Clarify public-org audit rule: component names are acceptable, identity material is not #12
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
User story: So that I can review public-source audits consistently, the guidance must distinguish acceptable component names from credentials, identity material, and private addressing that must stay out of public repos.
Part of the "Agent isolation & security boundary" arc.
allod.mdstates the audit rule for migrating a repo to the public org as: "no plaintext secrets, no personal identifiers, and no host-specific private addressing.""No personal identifiers" is ambiguous. A dev-plan review pass derived the stricter form "no real inventory values, IPs, usernames, or identity material may leak into committed source or fixtures" from it and flagged real VM names and usernames in nexus test fixtures (the nostr privacy-VM name/username pairing and the allod-dev agent row) as a finding. Owner ruling: name-level metadata of components slated for public release — VM names, VM usernames, agent account names — is acceptable in public source, fixtures, and history. The rule's intent is to block plaintext secrets, identity and key material, credentials, and host-specific private addressing.
Proposed clarified wording for the audit rule in
allod.md(starting point; final wording is the implementer's call):Decision criterion for future reviews: flag a source or fixture value only when it exposes key material, credentials, or private addressing, or when the named component is not slated for public release.
Refs vnprc/notes#44 (rotation-script-consolidation plan review, pass 4, where the over-strict derivation was applied and overruled).