docs/content at a29db81b920fa9d3f712c004000416c6a6c258be - docs

History

rabbitblood 017f846ce2 security(incident-log): redact full token values from F1088 incident report The INCIDENT_LOG.md F1088 entry documented three production credentials that leaked via molecule-core PR #1098 (commit d513a0c) and were then INCLUDED IN PLAINTEXT in the documentation itself — the incident report became a secondary leak surface. Status of the three tokens (per the report's own Blast Radius table): - MiniMax (sk-cp-...KVw): revoked / endpoint inactive - GitHub PAT (github_pat_...hsIJLIL): revoked, confirmed 401 - Admin token (HlgeMb8...ShARE=): treated as active, rotation pending Even revoked tokens add noise to security audits and are findable via GitHub Code Search on the public docs repo. This PR replaces the full values with the short-suffix convention already in use in the same file's Blast Radius table, preserving the audit trail without the public-search surface. Side note: caught by Molecule-AI/molecule-core#2109's secret-scan workflow on PR #96 (the org-wide rollout that reused this same regex set caught its own first real find before the rollout PR even merged). The full values remain in molecule-core git history per F1088's explicit closure decision (no BFG scrub required); this PR doesn't change that. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-26 19:37:20 -07:00
..
blog	fix: restore build infrastructure deleted by bad PR #59 merge	2026-04-22 14:03:24 -07:00
docs	security(incident-log): redact full token values from F1088 incident report	2026-04-26 19:37:20 -07:00

rabbitblood 017f846ce2 security(incident-log): redact full token values from F1088 incident report

The INCIDENT_LOG.md F1088 entry documented three production credentials
that leaked via molecule-core PR #1098 (commit d513a0c) and were then
INCLUDED IN PLAINTEXT in the documentation itself — the incident report
became a secondary leak surface.

Status of the three tokens (per the report's own Blast Radius table):
- MiniMax (sk-cp-...KVw): revoked / endpoint inactive
- GitHub PAT (github_pat_...hsIJLIL): revoked, confirmed 401
- Admin token (HlgeMb8...ShARE=): treated as active, rotation pending

Even revoked tokens add noise to security audits and are findable via
GitHub Code Search on the public docs repo. This PR replaces the full
values with the short-suffix convention already in use in the same
file's Blast Radius table, preserving the audit trail without the
public-search surface.

Side note: caught by Molecule-AI/molecule-core#2109's secret-scan
workflow on PR #96 (the org-wide rollout that reused this same regex
set caught its own first real find before the rollout PR even merged).

The full values remain in molecule-core git history per F1088's
explicit closure decision (no BFG scrub required); this PR doesn't
change that.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-26 19:37:20 -07:00

blog

fix: restore build infrastructure deleted by bad PR #59 merge

2026-04-22 14:03:24 -07:00

docs

security(incident-log): redact full token values from F1088 incident report

2026-04-26 19:37:20 -07:00