pdurlej/platform

Fork 0

security: rotate secrets exposed during Kan analytics deploy transcript #711

New issue

Open

opened 2026-06-04 17:47:55 +02:00 by pdurlej · 12 comments

pdurlej commented

2026-06-04 17:47:55 +02:00

Owner

During the Kan-ductor Flow & Milestone Analytics v1 deploy, Codex accidentally ran compose-config diagnostics that printed secret-bearing environment output into the Codex session transcript.

No secret values are repeated here. This issue tracks rotation/cleanup work.

Known exposed categories:

initial Kan analytics runtime token derived from the old codex-pat;
Kan runtime env values present in compose output;
Forgejo/Postgres platform env values present in compose output.

Immediate mitigation already completed:

Kan analytics runtime token was switched away from the exposed old codex-pat to an existing Iskra Forgejo token that can read pdurlej/kan-ductor milestones/issues;
old Forgejo token codex-pat (id=7, user codex, last eight 21a4c1d0) was deleted directly from Forgejo DB after Forgejo API refused PAT-based token deletion;
the old p+codex@durlej.me value now returns HTTP 401 and needs regeneration before normal codex Forgejo writes resume;
production Kan-ductor smoke passed after the token switch.

Required follow-up:

regenerate/store a fresh p+codex@durlej.me Forgejo PAT;
decide whether to rotate the other stack secrets that appeared in the Codex transcript;
add a guard/runbook note: never run docker compose config or ./scripts/compose.sh config on secret-bearing services unless output is redirected to a protected file and scrubbed before reporting.

Acceptance:

new codex PAT works as login=codex and old token remains invalid;
Kan analytics still works after any token change;
operator confirms which platform secrets require rotation.

During the Kan-ductor Flow & Milestone Analytics v1 deploy, Codex accidentally ran compose-config diagnostics that printed secret-bearing environment output into the Codex session transcript. No secret values are repeated here. This issue tracks rotation/cleanup work. Known exposed categories: - initial Kan analytics runtime token derived from the old `codex-pat`; - Kan runtime env values present in compose output; - Forgejo/Postgres platform env values present in compose output. Immediate mitigation already completed: - Kan analytics runtime token was switched away from the exposed old `codex-pat` to an existing Iskra Forgejo token that can read `pdurlej/kan-ductor` milestones/issues; - old Forgejo token `codex-pat` (`id=7`, user `codex`, last eight `21a4c1d0`) was deleted directly from Forgejo DB after Forgejo API refused PAT-based token deletion; - the old `p+codex@durlej.me` value now returns HTTP 401 and needs regeneration before normal codex Forgejo writes resume; - production Kan-ductor smoke passed after the token switch. Required follow-up: - regenerate/store a fresh `p+codex@durlej.me` Forgejo PAT; - decide whether to rotate the other stack secrets that appeared in the Codex transcript; - add a guard/runbook note: never run `docker compose config` or `./scripts/compose.sh config` on secret-bearing services unless output is redirected to a protected file and scrubbed before reporting. Acceptance: - new codex PAT works as `login=codex` and old token remains invalid; - Kan analytics still works after any token change; - operator confirms which platform secrets require rotation.

codex referenced this issue

2026-06-04 22:16:39 +02:00

feat(security): add platform secret recovery verifier #715

codex commented

2026-06-04 22:16:55 +02:00

Collaborator

Role: executor
Intent: checkpoint
Needs owner: yes

Implemented the metadata-only verifier prep PR for this ledger: #715

Safe evidence:

actor: codex
PR user: codex
tests: tests/test_secret_recovery_verify.py passed; tests/test_kan_runtime_contract.py also passed
live verifier: Infisical + RS2000 metadata run completed without printing values
current priority: Wave A backup gate before any rotation

Observed without values:

Codex PAT identity is codex, non-admin.
Core platform DB secrets normalize correctly after runtime env aliasing.
Kan runtime-only drift remains visible but is lower priority than platform-wide continuity.

Next: owner gives explicit GO for Wave A backup gate when ready. No rotation is authorized by PR #715.

**Role:** executor **Intent:** checkpoint **Needs owner:** yes Implemented the metadata-only verifier prep PR for this ledger: https://git.pdurlej.com/pdurlej/platform/pulls/715 Safe evidence: - actor: `codex` - PR user: `codex` - tests: `tests/test_secret_recovery_verify.py` passed; `tests/test_kan_runtime_contract.py` also passed - live verifier: Infisical + RS2000 metadata run completed without printing values - current priority: Wave A backup gate before any rotation Observed without values: - Codex PAT identity is `codex`, non-admin. - Core platform DB secrets normalize correctly after runtime env aliasing. - Kan runtime-only drift remains visible but is lower priority than platform-wide continuity. **Next:** owner gives explicit GO for Wave A backup gate when ready. No rotation is authorized by PR #715.

codex commented

2026-06-04 22:28:26 +02:00

Collaborator

Role: executor
Intent: checkpoint
Needs owner: yes

Wave A backup gate status after PR #715 merge:

Critical backup ran on RS2000 runtime root: /opt/vps-home-platform-infra/backups/20260604-222319-critical
Backup size: 2.2G
Backup contents metadata: 5 DB dumps, 12 volume archives, 1 config archive
last_backup_critical_utc: 2026-06-04T20:25:08Z
Restore smoke passed using that backup
last_restore_test_critical_utc: 2026-06-04T20:26:32Z

Blocker:

./scripts/safety-gate.sh fails before rotation eligibility.
Root cause is legacy runtime scripts/agent-guard.sh seeing unknown changed paths in dirty /opt/vps-home-platform-infra:
- MOVED.md
- scripts/openclaw/MOVED.md
- scripts/openclaw/iskra-operator-pack-deploy.sh

Decision:

Do not start Wave C/D/E rotation yet.
Next safe step is a narrow cleanup/guard-resolution pass for the legacy runtime safety gate, without touching secrets or rotating anything.

No secret values were printed or changed.

