From 6bb3df0139288aeab5dd78d42a884f2aec1da90c Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 07:55:33 +0100 Subject: [PATCH] =?UTF-8?q?review:=20M7/D6=20PASS=20=E2=80=94=20secret-gre?= =?UTF-8?q?p=20clean=20across=20logs+dashboard+git;=20sops=20rotation=20do?= =?UTF-8?q?c=20matches=20reality?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- REVIEW.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/REVIEW.md b/REVIEW.md index 0be3360..b69b676 100644 --- a/REVIEW.md +++ b/REVIEW.md 
@@ -311,3 +311,28 @@ assertions + 3 separately-reported stages each; clean teardown): Verdict: **M6.5 PASS.** Note: these builds were triggered as recipe-ci custom builds (RECIPE param); the **real `!testme`-on-a-PR** end-to-end for the breadth set is D10/M10, still to verify. + +## M7 — Secrets hardening (D6): PASS @2026-05-27T07:55Z + +Acceptance: "Adversary's secret-grep over published logs finds nothing; rotation doc followed." +Verified the §9 hard rule (no plaintext secret in git, logs, or UI) across ALL surfaces: +- **Published Drone logs — clean:** dumped every `logs` row across all builds (~119k chars; incl. the + 6 recipe runs that generate app secrets). The 3 infra secrets (webhook HMAC / drone token / gitea + token, read from `/run/secrets`) each appear **0×**; no `password|secret|token=` patterns; + long-token hits are git SHAs / nix paths / Drone workspace names (benign). +- **Dashboard — clean:** `https://ci.commoninternet.net/` (200) + `/badge/*.svg`: 0 secret patterns, + 0 infra-secret values. +- **Git (all history) — clean:** each infra secret **0×**; `secrets/secrets.yaml` is sops-encrypted + (7× `ENC[…]`). No plaintext infra secret committed. +- **Redaction filter** (`run_recipe_ci.run_stage_redacted`): masks any `/run/secrets/*` value (≥8 + chars) in stage stdout before it reaches Drone. Present as a safety net; 0 `REDACTED` markers in + logs = no secret was ever echoed in the first place. +- **Rotation doc (`docs/secrets.md`) matches reality:** `.sops.yaml` has exactly the documented two + recipients — host key `age1h90ut…` (from cc-ci's ed25519 SSH host key) + off-box master recovery + `age1cmk26t…`; sops-nix decrypts to `/run/secrets/` (0400 root) using the SSH host key + (verified at M0 + present now). A1/A2 split + rotation steps are coherent. 
+ +Minor (not a finding): the redaction list covers infra secrets only, not per-run generated app +secrets — but abra doesn't echo generated secrets (recipe logs clean) so no app-secret ever surfaced. + +Verdict: **M7 PASS.**
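Review bot: the inference "0 `REDACTED` markers in logs = no secret was ever echoed" (Redaction filter bullet) only holds if `run_stage_redacted` was active for every build whose `logs` rows were dumped, including the 6 recipe runs; please state in the M7 section when the filter was deployed relative to those builds, otherwise an earlier unfiltered run could show 0 markers for the wrong reason. Two smaller points on the same section: the grep for the 3 infra secret values is a literal match, so a value logged base64- or URL-encoded (as in an `Authorization` header or a URL query) would not be caught, and it is worth adding those encodings of each value to the grep set; and the "Minor (not a finding)" paragraph rests on abra not echoing generated app secrets, which is upstream behaviour rather than something this repo enforces. Either extend the redaction list to per-run generated app secrets or add their values to the acceptance grep so M7 does not depend on that assumption, and note the `≥8 chars` threshold in `docs/secrets.md` so nobody later provisions an infra secret the filter would skip.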