status(redfix): harden B-redfix-8 close-criteria — e3b0c44298fc1c14 is the empty-input tell, not a rotation
Wake #39 (2a61c09) carried no VETO/finding/inbox and nothing to advance, but it did surface a
false-close hazard in STATUS's own operator instructions: "A different digest => rotated => close
B-redfix-8" licensed closing an open HIGH public-credential exposure on a broken probe.
/srv/cc-ci/.testenv lives on the ORCHESTRATOR, not cc-ci. Run over `ssh cc-ci` the sentinel command
hashes empty input and prints sha256("")[:16] = e3b0c44298fc1c14 — a different digest with no rotation.
STATUS now states where to run the probe, names e3b0c44298fc1c14 as the empty-input tell that must NOT
close the item, and disambiguates the three conflated digests: 3fcea78925015fc9 = sha256(credential
value) = the only rotation sentinel; 1994fd8d… = sha256(whole served blob), immutable; e3b0c44298fc1c14
= sha256(empty), a broken probe. Also records the exposure is now confirmed at VALUE level (the live
push-capable password appears verbatim in the public body), stronger than prior blob-equality.
Verified independently before writing: printf '' | sha256sum => e3b0c442…; ssh cc-ci ls .testenv =>
absent; orchestrator sentinel => 3fcea78925015fc9 (still UNROTATED).
Terminal condition unchanged: ## DONE, M1+M2 PASS, no VETO. B-redfix-8 stays OPEN/HIGH/operator-only.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01M7ZrNUJscccinFq5CM5VmP
This commit is contained in:
@ -1631,3 +1631,41 @@ verdict change: M1+M2 PASS stand, `## DONE` stands, no VETO. B-redfix-8 stays OP
|
||||
I cannot rotate a Class-A1 input (§4.4) and cannot rewrite published history (`--force` forbidden), so
|
||||
rotation by the operator is the only thing that revokes the exposure. `main.go` still untracked, still not
|
||||
mine to delete. Loop stops again.
|
||||
|
||||
## Builder wake — 2026-07-09, watchdog ping on `review(redfix)` wake #39 (`f65dfe7`)
|
||||
|
||||
Pulled and read the verdict. **Nothing to advance:** no standing VETO (the sole `## VETO` heading is the
|
||||
CLEARED F-redfix-4), no new finding, no `BUILDER-INBOX.md`, no gate CLAIMED, `## DONE` intact, M1+M2 PASS.
|
||||
Wake #39 is a re-confirmation, not a verdict against me.
|
||||
|
||||
**But it exposed a false-close hazard in my own STATUS text**, so the ping was not a no-op. STATUS said,
|
||||
flatly: "A different digest ⇒ rotated ⇒ close B-redfix-8." The Adversary then documented that a probe run
|
||||
over `ssh cc-ci` cannot open `/srv/cc-ci/.testenv` (it lives on the **orchestrator**), hashes empty input,
|
||||
and prints `e3b0c44298fc1c14` — *a different digest, with no rotation*. My own instructions therefore
|
||||
licensed closing an open HIGH public-credential exposure on the strength of a broken probe. Given that a
|
||||
rebooted loop or the operator reads STATUS (not REVIEW) for the remedy, that is a live risk of silently
|
||||
declaring a still-live, push-capable, publicly-served credential "inert."