**Role:** executor **Intent:** checkpoint **Needs owner:** yes Wave A backup gate status after PR #715 merge: - Critical backup ran on RS2000 runtime root: `/opt/vps-home-platform-infra/backups/20260604-222319-critical` - Backup size: `2.2G` - Backup contents metadata: `5` DB dumps, `12` volume archives, `1` config archive - `last_backup_critical_utc`: `2026-06-04T20:25:08Z` - Restore smoke passed using that backup - `last_restore_test_critical_utc`: `2026-06-04T20:26:32Z` Blocker: - `./scripts/safety-gate.sh` fails before rotation eligibility. - Root cause is legacy runtime `scripts/agent-guard.sh` seeing unknown changed paths in dirty `/opt/vps-home-platform-infra`: - `MOVED.md` - `scripts/openclaw/MOVED.md` - `scripts/openclaw/iskra-operator-pack-deploy.sh` Decision: - Do **not** start Wave C/D/E rotation yet. - Next safe step is a narrow cleanup/guard-resolution pass for the legacy runtime safety gate, without touching secrets or rotating anything. No secret values were printed or changed.

codex commented

2026-06-04 22:36:10 +02:00

Collaborator

Role: executor
Intent: checkpoint
Needs owner: yes

Guard Resolution added on RS2000 legacy runtime root:

File patched: /opt/vps-home-platform-infra/scripts/agent-guard.sh
Backup file: /opt/vps-home-platform-infra/scripts/agent-guard.sh.bak-secret-recovery-20260604T203509Z
Change: mapped these moved/delegation paths as meta:
- MOVED.md
- scripts/openclaw/MOVED.md
- scripts/openclaw/iskra-operator-pack-deploy.sh

Result:

AGENT_GUARD_PASS module=meta_only
Preflight checks passed.
Policy checks passed.
Infisical precheck passed.

Remaining blocker:

./scripts/safety-gate.sh still fails because safe-session precheck requires vault running.
Current safe-session status: safe-session-api healthy, safe-session-web healthy, vault not running.

Decision:

Do not start Wave C/D/E rotation yet.
Next owner gate is whether to start/repair Vault for the formal safety gate, or explicitly accept a one-off safety-gate exception for this secret recovery path.

No secret values were printed or changed.

**Role:** executor **Intent:** checkpoint **Needs owner:** yes Guard Resolution added on RS2000 legacy runtime root: - File patched: `/opt/vps-home-platform-infra/scripts/agent-guard.sh` - Backup file: `/opt/vps-home-platform-infra/scripts/agent-guard.sh.bak-secret-recovery-20260604T203509Z` - Change: mapped these moved/delegation paths as `meta`: - `MOVED.md` - `scripts/openclaw/MOVED.md` - `scripts/openclaw/iskra-operator-pack-deploy.sh` Result: - `AGENT_GUARD_PASS module=meta_only` - `Preflight checks passed.` - Policy checks passed. - Infisical precheck passed. Remaining blocker: - `./scripts/safety-gate.sh` still fails because safe-session precheck requires `vault` running. - Current safe-session status: `safe-session-api` healthy, `safe-session-web` healthy, `vault` not running. Decision: - Do **not** start Wave C/D/E rotation yet. - Next owner gate is whether to start/repair Vault for the formal safety gate, or explicitly accept a one-off safety-gate exception for this secret recovery path. No secret values were printed or changed.

codex commented

2026-06-04 23:04:29 +02:00

Collaborator

Wave A evidence update: backup gate green after Vault recovery

Status: Wave A backup gate green. No platform-wide secret rotation has been performed in this step.

Metadata-only evidence:

Runtime host: rs2000
Runtime checkout: /opt/vps-home-platform-infra
Runtime head observed: e80fa3abb769
Runtime dirty count observed before latest backup: 109
Fresh post-Vault critical backup: /opt/vps-home-platform-infra/backups/20260604-230023-critical
Fresh backup size: 2301792761 bytes
Backup mtime UTC: 2026-06-04T21:02:14Z
Vault backup artifact count in fresh backup: 1
Restore smoke: passed against /opt/vps-home-platform-infra/backups/20260604-230023-critical
Safety gate: passed
Vault status after recovery: initialized=true, sealed=false
Vault bootstrap files exist with restricted perms:
- env/vault.bootstrap.env bytes=108, perms=600
- env/vault.approle.env bytes=104, perms=600
- env/vault_ssh_ca.pub bytes=725, perms=600
Broken fresh Vault state archived before reset:
- backups/20260604-222319-critical/volumes/vault_data_broken_pre_reset.tgz bytes=55835
- backups/20260604-222319-critical/volumes/vault_logs_broken_pre_reset.tgz bytes=94
Guard Resolution backups:
- scripts/agent-guard.sh.bak-secret-recovery-20260604T203509Z bytes=7677
- scripts/vault/bootstrap.sh.bak-secret-recovery-20260604T204501Z bytes=7577

Recovery notes:

agent-guard.sh was updated only to classify the already-present MOVED.md / OpenClaw delegation files as meta, so safety-gate can evaluate the runtime tree.
scripts/vault/bootstrap.sh was patched for Vault CLI exit-code handling and multiline JSON parsing.
The first fresh Vault initialization was unrecoverable because bootstrap parsing failed before writing bootstrap env files; this was reset only after live owner Go.
Fresh Vault was then initialized, unsealed, configured, backed up, restore-tested, and passed safety-gate.

Next safe stage: Wave B read-only autoverifier run against current Infisical + runtime consumers before any rotation. Wave C/D/E still require separate explicit GO for mutation.

## Wave A evidence update: backup gate green after Vault recovery Status: **Wave A backup gate green**. No platform-wide secret rotation has been performed in this step. Metadata-only evidence: - Runtime host: `rs2000` - Runtime checkout: `/opt/vps-home-platform-infra` - Runtime head observed: `e80fa3abb769` - Runtime dirty count observed before latest backup: `109` - Fresh post-Vault critical backup: `/opt/vps-home-platform-infra/backups/20260604-230023-critical` - Fresh backup size: `2301792761` bytes - Backup mtime UTC: `2026-06-04T21:02:14Z` - Vault backup artifact count in fresh backup: `1` - Restore smoke: passed against `/opt/vps-home-platform-infra/backups/20260604-230023-critical` - Safety gate: passed - Vault status after recovery: `initialized=true`, `sealed=false` - Vault bootstrap files exist with restricted perms: - `env/vault.bootstrap.env` bytes=`108`, perms=`600` - `env/vault.approle.env` bytes=`104`, perms=`600` - `env/vault_ssh_ca.pub` bytes=`725`, perms=`600` - Broken fresh Vault state archived before reset: - `backups/20260604-222319-critical/volumes/vault_data_broken_pre_reset.tgz` bytes=`55835` - `backups/20260604-222319-critical/volumes/vault_logs_broken_pre_reset.tgz` bytes=`94` - Guard Resolution backups: - `scripts/agent-guard.sh.bak-secret-recovery-20260604T203509Z` bytes=`7677` - `scripts/vault/bootstrap.sh.bak-secret-recovery-20260604T204501Z` bytes=`7577` Recovery notes: - `agent-guard.sh` was updated only to classify the already-present `MOVED.md` / OpenClaw delegation files as `meta`, so safety-gate can evaluate the runtime tree. - `scripts/vault/bootstrap.sh` was patched for Vault CLI exit-code handling and multiline JSON parsing. - The first fresh Vault initialization was unrecoverable because bootstrap parsing failed before writing bootstrap env files; this was reset only after live owner `Go`. - Fresh Vault was then initialized, unsealed, configured, backed up, restore-tested, and passed safety-gate. Next safe stage: Wave B read-only autoverifier run against current Infisical + runtime consumers before any rotation. Wave C/D/E still require separate explicit GO for mutation.

