Skip to content

chore: open-source readiness — PII and credential sanitization #92

Open
Open
chore: open-source readiness — PII and credential sanitization#92
Labels
enhancementNew feature or request
@rdemeritt

Description

@rdemeritt
rdemeritt
opened on May 6, 2026

Summary

Security review blocks public release. Findings: 3 CRITICAL, 6 HIGH, 3 MEDIUM, 6 LOW. All critical and high findings must be remediated before public push.

Spec: See clients/self/projects/hermithost/specs/pm-summary-oss-readiness-2026-05-05.md in harness for full findings and remediation details.

Pre-Work (BEFORE Any Commits or History Rewrite)

⚠️ CRITICAL: This must happen first on the live stack:

  • Rotate HERMITHOST_PASSWORD to a new secure value
  • Rotate COOKIE_SECRET to a new secure value
  • Verify live stack is operational with new credentials
  • Update .env.example with new placeholder structure

Approval Conditions (Release Gate)

Release to public only when all conditions are met:

  • C1 All 6 test files env-var-driven; no literal password in working tree; live password rotated
  • C2 cookies.txt deleted; properly gitignored
  • C3 + History filter-repo email rewrite OR orphan-squash completed; verified with git log --all --pretty='%ae' | sort -u
  • H1, H2, H6 Removed from working tree; templated (H1); gitignore patterns added
  • H3 All scripts use $HOME instead of /Users/rdemeritt
  • H4 CI runs-on label changed to ubuntu-latest or generic runner
  • H5 README has real OSS license text; no operator name; LICENSE file present
  • M1, M2, M3 Generic placeholders or public fixture repo used in all test files
  • LICENSE file Present in repo root, matches README license declaration
  • Final audit git ls-files | xargs grep -E 'rdemeritt|shallowfordroad|938xDTvc|hammer|/Users/rdemeritt' returns zero results

History Remediation Strategy

Recommended: Orphan-Squash (Default Path)

  1. Create clean branch: git checkout --orphan clean-history
  2. Commit current state: git commit -m "Initial commit"
  3. Force push: git push origin clean-history -f
  4. Retarget main; delete old branches
  • Pro: Simple, preserves message structure
  • Con: Loses full historical context

Alternative: filter-repo

If preserving selective history is required:

  • Use git filter-repo --mailmap .mailmap for email rewrite
  • See git-filter-repo docs
  • Pro: Granular control
  • Con: More fragile; requires careful planning

Finding Summary

Severity Count Details
CRITICAL 3 Password hardcoded (C1), cookies untracked (C2), email in commits (C3)
HIGH 6 Domain hardcoded (H1, H2), absolute paths (H3), server hostname in CI (H4), license/name (H5), site config checked in (H6)
MEDIUM 3 Real LAN IP in example (M1), internal refs in tests (M2, M3)
LOW 6 No private keys; clean config templates; intentional ACLs

Next Steps

  1. PM → Confirm this blocks public release timeline
  2. Tech Lead + Security → Execute credential rotation + history strategy
  3. Backend → Implement remediation in feature branch
  4. QA → Verify final audit grep returns zero
  5. Security → Sign off before merge

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions