Newer
Older
openstack-caracal-dc-dc / docs / security-ledger.md

Security exposure / obligation ledger (DOCFIX-078)

Commercial posture: every credential exposure, rotation obligation, and security TODO gets a ROW here with an owner and status -- never only a comment in a script header (where the libvirt item below lived for a week). Review this ledger at every phase-00 (teardown) and before any handoff. Locations of key material are deliberately NOT recorded here -- custody detail lives off-repo per D-069.

id date item source / evidence owner status
SEC-001 2026-06-26 libvirt SSH credential printed in plaintext by maas machine power-parameters during reenroll work scripts/reenroll-hosts.sh header note operator OPEN -- rotate at v1 close (operator ruling 2026-07-06; was "after rebuild")
SEC-002 2026-06-17 juju action params persist in the operation log -- charm authorization must use short-lived child tokens DOCFIX-011 operator STANDING RULE (verify each vault authorize)
SEC-003 2026-07-03 Vault unseal-key custody is single-operator (bus factor) D-069 operator OPEN -- assign custodians + rehearse second-person unseal (DEFERRED 2026-07-06 by operator; note: keeps d011-06 MANUAL, gates D-011 full close)
SEC-004 2026-05-27 repo temporarily PUBLIC for v1 web_fetch workflow project completion list operator OPEN -- flip to private at v1 close (deferral reaffirmed 2026-07-06)
SEC-005 2026-07-13 long-lived GitBucket PAT stored in PLAINTEXT on the jumphost (credential.helper store, mode 600) so the agent can push unattended; GitBucket PATs are account-wide -- no per-repo scoping exists docs/changelog-20260713-git-credential-store.md operator OPEN -- dedicated token (not a reused personal one); revoke + rotate at v1 close, or immediately if the jumphost is shared/rebuilt. Revoke: GitBucket -> Account Settings -> Applications
SEC-006 2026-07-12 NetBox API token PASTED INTO AGENT CHAT CONTEXT during D-111 IPv6 reconciliation -- the token is BURNED (it exists in a transcript that is not under our control) and must be revoked + reissued, not merely rotated on schedule docs/changelog-20260712-office1-opnsense-edge-build.md; flagged again at 2026-07-12 session close operator OPEN -- DEFERRED by operator ruling 2026-07-13: revoke at completion of this deployment. Until then the token is live and exposed. Revoke: NetBox -> Admin -> API Tokens
SEC-007 2026-07-12 ~/vr1-office1-creds/ on the jumphost holds the Office1 edge root password + its bcrypt hash + the office1_svc SSH PRIVATE key + (added 2026-07-13) the OPNsense API key/secret (opnsense-api.txt, 0600), all in plaintext (dir 0700, files 0600) 2026-07-12 edge build; custody detail deliberately not recorded here per D-069 operator OPEN -- required for edge management (D-112(c) makes SSH the only management path), so this is a ROTATION obligation, not a delete-me. Rotate at v1 close / if the jumphost is rebuilt or shared
SEC-008 2026-07-13 ~/vr1-office1-creds/tailscale-authkey.txt (vcloud, 0600) -- the operator's 48-char Tailscale auth key for the SELF-HOSTED control plane tailscale.baldurkeep.com. Used to enrol office1-tailscale. Consumed BY PATH and never printed into a session; the copy shipped to the node was SHREDDED after tailscale up (tailscaled holds its own node key now). 2026-07-13 Office1 Tailscale enrolment; docs/vr1-office1-as-built.md operator OPEN -- ROTATION obligation, not a delete-me: the key is still on vcloud for re-enrolment. Revoke/reissue on the control server at v1 close, or immediately if vcloud is rebuilt or shared.