pdurlej/platform

Fork 0

docs(security): guard against secret exposure via `docker compose config` (#711) #750

Merged

pdurlej merged 1 commit from claude/issues/711-compose-config-secret-guard into main

2026-06-08 22:00:40 +02:00

claude commented

2026-06-08 21:51:55 +02:00

Collaborator

What

Closes the last open acceptance-bit on #711: "add a guard/runbook note — never run docker compose config (or ./scripts/compose.sh config) on secret-bearing services unless output is redirected to a protected file and scrubbed before reporting."

Bare docker compose config renders the fully variable-expanded compose document, printing every interpolated secret value to stdout — the root cause of the 2026-06-04 incident. The operational code paths already enforced --quiet (control-plane/platformctl/apply.py preflight, ops/rs2000/platform-host-agent-wrapper); the remaining gap was the teaching surface (master prompts + runbook had no prevention note).

Changes

File	Change
`runbooks/platform-secret-recovery.md`	New `## Prevention` section: validate with `--quiet`, list images with `--images`, `umask 077` + scrub if rendered config is genuinely needed, covers compose wrappers and `docker inspect` env.
`prompts/02-catalog.md`	Rendered-compose gate → `docker compose config --quiet`.
`prompts/03-control.md`	`plan` observed-state read → inline secret-safety warning + `--quiet`.
`prompts/06-prune.md`	Image-reference check → `docker compose config --images` (was bare `config \| yq`).
`docs/forgejo-agent-operations.md`	Canonical rule in Secrets And Infisical Rules.
`PLATFORM_CHARTER.md` §5	Canonical platform rule in Secrets stance.

Verification (metadata-only)

grep confirms no bare docker compose config remains in operational prompts/code — the only un---quiet occurrence left is state/L0/oracle-arch-5layer-review.md, an archived 2026-05-01 Oracle review record (deliberately not edited — it documents what was said, not a live instruction).
scripts/compose.sh is host-local (not in repo); the runbook note covers wrappers generically so the guard holds regardless.
No secret values, prefixes, suffixes, or hashes appear in this diff or PR.

Class

class/security-sensitive → smallest coherent PR, full canary (3+3), operator merge (not auto). Authored as actor claude, not pdurlej.

Closes the guard-note acceptance-bit of #711 (rotation/exposure decisions on that issue remain operator-owned).

🤖 Generated with Claude Code

## What Closes the last open acceptance-bit on #711: *"add a guard/runbook note — never run `docker compose config` (or `./scripts/compose.sh config`) on secret-bearing services unless output is redirected to a protected file and scrubbed before reporting."* Bare `docker compose config` renders the **fully variable-expanded** compose document, printing every interpolated secret value to stdout — the root cause of the 2026-06-04 incident. The **operational code paths already enforced `--quiet`** (`control-plane/platformctl/apply.py` preflight, `ops/rs2000/platform-host-agent-wrapper`); the remaining gap was the **teaching surface** (master prompts + runbook had no prevention note). ## Changes | File | Change | |---|---| | `runbooks/platform-secret-recovery.md` | New **`## Prevention`** section: validate with `--quiet`, list images with `--images`, `umask 077` + scrub if rendered config is genuinely needed, covers compose wrappers and `docker inspect` env. | | `prompts/02-catalog.md` | Rendered-compose gate → `docker compose config --quiet`. | | `prompts/03-control.md` | `plan` observed-state read → inline secret-safety warning + `--quiet`. | | `prompts/06-prune.md` | Image-reference check → `docker compose config --images` (was bare `config \| yq`). | | `docs/forgejo-agent-operations.md` | Canonical rule in *Secrets And Infisical Rules*. | | `PLATFORM_CHARTER.md` §5 | Canonical platform rule in *Secrets stance*. | ## Verification (metadata-only) - `grep` confirms no bare `docker compose config` remains in operational prompts/code — the only un-`--quiet` occurrence left is `state/L0/oracle-arch-5layer-review.md`, an **archived 2026-05-01 Oracle review record** (deliberately not edited — it documents what was said, not a live instruction). - `scripts/compose.sh` is host-local (not in repo); the runbook note covers wrappers generically so the guard holds regardless. - **No secret values, prefixes, suffixes, or hashes appear in this diff or PR.** ## Class `class/security-sensitive` → smallest coherent PR, full canary (3+3), **operator merge** (not auto). Authored as actor `claude`, not `pdurlej`. Closes the guard-note acceptance-bit of #711 (rotation/exposure decisions on that issue remain operator-owned). 🤖 Generated with [Claude Code](https://claude.com/claude-code)

claude added the

class/security-sensitive

size/small

agent/claude-code

merge/manual-security-sensitive

safety:secret-touch

type:docs

labels

2026-06-08 21:51:55 +02:00

claude added 1 commit

2026-06-08 21:51:55 +02:00

docs(security): guard against secret exposure via docker compose config (#711 )

canary-required / collect-diff (pull_request) Successful in 5s

Details

base-is-main / guard (pull_request) Successful in 1s

Details

patchwarden-pr-sanity / collect-diff (pull_request) Successful in 4s

Details

canary-required / canary (pull_request) Successful in 13s

Details

patchwarden-client-dry-run / dry-run (pull_request) Successful in 21s

Details

patchwarden-client-dry-run / collect-diff (pull_request) Successful in 3s

Details

patchwarden-pr-sanity / sanity (pull_request) Successful in 3m4s

Details

417de09be7

Closes the last open acceptance-bit on #711: "add a guard/runbook note —
never run `docker compose config` on secret-bearing services unless output is
redirected to a protected file and scrubbed."

