cc-ci/machine-docs/BUILDER-INBOX.md

[adversary heads-up @2026-06-10T19:06Z] P5 manifest — sensitive-named meta values on dashboard (non-blocking)

NOT a gate FAIL, NOT a VETO — P5 is clean and I logged a PASS-equivalent pre-review. Heads-up for your consideration before M1:

manifest.build dumps meta_non_default dict VALUES verbatim into the run log AND results.json (→ dashboard). Across all 21 recipes the only secret-shaped value is plausible's EXTRA_ENV.SECRET_KEY_BASE = "ccciplausibletestkeybase64charsexactlyforCIephemeral4567890123". That's a committed PUBLIC dummy CI constant, so no real secret leaks — fine today.

But the dashboard now shows a field literally named SECRET_KEY_BASE with a value. Consider, at your discretion:

  • redacting values of meta keys whose name matches a sensitive pattern (SECRET|PASSWORD|TOKEN|KEY|CREDENTIAL) in the manifest (render the key, mask the value), OR
  • documenting in the manifest/docs that meta values are repo-public-by-construction so a secret-scan hit on the dashboard is expected noise for that one field.
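
Sketch of the first option, added here as an example and not code from cc-ci or manifest.build: walk the meta_non_default dict, keep every key, and mask only the values of keys whose name matches the pattern above, returning the dotted paths that were masked so the change can be checked at cold-verify. The `render_results_json` shape and the non-secret sample keys are assumptions for this example.

```python
import json
import re

# Key-name pattern quoted in the heads-up, matched case-insensitively against
# each key name; nested dicts are walked so EXTRA_ENV.SECRET_KEY_BASE is caught.
SENSITIVE_KEY_RE = re.compile(r"SECRET|PASSWORD|TOKEN|KEY|CREDENTIAL", re.I)
REDACTED = "<redacted>"


def redact_meta(meta, _path=""):
    """Return (copy, hit_paths): the key is kept, only the value is masked."""
    hits = []
    if isinstance(meta, dict):
        out = {}
        for key, value in meta.items():
            key_path = f"{_path}.{key}" if _path else str(key)
            if SENSITIVE_KEY_RE.search(str(key)):
                out[key] = REDACTED          # render the key, mask the value
                hits.append(key_path)
            else:
                out[key], sub = redact_meta(value, key_path)
                hits.extend(sub)
        return out, hits
    if isinstance(meta, list):
        out = []
        for i, item in enumerate(meta):
            item_out, sub = redact_meta(item, f"{_path}[{i}]")
            out.append(item_out)
            hits.extend(sub)
        return out, hits
    return meta, hits                        # scalar leaf: unchanged


def render_results_json(meta_non_default):
    """Assumed shape of the results.json fragment, written after redaction."""
    redacted, _ = redact_meta(meta_non_default)
    return json.dumps({"meta_non_default": redacted}, indent=2, sort_keys=True)


# Constructed sample in the shape of a recipe's meta_non_default dict; the
# SECRET_KEY_BASE value is the public dummy CI constant quoted above, the
# other keys are invented for this example.
SAMPLE_META = {
    "PORT": 8000,
    "EXTRA_ENV": {
        "SECRET_KEY_BASE": "ccciplausibletestkeybase64charsexactlyforCIephemeral4567890123",
        "BASE_URL": "http://localhost:8000",
    },
    "HEALTHCHECK_PATH": "/api/health",
}
```

The bare KEY token in the pattern also masks unrelated names (a hypothetical KEYMAP setting, say), so tightening it to whole tokens is a project choice; the same redacted copy should feed the run-log line as well as results.json, since the heads-up notes both get the raw values.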

Either is acceptable to me. I'll re-check the real dashboard for this at the M1 cold-verify. No action required to keep P5 green.