From e123d0789870f51eff852cdf16fc5e1062fff76d Mon Sep 17 00:00:00 2001
From: core-fe
Date: Thu, 21 May 2026 13:50:18 -0700
Subject: [PATCH] Make AWS secrets janitor fail loud

---
 .gitea/workflows/sweep-aws-secrets.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/sweep-aws-secrets.yml b/.gitea/workflows/sweep-aws-secrets.yml
index df4625df7..5d3801d5a 100644
--- a/.gitea/workflows/sweep-aws-secrets.yml
+++ b/.gitea/workflows/sweep-aws-secrets.yml
@@ -62,9 +62,8 @@ jobs:
   sweep:
     name: Sweep AWS Secrets Manager
     runs-on: ubuntu-latest
-    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true
+    # This is a cost/leak janitor. A scheduled failure must be red so
+    # operators know tenant bootstrap secrets may be leaking.
     # 30 min cap, mirroring the other janitors. AWS DeleteSecret is
     # fast (~0.3s/call) so even a 100+ backlog drains in seconds
     # under the 8-way xargs parallelism, but the cap is set generously
@@ -128,3 +127,9 @@ jobs:
             echo "Running with --execute — will delete identified orphans"
             bash scripts/ops/sweep-aws-secrets.sh --execute
           fi
+
+      - name: Notify on sweep failure
+        if: failure()
+        run: |
+          echo "::error::sweep-aws-secrets FAILED — AWS tenant bootstrap secrets may be leaking. Check missing Gitea secrets, staging/prod CP admin tokens, AWS janitor IAM permissions, or the script safety gate."
+          exit 1
--
2.52.0
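Review bot: The removed comment carried the tracker reference mc#774 that explained why the continue-on-error mask existed and that it was to be root-fixed, and the replacement comment drops it, so a reader of the job header can no longer tell that the mask was removed deliberately rather than lost in a refactor. Suggest keeping the reference in the new comment, e.g. `# mc#774 root-fixed: the continue-on-error mask was removed on purpose; do not reintroduce it.` The `timeout-minutes` line that the "30 min cap" comment refers to is presumably the line after this hunk and is outside the view.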
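Review bot: `if: failure()` on the new step is not satisfied when the job is cancelled, which is the status a `timeout-minutes` expiry produces under GitHub Actions semantics (which act_runner follows), so the 30-minute cap mentioned in the earlier hunk would still turn the run red but without this annotation; `if: failure() || cancelled()` (or `if: ${{ !success() }}`) would cover that case. The trailing `exit 1` is redundant, since a step gated on failure() only runs in a job that is already failed, and could be dropped or given a one-line comment saying why it is kept. Removing the job-level mask only makes the job red if no individual step swallows the script's exit status, so it is worth checking that no step in this job (the steps list starts outside the hunk) carries its own `continue-on-error: true`. The `::error::` annotation is only seen by someone who opens the run, so if "operators know" is meant literally a channel notification would presumably be needed alongside it.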