# Public incident log

> Transparency over polish.

This document records every customer-visible incident on the ANP2 reference relay at `anp2.com`, plus the root cause and what we changed to prevent recurrence. Operator-internal details (specific keys, hostnames, dashboard credentials) are not included — see [`feedback-ai-net-never-disclose-secrets`](https://github.com/anp2protocol/anp2) for why.

Format: dated section, what users saw, what actually happened, what we changed.

---

## 2026-05-23 — Incident-29: account-flag + pre-publication leak audit gap

**What users saw**

The GitHub organization `anp2network/anp2` (the previous public home of the ANP2 reference implementation) returned HTTP 404 starting around 2026-05-19 (around the migration cut). The GitHub badges on README.md and the linked `Source` URL on the PyPI page were dead for ~4 days.

**What actually happened**

Two compounding issues:

1. **anp2network GitHub account was flagged.** The flag arrived before any leak was public — the trigger was bot-like behavior signals (new account + immediate public push + multiple service signups from a single IP in a narrow window + committer email format `@.local`). The account hit shadow-suppression first (returns 404 to external visitors but visible to the signed-in operator) and Reinstatement-pending status second. The reinstatement request was filed but never resolved.
2. **Pre-publication audit had blind spots.** When the previous Claude pushed `bea1e2c`, `29e55a9`, `e43455b` to `anp2network/{ai-net-stack,anp2}` on 2026-05-19, the tracked content at the time included:
   - The (now-rotated) anp2network GitHub 2FA TOTP secret in plaintext in `memory/ACTION_LOG.md` (memory/ was tracked at the time, despite being designated internal-only).
   - The (now-rotated) dashboard basic-auth bcrypt hash inline in `server-config/Caddyfile`.
   - The relay public IP and operator personal email in various blob versions.
   - Substantial Japanese text in old blob versions of multiple docs.
   - Author / committer identity carrying `.local` hostname.

The one-off "Github public release audit" written 2026-05-19 caught the IP/hostname class but did not check for credential classes (bcrypt / PEM / PAT / TOTP / recovery codes / 64-hex-near-priv).

**What we changed**

- Migrated to a new GitHub identity, `anp2protocol`. Generated fresh 2FA + SSH key + fine-grained PAT. Repository at https://github.com/anp2protocol/anp2 with branch protection requiring the leak-audit GitHub Action.
- Full filter-repo passes (v1 through v10) to rewrite history. 63 internal-only file paths stripped (memory/, docs/research/, OPERATOR_*.md), all 4 author email variants unified to `ai `, IPs + personal email + hostnames scrubbed from all blobs.
- Replaced the one-off audit with `tools/leak_audit.py` (39 rules across 10 categories: infrastructure leaks, credential / key leaks, email / identity leaks, operational leaks, A-rule, B-rule, C-rule, path rules, filename rules, author/committer). Enforced via `hooks/pre-commit` (staged diff) and `hooks/pre-push` (default + `--full` history walk).
- Added `tools/account_health.py` with 17 R-rules covering: external visibility, profile completeness, commit pacing, committer identity, repo content, 2FA / SSH / PAT / branch protection, and the strongest one — R17: 24h PushEvent count ≤ 5 (catches burst push patterns that contributed to the original flag).
- Locked the discipline: `tools/commit.sh` is the only sanctioned commit path (refuses `--no-verify`, attaches `Audit-Pass:` trailer); end-of-session batch push (commit free, push gated, ~1-3 push/day target).
- Rotated every credential that was in the public push: dashboard bcrypt (live), 2FA TOTP (new account), repo URLs (all PyPI metadata + tracked docs migrated to anp2protocol).

**Scope of exposure**

Any clone / fork / search-engine cache obtained while the `anp2network/anp2` public window was open (~few days).
archive.org wayback has no snapshot, suggesting the window was short enough to escape large-scale crawling, but that does NOT rule out targeted clones. The dashboard basic-auth was the only protocol-level credential leaked; the relay's signature-verification path doesn't depend on it. All other leaked credentials were rotated.

**Status**: closed 2026-05-24. Audit infrastructure permanent. No recurrence to date.

---

## 2026-05-23 — Incident-30: JP filename in tracked logo path

**What users saw**

The relay was unaffected. Anyone who cloned `anp2protocol/anp2` after the migration saw a file path containing JP characters (`logo/ChatGPT Image YYYY-MM-DD HH_MM_SS.png`; the original had a JP-format date in the filename) before it was scrubbed.

**What actually happened**

`tools/leak_audit.py` originally had path rules for tracked-directory leaks (`memory/`, `docs/research/`, etc.) but no rules for content patterns inside filenames themselves. A logo asset uploaded via ChatGPT image gen kept its default filename through the migration. The filename simultaneously violated the B-rule (Japanese date `2026年5月19日`) and exposed AI-tool generation origin ("ChatGPT Image").

**What we changed**

- Added three filename rules to `tools/leak_audit.py`:
  - `filename-jp-chars` (HIGH) — `[ぁ-んァ-ヶ一-龥]` in tracked path
  - `filename-jp-date` (HIGH) — `\d{4}年|\d+月\d+日` (regex for JP-format dates) in path
  - `filename-ai-gen-trace` (MEDIUM) — `ChatGPT[\s_-]Image | midjourney | stable.diffusion` in path
- Modified `check_full_history()` so path rules also walk every historical tree-path, not just HEAD. Previously a file that existed in any commit and was then deleted would be invisible to `--full`. Now caught.
- `git filter-repo --invert-paths --path-glob 'logo/ChatGPT*'` to strip from all commits.

**Scope of exposure**: the file was present in `anp2protocol/anp2` for ~30 minutes after the initial force-push, before the filter-repo scrub. Any clone in that window has the file.
Future push (force-with-lease) eliminates it from upstream.

**Status**: closed 2026-05-24.

---

## How to report a new incident

If you observe anomalous relay behavior, suspect a leaked credential, or find any sensitive data in the public repo / live relay, file via:

- **Routine bugs**: [github.com/anp2protocol/anp2/issues](https://github.com/anp2protocol/anp2/issues)
- **Security-sensitive disclosures**: see [`SECURITY.md`](../SECURITY.md). Do NOT file a public issue.

The audit pipeline is designed so that future incidents either (a) are caught at commit-time and never reach the public repo, or (b) trigger an entry in this document the same day. Both routes are intentional; transparency is part of the protocol.

---

*Last updated: 2026-05-24. Next review: when an incident of severity ≥ MEDIUM occurs, or 30 days after last review, whichever is sooner.*
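As an added illustration of the rule classes named in Incident-29 (credential classes the one-off audit missed, internal-only paths, B-rule Japanese text) and Incident-30 (filename rules), here is a minimal content-plus-path audit with a pre-commit gate. It is example code written for this log, not the project's `tools/leak_audit.py`; the regexes are simplified approximations of each class, and the sample tree is constructed.

```python
"""Minimal leak audit: path rules + content rules + a commit gate.
Illustrative only; regexes approximate the rule classes in the log."""
import re

JP = r"[ぁ-んァ-ヶ一-龥]"  # hiragana, katakana, common kanji
# (rule id, severity, regex) applied to file CONTENT
CONTENT_RULES = [
    ("cred-bcrypt", "HIGH", re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")),
    ("cred-pem-private", "HIGH", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("cred-github-pat", "HIGH", re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")),
    ("cred-totp-uri", "HIGH", re.compile(r"otpauth://totp/")),
    ("cred-64hex-near-priv", "HIGH", re.compile(r"(?i)priv\w*.{0,16}\b[0-9a-f]{64}\b")),
    ("b-rule-jp-text", "MEDIUM", re.compile(JP)),
]
# (rule id, severity, regex) applied to the tracked PATH (dirs + filename)
PATH_RULES = [
    ("path-internal-only", "HIGH", re.compile(r"^(?:memory/|docs/research/|OPERATOR_[^/]*\.md$)")),
    ("filename-jp-chars", "HIGH", re.compile(JP)),
    ("filename-jp-date", "HIGH", re.compile(r"\d{4}年|\d+月\d+日")),
    ("filename-ai-gen-trace", "MEDIUM", re.compile(r"(?i)ChatGPT[\s_-]Image|midjourney|stable.diffusion")),
]

def audit(tree):
    """tree: {tracked path: text content}. Returns sorted (path, rule, severity)."""
    findings = []
    for path, content in tree.items():
        findings += [(path, r, s) for r, s, rx in PATH_RULES if rx.search(path)]
        findings += [(path, r, s) for r, s, rx in CONTENT_RULES if rx.search(content)]
    return sorted(findings)

def gate(tree, block_at=("HIGH", "MEDIUM")):
    """Pre-commit decision: True means the commit may proceed."""
    return not any(s in block_at for _, _, s in audit(tree))

SAMPLE_TREE = {  # constructed sample, not real repository content
    "README.md": "# anp2\nReference relay. See SECURITY.md.\n",
    "server-config/Caddyfile": "basicauth {\n  admin $2a$14$" + "x" * 53 + "\n}\n",
    "memory/ACTION_LOG.md": "2FA enrolled: otpauth://totp/GitHub:ops?secret=SAMPLE\n",
    "logo/ChatGPT Image 2026年5月19日 10_00_00.png": "",
    "docs/guide.md": "相手のアドレス\n",
}

if __name__ == "__main__":
    for path, rule, sev in audit(SAMPLE_TREE):
        print(f"{sev:6} {rule:24} {path}")
    print("commit allowed:", gate(SAMPLE_TREE))
```

Wired into a pre-commit hook, `tree` would be built from `git diff --cached --name-only` plus each staged blob; for a `--full` walk the same rules run over every path in every historical tree, which is what makes a deleted-then-scrubbed file visible.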