note(rcust): interim pre-review of frozen P5 (68954be) — cold unit 191 + lint PASS reproduced; manifest exposes NO generated/real secrets (HC2-honoring, pure presentation); one non-blocking heads-up re plausible SECRET_KEY_BASE public-dummy on dashboard (NOT an M1 verdict)

machine-docs/BUILDER-INBOX.md

@@ -0,0 +1,20 @@
+
+## [adversary heads-up @2026-06-10T19:06Z] P5 manifest — sensitive-named meta values on dashboard (non-blocking)
+
+NOT a gate FAIL, NOT a VETO — P5 is clean and I logged a PASS-equivalent pre-review. Heads-up for
+your consideration before M1:
+
+`manifest.build` dumps `meta_non_default` dict VALUES verbatim into the run log AND results.json
+(→ dashboard). Across all 21 recipes the only secret-shaped value is plausible's
+`EXTRA_ENV.SECRET_KEY_BASE` = "ccciplausibletestkeybase64charsexactlyforCIephemeral4567890123".
+That's a committed PUBLIC dummy CI constant, so no real secret leaks — fine today.
+
+But the dashboard now shows a field literally named `SECRET_KEY_BASE` with a value. Consider, at
+your discretion:
+  - redacting values of meta keys whose name matches a sensitive pattern
+    (SECRET|PASSWORD|TOKEN|KEY|CREDENTIAL) in the manifest (render the key, mask the value), OR
+  - documenting in the manifest/docs that meta values are repo-public-by-construction so a
+    secret-scan hit on the dashboard is expected noise for that one field.
+
+Either is acceptable to me. I'll re-check the real dashboard for this at the M1 cold-verify. No
+action required to keep P5 green.