diff --git a/molecule_runtime/builtin_tools/memory.py b/molecule_runtime/builtin_tools/memory.py index 0d36f97..bf60db1 100644 --- a/molecule_runtime/builtin_tools/memory.py +++ b/molecule_runtime/builtin_tools/memory.py @@ -389,11 +389,7 @@ async def _record_memory_activity(scope: str, content: str, memory_id: str | Non } try: - try: - from platform_auth import auth_headers as _auth - _headers = _auth() - except Exception: - _headers = {} + _headers = await _auth_headers_for_platform() async with httpx.AsyncClient(timeout=5.0) as client: await client.post( f"{platform_url}/workspaces/{workspace_id}/activity", @@ -466,3 +462,12 @@ async def _maybe_log_skill_promotion(content: str, scope: str, memory_result: di # Best-effort observability only. Memory commits must never fail because # the promotion log could not be written. return + + +async def _auth_headers_for_platform() -> dict[str, str]: + """Get auth headers for platform API calls, with graceful fallback.""" + try: + from platform_auth import auth_headers as _auth + return _auth() + except Exception: + return {} diff --git a/molecule_runtime/builtin_tools/security_scan.py b/molecule_runtime/builtin_tools/security_scan.py index 214e5fb..5637e36 100644 --- a/molecule_runtime/builtin_tools/security_scan.py +++ b/molecule_runtime/builtin_tools/security_scan.py @@ -184,8 +184,11 @@ def _parse_pip_audit(stdout: str) -> tuple[list[CVEFinding], Optional[str]]: if not isinstance(dep, dict): continue for vuln in dep.get("vulns", []): - sev_raw = vuln.get("fix_versions") and "high" # pip-audit lacks severity - sev = (vuln.get("severity") or sev_raw or "high").lower() + # pip-audit doesn't provide a severity field in older versions. + # If fix_versions is present, the package has a patched version available, + # which indicates the vulnerability is real (not just a retracted advisory). + has_fix = bool(vuln.get("fix_versions")) + sev = (vuln.get("severity") or ("high" if has_fix else "medium")).lower() findings.append( CVEFinding( vuln_id=vuln.get("id", "UNKNOWN"),