From 017f846ce25fd57547e8b63b236ef4578677ce95 Mon Sep 17 00:00:00 2001
From: rabbitblood
Date: Sun, 26 Apr 2026 19:37:20 -0700
Subject: [PATCH] security(incident-log): redact full token values from F1088
 incident report
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The INCIDENT_LOG.md F1088 entry documented three production credentials that
leaked via molecule-core PR #1098 (commit d513a0c) and were then INCLUDED IN
PLAINTEXT in the documentation itself — the incident report became a secondary
leak surface.

Status of the three tokens (per the report's own Blast Radius table):
- MiniMax (sk-cp-...KVw): revoked / endpoint inactive
- GitHub PAT (github_pat_...hsIJLIL): revoked, confirmed 401
- Admin token (HlgeMb8...ShARE=): treated as active, rotation pending

Even revoked tokens add noise to security audits and are findable via GitHub
Code Search on the public docs repo. This PR replaces the full values with the
short-suffix convention already in use in the same file's Blast Radius table,
preserving the audit trail without the public-search surface.

Side note: caught by Molecule-AI/molecule-core#2109's secret-scan workflow on
PR #96 (the org-wide rollout that reused this same regex set caught its own
first real find before the rollout PR even merged).

The full values remain in molecule-core git history per F1088's explicit
closure decision (no BFG scrub required); this PR doesn't change that.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 content/docs/incidents/INCIDENT_LOG.md | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/content/docs/incidents/INCIDENT_LOG.md b/content/docs/incidents/INCIDENT_LOG.md
index d32d44e..9ef0cd9 100644
--- a/content/docs/incidents/INCIDENT_LOG.md
+++ b/content/docs/incidents/INCIDENT_LOG.md
@@ -88,7 +88,7 @@ Commit `d513a0ced549ef2be8903a7b4794256110ba1805` on staging (merged to main via |---|------------|-------|--------| | 1 | ANTHROPIC_AUTH_TOKEN | `sk-cp-lHt-QFSyZwZxeo...KVw` | ⚠️ Revoked or inactive (404 on API call) | | 2 | GITHUB_TOKEN | `github_pat_11BPRRWQI0m...hsIJLIL` | ✅ Revoked (confirmed 401) | -| 3 | ADMIN_TOKEN | `HlgeMb8LjQLXg/B4y8hYzhbCQlg5LNu0oEa4IjShARE=` | Needs confirmation — treated as active until proven otherwise | +| 3 | ADMIN_TOKEN | `HlgeMb8...ShARE=` | Needs confirmation — treated as active until proven otherwise | ### Resolution @@ -104,11 +104,13 @@ The commit itself fixed the problem by replacing hardcoded defaults with env-var ### Credentials Exposed -| # | Credential | Value (redacted reference) | Service | -|---|------------|------------------------------|---------| -| 1 | ANTHROPIC_AUTH_TOKEN | `sk-cp-lHt-QFSyZwZxeo_fMbmLUX3VgHOwbKGMXUZb6PS2U15D3fqjDB2qPh1OVEzvfvWs9CgcrUpyU7C682uVT_8GBy9RFLaFzBcdLkKdVcPX4yj9UaXNTH82KVw` | MiniMax API (api.minimax.io/anthropic) | -| 2 | GITHUB_TOKEN | `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` | GitHub (fine-grained PAT, scope unknown) | -| 3 | ADMIN_TOKEN | `HlgeMb8LjQLXg/B4y8hYzhbCQlg5LNu0oEa4IjShARE=` | Platform admin authentication | +> **Token values redacted from this table 2026-04-26** to reduce public-search surface (the docs repo is publicly indexed). Short-suffix references match the convention in the Blast Radius table below (lines 134-137). Full values remain in `molecule-core` git history per the F1088 closure decision (no BFG scrub). + +| # | Credential | Value (short suffix) | Service | +|---|------------|----------------------|---------| +| 1 | ANTHROPIC_AUTH_TOKEN | `sk-cp-...KVw` | MiniMax API (api.minimax.io/anthropic) | +| 2 | GITHUB_TOKEN | `github_pat_...hsIJLIL` | GitHub (fine-grained PAT, scope unknown) | +| 3 | ADMIN_TOKEN | `HlgeMb8...ShARE=` | Platform admin authentication | ### Affected Files 
@@ -153,10 +155,13 @@ The commit itself fixed the problem by replacing hardcoded defaults with env-var **Step 1 — Create credentials manifest (`creds.txt`) [NOT NEEDED]:** ``` -HlgeMb8LjQLXg/B4y8hYzhbCQlg5LNu0oEa4IjShARE= -sk-cp-lHt-QFSyZwZxeo_fMbmLUX3VgHOwbKGMXUZb6PS2U15D3fqjDB2qPh1OVEzvfvWs9CgcrUpyU7C682uVT_8GBy9RFLaFzBcdLkKdVcPX4yj9UaXNTH82KVw -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 + + + ``` +Full token values redacted from this doc 2026-04-26 (see note in the +Credentials Exposed table above). Pull from the Core-Security incident +ticket if a future revival of this BFG procedure is needed. **Step 2 — Clean origin/main:** ```bash
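Review bot: in the `@@ -88` hunk, row 3 is trimmed to `HlgeMb8...ShARE=`, but rows 1 and 2 of the same table still carry a longer prefix (`sk-cp-lHt-QFSyZwZxeo...KVw`, `github_pat_11BPRRWQI0m...hsIJLIL`) than the `sk-cp-...KVw` / `github_pat_...hsIJLIL` form this commit introduces in the Credentials Exposed table, so the two tables do not share one convention as the commit message claims; trim rows 1 and 2 here to the same short form so a reader can match rows across the tables by suffix alone. Separately, the row 1 status "Revoked or inactive (404 on API call)" is weaker evidence than row 2's "Revoked (confirmed 401)": a 404 says the path or endpoint was not found, not that the key was rejected, so the MiniMax key's revocation is not confirmed the way the GitHub PAT's is. Record the request that produced a 401/403, or mark row 1 as unconfirmed alongside row 3.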
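Review bot: in the `@@ -104` hunk, the new note points readers at "the Blast Radius table below (lines 134-137)", but a line range in a markdown file drifts: this very hunk grows the file by two lines (`-104,11 +104,13`), so the cited range is off as soon as the commit lands, and the three-row status table that the commit message calls the Blast Radius table sits at line 88, above this note rather than below it. Refer to the table by its heading instead of line numbers. Also, the note says the full values remain in `molecule-core` git history, but they remain in this docs repo's history as well (the pre-image of this file, blob `d32d44e`, is still reachable), so the redaction removes them from the default branch that GitHub Code Search indexes while `git log -p` on the docs repo still returns them. State that in the note so the F1088 closure decision is recorded as covering both repositories, or scrub here too.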
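Review bot: in the `@@ -153` hunk, the three removed token lines are replaced by three empty lines inside the `creds.txt` fence, which leaves a block a reader could copy as an empty manifest for Step 2; replace the blanks with a single placeholder line such as `<redacted 2026-04-26; see Core-Security incident ticket>` or drop the fence and keep only the prose note. The heading still reads `[NOT NEEDED]`, consistent with the no-scrub decision, but the added prose anticipates "a future revival of this BFG procedure", and after this change the block no longer shows how the manifest was laid out (one credential per line, as the removed lines were). A one-line comment describing that layout would keep the procedure reproducible without the values.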