fix: add auth headers to skill promotion logs and improve pip-audit severity parsing

- Extract _auth_headers_for_platform() helper so _maybe_log_skill_promotion() includes auth headers when calling /workspaces/:id/activity (was missing) - Improve pip-audit severity parsing: if fix_versions is present, severity is 'high' (patch available); otherwise 'medium' (no known fix yet)
2026-04-20 05:03:22 +00:00 · 2026-04-20 05:03:22 +00:00 · fa64a04cba
commit fa64a04cba
parent 2da6f2d1cd
2 changed files with 15 additions and 7 deletions
--- a/molecule_runtime/builtin_tools/memory.py
+++ b/molecule_runtime/builtin_tools/memory.py
@ -389,11 +389,7 @@ async def _record_memory_activity(scope: str, content: str, memory_id: str | Non
    }

    try:
-        try:
-            from platform_auth import auth_headers as _auth
-            _headers = _auth()
-        except Exception:
-            _headers = {}
+        _headers = await _auth_headers_for_platform()
        async with httpx.AsyncClient(timeout=5.0) as client:
            await client.post(
                f"{platform_url}/workspaces/{workspace_id}/activity",
@ -466,3 +462,12 @@ async def _maybe_log_skill_promotion(content: str, scope: str, memory_result: di
        # Best-effort observability only. Memory commits must never fail because
        # the promotion log could not be written.
        return
+
+
+async def _auth_headers_for_platform() -> dict[str, str]:
+    """Get auth headers for platform API calls, with graceful fallback."""
+    try:
+        from platform_auth import auth_headers as _auth
+        return _auth()
+    except Exception:
+        return {}
--- a/molecule_runtime/builtin_tools/security_scan.py
+++ b/molecule_runtime/builtin_tools/security_scan.py
@ -184,8 +184,11 @@ def _parse_pip_audit(stdout: str) -> tuple[list[CVEFinding], Optional[str]]:
        if not isinstance(dep, dict):
            continue
        for vuln in dep.get("vulns", []):
-            sev_raw = vuln.get("fix_versions") and "high"  # pip-audit lacks severity
-            sev = (vuln.get("severity") or sev_raw or "high").lower()
+            # pip-audit doesn't provide a severity field in older versions.
+            # If fix_versions is present, the package has a patched version available,
+            # which indicates the vulnerability is real (not just a retracted advisory).
+            has_fix = bool(vuln.get("fix_versions"))
+            sev = (vuln.get("severity") or ("high" if has_fix else "medium")).lower()
            findings.append(
                CVEFinding(
                    vuln_id=vuln.get("id", "UNKNOWN"),