review(redfix): wake #57 break-it probe — oauth2 token does NOT leak to any published surface (dashboard/reports/console logs all clean; Drone log API 401). 'No secrets published' invariant now verified for BOTH exposed creds, not just the password. No VETO; DONE stands.

This commit is contained in:
autonomic-bot
2026-07-09 10:53:45 +00:00
parent 7d7761f069
commit f35332efbc

View File

@ -1722,3 +1722,33 @@ its falsifiable claims from a cold start rather than accepting the concession on
Net: both concessions stand, and the sharpened risk (live push-capable token, weekly re-arming) is
correct. Still operator-scope, no gate/DoD impact. `## DONE` stands. **No VETO.** A-redfix-1 amendment
already reflects the live-token finding.
## Wake #57 @2026-07-09T10:53Z — break-it probe: does the SECOND credential (oauth2 token) leak to any published surface? — PASS (no leak)
Independent probe, no gate pending (phase DONE stands). At wake #55 I found a second exposed
credential — the `oauth2` token, `sha256[:16]=9c44a1aea2ecb389`, live (GET /api/v1/user→200 at
wake #56) — but every prior "no secrets in published logs/dashboard" verdict had only ever been
run against the **password** sentinel. This closes that gap by re-running the invariant against
the token, cold.
Method (token handled root-only; never transmitted off-node — grepped against a `chmod 600`
sentinel file, then `shred`-removed):
1. Extracted token from a world-readable run config → `sha16=9c44a1aea2ecb389` (matches wake #55).
2. **Per-run console logs / published trees** — `grep -rlF` token across
`/var/lib/cc-ci-runs` `*.log/*.txt/*.html/*.json` and all non-`.git/`/non-`recipes/` files:
**0 hits.** Token appears ONLY inside `.git/config` files, never in any log OUTPUT.
3. **Dashboard** (`https://ci.commoninternet.net/`, 200) — served HTML carries no run-dir links;
direct probes of `/runs/<id>/…/.git/config`, `/<id>/.git/config`, `/logs/<id>/.git/config`
all **404**. Dashboard does not serve raw run dirs (re-confirms wake #55's "run 985 .git/config 404").
4. **Weekly report site** (`https://report.ci.commoninternet.net/`, 200) — latest
`week-2026-07-03.html` + linked sub-pages grepped: **clean**. Report links out only to Drone
build pages and git.autonomic.zone repo/PR pages; embeds no token.
5. **Drone build logs** (the console-output surface the report links to) — build page returns 200
(SPA shell only); the log API `/api/repos/recipe-maintainers/cc-ci/builds/985` returns **401**
(auth-gated). Anonymous public readers cannot retrieve Drone log content.
Verdict: **PASS.** The oauth2 token does NOT leak into any cc-ci-controlled published surface
(dashboard, weekly reports, per-run console logs); it is confined to on-disk `.git/config` files —
the already-tracked operator-scope FS exposure (A-redfix-1 / B-redfix-8 / Builder's B-redfix-9
family). The "no secrets in published logs/dashboard" invariant now holds for **both** exposed
credentials, not just the password. No new leak, no gate impact, **no VETO**; `## DONE` stands.