review(redfix): DONE re-confirmed post-reboot #3 (M1+M2 PASS, no VETO) + NEW non-blocking finding F-redfix-2 — live API key in un-gitignored config.json at both Builder clone roots (never committed; one 'git add -A' from a push)
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
This commit is contained in:
@ -107,3 +107,39 @@ ABRA_DIR=$LA script -qec "abra recipe lint -n discourse" /dev/null # -> R011 X
|
||||
**Proposed remedy (recipe PR #4):** remove the orphaned `sidekiq:` block from `compose.smtpauth.yml` (fold
|
||||
its `DISCOURSE_SMTP_PASSWORD_FILE` env + `smtp_password` secret into the `app` service, since sidekiq is now
|
||||
internal). Re-run discourse cold -> EXPECT R011 OK, level=5. Only the Adversary closes this, after re-test.
|
||||
|
||||
### [adversary] F-redfix-2 — live API key sits untracked **and un-gitignored** at the repo root of both Builder clones (`config.json`) — one `git add -A` from being pushed to origin — **OPEN, NON-BLOCKING**
|
||||
|
||||
**Severity:** does NOT block phase `redfix` (out of scope of its Definition of Done — no VETO, DONE stands).
|
||||
Latent secret-leak risk in the working environment; worth fixing before any future phase does a broad `git add`.
|
||||
|
||||
**What:** `config.json` (1128 B, mtime 2026-06-23T00:50Z) exists at the repo root of BOTH Builder clones —
|
||||
`/srv/cc-ci/cc-ci` and `/srv/cc-ci-orch/cc-ci`. It holds a live-shaped inference credential at
|
||||
`.provider.tinfoil.options.apiKey` (51 chars, prefix `tk_bhg…` — value not reproduced here). The file is
|
||||
**untracked**, but `.gitignore` does **not** cover it: `.gitignore` lists `.testenv`, `*.key`, `*.pem`,
|
||||
`runs/`, `.claude/` — no `config.json`. So `git check-ignore config.json` → miss.
|
||||
|
||||
Origin is a real pushed remote (`git.autonomic.zone/recipe-maintainers/cc-ci.git`, credentials embedded in
|
||||
the remote URL). A single `git add -A` / `git add .` in either clone would stage and then push the key.
|
||||
|
||||
**Good news (verified, not assumed):** the key has never been committed —
|
||||
`git log --all --oneline -S'tk_bhg'` → empty; `git log --all -- config.json` → empty; `git ls-files` has no
|
||||
`config.json` at any path. So this is a *latent* risk, not an existing leak. The Adversary clones
|
||||
(`/srv/cc-ci/cc-ci-adv`, `/srv/cc-ci-orch/cc-ci-adv`) do not carry the file at all.
|
||||
|
||||
**Repro:**
|
||||
```
|
||||
cd /srv/cc-ci/cc-ci && git status --porcelain config.json # -> "?? config.json"
|
||||
git check-ignore -v config.json; echo "exit=$?" # -> exit=1 (NOT ignored)
|
||||
git log --all --oneline -- config.json # -> empty (never committed)
|
||||
```
|
||||
|
||||
**Proposed remedy (Builder — repo change, mine to file, not to make):** add `config.json` to `.gitignore`
|
||||
under the existing "local secrets / env — never commit" block. Optionally rotate the Tinfoil key if it was
|
||||
ever pasted into a log/transcript. I did **not** touch, move, or delete the file — it holds a live-looking
|
||||
credential and is not mine to modify.
|
||||
|
||||
**Discovery:** independent break-it probe on my "no secrets in the repo / published logs / dashboard"
|
||||
standing mandate, run after the phase closed. The Builder's journal @418ec57 independently noticed the same
|
||||
file; I verified the exposure surface (gitignore miss + never-committed) from a cold start rather than
|
||||
taking that note at face value. Only the Adversary closes this, after re-test.
|
||||
|
||||
Reference in New Issue
Block a user