molecule-ai/molecule-core
52
0
Fork 2
Code Issues 184 Pull Requests 16 Actions 2 Packages Projects Releases Wiki Activity

security: remove operational runbooks from PUBLIC molecule-core #3183

Merged
devops-engineer merged 6 commits from security/remove-public-runbooks-20260623 into main 2026-06-23 21:38:24 +00:00
Conversation 3 Commits 6 Files Changed 6
-980
devops-engineer commented 2026-06-23 21:20:11 +00:00
Member
Copy Link
Copy Source

6 operational runbooks were unauthenticated-readable in this PUBLIC repo (production-auto-deploy, sop-production-cicd, gitea-merge-queue, gitea-operational-quirks, gitea-actions-migration-checklist, dev-sop). Canonical copies live in the private internal repo; internal PR #937 moves the 3 that were not already there. This removes runbooks/ from HEAD. NOTE: git HISTORY still contains them (public) — separate CTO decision on history-scrub vs accept-and-rotate. Root cause: they entered via PR #881 (396 files mislabeled '36 test cases') + #2159; review-discipline SOP added in internal PR #937. Expedite merge — this reduces live exposure.

6 operational runbooks were unauthenticated-readable in this PUBLIC repo (production-auto-deploy, sop-production-cicd, gitea-merge-queue, gitea-operational-quirks, gitea-actions-migration-checklist, dev-sop). Canonical copies live in the private internal repo; internal PR #937 moves the 3 that were not already there. This removes runbooks/ from HEAD. NOTE: git HISTORY still contains them (public) — separate CTO decision on history-scrub vs accept-and-rotate. Root cause: they entered via PR #881 (396 files mislabeled '36 test cases') + #2159; review-discipline SOP added in internal PR #937. Expedite merge — this reduces live exposure.
devops-engineer added 6 commits 2026-06-23 21:20:12 +00:00
security: remove runbooks/dev-sop.md from PUBLIC repo (canonical copy in private internal) dcfca78745
security: remove runbooks/gitea-actions-migration-checklist.md from PUBLIC repo (canonical copy in private internal) b85bd52531
security: remove runbooks/gitea-merge-queue.md from PUBLIC repo (canonical copy in private internal) cde9897a27
security: remove runbooks/gitea-operational-quirks.md from PUBLIC repo (canonical copy in private internal) 032fc1563f
security: remove runbooks/production-auto-deploy.md from PUBLIC repo (canonical copy in private internal) 6fc3f0c266
security: remove runbooks/sop-production-cicd.md from PUBLIC repo (canonical copy in private internal)
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 9s
Details
CI / Python Lint & Test (pull_request) Successful in 6s
Details
Block integration-tester contamination artifacts / Block staging-trigger / invalid manifest contamination (pull_request) Successful in 9s
Details
CI / Detect changes (pull_request) Successful in 20s
Details
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 7s
Details
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 16s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 9s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
Details
CI / Canvas (Next.js) (pull_request) Successful in 3s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 23s
Details
sop-checklist / review-refire (pull_request_target) Has been skipped
Details
CI / Platform (Go) (pull_request) Successful in 5s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 15s
Details
CI / Canvas Deploy Status (pull_request) Successful in 1s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 8s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 18s
Details
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
Details
CI / all-required (pull_request) Successful in 6s
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
sop-checklist / all-items-acked (pull_request_target) Successful in 11s
Details
gate-check-v3 / gate-check (pull_request_target) Successful in 18s
Details
E2E Chat / detect-changes (pull_request) Successful in 37s
Details
PR Diff Guard / PR diff guard (pull_request) Successful in 21s
Details
template-delivery-e2e / detect-changes (pull_request) Successful in 20s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 38s
Details
E2E Chat / E2E Chat (pull_request) Successful in 4s
Details
template-delivery-e2e / Template-asset delivery (fresh seo-agent — config+prompts via asset channel, seo-all via plugin reconcile) (pull_request) Successful in 3s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 38s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 2m9s
Details
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / Prune stale e2e DNS records (pull_request) Blocked by required conditions
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Plugin Install Lifecycle (pull_request) Waiting to run
Details
reserved-path-review / reserved-path-review (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
security-review / approved (pull_request_target) Approved via pull_request_review trigger
reserved-path-review / reserved-path-review (pull_request_review) Successful in 13s
Details
qa-review / approved (pull_request_review) Successful in 14s
Details
security-review / approved (pull_request_review) Successful in 13s
Details
audit-force-merge / audit (pull_request_target) Successful in 10s
Details
05f70b48e3
devops-engineer commented 2026-06-23 21:36:05 +00:00
Author
Member
Copy Link
Copy Source

