push, standing over 94 files and months of accumulated development artifacts. Bot Social Publisher looked feature-complete on the surface. Then we actually checked what would ship.

The project had grown in sprints, each one leaving invisible debris. Local SQLite databases scattered through data/. Development notes—internal retrospectives, debugging logs, dead ends—living in docs/archive/. Vosk speech recognition models, each several megabytes, that made sense during iteration but were indefensible in public code. Worst of all: a .env file with real API credentials sitting where a .env.example template should be.

Most teams would push anyway. The deadline pressure is real. We didn’t.

First came licensing. MIT felt insufficient for code handling Claude API authentication and security logic. We switched to GPL-3.0—copyleft teeth that force anyone building on our work to open-source improvements. Two minutes to update the LICENSE file, but it reframed what we were promising.

Then the actual cleanup. docs/archive/ got nuked completely. Local logs deleted. The Vosk models—precious during development—couldn’t justify their weight in a public repository. We kept .env.example as bootstrap guidance, removed everything environment-specific. The structure that emerged was deliberately boring: src/ for modules, tests/ for pytest, scripts/ for utilities. Standard patterns, exactly right.

Repository initialization turned out to matter more than expected. We explicitly used git init --initial-branch=main --object-format=sha1, choosing SHA-1 for GitLab compatibility rather than letting Git default to whatever version we had. The first commit—hash 4ef013c—contained precisely what belonged: the entry point bot.py, all Python modules with their async collectors and Strapi API integration, test suites, documentation. Nothing else. No mystery artifacts. No “we’ll figure this out later.”

Here’s what surprised me: this work wasn’t obsessive perfectionism. It was about respect. When someone clones your repository, they deserve exactly what works, nothing more. No extraneous models bloating their installation time. No abandoned development notes creating confusion. No local configuration leaking into their environment.

We pushed to GitLab expecting clarity. DNS hiccups happened (naturally), but the repository itself was solid. Clean history. Clear purpose. Code you could trust because we’d actually paid attention to what was in it.

That matters more than 94 files. It matters more than hitting a deadline.

---

Why do programmers prefer dark mode? Because light attracts bugs. 😄