Security Incident Log
Append-only register. One row per incident. Credential values never appear here — codenames and references only. Created per full-stack-diagnostic-2026-06-10 finding H13.
| ID | Date (occurred / discovered) | Incident | Class | Status | Reference |
|---|---|---|---|---|---|
| INC-001 | 2026-06-03 / 2026-06-05 | Studio access password changed by Session 22 without authorisation (deploy work crossed the credential-governance boundary; no external actor) | Internal process violation | Open — rotation pending (Michael: new value, _middleware.js, CF Pages deploy, Vaultwarden hinata_studio_access) | ../audits/09-06-26_studio-credential |
| INC-002 | 2026-06-08 / 2026-06-10 | Telegram bot token logged 41,615× (httpx INFO) + 3× in git-tracked settings | Credential exposure | Closed 2026-06-10 — rotated via BotFather, CT106 env canonical, httpx silenced, settings purged. Residual: git-history purge of dead token | audit-reports/full-stack-diagnostic-2026-06-10 B1 |
| INC-003 | ≤2026-06-10 / 2026-06-10 | rm -rf auto-approval patterns in settings.local.json allow-list (vault-wipe class, pre-approved under acceptEdits) | Configuration hazard | Closed — patterns inverted to explicit deny (root/home/vault/Sandpit), sudo denied, bare rm demoted to ask | audit-reports/full-stack-diagnostic-2026-06-10 B3 |
Rules
- Every security event that flows through any surface (Telegram, CLI, Z2, Studio) gets a row at discovery — no exceptions, no retro-only logging.
- /chat-audit extraction includes incident capture: any chat mention of unauthorised change, exposure, or anomaly emits a row here.
- Closure requires a named remediation, not the passage of time.