This document outlines security practices for the OpenFixture project to prevent sensitive personal data from being committed to the repository.
Issue: Hardcoded user-specific paths in scripts containing:
- Usernames
- Company names
- OneDrive/personal directory structures
Solution: Configuration template system with external config files. Personal configuration files are now excluded from version control using .gitignore.
- Copy the template file:

```powershell
Copy-Item sync_to_kicad_config.ps1.template sync_to_kicad_config.ps1
```

- Edit with your personal paths:

```powershell
notepad sync_to_kicad_config.ps1
```

- Never commit the config file:
  - The .gitignore file automatically excludes sync_to_kicad_config.ps1
  - This keeps your personal paths private
Your personal config file should contain:

```powershell
# Your personal KiCad plugins directory
$PluginsDir = "C:\Users\YOUR_USERNAME\AppData\Roaming\kicad\9.0\3rdparty\plugins"
```

DO NOT:
- Commit sync_to_kicad_config.ps1
- Hardcode personal paths in tracked scripts
- Include company-specific directory structures
- Share config files with embedded credentials
DO:
- Use the template system
- Keep config files local only
- Use environment variables when possible
- Document config requirements in templates
The .gitignore file prevents the following from being committed:
- `sync_to_kicad_config.ps1` - Personal KiCad paths
- `*_config_local.ps1` - Any local configuration
- `*_local.toml` - Local TOML configurations
- `*.local.*` - Any file marked as local
- User-specific paths and settings
- IDE configurations (`.vscode/`, `.idea/`)
- System files (`Thumbs.db`, `.DS_Store`)
- Python bytecode (`__pycache__/`, `*.pyc`)
- Build artifacts (`build/`, `dist/`)
- Fixture output directories (`fixture*/`)
- DXF exports (except examples)
- Log files (`*.log`)
- `*Copy*.py`, `*Copy*.bat`, etc.
- `*_backup.*`, `*_old.*`
- `*.bak`, `*.tmp`
Before committing changes:
- No personal file paths in committed code
- No usernames or company-specific paths
- Configuration templates updated (`.template` files)
- .gitignore covers new sensitive file types
- No credentials or API keys
- No personal email addresses in code
- Documentation uses generic examples
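As an added example (not part of the OpenFixture project), a POSIX shell pre-commit hook that runs this checklist automatically: it scans staged files for the Windows user paths, OneDrive paths and username/company names this document warns about, skips `.template` files and lines that use the `YOUR_USERNAME` placeholder, and confirms that .gitignore still covers `sync_to_kicad_config.ps1`. `YourUsername` and `CompanyName` are assumed placeholders to be replaced locally.

```shell
#!/bin/sh
# Added example, not part of the OpenFixture project: a git pre-commit hook that
# automates the "before committing" checklist. Copy it to .git/hooks/pre-commit
# and make it executable. YourUsername/CompanyName are assumed placeholders;
# replace them with the real names you want to keep out of the repository.

# Extended regex of things that must not appear in tracked files. The doubled
# backslashes make grep -E match a literal "C:\Users\" prefix.
PERSONAL_PATTERNS='C:\\Users\\|OneDrive|YourUsername|CompanyName'

# Lines using the documented placeholder are generic examples, not leaks.
ALLOWED_PLACEHOLDER='YOUR_USERNAME'

# scan_files_for_personal_paths FILE...
# Prints every offending line as file:line:text and returns 1 if any was found,
# 0 if all files are clean. *.template files are skipped because they are the
# place where path requirements are meant to be documented.
scan_files_for_personal_paths() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        case "$f" in *.template) continue ;; esac
        # /dev/null forces grep to prefix the file name even for a single file.
        if grep -Ein "$PERSONAL_PATTERNS" /dev/null "$f" | grep -v "$ALLOWED_PLACEHOLDER"; then
            found=1
        fi
    done
    return $found
}

# Hook entry point: checks the working-tree copy of each staged file and
# confirms .gitignore still covers the personal config file.
precommit_main() {
    if ! git check-ignore -q sync_to_kicad_config.ps1; then
        echo "pre-commit: sync_to_kicad_config.ps1 is no longer ignored; fix .gitignore" >&2
        exit 1
    fi
    staged=$(git diff --cached --name-only --diff-filter=ACM)
    # Word splitting of $staged is intended: one path per line, no spaces assumed.
    if ! scan_files_for_personal_paths $staged; then
        echo "pre-commit: personal paths found; move them into sync_to_kicad_config.ps1" >&2
        exit 1
    fi
}

# Only run the hook logic when git invokes this file as the pre-commit hook.
case "$0" in */pre-commit|pre-commit) precommit_main ;; esac
```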
The sync_to_kicad.ps1 script now includes:
- Config file detection: Checks for sync_to_kicad_config.ps1
- Auto-path detection: Attempts to find the KiCad plugins directory automatically
- Helpful error messages: Guides users to create a config if needed

The script searches these locations automatically:
- `%APPDATA%\kicad\9.0\3rdparty\plugins` (Windows)
- `%APPDATA%\kicad\8.0\3rdparty\plugins` (Windows)
- `~/.local/share/kicad/9.0/3rdparty/plugins` (Linux)
- `~/.local/share/kicad/8.0/3rdparty/plugins` (Linux)
When adding features that require personal paths:
- Add to template: Update sync_to_kicad_config.ps1.template
- Document requirement: Add to this SECURITY.md file
- Update .gitignore: Add exclusion patterns if needed
- Use relative paths: When possible, use `$PSScriptRoot` or `$RepoDir`
```powershell
# BAD - Hardcoded personal path
$MyPath = "C:\Users\JohnDoe\Documents\Project"

# GOOD - External configuration
# The personal config lives next to the script and is excluded by .gitignore
$ConfigFile = Join-Path $PSScriptRoot "sync_to_kicad_config.ps1"
if (Test-Path $ConfigFile) {
    . $ConfigFile  # Dot-source the config; $MyPath is defined there
} else {
    # Use a generic default or auto-detect
    $MyPath = Join-Path $PSScriptRoot "default_location"
}
```

If you find sensitive data committed to the repository:
- Do not create a public issue
- Contact the maintainers privately
- Document the issue: What data, where found
- Suggest fix: How to prevent future occurrences
For this project:
- Check commit history for exposed data
- Use `git filter-branch` or BFG Repo-Cleaner if needed
- Update .gitignore to prevent recurrence
```shell
# Search for personal usernames
git grep -i "YourUsername"
# Search for company names
git grep -i "CompanyName"
# Check for Windows user paths
git grep "C:\\Users\\"
# List what would be committed
git status --ignored
# Test if sensitive files are ignored
git check-ignore sync_to_kicad_config.ps1
# Should output: sync_to_kicad_config.ps1
```

Last Updated: February 15, 2026
Version: 2.0