|
SEC-005: store a GitBucket credential on the jumphost so pushes stop failing
The jumphost clone could not push (could not read Username for https://git.baldurkeep.com), which left this branch 12 commits ahead of origin for two days -- all the D-112 / OPNsense edge work existed only on this box. Now fixed: credential.helper store + a dedicated PAT at ~/.git-credentials (mode 600), written by the operator via a hidden prompt. The token was never read into agent context; the credential is verified by USING it, never by printing it. Two GitBucket behaviours measured and recorded, because both cost a cycle: 1. The git username is NOT the web-UI login. The operator signs in with an email; that is rejected for git transport. Measured against info/refs?service=git-receive-pack: jesse.austin@neumatrix.com -> 401, JANeumatrix (the git user.name) -> 401, jesse.austin -> 200 CAN PUSH. Note GitBucket 401s PAT basic-auth on /api/v3/ across the board while accepting it for git -- so validating a credential against the API gives a FALSE NEGATIVE. Validate against the receive-pack endpoint. 2. credential.helper store DELETES the stored credential when the server rejects it (git calls credential reject on a 401). The first bad-username push therefore emptied ~/.git-credentials to 0 bytes, and the follow-up diagnostics were authenticating with an empty string -- which read as a corrupt file and misdirected the investigation. If the file mysteriously empties: the credential was rejected, it did not fail to write. Tooling consequence: validate BEFORE writing. SEC-005 is OPEN by operator ruling: a long-lived, account-wide PAT now sits in plaintext on the jumphost (GitBucket has no per-repo token scoping, so the control is rotation, not scope). Revoke/rotate at v1 close, or immediately if the jumphost is shared or rebuilt. Revert: git config --global --unset credential.helper && rm -f ~/.git-credentials, then revoke the token in GitBucket -> Account Settings -> Applications. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01B6Fzre1CxCY8tzwFCudu57 |
|---|
|
|
| docs/changelog-20260713-git-credential-store.md 0 → 100644 |
|---|
| docs/security-ledger.md |
|---|
| docs/session-ledger.md |
|---|