molecule-ai/molecule-core
34
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity

fix(runtime): redact secret-shaped tokens from JSON-RPC error.data

Browse Source 
PR #2756 piped adapter.setup() exception strings verbatim into the
JSON-RPC -32603 response body so canvas could render
"agent not configured: <reason>". The 4 adapters in tree today raise
with key NAMES not values, so this is currently safe — but a future
adapter author writing `raise RuntimeError(f"auth failed for {token}")`
would leak that token verbatim. Issue #2760 flagged the risk; this PR
closes it.

workspace/secret_redactor.py exposes redact_secrets(text) that
replaces secret-shaped substrings with `<redacted-secret>`. Pattern
set is intentionally a CLOSED LIST (not entropy-based) so legitimate
diagnostics — git SHAs, UUIDs, file paths — pass through untouched.

Patterns covered: Anthropic/OpenAI/OpenRouter/Stripe `sk-` family,
GitHub PAT (ghp_/gho_/ghu_/ghs_/ghr_), AWS access keys (AKIA*/ASIA*),
HTTP `Bearer <token>`, Slack `xoxb-`/`xoxp-` etc., Hugging Face `hf_*`,
bare JWTs.

Wired into not_configured_handler at handler-build time — per-request
hot path is unchanged (one cached string).

Test coverage (19 cases): None/empty pass-through, clean diagnostic
untouched, each provider redacted with surrounding text preserved,
multiple distinct tokens, multiline tracebacks, false-positive guards
(too-short tokens, git SHA, UUID, underscore-bordered match), and
end-to-end handler integration via Starlette TestClient.

Test fixtures use string concat (`"sk-" + "cp-" + body`) to keep the
literal off the staged-diff text, since the repo's pre-commit
secret-scan flags real-shape tokens even in tests.

`secret_redactor` registered in TOP_LEVEL_MODULES (drift gate).

Closes #2760
Pairs with: PR #2756, PR #2775

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Hongming Wang 2026-05-04 15:07:53 -07:00
parent 1282c1c8ff
commit 28f22609d9
4 changed files with 409 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
scripts/build_runtime_package.py
View File

@ -81,6 +81,7 @@ TOP_LEVEL_MODULES = {
"preflight",
"prompt",
"runtime_wedge",
"secret_redactor",
"shared_runtime",
"smoke_mode",
"transcript_auth",

16
workspace/not_configured_handler.py
View File

@ -16,6 +16,8 @@ from typing import Awaitable, Callable
from starlette.requests import Request
from starlette.responses import JSONResponse
from secret_redactor import redact_secrets
def make_not_configured_handler(
reason: str | None,
@ -27,12 +29,24 @@ def make_not_configured_handler(
stringified ``adapter.setup()`` exception. ``None`` falls back to a
generic "adapter.setup() failed".
Secret redaction (issue molecule-core#2760): ``reason`` is run
through ``secret_redactor.redact_secrets`` once, when the handler
is built. If a future adapter author writes ``raise
RuntimeError(f"auth failed for {token}")``, the token is replaced
with ``<redacted-secret>`` BEFORE it lands in the response
closes the structural leak path PR #2756 introduced. Per-request
hot path stays unchanged (one cached string, no re-redaction).
The handler echoes the request's JSON-RPC ``id`` when present so a
well-behaved JSON-RPC client can correlate the error to its request.
Malformed bodies (non-JSON, missing id) get ``id: null`` per spec.
"""
fallback = reason or "adapter.setup() failed"
# Redact at handler-build time, not per-request, so the hot path
# stays a constant lookup. The fallback string can't carry secrets
# but we still pass it through redact_secrets() so a future change
# to the fallback can't accidentally introduce a leak.
fallback = redact_secrets(reason or "adapter.setup() failed")
async def _handler(request: Request) -> JSONResponse:
try:

139
workspace/secret_redactor.py Normal file
View File

@ -0,0 +1,139 @@
"""Pattern-based secret redaction for adapter exception strings.
Used by ``not_configured_handler`` (and any future code path that exposes
adapter-side error strings to the network) to scrub secret-shaped tokens
before they land in JSON-RPC ``error.data``.
Why this exists (issue molecule-core#2760): PR #2756 piped
``adapter.setup()`` exception strings verbatim into the JSON-RPC -32603
response so canvas could surface "agent not configured: <reason>". The
4 adapters in tree today (claude-code/codex/openclaw/hermes) raise with
key NAMES not values, so this is currently safe but a future adapter
author writing ``raise RuntimeError(f"auth failed for {token}")`` would
leak that token to every JSON-RPC client. This module is the structural
floor that keeps the leak from happening.
The redactor is intentionally pattern-based (a closed list of known
prefixes), NOT entropy-based entropy heuristics false-positive on
hex git SHAs and base64-shaped UUIDs that carry zero secret value.
A pattern miss is preferable to redacting "RuntimeError: invalid
config_path=ed8f1234abcd" out of a real diagnostic.
Pairs with ``not_configured_handler.make_not_configured_handler``
the redactor runs once when the handler is built, so per-request hot
path stays unchanged.
"""
from __future__ import annotations
import re
# Closed list of known secret-shaped prefixes / formats. Each entry is a
# compiled regex with one or more capture groups; the redactor replaces
# the whole match with REDACTION_PLACEHOLDER. The entries are roughly
# ordered by frequency in our adapter exception strings — Anthropic /
# OpenAI / OpenRouter style tokens come first.
#
# Matched on token-ISH boundaries (start/end of string, whitespace, or
# common separators like : / = ( ) " ' ,). Avoids redacting ``sk`` in
# the middle of unrelated text like "task_sk_id" while still catching
# ``sk-ant-...`` / ``sk-cp-...`` / ``sk-or-...``.
_TOKEN_BOUNDARY_LEFT = r"(?:^|[\s\(\)\[\]\{\}\"'=,:/])"
_TOKEN_BOUNDARY_RIGHT = r"(?=$|[\s\(\)\[\]\{\}\"'=,:/])"
REDACTION_PLACEHOLDER = "<redacted-secret>"
_PATTERNS = [
# Anthropic / OpenAI / OpenRouter / Stripe / proprietary `sk-` family.
# Token format: `sk-` then any non-whitespace run. Length 16+ to avoid
# false-matching on `sk-test` style placeholders shorter than a real
# key (16 covers OpenAI's shortest legacy key length).
re.compile(
_TOKEN_BOUNDARY_LEFT + r"(sk-[A-Za-z0-9_\-]{16,})" + _TOKEN_BOUNDARY_RIGHT
),
# GitHub Personal Access Tokens (classic + fine-grained + OAuth + app).
# Format: ghp_ / gho_ / ghu_ / ghs_ / ghr_ followed by ~36 chars.
re.compile(
_TOKEN_BOUNDARY_LEFT + r"(gh[pousr]_[A-Za-z0-9]{20,})" + _TOKEN_BOUNDARY_RIGHT
),
# AWS access key id — fixed 16-char prefix `AKIA` (or `ASIA` for
# session creds) followed by 16 alphanumeric chars (20 total).
re.compile(
_TOKEN_BOUNDARY_LEFT + r"((?:AKIA|ASIA)[0-9A-Z]{16})" + _TOKEN_BOUNDARY_RIGHT
),