Bare `docker compose config` renders the fully variable-expanded compose
document with every interpolated secret value on stdout (root cause of the
2026-06-04 incident). The operational code paths already enforced `--quiet`
(apply.py preflight, host-agent wrapper); the gap was in the teaching surface.

- runbooks/platform-secret-recovery.md: new "## Prevention" section — validate
  with `--quiet`, list images with `--images`, and if rendered config is
  genuinely needed, `umask 077` to a protected file + scrub before reporting;
  never paste raw config/inspect env into session/PR/issue/log.
- prompts/02-catalog.md, 03-control.md, 06-prune.md: replace bare
  `docker compose config` with `--quiet` / `--images` or an inline
  secret-safety warning linking the runbook §Prevention.
- docs/forgejo-agent-operations.md (Secrets And Infisical Rules) and
  PLATFORM_CHARTER.md §5 (Secrets stance): canonical platform rule.

Metadata-only: no secret values, prefixes, suffixes, or hashes are printed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

claude referenced this pull request

2026-06-08 21:52:19 +02:00

security: rotate secrets exposed during Kan analytics deploy transcript #711

patchwarden commented

2026-06-08 21:55:40 +02:00

First-time contributor

Patchwarden PR sanity

Status: advisory_findings
PR: 750
Commit: 417de09be7aafc7bce9de4ffa8e3b1649bd3be4a
Security-sensitive label: present
Authority: advisory model review plus deterministic blockers only
3+3 canary: still alive; this does not replace it

Deterministic findings

info sensitive-path-touched Sensitive path touched — PLATFORM_CHARTER.md
- Evidence: PLATFORM_CHARTER.md
- Next: Route through the existing 3+3/risk-tier process; model review remains advisory.

Model reviewers

`global-glm` / `glm-5.1:cloud`

Status: ok
Verdict: OK
Findings: none

`global-deepseek` / `deepseek-v4-pro:cloud`

Status: ok
Verdict: OK
Findings: none

`redteam` / `kimi-k2.6:cloud`

Status: ok
Verdict: NOT_OK
high Runbook teaches predictable /tmp path for secret material
- Evidence: runbooks/platform-secret-recovery.md: ( umask 077; docker compose config > /tmp/rendered.yaml ) — writes fully-expanded secrets to a hardcoded path in a shared world-writable directory, enabling symlink races and leaving recoverable files
- Next: Replace the example with tmpfile=$(mktemp -m 600 -t rendered.XXXXXX.yaml) and use that variable for both redirection and secure removal; never hardcode paths under /tmp for secret material.

Policy notes

GLM 5.1 + DeepSeek V4 Pro are the operator-required model mix for this bot.
Optional red-team model is enabled only when PLATFORMCTL_PR_SANITY_REDTEAM_MODEL is configured.
Auto-merge is not enabled here.

# Patchwarden PR sanity - Status: `advisory_findings` - PR: `750` - Commit: `417de09be7aafc7bce9de4ffa8e3b1649bd3be4a` - Security-sensitive label: `present` - Authority: advisory model review plus deterministic blockers only - 3+3 canary: still alive; this does not replace it ## Deterministic findings - **`info` `sensitive-path-touched`** Sensitive path touched — `PLATFORM_CHARTER.md` - Evidence: `PLATFORM_CHARTER.md` - Next: Route through the existing 3+3/risk-tier process; model review remains advisory. ## Model reviewers ### `global-glm` / `glm-5.1:cloud` - Status: `ok` - Verdict: `OK` - Findings: none ### `global-deepseek` / `deepseek-v4-pro:cloud` - Status: `ok` - Verdict: `OK` - Findings: none ### `redteam` / `kimi-k2.6:cloud` - Status: `ok` - Verdict: `NOT_OK` - **`high`** Runbook teaches predictable /tmp path for secret material - Evidence: `runbooks/platform-secret-recovery.md: `( umask 077; docker compose config > /tmp/rendered.yaml )` — writes fully-expanded secrets to a hardcoded path in a shared world-writable directory, enabling symlink races and leaving recoverable files` - Next: Replace the example with `tmpfile=$(mktemp -m 600 -t rendered.XXXXXX.yaml)` and use that variable for both redirection and secure removal; never hardcode paths under /tmp for secret material. ## Policy notes - GLM 5.1 + DeepSeek V4 Pro are the operator-required model mix for this bot. - Optional red-team model is enabled only when `PLATFORMCTL_PR_SANITY_REDTEAM_MODEL` is configured. - Auto-merge is not enabled here.