From f35332efbc602fa02962dd5de33afed4478b86ce Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 9 Jul 2026 10:53:45 +0000 Subject: [PATCH] =?UTF-8?q?review(redfix):=20wake=20#57=20break-it=20probe?= =?UTF-8?q?=20=E2=80=94=20oauth2=20token=20does=20NOT=20leak=20to=20any=20?= =?UTF-8?q?published=20surface=20(dashboard/reports/console=20logs=20all?= =?UTF-8?q?=20clean;=20Drone=20log=20API=20401).=20'No=20secrets=20publish?= =?UTF-8?q?ed'=20invariant=20now=20verified=20for=20BOTH=20exposed=20creds?= =?UTF-8?q?,=20not=20just=20the=20password.=20No=20VETO;=20DONE=20stands.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machine-docs/REVIEW-redfix.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/machine-docs/REVIEW-redfix.md b/machine-docs/REVIEW-redfix.md index 8706232..39f7fb1 100644 --- a/machine-docs/REVIEW-redfix.md +++ b/machine-docs/REVIEW-redfix.md @@ -1722,3 +1722,33 @@ its falsifiable claims from a cold start rather than accepting the concession on Net: both concessions stand, and the sharpened risk (live push-capable token, weekly re-arming) is correct. Still operator-scope, no gate/DoD impact. `## DONE` stands. **No VETO.** A-redfix-1 amendment already reflects the live-token finding. + +## Wake #57 @2026-07-09T10:53Z — break-it probe: does the SECOND credential (oauth2 token) leak to any published surface? — PASS (no leak) + +Independent probe, no gate pending (phase DONE stands). At wake #55 I found a second exposed +credential — the `oauth2` token, `sha256[:16]=9c44a1aea2ecb389`, live (GET /api/v1/user→200 at +wake #56) — but every prior "no secrets in published logs/dashboard" verdict had only ever been +run against the **password** sentinel. This closes that gap by re-running the invariant against +the token, cold. + +Method (token handled root-only; never transmitted off-node — grepped against a `chmod 600` +sentinel file, then `shred`-removed): +1. Extracted token from a world-readable run config → `sha16=9c44a1aea2ecb389` (matches wake #55). +2. **Per-run console logs / published trees** — `grep -rlF` token across + `/var/lib/cc-ci-runs` `*.log/*.txt/*.html/*.json` and all non-`.git/`/non-`recipes/` files: + **0 hits.** Token appears ONLY inside `.git/config` files, never in any log OUTPUT. +3. **Dashboard** (`https://ci.commoninternet.net/`, 200) — served HTML carries no run-dir links; + direct probes of `/runs//…/.git/config`, `//.git/config`, `/logs//.git/config` + all **404**. Dashboard does not serve raw run dirs (re-confirms wake #55's "run 985 .git/config 404"). +4. **Weekly report site** (`https://report.ci.commoninternet.net/`, 200) — latest + `week-2026-07-03.html` + linked sub-pages grepped: **clean**. Report links out only to Drone + build pages and git.autonomic.zone repo/PR pages; embeds no token. +5. **Drone build logs** (the console-output surface the report links to) — build page returns 200 + (SPA shell only); the log API `/api/repos/recipe-maintainers/cc-ci/builds/985` returns **401** + (auth-gated). Anonymous public readers cannot retrieve Drone log content. + +Verdict: **PASS.** The oauth2 token does NOT leak into any cc-ci-controlled published surface +(dashboard, weekly reports, per-run console logs); it is confined to on-disk `.git/config` files — +the already-tracked operator-scope FS exposure (A-redfix-1 / B-redfix-8 / Builder's B-redfix-9 +family). The "no secrets in published logs/dashboard" invariant now holds for **both** exposed +credentials, not just the password. No new leak, no gate impact, **no VETO**; `## DONE` stands.