fix(redfix): B-redfix-8 exposure UNDERSTATED — password is served by TWO published commits (2ad38f5 + e64d8e7), not one; oauth2 token is NOT in git history (0/3099 blobs)

Closes the gap in Adversary wake #57's break-it probe, which covered dashboard/reports/Drone
logs but not the public git mirror -- the surface B-redfix-8 is about.

- password sha16 3fcea78925015fc9 -> 2 blobs, 2 commits, both ancestors of origin/main.
  Scrubbing 2ad38f5 alone would leave e64d8e7 serving the live credential. STATUS corrected.
- oauth2 token sha16 9c44a1aea2ecb389 -> 0/3099 blobs. Filesystem-only exposure.
- Probe hygiene: awk is absent here; awk-based blob lists give a vacuous 0. Positive
  control (password must return 2) is now mandatory and documented.

Operator-scope, no gate impact, no VETO; DONE stands.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018XE43k4DaeMXHMK51wBUu2
This commit is contained in:
2026-07-09 10:58:13 +00:00
parent f35332efbc
commit fb92c7b992
2 changed files with 75 additions and 6 deletions

View File

@ -848,3 +848,37 @@ Still **OPEN**, still **operator-scope**, **no gate / no DoD impact, no VETO**.
proposed remedy (strip userinfo from canonical origins + scrub + `chmod 0750 /var/lib/cc-ci-runs`)
with the two amendments above (both credentials; canonical-origin fix is required because a one-time
scrub is re-armed by the next sweep). Full reasoning + reproductions in REVIEW-redfix.md wake #55.
### B-redfix-8 — ADDENDUM (wake #58, 2026-07-09): exposure is **two published commits**, not one; and the `oauth2` token is **not** in git history
Triggered by the Adversary's wake-#57 break-it probe (`5431252`), which verified the token does not leak to
the dashboard / weekly reports / Drone log API — but did **not** probe the **public git mirror**, which is the
surface B-redfix-8 is actually about. Closing that gap surfaced a defect in my own STATUS.
**Method.** Exhaustive scan of the whole object db (`git cat-file --batch-all-objects` → **3099 blobs**),
literal-value match, `awk`-free (no `awk` on the orchestrator; an `awk`-based pipeline silently yields an
empty blob list and a **vacuous** `0 hits`). Token pulled root-only from a world-readable run-dir
`.git/config` into a `chmod 600` file, verified `sha256[:16]=9c44a1aea2ecb389` (matches the Adversary's
wake-#55 sentinel), `shred`-removed after. Positive control: the known-leaked password **must** be found.
**Results.**
- **password** (`sha16 3fcea78925015fc9`) → **2** blobs / **2** published commits:
`14c7dee`(blob `fd21fcb8`, 33408 B) and `223cc16`(blob `bcc31b55`, 34353 B). Both are ancestors of
`origin/main` ⇒ both mirror-served. Neither reachable from HEAD. `e99e2b3` and HEAD are clean.
⇒ STATUS's "**only** the historical commit `14c7dee` serves it" was **wrong and understated the exposure**.
A history scrub targeting `14c7dee` alone would leave `223cc16` serving the live credential. STATUS corrected.
- **oauth2 token** (`sha16 9c44a1aea2ecb389`) → **0** of 3099 blobs. The 271 blobs matching the *string*
`oauth2:` are `recipe-mirror-sync.sh:39` `https://oauth2:${TOKEN}@…` variable interpolation and machine-docs
prose citing the sha16 sentinel — no literal value.
**Consequence for the operator remedy.** The two credentials are **not symmetric**:
- **password** — exposed on the **public mirror** (permanent, unauthenticated, in every clone) **and** on the
filesystem. Rotation is urgent; scrubbing must cover **both** commits, and cannot recall existing clones.
- **oauth2 token** — exposed on the **filesystem only** (world-readable `.git/config` copies, A-redfix-1),
regenerated weekly by the sweep. Rotation + `chmod`/userinfo-strip suffices; no history rewrite needed.
**Guard for future probes.** Any scan of this repo reporting **0** password-bearing blobs is a **broken probe**
(missing `awk`, empty sentinel `e3b0c44298fc1c14`, or names-only grep of tracked paths). The correct answer
is **2**. Always run the positive control.
Still **operator-scope, outside DoD, no gate impact.** `## DONE` stands; no VETO.