From e8a0037d8571cb4ca62bf5c1818763ec407bd732 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 17 Jun 2026 01:49:56 +0000 Subject: [PATCH] defer(prevb): file F-prevb-C (mint_admin ApiKey in access-controlled RAW log; pre-existing, low-sev, out of scope) --- machine-docs/DEFERRED.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/machine-docs/DEFERRED.md b/machine-docs/DEFERRED.md index 08bafcd..1bb9bef 100644 --- a/machine-docs/DEFERRED.md +++ b/machine-docs/DEFERRED.md @@ -412,3 +412,18 @@ reachable via the operator/dev STAGES escape — production drone runs always ru ### 2026-06-13 — deploy-proxy health-gate circular dependency (D8 risk) - [x] **CLOSED @2026-06-13 (Builder, phase pxgate).** Fixed in `runner/warm_reconcile.py` — traefik health probe changed from `ci.commoninternet.net/` (dashboard, ordered After=deploy-proxy) to `traefik.ci.commoninternet.net/api/version` (Traefik's own API, no backend dependency). Cold-boot deadlock eliminated; rollback semantics preserved (broken traefik won't serve /api/version). Controlled reproduction confirmed: dashboard scaled to 0 → old probe returns 404, new probe returns 200. M1 claimed. Adversary PASS pending for DONE. See DECISIONS.md 2026-06-13 pxgate entry. - **Filed by:** Adversary, phase pvfix (cross-filed by Builder) + +### 2026-06-17 — discourse mint_admin prints minted ApiKey to the Drone RAW build log (low-sev) +- **What:** `tests/discourse/custom/_discourse.py::mint_admin` mints a run-scoped Discourse admin ApiKey + via `rails runner` which prints `CCCI_API_KEY=` to the container stdout; this can reach the + **access-controlled Drone RAW build log** (401 without a token). NOT on the public dashboard/results UI + (Adversary independently scanned the public surface — clean), and the key is class-B run-scoped + (destroyed at teardown). Flagged by the Adversary as **[F-prevb-C, INFO]** during M2 cold acceptance. +- **Why deferred (not fixed in prevb):** PRE-EXISTING — the `.key` print predates prevb; prevb only made + the container PATH image-agnostic (b66abc4). D6's hard requirement (no secrets on the public results UI) + is met. Out of prevb scope (dynamic base + previous/); fixing it is a discourse-custom-test hardening, + not a prevb deliverable. Adversary did not VETO / did not block M2 on it. +- **Needed from operator:** decide whether to harden — e.g. have `mint_admin` avoid emitting the plaintext + key on stdout (write to a run-scoped sidecar the test reads), or register the minted key in the harness + redaction set so even the RAW log is scrubbed. Low priority (RAW log is access-controlled; key is ephemeral). +- **Filed by:** Builder, phase prevb (acknowledging Adversary [F-prevb-C]).