Commercial posture: every credential exposure, rotation obligation, and security TODO gets a ROW here with an owner and status -- never only a comment in a script header (where the libvirt item below lived for a week). Review this ledger at every phase-00 (teardown) and before any handoff. Locations of key material are deliberately NOT recorded here -- custody detail lives off-repo per D-069.
| id | date | item | source / evidence | owner | status |
|---|---|---|---|---|---|
| SEC-001 | 2026-06-26 | libvirt SSH credential printed in plaintext by maas machine power-parameters during reenroll work |
scripts/reenroll-hosts.sh header note | operator | OPEN -- rotate at v1 close (operator ruling 2026-07-06; was "after rebuild") |
| SEC-002 | 2026-06-17 | juju action params persist in the operation log -- charm authorization must use short-lived child tokens | DOCFIX-011 | operator | STANDING RULE (verify each vault authorize) |
| SEC-003 | 2026-07-03 | Vault unseal-key custody is single-operator (bus factor) | D-069 | operator | OPEN -- assign custodians + rehearse second-person unseal (DEFERRED 2026-07-06 by operator; note: keeps d011-06 MANUAL, gates D-011 full close) |
| SEC-004 | 2026-05-27 | repo temporarily PUBLIC for v1 web_fetch workflow | project completion list | operator | OPEN -- flip to private at v1 close (deferral reaffirmed 2026-07-06) |
| SEC-005 | 2026-07-13 | long-lived GitBucket PAT stored in PLAINTEXT on the jumphost (credential.helper store, mode 600) so the agent can push unattended; GitBucket PATs are account-wide -- no per-repo scoping exists |
docs/changelog-20260713-git-credential-store.md | operator | OPEN -- dedicated token (not a reused personal one); revoke + rotate at v1 close, or immediately if the jumphost is shared/rebuilt. Revoke: GitBucket -> Account Settings -> Applications |
| SEC-006 | 2026-07-12 | NetBox API token PASTED INTO AGENT CHAT CONTEXT during D-111 IPv6 reconciliation -- the token is BURNED (it exists in a transcript that is not under our control) and must be revoked + reissued, not merely rotated on schedule | docs/changelog-20260712-office1-opnsense-edge-build.md; flagged again at 2026-07-12 session close | operator | OPEN -- DEFERRED by operator ruling 2026-07-13: revoke at completion of this deployment. Until then the token is live and exposed. Revoke: NetBox -> Admin -> API Tokens |
| SEC-007 | 2026-07-12 | ~/vr1-office1-creds/ on the jumphost holds the Office1 edge root password + its bcrypt hash + the office1_svc SSH PRIVATE key + (added 2026-07-13) the OPNsense API key/secret (opnsense-api.txt, 0600), all in plaintext (dir 0700, files 0600) |
2026-07-12 edge build; custody detail deliberately not recorded here per D-069 | operator | OPEN -- required for edge management (D-112(c) makes SSH the only management path), so this is a ROTATION obligation, not a delete-me. Rotate at v1 close / if the jumphost is rebuilt or shared |
| SEC-008 | 2026-07-13 | ~/vr1-office1-creds/tailscale-authkey.txt (vcloud, 0600) -- the operator's 48-char Tailscale auth key for the SELF-HOSTED control plane tailscale.baldurkeep.com. Used to enrol office1-tailscale. Consumed BY PATH and never printed into a session; the copy shipped to the node was SHREDDED after tailscale up (tailscaled holds its own node key now). |
2026-07-13 Office1 Tailscale enrolment; docs/vr1-office1-as-built.md | operator | OPEN -- ROTATION obligation, not a delete-me: the key is still on vcloud for re-enrolment. Revoke/reissue on the control server at v1 close, or immediately if vcloud is rebuilt or shared. |
| SEC-009 | 2026-07-15 | Credential/env SPRAWL + world-readable exposure on vcloud: three env files sat loose in ~ outside the consolidated ~/vr1-office1-creds/ -- .vr1-netbox.env (upstream NetBox token), vr1-office1.env (edge root-password hash + SSH key path), and vr1-stage1.env which held TF_VAR_maas_api_key (a MAAS API secret) at mode 0664 (group/world-readable); tailscale-authkey.txt in the creds dir was also 0664. |
docs/changelog-20260715-creds-consolidation.md | operator | REMEDIATED 2026-07-15 -- all three moved into ~/vr1-office1-creds/, every sensitive file chmod 600. STANDING CONVENTION established (below). Note: this is a CLOSED in-house test; the rotation obligations of SEC-005/006/007 still apply at v1 close, this row only closes the SPRAWL + PERMS exposure. |
STANDING CONVENTION (SEC-009, 2026-07-15): per-site credential/env consolidation. ALL sensitive files AND environment/config files for a site live in a single ~/<site>-creds/ folder on vcloud, mode 0700, files 0600 (public keys 0644). No loose env files in ~. Sites: ~/vr1-office1-creds/ (exists); when DC deployment starts, ~/vr1-dc0-creds/ and ~/vr1-dc1-creds/ follow the SAME pattern from day one -- do not accumulate loose vr1-dc0*.env in ~ and consolidate later. This is a DATA-LOSS / continuity control as much as a security one: scattered creds get lost between sessions and after compaction. Rationale is looser-security-but-strict-hygiene: this is a closed in-house test, so real credential hardening (rotation, revocation, non-shared tokens) is deferred to post-teardown redeploy cycles (test2/3/4+), but consolidation happens NOW so nothing is lost.