infra/scripts/workstation
Viktor Barzin 06f5c12476
All checks were successful
ci/woodpecker/push/default Pipeline was successful
ci/woodpecker/push/build-cli Pipeline was successful
workstation: setup-devvm.sh hardens the admin's unlocked tree (o-rx, not world-readable)
Codifies the leak fix found during the emo cutover: /home/wizard/code is git-crypt-DECRYPTED in the admin's working tree, but was mode 0775 (o+rx) — so any devvm user (even outside code-shared) could read decrypted secrets by path (verified: emo read certificate.pfx as plaintext DER). setup-devvm.sh now chmod o-rx the admin tree so a rebuild keeps it. Live fix already applied (now drwxrws---).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 18:08:52 +00:00
skel workstation: machine-wide config inheritance (managed claudeMd + setup-devvm.sh + skel) 2026-06-08 14:07:04 +00:00
.gitignore workstation: machine-wide config inheritance (managed claudeMd + setup-devvm.sh + skel) 2026-06-08 14:07:04 +00:00
managed-settings.json workstation: machine-wide config inheritance (managed claudeMd + setup-devvm.sh + skel) 2026-06-08 14:07:04 +00:00
packages.txt workstation: roster source-of-truth + host package manifest [ci skip] 2026-06-08 13:38:20 +00:00
roster.yaml workstation: roster source-of-truth + host package manifest [ci skip] 2026-06-08 13:38:20 +00:00
roster_engine.py workstation: roster-driven provisioner (SSoT reconcile, additive-only) 2026-06-08 14:18:12 +00:00
setup-devvm.sh workstation: setup-devvm.sh hardens the admin's unlocked tree (o-rx, not world-readable) 2026-06-08 18:08:52 +00:00
test_roster_engine.py workstation: roster-driven provisioner (SSoT reconcile, additive-only) 2026-06-08 14:18:12 +00:00