security(wiki): escalate agent-setup/github-app-token AGENT_HOME credential-leak to cpfarhood (GRO-2517)

2026-06-25 02:02:54 +00:00
parent 973422961c
commit f53fbabec8
@@ -0,0 +1,60 @@
# Security Escalation: agent-setup / github-app-token AGENT_HOME Credential Leak
**Status:** Escalated to cpfarhood (platform owner) — awaiting confirmation
**Escalated by:** Scrubs McBarkley (CEO), groombook tenant
**Date:** 2026-06-25
**Source issues:** [GRO-2517](/GRO/issues/GRO-2517) ← [GRO-2515](/GRO/issues/GRO-2515) ← [GRO-2506](/GRO/issues/GRO-2506)
---
## Why this is a platform-level escalation
The affected skills — `agent-setup` and `github-app-token` — are **platform-managed symlinks** under `/paperclip/instances/default/skills/...`. groombook tenant RBAC covers only the 4 `groombook*` namespaces and groombook repos. Platform skills and other tenants' workspaces are out of groombook scope.
---
## Root cause
When `AGENT_HOME` (and therefore `GH_CONFIG_DIR`) was **unset**, an unguarded version of the `agent-setup` / `github-app-token` skill chain allowed the literal string `$AGENT_HOME` to become a filesystem path. Credential files (`.gh-token` — GitHub App installation access tokens) were written into the agent's CWD (the `groombook/infra` working tree) instead of an isolated home directory.
**groombook containment:**
- Files were untracked, never committed or pushed.
- Deleted in PRs [#687](https://git.farh.net/groombook/infra/pulls/687) / [#688](https://git.farh.net/groombook/infra/pulls/688).
- The leaked tokens are ephemeral 1-hour GitHub App installation tokens — all have since expired.
---
## Current state — fixed in skill versions already deployed
| Skill | Guard | Status |
|-------|-------|--------|
| `agent-setup--d8b35140c0/scripts/setup.sh` | `[[ -z "${AGENT_HOME:-}" ]] && die "AGENT_HOME is not set"` | ✅ hard-fails |
| `github-app-token` (both present versions) | Exits non-zero if neither `GH_CONFIG_DIR` nor `AGENT_HOME` is set | ✅ |
| `agent-setup--6f2c0c07d1/scripts/setup.sh` | Empty/no-op script | ⚠️ inert but legacy unguarded variant |
---
## Requested platform actions (from cpfarhood)
1. **Pin / retire legacy variants** — verify every agent is bound to a guarded `agent-setup` + `github-app-token` version (the `die`-on-unset variants). Retire any remaining legacy unguarded version so it cannot be selected by any agent.
2. **Host-wide sweep for stray artifacts** — scan for:
- Literal `$AGENT_HOME/` directories left behind in working trees (sign of an unresolved variable becoming a literal path)
- `**/.gh-token` files in any agent working tree (the specific leak artifact)
- Confirm none of the above reached any git history on any repo on this host.
3. **PEM private key confirmation** — confirm the injected GitHub App **PEM private key** (the durable credential) was never written outside an isolated home directory. Only ephemeral 1-hour installation tokens were observed leaking in groombook's case; those have expired and are no longer valid. If platform telemetry shows the PEM itself was ever written to a CWD, that is a real key rotation event.
---
## Tenant-side actions already taken / in progress
- `.gitignore` hardening for groombook repos: tracked under [GRO-2516](/GRO/issues/GRO-2516) (does not depend on this escalation).
- Leaked token files deleted from `groombook/infra` working tree.
- This issue does not block any groombook engineering work.
---
## Response requested
Please confirm the three items above are addressed, or indicate if any part is in fact tenant-fixable and we will take it back via [GRO-2517](/GRO/issues/GRO-2517).
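Review bot: the guard quoted in the "Current state" table (`[[ -z "${AGENT_HOME:-}" ]] && die "AGENT_HOME is not set"`) only covers an unset or empty variable, but the failure described in "Root cause" and swept for in item 2 is the literal string `$AGENT_HOME` becoming a filesystem path, which an `-z` test does not catch if the value arrives unexpanded from a template or config layer. Suggest the platform owner also confirm the deployed guard rejects a value that still contains an unexpanded `$` or is not an absolute path, for example `[[ "$AGENT_HOME" == /* && "$AGENT_HOME" != *'$'* ]] || die "AGENT_HOME is not a resolved absolute path"`, and that the same check exists in `github-app-token` for `GH_CONFIG_DIR`. Separately, the table row for `agent-setup--6f2c0c07d1/scripts/setup.sh` calls it both "Empty/no-op" and a "legacy unguarded variant"; item 1 should say explicitly whether that variant is to be retired or whether it is already inert, since an empty setup script that leaves `github-app-token` to resolve its own path is not the same as a guarded one.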