codex commented

2026-06-04 23:07:28 +02:00

Collaborator

Wave B evidence update: read-only autoverifier completed

Status: Wave B read-only mapping completed. No rotations, revocations, restarts, deploys, or secret writes were performed.

Autoverifier source:

Platform checkout: /private/tmp/platform-secret-recovery
Source branch: main
Source head: 9fab05070de4
Verifier: scripts/security/secret_recovery_verify.py
Unit check: tests/test_secret_recovery_verify.py passed (7 passed)

Live read-only run:

Infisical paths checked: /home-platform/infra, /home-platform/forgejo_accounts, /home-platform/apps
Runtime host checked: rs2000
Identity checks: enabled for Forgejo-shaped tokens
Report schema: platform_secret_recovery_report.v1
Path errors: 0
Records: 234
By recommended wave: B=200, C=8, D=20, E=6
By source of truth: infisical+runtime=18, infisical-only=130, repo-only=28, runtime-only=58
Runtime-only findings: 58
Declared-but-not-runtime findings: 8
Raw secret safety check: no record contains a secretValue field; report only has top-level secretValuePolicy.

High-signal findings for the next GO:

FORGEJO_ADMIN_PAT_TEMP: Forgejo identity resolves to operator pdurlej, admin=true, source=infisical-only, recommended wave=C.
FORGEJO_API_TOKEN: Forgejo identity resolves to operator pdurlej, admin=true, source=infisical-only, recommended wave=C.
FORGEJO_READ_TOKEN: Forgejo identity resolves to Iskra, admin=false, source=infisical+runtime, runtime consumer includes Kan web, recommended wave=C.
p+codex@durlej.me: Forgejo identity resolves to codex, admin=false.
p+glm@durlej.me and p+patchwarden@durlej.me: Forgejo identity check returned status 403; these should be verified or rotated later without blocking current platform continuity.

Recommended next stage:

Wave C should start with replacing/removing operator/admin Forgejo tokens from platform paths, using service/agent identities where possible.
DB passwords remain Wave D, one service at a time.
Crypto/bootstrap secrets remain Wave E with separate research and explicit GO.

## Wave B evidence update: read-only autoverifier completed Status: **Wave B read-only mapping completed**. No rotations, revocations, restarts, deploys, or secret writes were performed. Autoverifier source: - Platform checkout: `/private/tmp/platform-secret-recovery` - Source branch: `main` - Source head: `9fab05070de4` - Verifier: `scripts/security/secret_recovery_verify.py` - Unit check: `tests/test_secret_recovery_verify.py` passed (`7 passed`) Live read-only run: - Infisical paths checked: `/home-platform/infra`, `/home-platform/forgejo_accounts`, `/home-platform/apps` - Runtime host checked: `rs2000` - Identity checks: enabled for Forgejo-shaped tokens - Report schema: `platform_secret_recovery_report.v1` - Path errors: `0` - Records: `234` - By recommended wave: `B=200`, `C=8`, `D=20`, `E=6` - By source of truth: `infisical+runtime=18`, `infisical-only=130`, `repo-only=28`, `runtime-only=58` - Runtime-only findings: `58` - Declared-but-not-runtime findings: `8` - Raw secret safety check: no record contains a `secretValue` field; report only has top-level `secretValuePolicy`. High-signal findings for the next GO: - `FORGEJO_ADMIN_PAT_TEMP`: Forgejo identity resolves to operator `pdurlej`, admin=`true`, source=`infisical-only`, recommended wave=`C`. - `FORGEJO_API_TOKEN`: Forgejo identity resolves to operator `pdurlej`, admin=`true`, source=`infisical-only`, recommended wave=`C`. - `FORGEJO_READ_TOKEN`: Forgejo identity resolves to `Iskra`, admin=`false`, source=`infisical+runtime`, runtime consumer includes Kan web, recommended wave=`C`. - `p+codex@durlej.me`: Forgejo identity resolves to `codex`, admin=`false`. - `p+glm@durlej.me` and `p+patchwarden@durlej.me`: Forgejo identity check returned status `403`; these should be verified or rotated later without blocking current platform continuity. Recommended next stage: 1. Wave C should start with replacing/removing operator/admin Forgejo tokens from platform paths, using service/agent identities where possible. 2. DB passwords remain Wave D, one service at a time. 3. Crypto/bootstrap secrets remain Wave E with separate research and explicit GO.

codex referenced this issue

2026-06-04 23:28:59 +02:00

docs(infisical): record forgejo token recovery notes #718

codex commented

2026-06-04 23:29:28 +02:00

Collaborator

Wave C adjustment after owner clarification

Status update after owner correction:

FORGEJO_API_TOKEN and FORGEJO_ADMIN_PAT_TEMP are not revocation candidates in this incident wave.
- FORGEJO_API_TOKEN is assumed actively used until proven otherwise.
- FORGEJO_ADMIN_PAT_TEMP is an intentional operator/admin break-glass or high-trust-plan token.
p+glm@durlej.me was removed from Infisical path /home-platform/forgejo_accounts after owner stated GLM is no longer active.
- Pre-delete metadata: infisical-only, zero runtime consumers, zero repo consumers, Forgejo identity check returned 403.
- Post-delete metadata: glm_present=false.
p+patchwarden@durlej.me was not removed or rotated.
- Live Forgejo account exists: patchwarden, non-admin, public user metadata visible.
- Stored Infisical token currently fails identity check with status 403.
- Current platform code does not map p+patchwarden@durlej.me into the runner canary env defaults; Patchwarden workflows currently prefer FORGEJO_TOKEN_CODEX for comments and FORGEJO_TOKEN_ISKRA / automerge bot tokens for review/merge lanes.
- Fresh Patchwarden PAT generation should use Forgejo's user-token API POST /api/v1/users/patchwarden/tokens under an explicit operator/admin gate; no human login to the bot account is required.
Docs follow-up PR opened: #718

No DB passwords, crypto secrets, runtime services, or admin/operator tokens were rotated/revoked in this step.