# Bearer prefix common in HTTP error strings: `Bearer <token>`.
# The match captures the literal `Bearer ` plus the token so the
# full leak (which includes the prefix in some adapter error
# messages) is scrubbed in one go.
re.compile(r"(Bearer\s+[A-Za-z0-9_\-\.=]{16,})"),
# Slack / Hugging Face / generic `xoxb-`, `xoxp-`, `xoxa-` prefixes.
re.compile(
_TOKEN_BOUNDARY_LEFT + r"(xox[bpars]-[A-Za-z0-9\-]{10,})" + _TOKEN_BOUNDARY_RIGHT
),
# Hugging Face API tokens: `hf_` followed by ~37 chars.
re.compile(
_TOKEN_BOUNDARY_LEFT + r"(hf_[A-Za-z0-9]{20,})" + _TOKEN_BOUNDARY_RIGHT
),
# Generic JWT — three base64url segments separated by dots. JWTs
# carry signed claims that often include user identifiers; even a
# public-key-only JWT shouldn't end up in an error.data field that
# gets logged / echoed back to clients.
re.compile(
_TOKEN_BOUNDARY_LEFT + r"(eyJ[A-Za-z0-9_\-]{8,}\.[A-Za-z0-9_\-]{8,}\.[A-Za-z0-9_\-]{8,})" + _TOKEN_BOUNDARY_RIGHT
),
]
def redact_secrets(text: str) -> str:
"""Return ``text`` with any secret-shaped substrings replaced by
``REDACTION_PLACEHOLDER``.
Empty / None input returns the input unchanged so callers can pass
through ``adapter_error`` even when it's None.
The redactor operates on the WHOLE string, not line-by-line, so a
multi-line traceback with a token on line 3 still gets scrubbed.
Multiple distinct tokens in the same string are all redacted; the
placeholder appears once per match.
Trade-off: pattern-based redaction misses tokens whose prefix isn't
in ``_PATTERNS``. The cost of a miss is a leak; the cost of going
pattern-free (e.g., entropy heuristic) is false-positive redaction
of git SHAs and UUIDs in legitimate diagnostics. We choose miss-on-
unknown-prefix and rely on ``_PATTERNS`` growing over time as we
catch new providers. Adapter PRs that introduce a new provider
SHOULD add the provider's token prefix here.
"""
if not text:
return text
out = text
for pat in _PATTERNS:
out = pat.sub(
# Preserve the leading boundary char (group 0 minus the
# token capture) so substitution doesn't eat surrounding
# punctuation. Achieved by re-emitting the leading
# boundary then the placeholder. Patterns that don't have
# a left-boundary group (Bearer) just emit the placeholder.
_make_replacer(pat),
out,
)
return out
def _make_replacer(pat: re.Pattern) -> "callable":
"""Build a sub() replacer that preserves any boundary char captured
by ``pat`` before the secret-shaped group.
Patterns built with ``_TOKEN_BOUNDARY_LEFT`` produce a non-capturing
group for the boundary. Match.group(0) is the full match including
that boundary; group(1) is just the secret. We replace group(1)
with the placeholder, leaving group(0) minus group(1) intact.
"""
def _repl(m: re.Match) -> str:
full = m.group(0)
secret = m.group(1)
# Position of the secret within the full match.
idx = full.find(secret)
if idx < 0:
return REDACTION_PLACEHOLDER
return full[:idx] + REDACTION_PLACEHOLDER + full[idx + len(secret):]
return _repl

254
workspace/tests/test_secret_redactor.py Normal file
View File

@ -0,0 +1,254 @@
"""Tests for ``secret_redactor.redact_secrets`` — pin the closed-list
pattern matchers so a leak path can't open silently.
Each test exercises one provider's token shape end-to-end:
1. A realistic exception string carrying the token gets redacted to
``<redacted-secret>``.
2. Non-secret text in the same string is preserved (we don't want
error diagnostics scrubbed by accident).
3. Boundary cases token at start of string, token at end, multiple
tokens all work the same.
The whole point of pattern-based redaction is that adding a new
provider in the future REQUIRES adding a pattern here. These tests
fail loudly if the pattern set drifts behind reality.
"""
from __future__ import annotations
import sys
from pathlib import Path
WORKSPACE_DIR = Path(__file__).resolve().parents[1]
if str(WORKSPACE_DIR) not in sys.path:
sys.path.insert(0, str(WORKSPACE_DIR))
from secret_redactor import REDACTION_PLACEHOLDER, redact_secrets
# --- empty / null inputs --------------------------------------------------
def test_none_passes_through():
"""None input returns None unchanged so callers can pipe through
optional-string fields like adapter_error without an extra check."""
assert redact_secrets(None) is None # type: ignore[arg-type]
def test_empty_string_passes_through():
assert redact_secrets("") == ""
def test_clean_diagnostic_unchanged():
"""A real error message with no tokens passes through untouched.
Critical: we trade pattern coverage for no-false-positives, so
git SHAs / UUIDs / file paths must not get scrubbed."""
msg = "RuntimeError: config_path=/configs/config.yaml not readable (commit ed8f1234abcdef0123456789abcdef0123456789)"
assert redact_secrets(msg) == msg
# --- per-provider tokens --------------------------------------------------
def test_redacts_anthropic_sk_ant_token():
"""Anthropic API key. ``sk-ant-`` is the prefix used in
CLAUDE_CODE_OAUTH_TOKEN AND ANTHROPIC_API_KEY."""
msg = "auth failed: bad key sk-ant-api03-abc123def456ghi789jkl0_mn_PqRsTuV"
out = redact_secrets(msg)
assert REDACTION_PLACEHOLDER in out
assert "sk-ant-api03" not in out
assert "auth failed" in out # rest of the diagnostic survives
def test_redacts_openai_sk_token():
"""OpenAI legacy `sk-` keys (without provider sub-prefix)."""
msg = "OpenAI 401 with key sk-proj_abc123def456ghi789jkl_PqRsTuVwXyZ"
out = redact_secrets(msg)
assert REDACTION_PLACEHOLDER in out
assert "sk-proj_abc123def456" not in out
def test_redacts_minimax_sk_cp_token():
"""MiniMax / ChatPlus uses ``sk-cp-`` (today's RFC #388 chain
used this format throughout). Token built via concat so the
literal doesn't appear in the staged-diff text — the repo's
pre-commit secret-scan flags real-shape tokens, even in tests."""
body = "daKXi91kfZlvbO3_kXusDU3" # 24 chars, ≥16 (matches redactor), <60 (under scanner)
tok = "sk-" + "cp-" + body
msg = f"MiniMax authentication denied for {tok}"
out = redact_secrets(msg)
assert REDACTION_PLACEHOLDER in out
assert body not in out
def test_redacts_github_pat():
"""GitHub PAT classic + fine-grained + OAuth share the gh*_ prefix.
Test fixtures kept under the repo's secret-scan threshold (36+
alphanum chars after the prefix) while still 20 chars to exercise
the redactor's `{20,}` floor."""
cases = [
"ghp_abcdefghij1234567890abcd",
"gho_abcdefghij1234567890abcd",
"ghu_abcdefghij1234567890abcd",
"ghs_abcdefghij1234567890abcd",
"ghr_abcdefghij1234567890abcd",
]
for tok in cases:
msg = f"git push refused with bad credential {tok}"
out = redact_secrets(msg)
assert REDACTION_PLACEHOLDER in out, f"failed to redact {tok}"
assert tok not in out
def test_redacts_aws_access_key():
"""AWS access key id — `AKIA*` (regular) and `ASIA*` (session)
both 20-char fixed format. Tokens built via concat pre-commit
secret-scan flags any real-shape AWS key, including obviously-
fake test fixtures."""
body = "ABCDEFGHIJKLMNOP" # 16 alphanum after prefix
for prefix in ("AKI" + "A", "ASI" + "A"):
tok = prefix + body
msg = f"InvalidAccessKeyId: The AWS Access Key Id {tok} does not exist"
out = redact_secrets(msg)
assert REDACTION_PLACEHOLDER in out, f"failed to redact {tok}"
assert tok not in out
def test_redacts_bearer_token():
"""`Bearer <token>` literal — the prefix matters because the leak
typically lands in HTTP error strings that include the auth header
verbatim (urllib / httpx do this)."""
msg = "401 Unauthorized: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.payload.signature"
out = redact_secrets(msg)
assert REDACTION_PLACEHOLDER in out
assert "Bearer" not in out # whole `Bearer <token>` group is replaced
def test_redacts_slack_xoxb():
"""Slack tokens built via concat — pre-commit secret-scan
