fix(executor): sanitize peer delegation content in read_delegation_results (OFFSEC-003) #13

Merged
infra-runtime-be merged 1 commit from runtime/offsec-003-delegation-only into main 2026-05-11 03:41:19 +00:00

Summary

OFFSEC-003 follow-up: read_delegation_results() in executor_helpers.py injected peer-supplied summary and response_preview fields into the agent prompt without sanitization — a direct prompt-injection pathway.

New _detect_injection_safe() helper wraps builtin_tools.compliance.detect_prompt_injection() with lazy import and fail-open. When injection patterns are detected in either field, the field is replaced with "" before formatting. Delegation metadata (status, task line) is preserved.

Rationale

Issue molecule-ai/molecule-core#361 describes the gap: PR #346 wired sanitize_a2a_result into tool_check_task_status and _delegate_sync_via_polling, but missed the read_delegation_results() path that the executor calls directly.

Test plan

  • pytest -v — 135/135 pass (6 new tests)
  • Gitea CI

🤖 Generated with Claude Code

infra-runtime-be added 1 commit 2026-05-11 03:38:41 +00:00
fix(executor): sanitize peer delegation content in read_delegation_results (OFFSEC-003)
Some checks failed
ci / mirror-guard (pull_request) Failing after 9s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 9s
ac8108a1a7
peer-supplied `summary` and `response_preview` fields written to
DELEGATION_RESULTS_FILE by the heartbeat loop were injected into the
agent prompt without sanitization — a direct OFFSEC-003 injection path.

New `_detect_injection_safe()` helper wraps
`builtin_tools.compliance.detect_prompt_injection()` with lazy import
and fail-open behaviour. When injection patterns are detected in either
`summary` or `response_preview`, the field is replaced with "" before
formatting. The delegation metadata (status, task line) is preserved so
the agent still knows a delegation completed; only the malicious content
is stripped.

Fail-open: if builtin_tools.compliance is unavailable (e.g. minimal
test environment), the function logs a warning and passes text through.
This is acceptable because builtin_tools is always present in production
containers; the fail-open only affects degenerate test environments.

6 new tests covering: clean pass-through, injection in summary,
injection in preview, truncation of clean preview, no-file path,
fail-open when compliance unavailable.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
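The sanitization the description and the commit message specify, written out as an added example (not the project's own `executor_helpers.py`): a lazy-import wrapper around the detector that fails open, per-field replacement with `""`, status and task line preserved, and the no-file path. Assumptions not on the page: the results file is JSON Lines with a `task` key, the clean-preview cap is 200 characters, `constructed_compliance` stands in for `builtin_tools.compliance` with a few illustrative regexes, and the `module_name` parameter exists only so the fail-open branch can be exercised offline.

```python
import importlib
import json
import logging
import os
import re
import types

log = logging.getLogger(__name__)
PREVIEW_MAX = 200  # assumed cap: the page says clean previews are truncated, not how far

# Constructed stand-in for builtin_tools.compliance: illustrative regexes only,
# the real detector's rules are not on the page.
_PATTERNS = [re.compile(p, re.I) for p in (
    r"ignore (all |any )?(previous|prior) instructions", r"\bsystem prompt\b", r"\byou are now\b")]
constructed_compliance = types.SimpleNamespace(
    detect_prompt_injection=lambda text: any(p.search(text) for p in _PATTERNS))

def _detect_injection_safe(text, compliance=None, module_name="builtin_tools.compliance"):
    """Lazy-import wrapper; fails open (text passes through) if the module is missing."""
    if compliance is None:
        try:
            compliance = importlib.import_module(module_name)
        except ImportError:
            log.warning("%s unavailable; passing text through (fail-open)", module_name)
            return False
    return bool(compliance.detect_prompt_injection(text or ""))

def format_delegation_results(records, compliance=None):
    """Summary/preview that trip the detector become ""; status and task line stay."""
    out = []
    for rec in records:
        summary = rec.get("summary", "")
        preview = rec.get("response_preview", "")[:PREVIEW_MAX]  # truncate clean preview
        if _detect_injection_safe(summary, compliance):
            summary = ""
        if _detect_injection_safe(preview, compliance):
            preview = ""
        out.append(f"[{rec.get('status', 'unknown')}] {rec.get('task', '')}")
        if summary:
            out.append(f"  summary: {summary}")
        if preview:
            out.append(f"  preview: {preview}")
    return "\n".join(out)

def read_delegation_results(path, compliance=None):
    """No-file path returns ""; otherwise the file is assumed to be JSON Lines."""
    if not os.path.exists(path):
        return ""
    with open(path, encoding="utf-8") as fh:
        return format_delegation_results([json.loads(line) for line in fh if line.strip()], compliance)
```

Note that with the real module absent the wrapper returns False and the peer text reaches the prompt unchanged, which is exactly the fail-open trade-off the commit message accepts for test environments.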
infra-runtime-be merged commit 4d27501bba into main 2026-05-11 03:41:19 +00:00
Reference: molecule-ai/molecule-ai-workspace-runtime#13