From 012f64e488c766cc09b887ed828fb545b9cb581a Mon Sep 17 00:00:00 2001
From: "molecule-ai[bot]" <276602405+molecule-ai[bot]@users.noreply.github.com>
Date: Tue, 21 Apr 2026 07:52:11 +0000
Subject: [PATCH] fix: guard HMAC slice truncation in audit chain verification
 (fixes #1332) (#1339)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ev.HMAC[:12] panics when HMAC is shorter than 12 bytes.
Add len guards before truncation so the log line never panics —
the mismatch is still reported, just with whatever prefix is available.

Co-authored-by: Molecule AI Infra-SRE <infra-sre@agents.moleculesai.app>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 workspace-server/internal/handlers/audit.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/workspace-server/internal/handlers/audit.go b/workspace-server/internal/handlers/audit.go
index 81bba931..16f4392b 100644
--- a/workspace-server/internal/handlers/audit.go
+++ b/workspace-server/internal/handlers/audit.go
@@ -283,9 +283,18 @@ func verifyAuditChain(events []auditEventRow) *bool {
 		// Recompute the expected HMAC.
 		expected := computeAuditHMAC(key, ev)
 		if !hmac.Equal([]byte(ev.HMAC), []byte(expected)) {
+			// Truncate for logging only after confirming the slice is safe.
+			storedPrefix := ev.HMAC
+			computedPrefix := expected
+			if len(storedPrefix) > 12 {
+				storedPrefix = storedPrefix[:12]
+			}
+			if len(computedPrefix) > 12 {
+				computedPrefix = computedPrefix[:12]
+			}
 			log.Printf(
 				"audit: HMAC mismatch at event %s (agent=%s): stored=%q computed=%q",
-				ev.ID, ev.AgentID, ev.HMAC[:12], expected[:12],
+				ev.ID, ev.AgentID, storedPrefix, computedPrefix,
 			)
 			f := false
 			return &f