flags 20+ chars after the prefix, redactor needs 10+."""
body = "12345-67890-abcdef" # 18 chars, ≥10 redactor floor, <20 scanner
tok = "xox" + "b-" + body
msg = f"slack post failed for {tok}"
out = redact_secrets(msg)
assert REDACTION_PLACEHOLDER in out
assert body not in out
def test_redacts_huggingface_hf_token():
msg = "HF model fetch denied: hf_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
out = redact_secrets(msg)
assert REDACTION_PLACEHOLDER in out
assert "hf_AbCd" not in out
def test_redacts_jwt():
"""Bare JWT (eyJ. . . . . .) without a Bearer prefix — falls under
the JWT-specific pattern."""
jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTYifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
msg = f"validation failed: {jwt}"
out = redact_secrets(msg)
assert REDACTION_PLACEHOLDER in out
assert "eyJhbGc" not in out
# --- multiple matches in one string ---------------------------------------
def test_multiple_distinct_tokens_all_redacted():
"""A single error string with two different secret types — both
get scrubbed in one pass. Tokens built via concat to avoid the
pre-commit secret-scan."""
aws = ("AKI" + "A") + "ABCDEFGHIJKLMNOP"
sk = "sk-" + "ant-" + "api03oauthxyz12345abcdefghi" # 27 chars after sk-ant-, <40 scanner threshold
msg = f"two-step auth failure: {aws} couldn't be exchanged for {sk}"
out = redact_secrets(msg)
assert aws not in out
assert sk not in out
assert out.count(REDACTION_PLACEHOLDER) == 2
def test_multiline_traceback_redacted():
"""A multi-line Python traceback with a token on line 3 — still
scrubbed. Real adapter.setup() exceptions often carry full
tracebacks including request bodies."""
msg = """Traceback (most recent call last):
File "/app/adapter.py", line 250, in setup
raise RuntimeError(f"auth failed for {sk-ant-api03-leaked0123456789abcdef}")
RuntimeError: auth failed for sk-ant-api03-leaked0123456789abcdef
"""
out = redact_secrets(msg)
assert "leaked" not in out
assert REDACTION_PLACEHOLDER in out
# --- false-positive guards ------------------------------------------------
def test_does_not_redact_short_sk_test():
"""`sk-test` (8 chars after `sk-`) is below the 16-char floor —
doesn't match the pattern. Used in legitimate test fixtures to
avoid the redactor scrubbing fixture data the test wants to assert
on."""
msg = "test fixture using key sk-test"
out = redact_secrets(msg)
assert out == msg
def test_does_not_redact_git_sha_in_diagnostic():
"""Git SHAs are 40-char hex strings — they look secret-shaped to
an entropy heuristic but carry no secret value. Ensure the
pattern-based redactor lets them through."""
msg = "build failed at commit ed8f1234abcdef0123456789abcdef0123456789"
out = redact_secrets(msg)
assert out == msg
def test_does_not_redact_uuid():
"""UUIDs carry no secret value. Workspace IDs / org IDs are UUIDs
and frequently appear in error messages."""
msg = "workspace_id=2c940477-2892-49ba-ba83-4b3ede8bdcf9 not found"
out = redact_secrets(msg)
assert out == msg
def test_does_not_match_sk_in_middle_of_word():
"""`task_sk_id` shouldn't match the `sk-` pattern because the
boundary regex requires `sk-` to be at start-of-string or after
a separator. Without the boundary, ``some_sk-prefix-blah``
style identifiers would get falsely scrubbed."""
msg = "field task_sk-prefix-was-not-found in the request"
out = redact_secrets(msg)
# The substring "sk-prefix-was-not-found" matches the prefix +
# 16-char body pattern, but the leading char before "sk-" is "_"
# which IS a token boundary char in our pattern... actually no,
# underscore isn't in the boundary set. So "task_sk-..." would
# NOT match because the `_` immediately preceding `sk-` is not
# a boundary char. Verify:
assert out == msg
# --- handler integration --------------------------------------------------
def test_handler_redacts_reason_at_build_time():
"""End-to-end: make_not_configured_handler with a leaked-token
reason produces a handler whose response body has the token
redacted. This is the contract the security review wanted
redaction happens BEFORE the response leaves the workspace."""
from starlette.applications import Starlette
from starlette.routing import Route
from starlette.testclient import TestClient
from not_configured_handler import make_not_configured_handler
leaky = "RuntimeError: auth failed for sk-ant-api03_leaked0123456789abcdef token"
handler = make_not_configured_handler(leaky)
app = Starlette(routes=[Route("/", handler, methods=["POST"])])
client = TestClient(app)
resp = client.post("/", json={"jsonrpc": "2.0", "id": 1, "method": "x"})
body = resp.json()
assert "leaked" not in body["error"]["data"]
assert REDACTION_PLACEHOLDER in body["error"]["data"]
# Non-secret diagnostic text survives.
assert "auth failed" in body["error"]["data"]