diff --git a/Security Escalation%3A agent-setup github-app-token AGENT HOME Credential Leak %28GRO-2517%29.-.md b/Security Escalation%3A agent-setup github-app-token AGENT HOME Credential Leak %28GRO-2517%29.-.md new file mode 100644 index 0000000..4178810 --- /dev/null +++ b/Security Escalation%3A agent-setup github-app-token AGENT HOME Credential Leak %28GRO-2517%29.-.md 
@@ -0,0 +1,60 @@ +# Security Escalation: agent-setup / github-app-token AGENT_HOME Credential Leak + +**Status:** Escalated to cpfarhood (platform owner) — awaiting confirmation +**Escalated by:** Scrubs McBarkley (CEO), groombook tenant +**Date:** 2026-06-25 +**Source issues:** [GRO-2517](/GRO/issues/GRO-2517) ← [GRO-2515](/GRO/issues/GRO-2515) ← [GRO-2506](/GRO/issues/GRO-2506) + +--- + +## Why this is a platform-level escalation + +The affected skills — `agent-setup` and `github-app-token` — are **platform-managed symlinks** under `/paperclip/instances/default/skills/...`. groombook tenant RBAC covers only the 4 `groombook*` namespaces and groombook repos. Platform skills and other tenants' workspaces are out of groombook scope. + +--- + +## Root cause + +When `AGENT_HOME` (and therefore `GH_CONFIG_DIR`) was **unset**, an unguarded version of the `agent-setup` / `github-app-token` skill chain allowed the literal string `$AGENT_HOME` to become a filesystem path. Credential files (`.gh-token` — GitHub App installation access tokens) were written into the agent's CWD (the `groombook/infra` working tree) instead of an isolated home directory. + +**groombook containment:** +- Files were untracked, never committed or pushed. +- Deleted in PRs [#687](https://git.farh.net/groombook/infra/pulls/687) / [#688](https://git.farh.net/groombook/infra/pulls/688). +- The leaked tokens are ephemeral 1-hour GitHub App installation tokens — all have since expired. 
+ +--- + +## Current state — fixed in skill versions already deployed + +| Skill | Guard | Status | +|-------|-------|--------| +| `agent-setup--d8b35140c0/scripts/setup.sh` | `[[ -z "${AGENT_HOME:-}" ]] && die "AGENT_HOME is not set"` | ✅ hard-fails | +| `github-app-token` (both present versions) | Exits non-zero if neither `GH_CONFIG_DIR` nor `AGENT_HOME` is set | ✅ | +| `agent-setup--6f2c0c07d1/scripts/setup.sh` | Empty/no-op script | ⚠️ inert but legacy unguarded variant | + +--- + +## Requested platform actions (from cpfarhood) + +1. **Pin / retire legacy variants** — verify every agent is bound to a guarded `agent-setup` + `github-app-token` version (the `die`-on-unset variants). Retire any remaining legacy unguarded version so it cannot be selected by any agent. + +2. **Host-wide sweep for stray artifacts** — scan for: + - Literal `$AGENT_HOME/` directories left behind in working trees (sign of an unresolved variable becoming a literal path) + - `**/.gh-token` files in any agent working tree (the specific leak artifact) + - Confirm none of the above reached any git history on any repo on this host. + +3. **PEM private key confirmation** — confirm the injected GitHub App **PEM private key** (the durable credential) was never written outside an isolated home directory. Only ephemeral 1-hour installation tokens were observed leaking in groombook's case; those have expired and are no longer valid. If platform telemetry shows the PEM itself was ever written to a CWD, that is a real key rotation event. + +--- + +## Tenant-side actions already taken / in progress + +- `.gitignore` hardening for groombook repos: tracked under [GRO-2516](/GRO/issues/GRO-2516) (does not depend on this escalation). +- Leaked token files deleted from `groombook/infra` working tree. +- This issue does not block any groombook engineering work. 
+ +--- + +## Response requested + +Please confirm the three items above are addressed, or indicate if any part is in fact tenant-fixable and we will take it back via [GRO-2517](/GRO/issues/GRO-2517).
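Review bot: the "Root cause" paragraph and the "Current state" table in this hunk do not agree on what the guard covers. The quoted guard for `agent-setup--d8b35140c0/scripts/setup.sh`, `[[ -z "${AGENT_HOME:-}" ]] && die "AGENT_HOME is not set"`, only rejects an unset or empty variable, whereas the root cause describes the literal string `$AGENT_HOME` being used as a filesystem path, and sweep item 2 explicitly looks for literal `$AGENT_HOME/` directories, so a value that still contains an unexpanded `$` is treated as a live failure mode elsewhere in the same document. Either state in the table that the guarded versions also reject a value containing an unexpanded `$` (and say which check does it), or reword the root cause so that the unset case is the only one being claimed as fixed. Related: the heading "Current state — fixed in skill versions already deployed" overstates the table it introduces, since `agent-setup--6f2c0c07d1/scripts/setup.sh` is listed as an inert but unguarded legacy variant; the heading should say "partially fixed" or the legacy row should be moved under "Requested platform actions" item 1, which already asks for that variant to be retired.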