## Wave C adjustment after owner clarification Status update after owner correction: - `FORGEJO_API_TOKEN` and `FORGEJO_ADMIN_PAT_TEMP` are **not** revocation candidates in this incident wave. - `FORGEJO_API_TOKEN` is assumed actively used until proven otherwise. - `FORGEJO_ADMIN_PAT_TEMP` is an intentional operator/admin break-glass or high-trust-plan token. - `p+glm@durlej.me` was removed from Infisical path `/home-platform/forgejo_accounts` after owner stated GLM is no longer active. - Pre-delete metadata: `infisical-only`, zero runtime consumers, zero repo consumers, Forgejo identity check returned `403`. - Post-delete metadata: `glm_present=false`. - `p+patchwarden@durlej.me` was **not** removed or rotated. - Live Forgejo account exists: `patchwarden`, non-admin, public user metadata visible. - Stored Infisical token currently fails identity check with status `403`. - Current platform code does not map `p+patchwarden@durlej.me` into the runner canary env defaults; Patchwarden workflows currently prefer `FORGEJO_TOKEN_CODEX` for comments and `FORGEJO_TOKEN_ISKRA` / automerge bot tokens for review/merge lanes. - Fresh Patchwarden PAT generation should use Forgejo's user-token API `POST /api/v1/users/patchwarden/tokens` under an explicit operator/admin gate; no human login to the bot account is required. - Docs follow-up PR opened: https://git.pdurlej.com/pdurlej/platform/pulls/718 No DB passwords, crypto secrets, runtime services, or admin/operator tokens were rotated/revoked in this step.

codex referenced this issue

2026-06-05 01:39:26 +02:00

fix(ci): make patchwarden comment identity explicit #721

codex commented

2026-06-05 01:39:52 +02:00

Collaborator

Patchwarden guard-resolution PR opened: #721

Metadata-only evidence:

patchwarden is treated as bot/safety actor, not a human-login account.
PR sanity comment token order becomes explicit: FORGEJO_TOKEN_PATCHWARDEN -> FORGEJO_TOKEN_CODEX -> legacy generic token only with explicit actor.
Added patchwarden_bot_identity.v1 readiness report with no token values, lengths, prefixes, suffixes, hashes, or raw HTTP bodies.
Current readiness smoke: secret present; identity check returns HTTP 403; no Docker runtime consumers found.

No credential recovery, Infisical writes, runner env changes, token generation, revocation, or runtime mutation were performed in this PR.

Patchwarden guard-resolution PR opened: https://git.pdurlej.com/pdurlej/platform/pulls/721 Metadata-only evidence: - `patchwarden` is treated as bot/safety actor, not a human-login account. - PR sanity comment token order becomes explicit: `FORGEJO_TOKEN_PATCHWARDEN` -> `FORGEJO_TOKEN_CODEX` -> legacy generic token only with explicit actor. - Added `patchwarden_bot_identity.v1` readiness report with no token values, lengths, prefixes, suffixes, hashes, or raw HTTP bodies. - Current readiness smoke: secret present; identity check returns HTTP 403; no Docker runtime consumers found. No credential recovery, Infisical writes, runner env changes, token generation, revocation, or runtime mutation were performed in this PR.

codex commented

2026-06-05 01:52:16 +02:00

Collaborator

Guard Resolution evidence — 2026-06-05

Batch zamknięty po PR #721, bez drukowania wartości sekretów.

PR #721: merged (fix(ci): make patchwarden comment identity explicit).
Patchwarden user guard: prohibit_login zmienione true -> false; is_active=true, is_admin=false zachowane.
Patchwarden PAT: nowy token wygenerowany jako bot patchwarden; scopes: read:user, read:repository, write:issue; identity smoke: HTTP 200, login patchwarden, non-admin.
Infisical source of truth: /home-platform/forgejo_accounts, key for Patchwarden updated; readback identity smoke: HTTP 200, login patchwarden, non-admin.
Runner canary env regenerated from Infisical bridge via write_canary_env.py; file mode 0600, owner forgejo-canary:forgejo-canary.
Runner env keys present include FORGEJO_TOKEN_CODEX and FORGEJO_TOKEN_PATCHWARDEN; no raw values inspected or printed.
FORGEJO_TOKEN_PATCHWARDEN from runner env verifies as HTTP 200, login patchwarden, non-admin.
Canary readiness on RS2000: ready=true, mode infisical-machine, env file secure, required metadata valid, required commands present: claude, codex, forbidden direct env: none.

Residual debt:

Old/diagnostic Patchwarden tokens may still exist in Forgejo. They were not revoked in this batch to avoid broad credential cleanup during recovery.
A full live workflow-comment smoke is still optional evidence; current proof verifies identity, runner env, and readiness without creating extra PR noise.

## Guard Resolution evidence — 2026-06-05 Batch zamknięty po PR #721, bez drukowania wartości sekretów. - PR #721: merged (`fix(ci): make patchwarden comment identity explicit`). - Patchwarden user guard: `prohibit_login` zmienione `true -> false`; `is_active=true`, `is_admin=false` zachowane. - Patchwarden PAT: nowy token wygenerowany jako bot `patchwarden`; scopes: `read:user`, `read:repository`, `write:issue`; identity smoke: HTTP 200, login `patchwarden`, non-admin. - Infisical source of truth: `/home-platform/forgejo_accounts`, key for Patchwarden updated; readback identity smoke: HTTP 200, login `patchwarden`, non-admin. - Runner canary env regenerated from Infisical bridge via `write_canary_env.py`; file mode `0600`, owner `forgejo-canary:forgejo-canary`. - Runner env keys present include `FORGEJO_TOKEN_CODEX` and `FORGEJO_TOKEN_PATCHWARDEN`; no raw values inspected or printed. - `FORGEJO_TOKEN_PATCHWARDEN` from runner env verifies as HTTP 200, login `patchwarden`, non-admin. - Canary readiness on RS2000: `ready=true`, mode `infisical-machine`, env file secure, required metadata valid, required commands present: `claude`, `codex`, forbidden direct env: none. Residual debt: - Old/diagnostic Patchwarden tokens may still exist in Forgejo. They were not revoked in this batch to avoid broad credential cleanup during recovery. - A full live workflow-comment smoke is still optional evidence; current proof verifies identity, runner env, and readiness without creating extra PR noise.

codex commented

2026-06-05 02:46:42 +02:00

Collaborator

Secret recovery receipt — 2026-06-05 02:46 CEST

No secret values, prefixes, suffixes, hashes, raw env, or raw payloads are included here.

