CVE-2026-42461 - Arcane Compose template secret disclosure
Arcane versions before 1.18.0 register several custom template read
endpoints without an authentication requirement. An unauthenticated network
client can list templates and read stored Compose YAML plus associated .env
content from the Arcane instance.
The vulnerable flow matters because Arcane’s “Save as Template” feature can
persist operator-provided environment values verbatim. In real deployments,
template envContent can contain database passwords, registry credentials,
OIDC client secrets, Sentry DSNs, payment provider keys, internal hostnames, and
other deployment context that should never be returned to unauthenticated
callers.
Affected versions
- Vulnerable: github.com/getarcaneapp/arcane/backend <1.18.0
- Fixed: github.com/getarcaneapp/arcane/backend 1.18.0+
- Affected endpoint family: GET /api/templates*, including template list, individual template, and template content reads.
Indicator-of-exposure
- The repository builds, deploys, vendors, or pins Arcane before 1.18.0.
- The Arcane API is reachable by users, tenants, internal networks, VPN users, reverse proxies, or automation without path-level authentication.
- Custom templates are enabled or the deployment has saved templates derived from real Compose projects, swarm stacks, or GitOps project definitions.
- Stored template rows or backup data include Compose YAML, .env text, parsed environment key/value pairs, registry metadata, service names, or internal host references.
- API logs show unauthenticated GET requests to /api/templates, /api/templates/all, /api/templates/{id}, or /api/templates/{id}/content.
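The last indicator is the one operators can act on immediately, so here is an added log-triage example (written for this page, not Arcane's own code) that walks reverse-proxy access log lines and lists every served GET to the template read paths from a source that is not on a trusted list. Access logs do not record whether a token was presented, and on a vulnerable version a 2xx means the read was served regardless, so the question is who fetched template content during the exposure window. The log lines are constructed in nginx "combined" format; Arcane's own log format is not shown on this page, so the regexp and the trusted-source list are assumptions to adapt to your deployment.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// AccessHit is one served template read worth reviewing.
type AccessHit struct {
	Source, Path string
	Status       int
}

// constructedLogLines are made-up reverse-proxy lines in nginx "combined" format
// for this example only; Arcane's own log format is not shown on the page.
var constructedLogLines = []string{
	`203.0.113.7 - - [14/May/2026:10:12:01 +0000] "GET /api/templates/all HTTP/1.1" 200 4821 "-" "curl/8.5.0"`,
	`10.0.0.5 - - [14/May/2026:10:12:03 +0000] "GET /api/templates/3f2/content HTTP/1.1" 200 2210 "-" "Mozilla/5.0"`,
	`10.0.0.5 - - [14/May/2026:10:12:05 +0000] "POST /api/templates HTTP/1.1" 201 120 "-" "Mozilla/5.0"`,
	`203.0.113.7 - - [14/May/2026:10:12:09 +0000] "GET /api/templates/3f2/content HTTP/1.1" 401 36 "-" "curl/8.5.0"`,
	`198.51.100.9 - - [14/May/2026:10:13:00 +0000] "GET /api/containers HTTP/1.1" 200 990 "-" "curl/8.5.0"`,
	`203.0.113.7 - - [14/May/2026:10:13:20 +0000] "GET /api/templates?limit=50 HTTP/1.1" 200 700 "-" "curl/8.5.0"`,
}

// combinedLine captures source, method, path and status from a combined-format line.
var combinedLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})`)

// IsTemplateReadPath matches the affected family: /api/templates, /all, /{id}, /{id}/content.
func IsTemplateReadPath(p string) bool {
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i] // ignore the query string when matching the path
	}
	return p == "/api/templates" || strings.HasPrefix(p, "/api/templates/")
}

// SuspectTemplateReads returns every served (2xx) GET of a template read path from a
// source not in trustedSources, and counts the denied (401/403) ones separately.
// The log cannot show whether credentials were sent, so on a vulnerable version every
// served read from an unexpected source is treated as a potential disclosure.
func SuspectTemplateReads(lines []string, trustedSources map[string]bool) (hits []AccessHit, denied int) {
	for _, line := range lines {
		m := combinedLine.FindStringSubmatch(line)
		if m == nil {
			continue // not a combined-format line
		}
		source, method, path := m[1], m[2], m[3]
		status, _ := strconv.Atoi(m[4])
		if method != "GET" || !IsTemplateReadPath(path) {
			continue
		}
		switch {
		case status == 401 || status == 403:
			denied++
		case status >= 200 && status < 300 && !trustedSources[source]:
			hits = append(hits, AccessHit{source, path, status})
		}
	}
	return hits, denied
}

func main() {
	hits, denied := SuspectTemplateReads(constructedLogLines, map[string]bool{"10.0.0.5": true})
	fmt.Printf("%d served template reads from untrusted sources, %d denied\n", len(hits), denied)
	for _, h := range hits {
		fmt.Printf("  %s %s -> %d\n", h.Source, h.Path, h.Status)
	}
}
```

Feed it the proxy log for the whole window in which a pre-1.18.0 build was reachable; a non-empty hit list means the "treat stored .env values as exposed" bullet applies and rotation is not optional. Keep the output to source, path and status: never echo response bodies or template content into the triage record.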
Quick checks:
rg -n "getarcaneapp/arcane|arcane/backend|RegisterTemplates|ListTemplates|GetAllTemplates|GetTemplateContent|/api/templates|BearerAuth|ApiKeyAuth" .
go list -m all | rg 'github.com/getarcaneapp/arcane'
rg -n "envContent|ComposeTemplate|Save as Template|PROTECTED_PREFIXES|templates/\\{id\\}/content|parseSecurityRequirements" backend frontend charts deploy docker-compose*.yml Dockerfile* .
Remediation strategy
- Upgrade Arcane to 1.18.0+ everywhere this repository controls binary, container, Helm, compose, GitOps, or module selection.
- If the repository owns a fork or vendored Arcane code, require the same BearerAuth or ApiKeyAuth policy on every custom template read endpoint that template writes already require.
- Prefer fail-closed API registration defaults: endpoint handlers should be unauthenticated only when they explicitly opt out for a documented public route.
- Add regression tests that unauthenticated callers receive 401 or 403 for template list and template content reads, and that authenticated users can only access templates they are authorized to view.
- Treat all stored template .env values as exposed if the vulnerable API was reachable. Rotate secrets, invalidate sessions or API keys derived from those values, and review access logs before relying on containment.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-42461 (Arcane unauthenticated disclosure of
custom Compose templates and `.env` secrets). Produce exactly one output:
- A reviewer-ready PR/change request that upgrades or patches Arcane, verifies
template-read authorization, and documents operator secret cleanup, or
- TRIAGE.md if this repository does not own an affected Arcane deployment or
safe patch path.
## Rules
- Scope only CVE-2026-42461.
- Treat Compose YAML, `.env` values, registry tokens, database passwords, OIDC
secrets, API keys, internal hostnames, template names, and Arcane API keys as
sensitive.
- Do not print, snapshot, commit, or copy real template content or secret values
while testing.
- Do not prove exposure by fetching production template content.
- Do not preserve unauthenticated template reads for compatibility.
- Do not auto-merge.
## Steps
1. Inventory every Arcane reference controlled by this repository:
`go.mod`, `go.sum`, vendor trees, Dockerfiles, compose files, Helm charts,
Kubernetes manifests, Terraform, Ansible, GitOps overlays, SBOMs, generated
dependency manifests, and deployment docs.
2. Determine every deployed or buildable Arcane version. A target is vulnerable
if it resolves to `github.com/getarcaneapp/arcane/backend <1.18.0` or an
Arcane container/image tag before `1.18.0`.
3. Determine whether the vulnerable template-read paths are reachable:
- `GET /api/templates`;
- `GET /api/templates/all`;
- `GET /api/templates/{id}`;
- `GET /api/templates/{id}/content`;
- any reverse-proxy rewrite, generated API client, or UI path that maps to
those handlers.
4. Determine whether custom templates can contain real deployment secrets:
Compose `.env` files, swarm-stack variables, registry credentials, database
DSNs, OAuth/OIDC settings, webhook tokens, cloud keys, or third-party API
keys.
5. If this repository only contains an Arcane client or unrelated docs, stop
with `TRIAGE.md` naming the owner, files checked, affected version evidence,
and required fixed version `1.18.0+`.
6. Upgrade every controlled Arcane deployment to `1.18.0+`. Regenerate
lockfiles, image digests, SBOMs, deployment render output, and dependency
reports.
7. If this repository owns a fork or vendored patch instead of a pure upgrade,
update template read route registration so each affected `GET` operation has
the same security requirement used by template create/update/delete routes:
`BearerAuth`, `ApiKeyAuth`, or the repository's equivalent authenticated
principal requirement.
8. Add an explicit fail-closed route registration test or policy check:
unauthenticated routes must be declared through an allow-list of public
operations, and template operations must not appear in that allow-list.
9. Add safe tests using synthetic template fixtures only:
- unauthenticated requests to every affected template read path return `401`
or `403`;
- authenticated callers can read allowed templates;
- unauthorized callers cannot read another tenant, environment, or team
template if the product has ownership boundaries;
- response bodies for denied requests never include Compose YAML, parsed
environment variables, or template metadata.
10. Add deployment containment where this repository controls it:
block unauthenticated `GET /api/templates*` at the reverse proxy, API
gateway, service mesh, or ingress during rollout, especially when the
Arcane API is reachable from shared internal networks.
11. Add a PR body section named `CVE-2026-42461 operator actions` that states:
- Arcane versions before and after the change;
- whether custom templates were enabled;
- whether unauthenticated network paths could reach `/api/templates*`;
- which secret classes may have existed in stored template `.env` content;
- which API keys, registry credentials, database passwords, OAuth/OIDC
secrets, webhook tokens, or cloud credentials should be rotated;
- which access logs should be reviewed for unauthenticated template reads.
12. Run relevant validation: Go tests, route/authz tests, frontend API contract
tests if present, lint/typecheck, image build, deployment render diff, SBOM
refresh, and dependency/security scans available in this repository.
13. Use PR title:
`fix(sec): remediate CVE-2026-42461 in Arcane templates`.
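Steps 7 to 9 above, and the fork/vendored-code bullets under "Remediation strategy", all come down to the same two pieces: a registration policy that fails closed, and tests that prove template reads are denied without leaking anything. The following is an added example written for this page in the backend's language, not Arcane's own code. The `Route` table, the public allow-list entries, the `X-API-Key` header name and the assumed `POST /api/templates` write route are illustrative; the template read paths and the `BearerAuth`/`ApiKeyAuth` requirement names are the ones the advisory names. The env fixture is synthetic, as step 9 requires.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Route is one API operation plus its declared security requirement (names from the advisory); an example assumption, not Arcane code.
type Route struct {
	Method, Path string
	Security     []string // empty: registered without authentication
}

// publicAllowList (hypothetical entries) is the only place an unauthenticated operation may be declared.
var publicAllowList = map[string]bool{"GET /api/health": true, "POST /api/auth/login": true}

// vulnerableRoutes mirrors the pre-1.18.0 shape: template reads carry no
// requirement while template writes do (the POST route is assumed).
var vulnerableRoutes = []Route{
	{"GET", "/api/templates", nil},
	{"GET", "/api/templates/all", nil},
	{"GET", "/api/templates/{id}", nil},
	{"GET", "/api/templates/{id}/content", nil},
	{"POST", "/api/templates", []string{"BearerAuth", "ApiKeyAuth"}},
	{"GET", "/api/health", nil},
}

// FixedRoutes gives every template read the same requirement the writes use.
func FixedRoutes() []Route {
	out := append([]Route(nil), vulnerableRoutes...)
	for i := range out {
		if strings.HasPrefix(out[i].Path, "/api/templates") && len(out[i].Security) == 0 {
			out[i].Security = []string{"BearerAuth", "ApiKeyAuth"}
		}
	}
	return out
}

// CheckFailClosed returns one finding per unauthenticated operation that is not allow-listed, and per template operation that is; run it from a unit test.
func CheckFailClosed(routes []Route) []string {
	var findings []string
	for _, r := range routes {
		key := r.Method + " " + r.Path
		if strings.HasPrefix(r.Path, "/api/templates") && publicAllowList[key] {
			findings = append(findings, "template operation allow-listed: "+key)
		}
		if len(r.Security) == 0 && !publicAllowList[key] {
			findings = append(findings, "unauthenticated operation not allow-listed: "+key)
		}
	}
	return findings
}

const syntheticEnv = "DB_PASSWORD=fixture-only-not-a-real-secret\n" // test fixture; never real template content

// requireAuth is a hypothetical middleware: constant-time check of a bearer token or an API key header (name assumed); denials carry a fixed body with no template data.
func requireAuth(bearer, apiKey string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		okBearer := bearer != "" && subtle.ConstantTimeCompare([]byte(got), []byte(bearer)) == 1
		okKey := apiKey != "" && subtle.ConstantTimeCompare([]byte(r.Header.Get("X-API-Key")), []byte(apiKey)) == 1
		if !okBearer && !okKey {
			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewServer puts every template read path (list, all, {id}, {id}/content) behind requireAuth.
func NewServer(bearer, apiKey string) http.Handler {
	content := func(w http.ResponseWriter, _ *http.Request) { // stand-in content handler
		fmt.Fprintf(w, "composeContent: services: {}\nenvContent: %s", syntheticEnv)
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/api/templates", content)
	mux.HandleFunc("/api/templates/", content)
	return requireAuth(bearer, apiKey, mux)
}

// Probe issues one GET with the given headers; reports the status and whether the fixture leaked.
func Probe(h http.Handler, path string, headers map[string]string) (int, bool) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.Contains(rec.Body.String(), "DB_PASSWORD")
}

func main() {
	fmt.Println("vulnerable table:", CheckFailClosed(vulnerableRoutes))
	fmt.Println("fixed table:", CheckFailClosed(FixedRoutes()))
}
```

`CheckFailClosed` is the step 8 policy check: it reports four findings on the pre-fix table and none once the reads carry the same requirement as the writes, and it also refuses a template operation that someone later adds to the public allow-list. `Probe` is the step 9 assertion helper; the leak flag is what makes the "denied responses never include env content" test meaningful rather than a bare status check.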
## Stop conditions
- No affected Arcane deployment, package, image, fork, or template API path is
controlled by this repository.
- The repository cannot consume Arcane `1.18.0+` without a larger platform
migration.
- Template ownership or tenant boundaries are unclear and changing them could
expose or hide customer data incorrectly; document the risk and require a
product/security decision.
- Secret rotation requires production access or customer approval outside the
repository; document the exact operator action instead of inventing a local
migration.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No controlled Arcane package, image, Helm value, compose file, SBOM, or deployment manifest remains pinned before 1.18.0.
- Every custom template read endpoint requires authentication and any applicable ownership or tenant authorization.
- Tests cover unauthenticated denial for list, all, single-template, and content-read endpoints.
- Denied responses do not leak template names, Compose YAML, .env content, or parsed environment variables.
- Operator actions clearly state whether secret rotation and log review are required for the exposure window.
Watch for
- Updating the application image while a Helm chart, compose file, GitOps overlay, or backup/restore runbook still deploys an older Arcane tag.
- Adding authentication to the UI while generated API routes or direct backend calls remain unauthenticated.
- Tests that assert 200 for public template reads because the old API contract accidentally treated templates as public catalogue data.
- Logging real .env content while adding regression tests or incident inventory.
References
- GitHub Advisory: https://github.com/advisories/GHSA-cxx3-hr75-4q96
- Arcane v1.18.0 release: https://github.com/getarcaneapp/arcane/releases/tag/v1.18.0