pdurlej/platform

Fork 0

docs(secrets): record Honcho Redis argv leak closure #441

Closed

codex wants to merge 1 commit from codex/w4c/honcho-redis-argv-leak-prep into main

codex commented

2026-05-24 19:50:32 +02:00

Collaborator

Canary status: missing — metadata-only report PR; rely on required Forgejo checks before merge

Canary Context Pack

Product story

#124 blocks safe Honcho Redis cataloging because agents should not need to print or inspect command argv that contains a raw Redis password. Fork C verified the current runtime no longer has that raw argv leak and records the evidence without exposing the secret.

What changed

Added state/reports/w4c-honcho-redis-argv-leak-2026-05-24.md with metadata-only runtime evidence.
Updated state/cycle/W4-secrets-access-hardening-output.md to record Fork C's finding.

Why it changed

The current desired state already uses $$REDIS_PASSWORD rather than embedding the value in compose command text, and RS2000 runtime now confirms Config.Cmd does not contain the password value. This PR closes the evidence gap instead of making an unnecessary runtime change.

Files touched

state/reports/w4c-honcho-redis-argv-leak-2026-05-24.md
state/cycle/W4-secrets-access-hardening-output.md

Relevant context

#124 Honcho Redis password argv leak
#100 Honcho Redis cataloging blocked by secret-safe inspection
ADR-0024 Infisical-primary secrets pipeline
modules/honcho-redis/module.yaml residual risk redis-password-env-var-interim

Runtime evidence

Read-only RS2000 metadata checks only:

cmd_contains_redis_password_value=false
cmd_has_literal_env_ref=true
unauth_ping_rejected=true
authenticated_ping_ok=true using REDISCLI_AUTH, not redis-cli -a
home-platform-honcho-redis-1, home-platform-honcho-api-1, and home-platform-honcho-deriver-1 are running and healthy with restartCount 0

Known constraints

The Redis password still exists in the container environment. That is tracked as redis-password-env-var-interim and should be handled as a separate Infisical-rendered config-file delivery task if the operator wants to remove container-env exposure later.

Explicit out-of-scope

No runtime mutation.
No service restart.
No secret rotation.
No migration to config-file secret delivery.
No dumping docker inspect env or rendered compose output.

Requested decision

Merge this evidence PR and close #124. #100 can now verify Honcho Redis persistence mode without exposing the credential through Config.Cmd.

Merge blockers

Any concern that the metadata-only evidence is insufficient, or any accidental secret disclosure.

Spec sources read

Forgejo issue #124 — acceptance criteria and constraints
compose/apps/compose.yaml — current Honcho Redis command shape
modules/honcho-redis/module.yaml — existing residual risk statement
modules/honcho-redis/runbook.md — recovery/smoke context
state/cycle/W4-secrets-access-hardening-output.md — W4 sequencing after ADR-0024

Closes #124

Canary status: missing — metadata-only report PR; rely on required Forgejo checks before merge ## Canary Context Pack ### Product story #124 blocks safe Honcho Redis cataloging because agents should not need to print or inspect command argv that contains a raw Redis password. Fork C verified the current runtime no longer has that raw argv leak and records the evidence without exposing the secret. ### What changed - Added `state/reports/w4c-honcho-redis-argv-leak-2026-05-24.md` with metadata-only runtime evidence. - Updated `state/cycle/W4-secrets-access-hardening-output.md` to record Fork C's finding. ### Why it changed The current desired state already uses `$$REDIS_PASSWORD` rather than embedding the value in compose command text, and RS2000 runtime now confirms `Config.Cmd` does not contain the password value. This PR closes the evidence gap instead of making an unnecessary runtime change. ### Files touched - `state/reports/w4c-honcho-redis-argv-leak-2026-05-24.md` - `state/cycle/W4-secrets-access-hardening-output.md` ### Relevant context - #124 Honcho Redis password argv leak - #100 Honcho Redis cataloging blocked by secret-safe inspection - ADR-0024 Infisical-primary secrets pipeline - `modules/honcho-redis/module.yaml` residual risk `redis-password-env-var-interim` ### Runtime evidence Read-only RS2000 metadata checks only: - `cmd_contains_redis_password_value=false` - `cmd_has_literal_env_ref=true` - `unauth_ping_rejected=true` - `authenticated_ping_ok=true` using `REDISCLI_AUTH`, not `redis-cli -a` - `home-platform-honcho-redis-1`, `home-platform-honcho-api-1`, and `home-platform-honcho-deriver-1` are running and healthy with restartCount `0` ### Known constraints The Redis password still exists in the container environment. That is tracked as `redis-password-env-var-interim` and should be handled as a separate Infisical-rendered config-file delivery task if the operator wants to remove container-env exposure later. ### Explicit out-of-scope - No runtime mutation. - No service restart. - No secret rotation. - No migration to config-file secret delivery. - No dumping `docker inspect` env or rendered compose output. ### Requested decision Merge this evidence PR and close #124. #100 can now verify Honcho Redis persistence mode without exposing the credential through `Config.Cmd`. ### Merge blockers Any concern that the metadata-only evidence is insufficient, or any accidental secret disclosure. ## Spec sources read - Forgejo issue #124 — acceptance criteria and constraints - `compose/apps/compose.yaml` — current Honcho Redis command shape - `modules/honcho-redis/module.yaml` — existing residual risk statement - `modules/honcho-redis/runbook.md` — recovery/smoke context - `state/cycle/W4-secrets-access-hardening-output.md` — W4 sequencing after ADR-0024 Closes #124

codex added 1 commit

2026-05-24 19:50:32 +02:00

docs(secrets): record honcho redis argv leak closure

base-is-main / guard (pull_request) Successful in 1s

Details

canary-required / collect-diff (pull_request) Successful in 5s

Details

patchwarden-pr-sanity / collect-diff (pull_request) Successful in 4s

Details

canary-required / canary (pull_request) Has been skipped

Details

patchwarden-pr-sanity / sanity (pull_request) Successful in 23s

Details

d12de91bdb

codex referenced this pull request

2026-05-24 19:50:47 +02:00

fix(secrets): remove Honcho Redis password from container argv #124

codex referenced this pull request

2026-05-24 19:56:23 +02:00

docs(secrets): prepare W4 handoff closeout #442

codex referenced this pull request

2026-05-24 20:19:05 +02:00

docs(secrets): integrate W4 closeout forks #443

codex commented

2026-05-24 20:19:25 +02:00

Author

Collaborator

Integrator note: this fork output has been consolidated into #443.

Please merge #443 instead of this PR. Keeping this PR open temporarily as fallback/source evidence until #443 lands.

Integrator note: this fork output has been consolidated into #443. Please merge #443 instead of this PR. Keeping this PR open temporarily as fallback/source evidence until #443 lands.

codex closed this pull request

2026-05-24 20:25:50 +02:00