Backup gate

Critical backup already fresh before mutation: hp-backup-critical.service success, backup root 20260605-000007-critical.
Restore smoke rerun before rotations: hp-restore-smoke.service success, restore smoke passed against 20260605-000007-critical.
No DB/crypto rotations were performed in this batch.

Rotated / removed / repaired

Patchwarden Forgejo token sprawl repaired: 7 tokens collapsed to 1 token; remaining scope is write:issue,read:repository,read:user; user is active and non-admin.
GLM offboarded: glm user inactive, login prohibited, token count 0; Infisical key p+glm@durlej.me absent from /home-platform/forgejo_accounts.
FORGEJO_READ_TOKEN rotated: source /home-platform/infra; runtime consumer home-platform-kan-web-1; verified identity Iskra, non-admin; old token revoked after smoke.
KAN_AGENT_TOKEN rotated: source /home-platform/infra; runtime consumer home-platform-kan-mcp-1; Kan DB check shows runtime token matches exactly 1 active agent token, with exactly 1 inactive predecessor.
KAN_API_TOKEN removed from Infisical after verifier showed no runtime consumers, no repo consumers, and no matching Kan DB token.
Kan MCP health bug fixed and deployed: PR pdurlej/kan-ductor#164, image git.pdurlej.com/pdurlej/kan-mcp:sha-e38fefe70e53. This stops MCP from sending agent bearer auth to public /api/v1/health.

Held intentionally

CODEX-TY-UPARTA-PAUKO-FOREGJO-PAT: held as Codex/operator recovery credential per live owner direction; no runtime consumers in verifier.
FORGEJO_API_TOKEN: held per live owner direction; verifier identity is operator admin and no runtime consumers were detected by the autoverifier.
FORGEJO_ADMIN_PAT_TEMP: held per live owner direction for approved high-trust threads; verifier identity is operator admin and no runtime consumers were detected by the autoverifier.
KAN_FORGEJO_REGISTRY_TOKEN / KAN_FORGEJO_REGISTRY_USERNAME: held; no runtime consumers detected, package/registry token path is separate from normal Forgejo API identity checks.
Cousin PATs p+codex, p+claude, p+gemini, p+iskra, p+ollama, p+patchwarden: held; verified as non-admin identities where API identity check applies; no runtime consumers detected.
KAN_MCP_BEARER_TOKEN: runtime variable exists but is empty; no active bearer secret to rotate. Future hardening should either remove the empty var or set a real bearer and configure clients.

Deferred by risk class

Wave D database passwords deferred to per-service maintenance: FORGEJO_DB_PASSWORD, INFISICAL_DB_PASSWORD, N8N_DB_PASSWORD, UMAMI_DB_PASSWORD, KAN_POSTGRES_PASSWORD, HONCHO_DB_PASSWORD, HONCHO_REDIS_PASSWORD, POSTGRES_SUPERPASS, REDIS_PASSWORD.
Wave E crypto/session secrets deferred to dedicated research/maintenance: FORGEJO_SECRET_KEY, N8N_ENCRYPTION_KEY, UMAMI_APP_SECRET, KAN_BETTER_AUTH_SECRET.
Autoverifier still flags KAN_POSTGRES_PASSWORD and KAN_BETTER_AUTH_SECRET as runtime-only; this is residual config hygiene, not touched in this token recovery batch.

Post-change evidence

Kan MCP /live, /ready, /health: OK after deploy.
https://kan.pdurlej.com/analytics: HTTP 200 text/html after deploy.
home-platform-forgejo-1, home-platform-kan-web-1, home-platform-kan-mcp-1: running/healthy.
kan-web Invalid API key log count after MCP fix: 0 in the post-deploy observation windows.
kan-mcp auth/error signal count: 0 in the post-deploy observation window.
Final read-only autoverifier written locally on the operator machine as /private/tmp/platform-secret-recovery-report-postdeploy.json; do not paste raw report because it contains secret metadata.

Rollback notes

Kan MCP previous image before #164 deploy: git.pdurlej.com/pdurlej/kan-mcp:sha-7c160dd0485d.
Runtime env backups created during recovery: env/stack.env.bak-secret-recovery-20260605T000755Z, env/stack.env.bak-kan-mcp-healthfix-20260605T003506Z, env/stack.env.bak-kan-mcp-image-20260605T003852Z.
Rollback for MCP fix: restore previous KAN_MCP_IMAGE or previous env backup and recreate only kan-mcp; no DB migration involved.

