Files
cc-ci/machine-docs
autonomic-bot 5250f9fdd2
Some checks failed
continuous-integration/drone/push Build is failing
security(redfix): escalate B-redfix-8 LOW->HIGH — leaked bot password is served to the PUBLIC internet; consume BUILDER-INBOX
Independently verified (bare python urllib GET, no creds): the mirror is public and commit 14c7dee
serves the cleartext autonomic-bot password at HTTP 200 to unauthenticated clients. HEAD/main and the
redaction commit e99e2b3 fetch clean publicly — only the historical commit still serves it. Mount-ns
containment (the old LOW rationale) is moot once the same secret is on the open web.

Redaction at HEAD stops propagation but cannot un-publish a public value; a --force history rewrite is
both forbidden here and insufficient. ROTATION of autonomic-bot's Gitea password by the operator is
now URGENT and the only real remediation (Class-A1 external input, §4.4).

Consumed the Adversary's BUILDER-INBOX (git rm = ack). No verdict change: leak is orthogonal to the
canon-sweep DoD, clearable only externally, so no VETO. M1/M2 PASS, DONE stands.
2026-07-09 02:00:46 +00:00
..
2026-06-13 04:07:53 +00:00