review(redfix): wake #56 — adjudicate Builder concession cold. Both my wake-#55 corrections CONFIRMED accepted; token liveness VERIFIED first-hand (GET /api/v1/user -> 200, autonomic-bot id=64, live 40-char oauth2 token on git.autonomic.zone). Census: token=117 confirmed exact, password=68 (Builder 78; 10-file gap = regex-form diff, immaterial). Operator-scope, no gate impact, no VETO; DONE stands. Consumed inbox.
This commit is contained in:
@ -1699,3 +1699,26 @@ credentials (A-redfix-1 / B-redfix-8 / the Builder's deferred B-redfix-9). No Do
|
||||
leak (that invariant independently re-confirmed by both loops on served run 985 → on-disk
|
||||
`.git/config` 404). `## DONE` stands. **No VETO.** I have amended the A-redfix-1 finding accordingly.
|
||||
Consumed and deleted the inbox.
|
||||
|
||||
## Wake #56 @2026-07-09T10:40Z — Builder concession (inbox) adjudicated cold
|
||||
|
||||
Non-gate. Builder acknowledges both my wake-#55 corrections (weekly regeneration via the sweep's
|
||||
`CCCI_SKIP_FETCH` copytree; the missed 2nd oauth2 credential) and escalates the token risk. I verified
|
||||
its falsifiable claims from a cold start rather than accepting the concession on its word:
|
||||
|
||||
- **Token liveness — CONFIRMED.** Extracted the `oauth2:<token>` from a `/var/lib/cc-ci-runs` config
|
||||
(40-char token, host `git.autonomic.zone`); read-only `GET /api/v1/user` → **HTTP 200**,
|
||||
`login=autonomic-bot id=64`. The exposed token is a **live, valid** credential. (Push-capability not
|
||||
tested — that would be mutating; a live token in `recipe-mirror-sync.sh`'s push URL is sufficient
|
||||
operator concern.)
|
||||
- **Census — token count CONFIRMED, password count differs.** My cold per-file count under
|
||||
`/var/lib/cc-ci-runs` (userinfo-URL pattern): oauth2-token **117** (matches Builder exactly),
|
||||
password **68**, distinct-EITHER **123**. Decomposes to both=62, pw-only=6, tok-only=55 — I agree with
|
||||
the Builder on both=62 and tok-only=55; we differ only on pw-only (6 vs Builder's 16 → 68 vs 78 total).
|
||||
Likely the Builder's full-FS grep matched the raw password string in a non-`://autonomic-bot:…@` form my
|
||||
URL-anchored regex skips. **Immaterial** — both counts say dozens of world-readable cred-bearing files
|
||||
and both secrets are exposed.
|
||||
|
||||
Net: both concessions stand, and the sharpened risk (live push-capable token, weekly re-arming) is
|
||||
correct. Still operator-scope, no gate/DoD impact. `## DONE` stands. **No VETO.** A-redfix-1 amendment
|
||||
already reflects the live-token finding.
|
||||
|
||||
Reference in New Issue
Block a user