## Secret recovery receipt — 2026-06-05 02:46 CEST No secret values, prefixes, suffixes, hashes, raw env, or raw payloads are included here. ### Backup gate - Critical backup already fresh before mutation: `hp-backup-critical.service` success, backup root `20260605-000007-critical`. - Restore smoke rerun before rotations: `hp-restore-smoke.service` success, restore smoke passed against `20260605-000007-critical`. - No DB/crypto rotations were performed in this batch. ### Rotated / removed / repaired - Patchwarden Forgejo token sprawl repaired: 7 tokens collapsed to 1 token; remaining scope is `write:issue,read:repository,read:user`; user is active and non-admin. - GLM offboarded: `glm` user inactive, login prohibited, token count 0; Infisical key `p+glm@durlej.me` absent from `/home-platform/forgejo_accounts`. - `FORGEJO_READ_TOKEN` rotated: source `/home-platform/infra`; runtime consumer `home-platform-kan-web-1`; verified identity `Iskra`, non-admin; old token revoked after smoke. - `KAN_AGENT_TOKEN` rotated: source `/home-platform/infra`; runtime consumer `home-platform-kan-mcp-1`; Kan DB check shows runtime token matches exactly 1 active agent token, with exactly 1 inactive predecessor. - `KAN_API_TOKEN` removed from Infisical after verifier showed no runtime consumers, no repo consumers, and no matching Kan DB token. - Kan MCP health bug fixed and deployed: PR pdurlej/kan-ductor#164, image `git.pdurlej.com/pdurlej/kan-mcp:sha-e38fefe70e53`. This stops MCP from sending agent bearer auth to public `/api/v1/health`. ### Held intentionally - `CODEX-TY-UPARTA-PAUKO-FOREGJO-PAT`: held as Codex/operator recovery credential per live owner direction; no runtime consumers in verifier. - `FORGEJO_API_TOKEN`: held per live owner direction; verifier identity is operator admin and no runtime consumers were detected by the autoverifier. - `FORGEJO_ADMIN_PAT_TEMP`: held per live owner direction for approved high-trust threads; verifier identity is operator admin and no runtime consumers were detected by the autoverifier. - `KAN_FORGEJO_REGISTRY_TOKEN` / `KAN_FORGEJO_REGISTRY_USERNAME`: held; no runtime consumers detected, package/registry token path is separate from normal Forgejo API identity checks. - Cousin PATs `p+codex`, `p+claude`, `p+gemini`, `p+iskra`, `p+ollama`, `p+patchwarden`: held; verified as non-admin identities where API identity check applies; no runtime consumers detected. - `KAN_MCP_BEARER_TOKEN`: runtime variable exists but is empty; no active bearer secret to rotate. Future hardening should either remove the empty var or set a real bearer and configure clients. ### Deferred by risk class - Wave D database passwords deferred to per-service maintenance: `FORGEJO_DB_PASSWORD`, `INFISICAL_DB_PASSWORD`, `N8N_DB_PASSWORD`, `UMAMI_DB_PASSWORD`, `KAN_POSTGRES_PASSWORD`, `HONCHO_DB_PASSWORD`, `HONCHO_REDIS_PASSWORD`, `POSTGRES_SUPERPASS`, `REDIS_PASSWORD`. - Wave E crypto/session secrets deferred to dedicated research/maintenance: `FORGEJO_SECRET_KEY`, `N8N_ENCRYPTION_KEY`, `UMAMI_APP_SECRET`, `KAN_BETTER_AUTH_SECRET`. - Autoverifier still flags `KAN_POSTGRES_PASSWORD` and `KAN_BETTER_AUTH_SECRET` as runtime-only; this is residual config hygiene, not touched in this token recovery batch. ### Post-change evidence - Kan MCP `/live`, `/ready`, `/health`: OK after deploy. - `https://kan.pdurlej.com/analytics`: HTTP 200 text/html after deploy. - `home-platform-forgejo-1`, `home-platform-kan-web-1`, `home-platform-kan-mcp-1`: running/healthy. - `kan-web` `Invalid API key` log count after MCP fix: 0 in the post-deploy observation windows. - `kan-mcp` auth/error signal count: 0 in the post-deploy observation window. - Final read-only autoverifier written locally on the operator machine as `/private/tmp/platform-secret-recovery-report-postdeploy.json`; do not paste raw report because it contains secret metadata. ### Rollback notes - Kan MCP previous image before #164 deploy: `git.pdurlej.com/pdurlej/kan-mcp:sha-7c160dd0485d`. - Runtime env backups created during recovery: `env/stack.env.bak-secret-recovery-20260605T000755Z`, `env/stack.env.bak-kan-mcp-healthfix-20260605T003506Z`, `env/stack.env.bak-kan-mcp-image-20260605T003852Z`. - Rollback for MCP fix: restore previous `KAN_MCP_IMAGE` or previous env backup and recreate only `kan-mcp`; no DB migration involved.

codex commented

2026-06-05 07:34:46 +02:00

Collaborator

Live DJ + hygiene receipt — 2026-06-05 07:28 CEST

No secret values, prefixes, suffixes, hashes, raw env, or raw logs are included.

Live check

home-platform-forgejo-1, home-platform-infisical-1, home-platform-n8n-main-1, home-platform-kan-web-1, home-platform-kan-mcp-1: running/healthy.
kan-web Invalid API key count, last 10m: 0.
kan-mcp auth/error signal count, last 10m: 0.
https://kan.pdurlej.com/analytics: HTTP 200 text/html.
kan-mcp runtime image: git.pdurlej.com/pdurlej/kan-mcp:sha-e38fefe70e53.

Owner decision recorded

Keep FORGEJO_API_TOKEN and FORGEJO_ADMIN_PAT_TEMP for the next few days as recovery/admin lane credentials.
Do not revoke them during the immediate post-recovery cooldown.
Follow-up issue: #722.

Hygiene follow-ups

#722 — review held Forgejo admin/temp PATs after cooldown.
#723 — decide empty KAN_MCP_BEARER_TOKEN runtime hygiene.
#724/#725 — fixed Kan image override guard.

Fix applied

PR #725 merged: adds scripts/kan/effective-images.py and tests for shadowed KAN_IMAGE_TAG.
Local tests: python3 -m py_compile scripts/kan/effective-images.py; python3 -m pytest tests/test_kan_runtime_contract.py -q => 6 passed.
CI for #725 was green before merge.
Runtime cleanup: removed misleading KAN_IMAGE_TAG from RS2000 env/stack.env because all three Kan images are explicitly pinned by KAN_WEB_IMAGE, KAN_MIGRATE_IMAGE, and KAN_MCP_IMAGE.
No service restart was performed for this cleanup; kan-mcp stayed running/healthy.
Runtime backup: env/stack.env.bak-remove-shadowed-kan-image-tag-20260605T052446Z.

## Live DJ + hygiene receipt — 2026-06-05 07:28 CEST No secret values, prefixes, suffixes, hashes, raw env, or raw logs are included. ### Live check - `home-platform-forgejo-1`, `home-platform-infisical-1`, `home-platform-n8n-main-1`, `home-platform-kan-web-1`, `home-platform-kan-mcp-1`: running/healthy. - `kan-web` Invalid API key count, last 10m: 0. - `kan-mcp` auth/error signal count, last 10m: 0. - `https://kan.pdurlej.com/analytics`: HTTP 200 text/html. - `kan-mcp` runtime image: `git.pdurlej.com/pdurlej/kan-mcp:sha-e38fefe70e53`. ### Owner decision recorded - Keep `FORGEJO_API_TOKEN` and `FORGEJO_ADMIN_PAT_TEMP` for the next few days as recovery/admin lane credentials. - Do not revoke them during the immediate post-recovery cooldown. - Follow-up issue: #722. ### Hygiene follow-ups - #722 — review held Forgejo admin/temp PATs after cooldown. - #723 — decide empty `KAN_MCP_BEARER_TOKEN` runtime hygiene. - #724/#725 — fixed Kan image override guard. ### Fix applied - PR #725 merged: adds `scripts/kan/effective-images.py` and tests for shadowed `KAN_IMAGE_TAG`. - Local tests: `python3 -m py_compile scripts/kan/effective-images.py`; `python3 -m pytest tests/test_kan_runtime_contract.py -q` => 6 passed. - CI for #725 was green before merge. - Runtime cleanup: removed misleading `KAN_IMAGE_TAG` from RS2000 `env/stack.env` because all three Kan images are explicitly pinned by `KAN_WEB_IMAGE`, `KAN_MIGRATE_IMAGE`, and `KAN_MCP_IMAGE`. - No service restart was performed for this cleanup; `kan-mcp` stayed running/healthy. - Runtime backup: `env/stack.env.bak-remove-shadowed-kan-image-tag-20260605T052446Z`.

claude referenced this issue from a commit

2026-06-08 21:50:28 +02:00

docs(security): guard against secret exposure via `docker compose config` (#711)

claude referenced this issue from a commit

2026-06-08 21:51:39 +02:00

docs(security): guard against secret exposure via `docker compose config` (#711)

claude referenced this issue

2026-06-08 21:51:55 +02:00

docs(security): guard against secret exposure via docker compose config (#711) #750

claude commented

2026-06-08 21:52:19 +02:00

Collaborator

Guard-note acceptance-bit — addressed in PR #750

The required follow-up "add a guard/runbook note: never run docker compose config or ./scripts/compose.sh config on secret-bearing services unless output is redirected to a protected file and scrubbed before reporting" is implemented in #750 (class/security-sensitive, awaiting operator merge).

Root-cause framing: bare docker compose config renders the fully variable-expanded compose document, printing interpolated secret values to stdout. The operational code paths already enforced --quiet (control-plane/platformctl/apply.py preflight; ops/rs2000/platform-host-agent-wrapper) — the remaining gap was the teaching surface (master prompts + runbook had no prevention note).

Files changed (metadata-only — no secret values printed):

runbooks/platform-secret-recovery.md — new ## Prevention section: validate with --quiet, list images with --images, umask 077/chmod 600 + scrub if rendered config is genuinely needed; explicitly covers compose wrappers (./scripts/compose.sh config, host-agent wrapper) and docker inspect env; never paste raw output into session/PR/issue/log.
prompts/02-catalog.md — rendered-compose gate → docker compose config --quiet.
prompts/03-control.md — plan observed-state read → inline secret-safety warning + --quiet.
prompts/06-prune.md — image-reference check → docker compose config --images (was bare config | yq).
docs/forgejo-agent-operations.md (Secrets And Infisical Rules) and PLATFORM_CHARTER.md §5 (Secrets stance) — canonical platform rule.

Coverage note: a repo-wide grep for docker compose config shows every operational prompt/code path now uses --quiet/--images. The only remaining un---quiet occurrence is state/L0/oracle-arch-5layer-review.md — an archived 2026-05-01 Oracle review record, deliberately left unedited (it documents what was said, not a live instruction). scripts/compose.sh is host-local (not in the repo); the runbook note covers wrappers generically.

Out of scope for this PR (remain open / operator-owned on this issue):

regenerate/store a fresh p+codex@durlej.me Forgejo PAT;
operator decision on which other stack secrets that appeared in the transcript require rotation.

Authored as actor claude (not pdurlej). No secret values, prefixes, suffixes, or hashes appear in #750 or in this comment.

## Guard-note acceptance-bit — addressed in PR #750 The required follow-up *"add a guard/runbook note: never run `docker compose config` or `./scripts/compose.sh config` on secret-bearing services unless output is redirected to a protected file and scrubbed before reporting"* is implemented in **#750** (`class/security-sensitive`, awaiting operator merge). **Root-cause framing:** bare `docker compose config` renders the fully variable-expanded compose document, printing interpolated secret values to stdout. The operational code paths already enforced `--quiet` (`control-plane/platformctl/apply.py` preflight; `ops/rs2000/platform-host-agent-wrapper`) — the remaining gap was the **teaching surface** (master prompts + runbook had no prevention note). **Files changed (metadata-only — no secret values printed):** - `runbooks/platform-secret-recovery.md` — new `## Prevention` section: validate with `--quiet`, list images with `--images`, `umask 077`/`chmod 600` + scrub if rendered config is genuinely needed; explicitly covers compose **wrappers** (`./scripts/compose.sh config`, host-agent wrapper) and `docker inspect` env; never paste raw output into session/PR/issue/log. - `prompts/02-catalog.md` — rendered-compose gate → `docker compose config --quiet`. - `prompts/03-control.md` — `plan` observed-state read → inline secret-safety warning + `--quiet`. - `prompts/06-prune.md` — image-reference check → `docker compose config --images` (was bare `config | yq`). - `docs/forgejo-agent-operations.md` (*Secrets And Infisical Rules*) and `PLATFORM_CHARTER.md` §5 (*Secrets stance*) — canonical platform rule. **Coverage note:** a repo-wide `grep` for `docker compose config` shows every operational prompt/code path now uses `--quiet`/`--images`. The only remaining un-`--quiet` occurrence is `state/L0/oracle-arch-5layer-review.md` — an archived 2026-05-01 Oracle review record, deliberately left unedited (it documents what was said, not a live instruction). `scripts/compose.sh` is host-local (not in the repo); the runbook note covers wrappers generically. **Out of scope for this PR (remain open / operator-owned on this issue):** - regenerate/store a fresh `p+codex@durlej.me` Forgejo PAT; - operator decision on which other stack secrets that appeared in the transcript require rotation. Authored as actor `claude` (not `pdurlej`). No secret values, prefixes, suffixes, or hashes appear in #750 or in this comment.

pdurlej referenced this issue from a commit

2026-06-08 22:00:41 +02:00

Merge pull request 'docs(security): guard against secret exposure via `docker compose config` (#711)' (#750) from claude/issues/711-compose-config-secret-guard into main

Iskra commented

2026-06-12 03:14:24 +02:00

Collaborator

Iskra judgment

Field	Value
Target	`pdurlej/platform#issue#711`
Priority	p0
Action	operator_needed
Scores	reach 5 / impact 5 / confidence 5
Piotr fit	high
Effort	medium
Labels	`judge/p0`, `judge/operator-needed`
Judge	`iskra` via `openclaw`

Rationale: This is P0 operator-needed security work because exposed deploy transcript secrets require complete rotation, verification, and cleanup before normal trust can resume.

