style(no-slop): remove every em-dash + banned words across all modules + capstone

Apply the no-ai-slop standard (now binding in AGENTS.md): the em-dash character is
banned outright (restructured, not blind-replaced), plus the banned word/phrase
list (delve, leverage, robust, seamless, truly, unlock, etc.). 0 em-dashes remain
in modules + capstone; the only "robust" left is the planted M10 ai-change.patch
trap. Module H1 titles use a colon separator.

All deliberate teaching devices preserved; labs compile/parse (py/sh/yaml/json);
no junk. AGENTS.md updated with the hard no-slop rules.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT
This commit is contained in:
2026-06-22 23:21:09 -04:00
parent 513d7e7ac8
commit 389ac2e460
99 changed files with 1324 additions and 1315 deletions
@@ -1,8 +1,8 @@
#!/usr/bin/env bash
# Module 19 lab what a CI job could see if it ran on THIS machine.
# Module 19 lab: what a CI job could see if it ran on THIS machine.
#
# Run this on any machine you'd consider turning into a self-hosted runner (your laptop is fine for
# the exercise). It does NOT change anything it only LOOKS. The point is to make concrete what is
# the exercise). It does NOT change anything; it only LOOKS. The point is to make concrete what is
# otherwise abstract: a "workflow step" is just a shell command, so whatever this read-only script
# can see, a malicious workflow step (e.g. from a pull request) running on this runner can see too.
#
@@ -42,7 +42,7 @@ echo "os : $(uname -srm 2>/dev/null)"
echo " >> A runner should run as a dedicated low-privilege user, never root, never your login."
line "SECRETS SITTING IN THE ENVIRONMENT"
# Don't print values just the names. Seeing the NAMES is enough to make the point.
# Don't print values, just the names. Seeing the NAMES is enough to make the point.
env | grep -iE 'token|secret|key|password|passwd|credential|aws|gcp|azure|api' | cut -d= -f1 | sort -u \
| sed 's/^/ exposed env var: /' || true
echo " >> Any of these is readable by every job step. Scope runner secrets to the absolute minimum."
@@ -76,7 +76,7 @@ else
echo " no reachable docker socket"
fi
line "PRIVATE NETWORK REACH (the reason you self-host and the reason it's dangerous)"
line "PRIVATE NETWORK REACH (the reason you self-host, and the reason it's dangerous)"
# Probe a few common private ranges' gateways and any hosts you care about.
# Edit these to match your network for a sharper result.
PROBES=( "192.168.0.1:80" "192.168.1.1:80" "10.0.0.1:80" )
@@ -86,7 +86,7 @@ for hp in "${PROBES[@]}"; do
echo " REACHABLE: ${host}:${port}"
fi
done
echo " (edit the PROBES list above to test your real internal hosts databases, deploy targets)"
echo " (edit the PROBES list above to test your real internal hosts: databases, deploy targets)"
echo " >> Every reachable internal host is something a compromised runner can attack or exfiltrate."
line "BOTTOM LINE"
@@ -1,4 +1,4 @@
# Module 19 lab "Where did this actually run?"
# Module 19 lab: "Where did this actually run?"
#
# This is the Module 14 CI pipeline (lint + test the tasks-app) with one extra step bolted on the
# end: it makes the runner tell you who and where it is. Run it once on a hosted runner, then again
@@ -6,7 +6,7 @@
#
# Where this file goes: the same workflow directory as your Module 14 ci.yml. On Actions-style forges
# (GitHub, and Forgejo/Gitea with Actions-compatible YAML) that's <forge-dir>/workflows/ at the repo
# root e.g. .github/workflows/whoami-runner.yml. The filename is yours; the directory is not.
# root, e.g. .github/workflows/whoami-runner.yml. The filename is yours; the directory is not.
#
# For GitLab CI, the same idea is a one-job .gitlab-ci.yml: run the same script lines under `script:`
# with `tags:` selecting your runner. The shape rhymes; only the YAML dialect changes.
@@ -36,7 +36,7 @@ jobs:
- name: Install tools
run: pip install pytest ruff
# The real Module 14 checks still run a self-hosted runner has to actually do the work.
# The real Module 14 checks still run; a self-hosted runner has to actually do the work.
- name: Lint
run: ruff check .
@@ -44,7 +44,7 @@ jobs:
run: pytest -q
# The point of THIS workflow: make the runner identify itself.
# if: always() so the receipt prints even when Lint/Test fail above a diagnostic step
# if: always() so the receipt prints even when Lint/Test fail above; a diagnostic step
# shouldn't vanish on a red build. The job still reports red; only this step is unconditional.
# (On GitLab CI the same idea is `when: always` on the job/step.)
- name: Where did this run?
@@ -69,9 +69,9 @@ jobs:
echo
echo "=== can this runner reach the public internet? ==="
if curl -fsS -m 5 https://example.com >/dev/null 2>&1; then
echo "YES outbound internet works from here."
echo "YES: outbound internet works from here."
else
echo "NO no outbound internet (could be an air-gapped / isolated runner)."
echo "NO: no outbound internet (could be an air-gapped / isolated runner)."
fi
echo
echo "Now ask: is this machine MINE, and what else can it reach? (see inspect-runner.sh)"