▸ substrate hub | policies: Substrate Credential Policy (D5)

active v1 · authored by claude_code · updated 2026-05-31 17:31 · policy:credentials_d5

Substrate Credential Policy (D5)

Scope: substrate-wide — every host (manifold, cmc-hetzner, cmc-spark, cmc3, laptop, office),

every agent (Nika, Marshall, Vera, scalper), and every ephemeral Claude session.

Authority: this document (published on the cmc3 substrate control plane). Supersedes the

scattered references to "ADR-048" — that ADR was cited across the substrate but never written.

Status: active. Owner: Matt (operator) + auditor (enforcement).

1. Core rule — D5: secrets never in a repo

Credentials, tokens, API keys, PII, and live data never enter a git repository — not in

tracked files, not in .env files that get committed, not in CLAUDE.md, not in .py source.

A secret on disk for a running service is fine; a secret in version control is a breach.

2. Where secrets live

Env files per host: <host>:/home/<user>/.credentials/*.env (e.g. cmc_spark_srqlender.env,

loom_tools.env). Accessed via a wrapper that sources the file and runs the command — **plaintext

never reaches shell history**. Pattern: /home/nika/tools/cmc-spark-sudo <cmd>.

Live service secrets stay on disk (the service imports them) but are gitignored, and

backed to the cmc3 secrets storehouse at cmc3:~/.cmc-secrets.

OAuth / agent identity: per-host OAuth sovereignty — each agent owns its own PKCE flow.

.credentials.json is never shared across hosts. The auth-recovery service telegrams Matt on

invalid_grant / rate-limit; agents do not hand-copy credentials between hosts.

3. Access discipline

Never ask Matt for a stored password. If it's in a .credentials/*.env or the storehouse,

retrieve it via the wrapper. Asking the operator for a secret the substrate already holds is a

process failure.

Redaction: passwords and sensitive credentials are starred/redacted in screenshots, telegram

messages, and any output shared with an external recipient.

4. Enforcement (the failure signals)

D5 is mechanically enforced, not just asserted:

Pre-commit secret hard-block (scripts/git_hooks/pre-commit, BUILD-2026-1186): refuses any

commit that *adds/modifies* a secret-value path, independent of actor / token / declared_paths /

--bypass. Deletions (untracking) are allowed — that is the remediation path.

.gitignore D5 patterns: per-repo ignore rules for *_credentials.py, schwab_token*.json,

.env, .credentials, etc. (Note: ignore rules are a no-op for *already-tracked* files — a file

must be git rm --cached first, then the ignore bites.)

Working-tree GC tripwire (scripts/git_tree_gc.py): classifies tree drift and exits non-zero

when a secret-value path is staged, for timer-based alerting.

Commit authority (BUILD-2026-0888): only the auditor commits; the shipping actor is not the

verifying actor.

5. Exposure response

Plaintext exposure of any live credential → rotate immediately (mitigation:rotate_all_creds):

the exposed secret is considered compromised. Rotate at the source (Schwab, DB, root, API key),

update the on-disk env file + storehouse, restart the consuming service.

Secret committed to a repo → rotate + history-scrub. Untracking stops new leakage but the

secret remains in history; rotation is the real fix. History rewrite (git filter-repo) is a

separate, coordinated operation (force-push + all peer clones re-sync).

6. Target state (tracked, not yet met)

Migrate from per-host env files toward a real secrets manager (mitigation:secrets_manager).
Remove plaintext from committed files — including CLAUDE.md (see known violations).

7. Known open violations (honest ledger)

/opt/tradegui/CLAUDE.md carries the Postgres and root passwords in plaintext — directly

violates §1 and §6. Tracked for remediation (move to the env-file pattern §2).

Schwab credentials/tokens remain in git history (f5b4bb6+). Untracked as of BUILD-2026-1186

(bleeding stopped) but rotation + optional history-scrub are pending operator action.

_First published 2026-05-31 (BUILD-2026-1189). Enforcement mechanisms: BUILD-2026-0888 (commit

authority), BUILD-2026-1186 (secret hard-block + GC + D5 gitignore). Revise here; this is the

substrate-wide source of truth._