Adversary confirmed all three claims and failed to refute "strip userinfo is safe" three ways:
no push through /etc/cc-ci origin; secrets submodule anonymously fetchable so submodule update
survives; nothing auto-pulls the checkout (/root/.git-credentials inert, no helper wired).
Folded those three into STATUS step 3 so the operator sees why the command is safe. The submodule
angle was an inference on my part, not a probe -- the Adversary actually tested it. Recorded in
JOURNAL.
Incidental (not a finding): cc-ci-secrets.git is public but SOPS-encrypted ciphertext.
STATUS/JOURNAL text only. No code. ## DONE stands; M1+M2 PASS stand; no gate reopens.
Adversary wake #45 established A-redfix-1 and B-redfix-8 are the same credential. Re-derived
every claim first-hand before writing it (the A-redfix-2 lesson), incl. value identity:
.git/config userinfo and .testenv GITEA_PASSWORD both hash to 3fcea78925015fc9; control
sha256("")=e3b0c44298fc1c14 rules out the empty-input probe artifact.
Rotation does NOT scrub /etc/cc-ci/.git/config (644 root:root, manual clone per
configuration.nix:7, not nix-generated). Remedy is now a 3-step operator procedure that
strips the userinfo rather than re-embedding the rotated password (re-embedding would
recreate the exposure). Verified the strip is safe: anonymous ls-remote succeeds rc=0.
Blast radius recorded: GITEA_PASSWORD is consumed only by bootstrap-drone-oauth.sh;
recipe-mirror-sync.sh uses an OAuth token. No reason to delay rotation.
STATUS text only. No code. ## DONE stands; M1+M2 PASS stand; no gate reopens.
Independently re-verified every leg against the node before editing (I adopted
A-redfix-2's probes wholesale at 8276ecd and inherited its error; not repeating that).
- Delete both 'no re-trigger' probes: they grep the app name, but the timer is
named nightly-sweep, so they return empty while a timer drives it weekly.
Sound probe greps the callee: git grep warm_reconcile -- runner/ nix/
- Replace 'recovery is manual' / 'heals on reboot' with the weekly DOWN/UP
oscillation, and record that it is SILENT (roll_warm_infra discards the rc;
the raise is upstream of every write_alert).
- Re-anchor the merge precondition: 'slot clean at merge time' -> 'never deploy
07fc6d4'. A git merge executes nothing; b5f2b10 ships enrollment + fix together,
so the precondition is self-maintaining.
- Line refs pinned to b5f2b10 coordinates (were main's, two lines off).
- BACKLOG B-redfix-5: severity corrected, remedy sketch extended to rc propagation.
Not armed and not self-arming: origin/main (the tree the sweep runs) has
WARM_CANONICAL = False. Nothing reopens; DONE stands, no VETO, b5f2b10 unchanged.
Inbox consumed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TkHo7RixQswYvvNnEcNaqW
The DONE block listed F-redfix-1/2/3/4 as CLOSED but never mentioned the three
A-redfix-* findings, leaving them dangling for an operator reading only DONE.
All three are non-VETO and outside the DoD (Adversary wake #43, 1057657).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TkHo7RixQswYvvNnEcNaqW
Both claims re-derived independently before editing; both of mine were wrong.
A-redfix-2: "no code path redeploys it" is FALSE. abra.undeploy() leaves the app
.env, so the next reconcile() takes the fresh-deploy branch (:471-479), which
redeploys and never calls warmsnap. Self-healing is blocked by the absence of a
re-trigger (warm-keycloak.service: Type=oneshot, RemainAfterExit=true, no timer,
no Restart=), so it heals on reboot/nixos-rebuild and RE-WEDGES on the next due
upgrade while the foreign snapshot/meta.json remains. Operator remediation is to
DELETE the foreign snapshot/, not to redeploy keycloak. Failure presents as an
intermittent flake, not a permanent outage.
A-redfix-3: /srv/cc-ci is a symlink to /srv/cc-ci-orch, so the two main.go paths
are the same inode (3254604, links=1). The "present in both clones" premise is
void and proves nothing about the file's origin (still unexplained; inert).
Docs-only. No DoD item, gate, or verdict affected: ## DONE stands, M1 + M2 PASS
stand, merge target b5f2b10 unchanged, no VETO. The B-redfix-5 merge precondition
is unchanged and still correct.
Not created by this phase; in no commit on any ref; present in both clones with
identical mtime, so written outside git. Left in place per the "don't delete or
commit what you didn't create" guardrail. Affects no gate, DoD item, or verdict.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TXsyKUod2KPmNyBXNf5GPq
Adversary (75f6655) independently re-derived the upgrade-path site and CONFIRMED the widening of B-redfix-5:
"my wake-#41 framing was too narrow; do not revert". Nothing reverted.
It supplied three facts I had not established. Re-derived each from source rather than accepting them:
- reconcile()'s only try is :520-525; sole caller main():556 does not catch -> a raise at :514/:536 escapes
to SystemExit with keycloak already undeployed. Nothing redeploys it; recovery is MANUAL.
- WARM_CANONICAL = True at 07fc6d4 -> the pre-fix canonical seed is a real arming action, not hypothetical.
- WARM_DOMAINS == {keycloak}; keycloak is the only stateful:True SPECS entry (traefik is False) -> blast
radius is exactly one warm unit.
Folded the two operator-actionable ones into STATUS (does-not-self-heal; bounded to keycloak) and tightened
the pre-fix-seed line from hypothetical to fact. The bound also stops the precondition reading as a
fleet-wide hazard.
No DoD item touched. M1+M2 PASS stand, ## DONE stands, no VETO. Docs-only.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01YZmH4rVNue3irZ6EsZzavb
Acting on the Adversary's wake-#41 verdict (3131e39), which CONFIRMED the merge guidance but left a merge
precondition only in REVIEW-redfix.md — Adversary-owned, and not what an operator reads before merging.
Moved it into STATUS (operator-facing, mine), re-deriving every leg from source at b5f2b10 rather than
trusting the verdict.
- STATUS: MERGE PRECONDITION for b5f2b10, with the exact ssh check + expected output, and the corrected
reason it is unreachable today (live slot has no meta.json — NOT "F-redfix-4 is closed").
- Sharpening the Adversary missed: the new guard is reached from snapshot() at warm_reconcile.py:514 as
well as restore() at :536. Line :512-514 is undeploy -> wait_undeployed -> snapshot, also outside the
try/except, and it is on the NORMAL upgrade path — it fires on every stateful auto-upgrade, not only on
rollback. B-redfix-5 as filed named only the rollback site.
- BACKLOG + DEFERRED: widen B-redfix-5 to both sites (a) :512-514 and (b) :534-536; correct the claim that
F-redfix-4 "supplied the only reachable trigger and that is now closed" — b5f2b10 ADDS a raise path
(_assert_slot_not_foreign at warmsnap.py:158 and :209).
Verified: guard present in both callers at b5f2b10; reconciler structure at :512-514 / :520-525 / :534-537;
cc-ci live slot holds last_good only (no snapshot/, no meta.json, no canon-* slot). Probe with a seeded
foreign meta raises on both paths; absent meta and self-consistent meta both pass.
No DoD item touched. M1+M2 PASS stand, ## DONE stands, no VETO. Docs-only.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01YZmH4rVNue3irZ6EsZzavb
Wake #39 (2a61c09) carried no VETO/finding/inbox and nothing to advance, but it did surface a
false-close hazard in STATUS's own operator instructions: "A different digest => rotated => close
B-redfix-8" licensed closing an open HIGH public-credential exposure on a broken probe.
/srv/cc-ci/.testenv lives on the ORCHESTRATOR, not cc-ci. Run over `ssh cc-ci` the sentinel command
hashes empty input and prints sha256("")[:16] = e3b0c44298fc1c14 — a different digest with no rotation.
STATUS now states where to run the probe, names e3b0c44298fc1c14 as the empty-input tell that must NOT
close the item, and disambiguates the three conflated digests: 3fcea78925015fc9 = sha256(credential
value) = the only rotation sentinel; 1994fd8d… = sha256(whole served blob), immutable; e3b0c44298fc1c14
= sha256(empty), a broken probe. Also records the exposure is now confirmed at VALUE level (the live
push-capable password appears verbatim in the public body), stronger than prior blob-equality.
Verified independently before writing: printf '' | sha256sum => e3b0c442…; ssh cc-ci ls .testenv =>
absent; orchestrator sentinel => 3fcea78925015fc9 (still UNROTATED).
Terminal condition unchanged: ## DONE, M1+M2 PASS, no VETO. B-redfix-8 stays OPEN/HIGH/operator-only.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01M7ZrNUJscccinFq5CM5VmP
The one item in this phase that needs a human was recorded only in BACKLOG/REVIEW/JOURNAL.
STATUS is the operator-facing artifact and carried '## DONE' with no mention of it. Adds
WHAT/WHERE/HOW/EXPECTED + remedy, both repro commands re-verified this wake (blob 33408;
digest 3fcea78925015fc9 = still unrotated). No DoD item touched, no gate claimed, no verdict
change: M1+M2 PASS stand, DONE stands, no VETO.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XChUi2CUccznbmzHZBSuXr