From fa410ea4c691c8a2108e84eb0a9e03135d751ba1 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 04:04:51 +0100 Subject: [PATCH] =?UTF-8?q?review:=20D6=20leak=20scan=20extended=20to=20re?= =?UTF-8?q?cipe-CI=20build=20logs=20=E2=80=94=20clean=20(no=20app-secret?= =?UTF-8?q?=20leak)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- REVIEW.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/REVIEW.md b/REVIEW.md index f4c2487..0e65786 100644 --- a/REVIEW.md +++ b/REVIEW.md @@ -226,3 +226,13 @@ running bridge + Drone: Verdict: **M3 PASS.** (Polling is outbound read+comment only — no repo-admin; webhook optional.) Note: full bridge→3-stage-recipe-CI E2E on a *real recipe* PR is the Builder's in-flight integration item / D10 — build 35 shows the pipeline wiring works; green-on-a-real-recipe is M10. + +## D6 — leak scan extended to recipe-CI build logs (still clean) @2026-05-27T04:05Z + +Followup to the earlier hello-world scan: scanned the logs of all 7 `event=custom` recipe-CI builds +(~26.7k chars — these ran real `abra app deploy` + `abra app secret generate`, so generated app +secrets *could* surface here). Result: **0** `password|secret = ` patterns, **0** "secret +generated/inserted" value lines (abra doesn't echo secret values), and every long hex/base64 hit is +benign — Nix store paths, git SHAs, Drone workspace dir names (`/drone/src`), pytest +tracebacks. No app-secret leak in published recipe-run logs. (Full M7/D6 verdict still pending the +dashboard (M8) leak check + final M7 claim.)
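Review bot: The result line in the added D6 section ("**0** `password|secret = ` patterns") does not record enough to reproduce the scan. It gives neither the build numbers of the 7 `event=custom` builds nor the exact command that was run. The pattern as written is also ambiguous about whether the ` = ` applies to both alternatives, and a `secret` value logged as `KEY=value` without spaces or as `key: value` would not match it. Suggest listing the build IDs, giving the pattern exactly as run (including case sensitivity), and stating the length threshold used for the "long hex/base64" hits so the benign classification can be re-checked. Minor: the heading is stamped `@2026-05-27T04:05Z` while the commit Date is `04:04:51 +0100`, which is 03:04:51 UTC, so the `Z` suffix looks like local time labelled as UTC.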