Caveat: Do not repeat secret values in comments or logs; track only categories, rotation receipts, and post-rotation smoke evidence.

Structured openclaw.judge.v0 payload

<!-- openclaw.judge.v0 -->
{
  "confidence": 5,
  "effort_hint": "medium",
  "escalation": {
    "kind": "operator",
    "reason": "Secret exposure and credential rotation require owner-approved sequencing, verification, and cleanup without leaking values."
  },
  "evidence_refs": [
    {
      "note": "Issue tracks rotation and cleanup after secret-bearing compose diagnostics were printed during Kan analytics deploy work.",
      "type": "forgejo",
      "value": "issue-title-body-labels-and-target-snapshot"
    },
    {
      "note": "Body lists exposed categories as runtime token material and platform environment values without repeating secret values.",
      "type": "forgejo",
      "value": "issue-body-exposed-categories"
    },
    {
      "note": "Body says immediate mitigation deleted the old Forgejo token and switched the analytics runtime token away from the exposed identity.",
      "type": "forgejo",
      "value": "issue-body-immediate-mitigation"
    }
  ],
  "impact": 5,
  "judge_actor": {
    "name": "iskra",
    "runtime": "openclaw"
  },
  "judged_at": "2026-06-12T01:12:00Z",
  "labels_to_apply": [
    "judge/p0",
    "judge/operator-needed"
  ],
  "piotr_fit": "high",
  "priority": "p0",
  "rationale_summary": "This is P0 operator-needed security work because exposed deploy transcript secrets require complete rotation, verification, and cleanup before normal trust can resume.",
  "reach": 5,
  "recommended_next_action": "operator_needed",
  "rerun_reason": "no_prior_judgment",
  "schema": "openclaw.judge.v0",
  "target": {
    "kind": "issue",
    "number": 711,
    "repo": "pdurlej/platform"
  },
  "target_snapshot": {
    "body_hash": "sha256:1aef03501e79d0ccdc1bc73f8b9fa5cf6fe004f15e638b8ca8dd5e41ada1ea2d",
    "commit_count": null,
    "evidence_hash": "sha256:0cde82be9ff3ba2e7ae9ce74875ee79c212fa6443894722639f993dc9f8a9a9f",
    "head_sha": null,
    "labels": [],
    "labels_hash": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "state": "open",
    "title_hash": "sha256:0a8eacc13dd366a85448e1568fdf3384f56bef94ca4f014bb26d08b84024df70",
    "updated_at": "2026-06-08T22:00:41+02:00"
  },
  "top_caveat": "Do not repeat secret values in comments or logs; track only categories, rotation receipts, and post-rotation smoke evidence."
}
<!-- /openclaw.judge.v0 -->

### Iskra judgment | Field | Value | | --- | --- | | Target | `pdurlej/platform#issue#711` | | Priority | p0 | | Action | operator_needed | | Scores | reach 5 / impact 5 / confidence 5 | | Piotr fit | high | | Effort | medium | | Labels | `judge/p0`, `judge/operator-needed` | | Judge | `iskra` via `openclaw` | **Rationale:** This is P0 operator-needed security work because exposed deploy transcript secrets require complete rotation, verification, and cleanup before normal trust can resume. **Caveat:** Do not repeat secret values in comments or logs; track only categories, rotation receipts, and post-rotation smoke evidence. <details> <summary>Structured openclaw.judge.v0 payload</summary> ```json  { "confidence": 5, "effort_hint": "medium", "escalation": { "kind": "operator", "reason": "Secret exposure and credential rotation require owner-approved sequencing, verification, and cleanup without leaking values." }, "evidence_refs": [ { "note": "Issue tracks rotation and cleanup after secret-bearing compose diagnostics were printed during Kan analytics deploy work.", "type": "forgejo", "value": "issue-title-body-labels-and-target-snapshot" }, { "note": "Body lists exposed categories as runtime token material and platform environment values without repeating secret values.", "type": "forgejo", "value": "issue-body-exposed-categories" }, { "note": "Body says immediate mitigation deleted the old Forgejo token and switched the analytics runtime token away from the exposed identity.", "type": "forgejo", "value": "issue-body-immediate-mitigation" } ], "impact": 5, "judge_actor": { "name": "iskra", "runtime": "openclaw" }, "judged_at": "2026-06-12T01:12:00Z", "labels_to_apply": [ "judge/p0", "judge/operator-needed" ], "piotr_fit": "high", "priority": "p0", "rationale_summary": "This is P0 operator-needed security work because exposed deploy transcript secrets require complete rotation, verification, and cleanup before normal trust can resume.", "reach": 5, "recommended_next_action": "operator_needed", "rerun_reason": "no_prior_judgment", "schema": "openclaw.judge.v0", "target": { "kind": "issue", "number": 711, "repo": "pdurlej/platform" }, "target_snapshot": { "body_hash": "sha256:1aef03501e79d0ccdc1bc73f8b9fa5cf6fe004f15e638b8ca8dd5e41ada1ea2d", "commit_count": null, "evidence_hash": "sha256:0cde82be9ff3ba2e7ae9ce74875ee79c212fa6443894722639f993dc9f8a9a9f", "head_sha": null, "labels": [], "labels_hash": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "state": "open", "title_hash": "sha256:0a8eacc13dd366a85448e1568fdf3384f56bef94ca4f014bb26d08b84024df70", "updated_at": "2026-06-08T22:00:41+02:00" }, "top_caveat": "Do not repeat secret values in comments or logs; track only categories, rotation receipts, and post-rotation smoke evidence." }  ``` </details>

Iskra added the

judge/operator-needed

judge/p0

labels

2026-06-12 03:14:25 +02:00