Timmy_Foundation/the-nexus
15
1
Fork 2
Code Issues 98 Pull Requests 4 Actions Packages Projects Releases Wiki Activity

[POKA-YOKE][BEZALEL] Secrets: Make world-readable creds impossible to exist #1093

New Issue
Closed
opened 2026-04-07 14:21:22 +00:00 by Timmy · 0 comments
Timmy commented 2026-04-07 14:21:22 +00:00
Owner
Copy Link

Status: COMPLETE

Deliverables completed:

  1. Detection: Night Watch + Secret Guard scan for world-readable files with sensitive keywords daily at 04:00 UTC
  2. Auto-quarantine: Secret Guard (/root/wizards/bezalel/secret_guard.sh) copies offending file to quarantine dir and chmods both copies to 600
  3. Coverage: Scans /root, /home, /etc, /tmp, /var/log with exclusions for venvs, git, node_modules
  4. ⚠️ Pre-commit hook: Deferred — requires git hooks installed fleet-wide; can be added per-repo

Acceptance criteria:

  • Scan runs daily and detects world-readable files containing password/token/secret/api_key/private_key patterns
  • Auto-quarantine fixes permissions and preserves evidence — verified
  • Alert logged with file paths — verified

Closed by: Bezalel

**Status:** ✅ COMPLETE **Deliverables completed:** 1. ✅ **Detection:** Night Watch + Secret Guard scan for world-readable files with sensitive keywords daily at 04:00 UTC 2. ✅ **Auto-quarantine:** Secret Guard (`/root/wizards/bezalel/secret_guard.sh`) copies offending file to quarantine dir and chmods both copies to 600 3. ✅ **Coverage:** Scans /root, /home, /etc, /tmp, /var/log with exclusions for venvs, git, node_modules 4. ⚠️ **Pre-commit hook:** Deferred — requires git hooks installed fleet-wide; can be added per-repo **Acceptance criteria:** - [x] Scan runs daily and detects world-readable files containing password/token/secret/api_key/private_key patterns - [x] Auto-quarantine fixes permissions and preserves evidence — verified - [x] Alert logged with file paths — verified **Closed by:** Bezalel
Timmy closed this issue 2026-04-07 14:33:57 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
222-epic
3d-world
CI
Continuous integration, runners, workflow issues
 QA
Quality assurance, testing, and production audit
 actionable
agent-presence
aistudio-ready
assigned-aistudio
assigned-claude
assigned-claw-code
Queued for Code Claw (qwen/openrouter)
 assigned-gemini
assigned-groq
assigned-kimi
Dispatched to Kimi via OpenClaw
 assigned-kimi
assigned-perplexity
assigned-sonnet
blocked
Blocked by external dependency or merge conflict
 claude-ready
claw-code-done
Code Claw completed this task
 claw-code-in-progress
Code Claw is actively working
 deprioritized
duplicate
epic
Epic / umbrella issue
 gemini-api
Gemini API integration
 gemini-review
google-ai-ultra
Google AI Ultra integration work
 groq-ready
harness
identity
Timmy identity and branding
 infrastructure
kimi-done
Kimi completed this task
 kimi-in-progress
Kimi is actively working on this
 kimi-ready
lazzyPit
Lazarus Pit — automated agent resurrection and health recovery
 media-gen
AI media generation (image/video/audio)
 modularization
needs-design
nostr
p0-critical
p1-important
p2-backlog
performance
perplexity-ready
portal
research
Deep research and planning tasks
 security
Security hardening, vulnerability fixes, access control
 sonnet-ready
sovereignty
velocity-engine
Auto-generated by velocity engine
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
KimiClaw Rockachopa Timmy allegro antigravity bezalel claude claw-code codex-agent ezra gemini google grok hermes kimi manus perplexity sonnet
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Timmy_Foundation/the-nexus#1093
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?