|
||||
|
||||
Verified all three digest claims myself before writing them down (no "should work"):
|
||||
|
||||
$ printf '' | sha256sum | cut -c1-16
|
||||
e3b0c44298fc1c14 # the empty-input tell
|
||||
$ ssh cc-ci 'ls /srv/cc-ci/.testenv'
|
||||
ls: cannot access '/srv/cc-ci/.testenv': No such file or directory # absent on cc-ci, as claimed
|
||||
$ python3 -c '...sha256(GITEA_PASSWORD)[:16]...' # on the orchestrator
|
||||
3fcea78925015fc9 # still UNROTATED
|
||||
|
||||
So STATUS now (a) says where to run the probe, (b) names `e3b0c44298fc1c14` as the empty-input tell that
|
||||
must NOT close the item, (c) disambiguates the three digests that have been conflated twice now
|
||||
(value sentinel `3fcea789…`, whole-blob `1994fd8d…`, empty `e3b0c442…`), and (d) records that the exposure
|
||||
is confirmed at *value* level — the live push-capable password appears verbatim in the public body, which
|
||||
is a stronger claim than the blob-equality prior wakes established.
|
||||
|
||||
This is the one edit worth making. I did **not** manufacture a re-confirmation commit: the phase is
|
||||
terminal and re-asserting an unchanging state on a 10-minute cadence is the churn both loops stood down
|
||||
from. B-redfix-8 stays OPEN/HIGH/operator-only; sole close path is a *correctly computed* sentinel that
|
||||
differs from `3fcea78925015fc9`.
|
||||
|
||||
**Unrelated, surfaced not touched:** an untracked `main.go` (281 B, Go hello-world HTTP server on :8080)
|
||||
sits at the repo root of this clone. Not mine, foreign to this Nix repo, absent from git and from
|
||||
`origin/main`. Left in place — not committed (would pollute the repo), not deleted (not mine to destroy).
|
||||
|
||||
@ -40,12 +40,24 @@ must equal object size):
|
||||
|
||||
An unauthenticated fetch of the raw URL returning **HTTP 200 / 33408 bytes** is the leak, not an error page.
|
||||
|
||||
**HOW to confirm it is still the live credential** (commits to the value without republishing it):
|
||||
**HOW to confirm it is still the live credential** (commits to the value without republishing it).
|
||||
Run this **on the orchestrator** — `/srv/cc-ci/.testenv` lives there, **not** on `cc-ci`:
|
||||
|
||||
python3 -c 'import hashlib,re;v=re.search(r"^GITEA_PASSWORD=(.*)$",open("/srv/cc-ci/.testenv").read(),re.M).group(1).strip().strip(chr(34)).strip(chr(39));print(hashlib.sha256(v.encode()).hexdigest()[:16])'
|
||||
|
||||
**EXPECTED.** Prints `3fcea78925015fc9` while still unrotated. **A different digest ⇒ rotated ⇒ `14c7dee`
|
||||
is inert ⇒ close B-redfix-8.**
|
||||
is inert ⇒ close B-redfix-8** — *but only if the probe was sound.* Two known-bad probes yield a different
|
||||
digest without any rotation, and must NOT be used to close this item:
|
||||
|
||||
- **`e3b0c44298fc1c14` is the empty-input tell, not a rotation.** Running the command over `ssh cc-ci`
|
||||
fails to open `.testenv`, hashes the empty string, and prints `sha256("")[:16]` = `e3b0c44298fc1c14`
|
||||
(check: `printf '' | sha256sum`). Fix the probe; do not close B-redfix-8.
|
||||
- **Do not conflate the three digests.** `3fcea78925015fc9` = sha256(credential *value*)[:16] — the only
|
||||
rotation sentinel. `1994fd8d…` = sha256(the whole served *blob*) — immutable, changes never.
|
||||
`e3b0c44298fc1c14` = sha256(empty) — a broken probe.
|
||||
|
||||
Exposure confirmed at **value level** (Adversary, 2026-07-09T07:34Z): the currently-valid, push-capable
|
||||
password appears **verbatim** in the publicly served body, not merely "a blob that once held a secret."
|
||||
|
||||
**REMEDY (operator).** Rotate the Gitea bot password, then update `/srv/cc-ci/.testenv`. The credential is a
|
||||
Class-A1 external infra input (plan §4.4) — the Builder must not rotate or invent it. History rewrite is not
|
||||
|
||||
Reference in New Issue
Block a user