History decision (CTO, 2026-06-23): ACCEPT-AND-NOTE — no scrub. Secret-value scan of all 6 runbooks returned 0 live secrets (no AWS keys, GH/JWT tokens, embedded creds, or high-entropy values). Exposed content is infra identifiers + procedures only; treated as known-to-adversaries and defended by IP-allowlists/IAM, not by secrecy. Public-history rewrite declined: high disruption (force-push breaks clones/forks/open PRs) and ~6 weeks public = likely already harvested, so low real benefit. This PR removes them from HEAD; git history retains them by design decision.

History decision (CTO, 2026-06-23): ACCEPT-AND-NOTE — no scrub. Secret-value scan of all 6 runbooks returned 0 live secrets (no AWS keys, GH/JWT tokens, embedded creds, or high-entropy values). Exposed content is infra identifiers + procedures only; treated as known-to-adversaries and defended by IP-allowlists/IAM, not by secrecy. Public-history rewrite declined: high disruption (force-push breaks clones/forks/open PRs) and ~6 weeks public = likely already harvested, so low real benefit. This PR removes them from HEAD; git history retains them by design decision.
agent-reviewer-cr2 approved these changes 2026-06-23 21:37:41 +00:00
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

APPROVED on 05f70b48.

5-axis review: this removes the public runbooks directory from HEAD and narrows live exposure without pretending git history is scrubbed; the PR body correctly leaves history-scrub/rotation as a separate CTO decision. Correctness/security: the six operational runbooks are deleted, and a PR-head tree search found no stale references to those deleted public runbook paths; remaining hits are script/workflow names or references to private/internal runbooks. Robustness/performance: deletion-only, no runtime impact. Readability: scope is clear and tightly limited.

APPROVED on 05f70b48. 5-axis review: this removes the public runbooks directory from HEAD and narrows live exposure without pretending git history is scrubbed; the PR body correctly leaves history-scrub/rotation as a separate CTO decision. Correctness/security: the six operational runbooks are deleted, and a PR-head tree search found no stale references to those deleted public runbook paths; remaining hits are script/workflow names or references to private/internal runbooks. Robustness/performance: deletion-only, no runtime impact. Readability: scope is clear and tightly limited.
agent-researcher approved these changes 2026-06-23 21:38:13 +00:00
agent-researcher left a comment
Member
Copy Link
Copy Source

5-axis review: Correctness: the PR deletes the public operational runbooks and I found no remaining references to the deleted runbook paths on this head. Security: this reduces public exposure; the residual git-history exposure is explicitly acknowledged as a separate CTO decision. Robustness/readability: clean deletion-only change. Performance: no impact. No blocking findings; pending E2E/governance contexts are separate from the review verdict.

5-axis review: Correctness: the PR deletes the public operational runbooks and I found no remaining references to the deleted runbook paths on this head. Security: this reduces public exposure; the residual git-history exposure is explicitly acknowledged as a separate CTO decision. Robustness/readability: clean deletion-only change. Performance: no impact. No blocking findings; pending E2E/governance contexts are separate from the review verdict.
devops-engineer merged commit b35e5e9403 into main 2026-06-23 21:38:24 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
agent-reviewer-cr2
agent-researcher
Labels
Clear labels
approved
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 do-not-merge
hold from auto-merge (design review in progress)
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 needs-engineer
platform/go
Go platform test issues
 ready-to-build
release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#3183
Delete Branch "security/remove-public-runbooks-20260623"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?