From 537fd47818f647a8a35779e26a22b129f6c9f4f7 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 07:45:19 +0100 Subject: [PATCH] M7/D6 gate CLAIMED: rotation doc + redaction; M6.5 PASS recorded Co-Authored-By: Claude Opus 4.7 (1M context) --- BACKLOG.md | 9 +++++++-- STATUS.md | 8 ++++---- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/BACKLOG.md b/BACKLOG.md index 6152678..b071999 100644 --- a/BACKLOG.md +++ b/BACKLOG.md @@ -104,8 +104,13 @@ Two single-writer sections (§6.1): Builder edits only `## Build backlog`; Adver held (per-recipe tests// + recipe_meta EXTRA_ENV only). Awaiting Adversary. ### M7 — Secrets hardening (D6) -- [ ] Full sops model, rotation doc, log redaction + leak test -- [ ] Gate: M7 — secret-grep finds nothing +- [x] Full sops model + rotation doc (docs/secrets.md: 3 classes, decryption chain, rotation per + class) + log redaction filter (run_recipe_ci masks /run/secrets/* values in stage output, + live-streaming preserved). Adversary leak scans clean (baseline + recipe-CI logs). +- [x] Gate: M7 — secret-grep finds nothing → **CLAIMED 2026-05-27**. No-plaintext: harness never + prints secrets, abra doesn't echo generated ones, reconciles redirect secret-gen to /dev/null, + dashboard shows status only; redaction filter as belt-and-suspenders. Awaiting Adversary + (re-grep published logs + dashboard; optionally follow a rotation procedure). ### M8 — Dashboard (D7) - [x] Overview page + badges: dashboard/dashboard.py + modules/dashboard.nix — live at diff --git a/STATUS.md b/STATUS.md index 4186c12..16ac313 100644 --- a/STATUS.md +++ b/STATUS.md 
@@ -6,10 +6,10 @@ GREEN through Drone (build #39). Next: enroll recipes 3–6 (remaining D10 categ **In-flight:** M6.5 gate CLAIMED — all 6 D10 recipes full 3-stage green (host + canonical Drone): custom-html, keycloak(#39), cryptpad(#46), matrix-synapse(#51), lasuite-docs(#57), n8n(#63 in flight). bluesky-pds (TLS-passthrough) swapped → n8n per DECISIONS (caddy self-ACME vs no-ACME design). -**M8/D7 dashboard LIVE** at ci.commoninternet.net (overview + badges, 6 recipes; /hook still bridge). -Next unblocked (while awaiting Adversary on M6.5): M7 secrets hardening (D6 rotation doc + redaction), -M8 PR-comment outcome reflection, M9 docs/reproducibility (D8/D9), and the full -single-`!testme`-on-a-recipe-PR E2E (D10/M10). +**M6.5 PASS** (Adversary). **M8/D7 dashboard LIVE** (overview + badges, 6 recipes; /hook still bridge). +**M7/D6 CLAIMED** (docs/secrets.md rotation doc + log redaction filter; leak scans clean). Next +unblocked: M8 PR-comment outcome reflection, M9 docs/reproducibility (D8/D9), and the full +single-`!testme`-on-a-recipe-PR E2E (D10/M10 — the Adversary-flagged remaining proof). **Last updated:** 2026-05-27 (M6.5 CLAIMED — 6/6 recipes 3-stage green across all D10 categories) ## Gate: M6.5 — CLAIMED, awaiting Adversary (2026-05-27)
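Review bot: In the BACKLOG.md hunk (M7 section), the gate line is ticked `[x]` while its own text reads "CLAIMED 2026-05-27" and "Awaiting Adversary", so the checkbox no longer distinguishes a claimed gate from a verified one. Suggest keeping the gate at `[ ]` until the Adversary result is recorded, or adding an explicit PASS marker when it lands. The removed item listed "leak test" as a deliverable, but the replacement only cites "Adversary leak scans clean", which reads as a one-off scan; name the repeatable test (or say it is still open) so the gate criterion "secret-grep finds nothing" can be re-checked after future changes. The diffstat shows only BACKLOG.md and STATUS.md changed, so docs/secrets.md and the run_recipe_ci redaction filter are not reviewable here; reference the commits that introduced them. It would also help to state the filter's limits in the entry, for example whether a value that appears encoded or is split across streamed output chunks is still masked, since "live-streaming preserved" suggests chunk-wise processing.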
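Review bot: In the STATUS.md hunk, the new "**M6.5 PASS** (Adversary)" line contradicts the unchanged lines around it: the In-flight paragraph above still opens with "M6.5 gate CLAIMED" and lists "n8n(#63 in flight)", and the trailing context still says "**Last updated:** 2026-05-27 (M6.5 CLAIMED ...)" and "## Gate: M6.5 — CLAIMED, awaiting Adversary (2026-05-27)". Update those three places in the same commit so the file reports a single state for M6.5, and move M6.5 out of In-flight now that it has passed. The rewritten dashboard line also drops "at ci.commoninternet.net"; if that was not intentional, keep the URL so the Adversary's "re-grep published logs + dashboard" step has its target in this file.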