fix(redfix): correct STATUS — A-redfix-1 is 78 copies not 1; insteadOf root cause falsified; sweep runs deployed /etc/cc-ci
Adversary wake #53/#54 reaffirm DONE + no VETO (no gate impact), but both correct STATUS text (Builder-owned): 1. A-redfix-1 "sole copy" withdrawn: 78 world-readable cred-bearing .git/config, sentinel 3fcea78925015fc9. Exposure confirmed; Adversary's /root/.gitconfig insteadOf root cause FALSIFIED three ways (clone does not persist insteadOf rewrites — tested, git 2.47.2; /etc/cc-ci config predates .gitconfig by 2wk; live fetch_recipe uses a non-persisted http.extraHeader token since9b33fdf, so 0/215 numeric runs carry it). Real generator: CCCI_SKIP_FETCH copytree of credentialed /root/.abra/recipes (0700) into 0755 run tree. STATUS steps 3-4 rewritten; filed B-redfix-9 (deferred). Falsification sent via ADVERSARY-INBOX.md. 2. Sweep mechanism: runs deployed /etc/cc-ci (main @d11f8f5), not origin/main. Verified first-hand. DONE stands; no VETO; no DoD item touched. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Y9GyBPF1EgTTh6277Xjj7k
This commit is contained in:
@ -37,7 +37,18 @@ The four `A-redfix-*` findings are also non-blocking and are accounted for here,
|
||||
B-redfix-5 precondition below is rewritten accordingly: two unfalsifiable probes deleted, the wedge
|
||||
described as a weekly alternating DOWN/UP outage that raises no alert, and the precondition re-anchored
|
||||
from "slot clean at merge time" to **"never deploy `07fc6d4`"**. The trap is **not armed** and **cannot be
|
||||
armed by autonomous node activity** (`origin/main`, the tree the sweep runs, has `WARM_CANONICAL = False`).
|
||||
armed by autonomous node activity** (the tree the sweep runs has `WARM_CANONICAL = False`).
|
||||
|
||||
**MECHANISM CORRECTED (wake #54; Adversary REVIEW wake #54, re-verified first-hand by the Builder).** The
|
||||
sweep does **not** run `origin/main`. `nightly-sweep.service` ExecStart is a nix-store wrapper that sets
|
||||
`CCCI_REPO=/etc/cc-ci` and execs `cc-ci-run "$CCCI_REPO/runner/nightly_sweep.py"`, so the tree that
|
||||
executes is the **deployed checkout `/etc/cc-ci`** (branch `main` @ `d11f8f5`, clean). The guarantee is a
|
||||
property of **what is deployed to `/etc/cc-ci`**, so a future **deploy** — not a merge to `origin/main` —
|
||||
is what could arm the wedge. Conclusion unchanged (trap disarmed); only the named tree was wrong. Verify:
|
||||
|
||||
ssh cc-ci 'git -C /etc/cc-ci rev-parse --abbrev-ref HEAD; grep -n "^WARM_CANONICAL" /etc/cc-ci/tests/keycloak/recipe_meta.py;
|
||||
git -C /etc/cc-ci merge-base --is-ancestor 07fc6d4 HEAD && echo ARMED || echo disarmed'
|
||||
# EXPECTED: main / 16:WARM_CANONICAL = False / disarmed (a real assignment, not the line-15 comment)
|
||||
|
||||
All four corrected operator-facing *descriptions*, not DoD items. No VETO at wake #43 (`b358b7e`) or wake #44
|
||||
(`84a1666`, 2026-07-09T08:47Z). **Note on provenance:** A-redfix-2's false half entered this file at `f64d102`
|
||||
@ -102,6 +113,29 @@ action that actually revokes the exposure.
|
||||
ssh cc-ci 'git -C /etc/cc-ci remote set-url origin \
|
||||
https://git.autonomic.zone/recipe-maintainers/cc-ci.git && chmod 600 /etc/cc-ci/.git/config'
|
||||
|
||||
**CORRECTION (wake #54, Builder, 2026-07-09T10:2xZ): `/etc/cc-ci/.git/config` is 1 of 78 world-readable
|
||||
copies — step 3 alone fixes 1/78.** The "sole copy" claim above is **withdrawn** (Adversary falsified it
|
||||
independently, REVIEW/BACKLOG wake #53). Scope, re-derived first-hand — 78 world-readable cred-bearing
|
||||
`.git/config`, all carrying sentinel `3fcea78925015fc9` (= the same live password):
|
||||
**68** under `/var/lib/cc-ci-runs/manual-*/abra/recipes/*/`, **8** in `/nix/store` (0444, read-only, clears
|
||||
on GC), **1** `/tmp/v`, **1** `/etc/cc-ci`. Verify:
|
||||
|
||||
ssh cc-ci 'find / -xdev -name config -path "*/.git/*" 2>/dev/null | while read f; do
|
||||
grep -q "autonomic-bot:" "$f" || continue
|
||||
setpriv --reuid=1000 --regid=1000 --clear-groups cat "$f" >/dev/null 2>&1 && echo "$f"; done | wc -l'
|
||||
# EXPECTED: 78 (after remediation: 0, ignoring /nix/store)
|
||||
|
||||
4. **Scrub the other 77 (A-redfix-1, widened).** The generator is the **credentialed `origin` in the canonical
|
||||
clones** `/root/.abra/recipes/*/.git/config`, which `fetch_recipe`'s `CCCI_SKIP_FETCH=1` staging path
|
||||
(`runner/run_recipe_ci.py:348-353`, `shutil.copytree`) copies into the world-traversable run tree
|
||||
(`/var/lib/cc-ci-runs`, `0755`). The canonical copies are themselves shielded by `/root` = `0700`; the
|
||||
run-dir copies are not. Strip userinfo at the source, then scrub the copies:
|
||||
|
||||
ssh cc-ci 'for d in /root/.abra/recipes/*/; do r=$(basename "$d");
|
||||
git -C "$d" remote set-url origin https://git.autonomic.zone/recipe-maintainers/$r.git 2>/dev/null; done
|
||||
rm -rf /tmp/v
|
||||
find /var/lib/cc-ci-runs -path "*/.git/config" -exec grep -lq "autonomic-bot:" {} \; -delete'
|
||||
|
||||
Stripping the userinfo does **not** break the clone: the sweep only ever *fetches*, and the mirror serves
|
||||
this repo anonymously (that is precisely what B-redfix-8 exploits). Verified 2026-07-09T09:1xZ —
|
||||
`GIT_TERMINAL_PROMPT=0 git -c credential.helper= ls-remote https://git.autonomic.zone/recipe-maintainers/cc-ci.git HEAD`
|
||||
|
||||
Reference in New Issue
Block a user