Security: leaked secrets cleanup + rotation (tracking) #1

Open
opened 2026-04-18 19:42:36 +00:00 by nsatoshi · 0 comments

Security: leaked secrets cleanup + rotation (tracking)

Classification: security — secret VALUES are intentionally NOT in this issue body because d-bis/proxmox is a public Gitea repo. The authoritative inventory (with categorized values and per-file remediation plan) lives out-of-repo under operator control — see "Artefacts" below.

Owner: @nsatoshi2007
Coordinating agent: Devin session 8d9743d4 (https://app.devin.ai/sessions/8d9743d488bf406a888f5695753b2e92)

Summary

A Phase-0 read-only scan of master at d63efcb3 and of the pinned smom-dbis-138 submodule identified tracked files that contain:

  • Phoenix Vault cluster secrets (root token, 3/5-threshold unseal keys, 2 AppRole Role/Secret ID pairs)
  • A second Vault cluster root token (dbis_core admin)
  • The Chain 138 deployer EOA private key (also used for ETH mainnet + CCIP, Cronos, Wemix, Polygon, Base, Optimism, BSC, Avalanche, Arbitrum per repo evidence)

Proxmox repo

  • Tracked files with leaks: 32
  • Total occurrences: 63
  • Introducing commits: cb47cce0 (2026-01-06), fbda1b4b (2026-02-12), bea1903a (2026-02-21) — all on master

smom-dbis-138 submodule (pinned at 07d9ce4876)

  • Tracked files with leaks: 3 additional files
    • scripts/set-private-key.sh
    • terraform/phases/phase1/.env.chain138
    • terraform/phases/phase1/.env.mainnet
  • All three contain the Chain 138 deployer private key in plaintext

Phased remediation (tracking checklist)

  • [x] Phase 0 — inventory (scan script + LEAKED_SECRETS_INVENTORY.md produced out-of-repo)
  • [x] Phase 0b — scan smom-dbis-138, phoenix-deploy-api, mission-control
  • [ ] Phase 1a — Phoenix Vault rotation (revoke root, rekey unseal, regenerate AppRoles); update consumers in phoenix-deploy-api, mission-control, and proxmox/scripts/deployment/
  • [ ] Phase 1b — Chain 138 deployer rotation (transfer-then-revoke per contract; in-scope chains: Chain 138, ETH + CCIP, Cronos, Wemix, Polygon, Base, Optimism, BSC, Avalanche, Arbitrum; Celo excluded unless evidence surfaces)
  • [ ] Phase 1c — dbis_core admin Vault token rotation
  • [ ] Phase 2 — git history rewrite in proxmox (git filter-repo), coordinated force-push + Gitea admin branch-protection update
  • [ ] Phase 2b — parallel history rewrite in smom-dbis-138 for the 3 files above
  • [ ] Phase 3 — submodule remotes PR (Gitea vs GitHub drift, git@ vs HTTPS)
  • [ ] Phase 4 — drop tracked local-machine junk + root-doc hygiene
  • [ ] Phase 5 — CI reconciliation (.github/workflows/ vs .gitea/workflows/) with runner-readiness check
  • [ ] Phase 6 — sprawl audit (reports/, output/, scripts/archive/)

Artefacts (operator-only, out-of-repo)

Held by @nsatoshi2007:

  • LEAKED_SECRETS_INVENTORY.md — per-file per-category remediation map
  • secrets.tsv — line-level snippets (contains plaintext; do not paste into this issue)
  • scan-secrets.sh — reproducible scan tool
  • proxmox-cleanup-plan.md — 6-phase plan with approval gates
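As an added illustration of the secret categories listed in the Summary (this is not the operator's scan-secrets.sh, whose rules are not in this issue), a small Python scanner that reports matches by category and line number while redacting the value, so its output can be shared without breaking rule 1. The Vault token, AppRole ID, unseal-key and EVM private-key formats are assumptions about common encodings, and the sample input is constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Categories mirror the Summary of this issue. The formats are assumptions
# about common encodings, not the rules used by the operator's scan-secrets.sh.
PATTERNS = {
    "vault_token": re.compile(r"\bhv[sb]\.[A-Za-z0-9_-]{20,}"),
    "vault_approle_id": re.compile(
        r"(?i)(?:role_id|secret_id)\s*[=:]\s*[\"']?"
        r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"),
    "vault_unseal_key": re.compile(
        r"(?i)unseal[_ ]?key[_a-z0-9]*\s*[=:]\s*[\"']?([A-Za-z0-9+/]{43}=?|[0-9a-f]{66})"),
    "evm_private_key": re.compile(
        r"(?i)private[_-]?key\s*[=:]\s*[\"']?(?:0x)?([0-9a-f]{64})\b"),
}

def redact(value: str) -> str:
    """Keep only a 4-char prefix and the length; never the full value."""
    return f"{value[:4]}...({len(value)} chars)"

def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, redacted_value) for each match."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                hits.append((lineno, category, redact(value)))
    return hits

def summarize(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Occurrence count per category, like the totals in the Summary."""
    return dict(Counter(category for _, category, _ in hits))

# Constructed sample file (placeholder values, nothing real).
SAMPLE = "\n".join([
    "# constructed sample file, not real values",
    "VAULT_ADDR=https://vault.example.internal:8200",
    "VAULT_TOKEN=hvs.EXAMPLEONLYEXAMPLEONLYEXAMPLEONLY",
    'role_id = "11111111-2222-4333-8444-555555555555"',
    "secret_id: 00000000-0000-4000-8000-000000000000",
    "DEPLOYER_PRIVATE_KEY=0x" + "0" * 63 + "1",
    "CHAIN_ID=138",
])

if __name__ == "__main__":
    for lineno, category, shown in scan_text(SAMPLE):
        print(f"line {lineno}: {category}: {shown}")
    print(summarize(scan_text(SAMPLE)))
```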

Rules of engagement

  1. No secret values are committed, quoted, or pasted in comments on this issue.
  2. No history rewrite on proxmox or smom-dbis-138 until Phase 1 (rotation) is verified complete on the live systems.
  3. On-chain ownership-transfer transactions for Phase 1b require per-tx operator approval; no broadcasts are authorized in this automation.
  4. A Gitea admin is the coordinator for Phase 2 force-push window and branch-protection changes.

Reference: d-bis/proxmox#1