molecule-ai/molecule-core
41
0
Fork 2
Code Issues 59 Pull Requests 21 Actions 148 Packages Projects Releases Wiki Activity

fix(workspace/OFFSEC-003): correct boundary wrapping + add closer truncation #1059

Merged
devops-engineer merged 1 commits from fix/offsec-003-boundary-v2 into staging 2026-05-14 20:26:43 +00:00
Conversation 23 Commits 1 Files Changed 5 +32 -17

1 Commits

Author SHA1 Message Date
Molecule AI Core-QA
d241dd7f9e fix(workspace/OFFSEC-003): correct boundary wrapping + add closer truncation
All checks were successful
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 22s
Details
CI / Detect changes (pull_request) Successful in 1m6s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m6s
Details
publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m8s
Details
publish-runtime-autobump / pr-validate (pull_request) Successful in 1m7s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 21s
Details
qa-review / approved (pull_request) Successful in 24s
Details
security-review / approved (pull_request) Successful in 21s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m38s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 59s
Details
CI / Platform (Go) (pull_request) Successful in 6s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 7s
Details
CI / Canvas (Next.js) (pull_request) Successful in 8s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 11s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 7s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 2m17s
Details
CI / Python Lint & Test (pull_request) Successful in 7m0s
Details
CI / all-required (pull_request) Successful in 7s
Details
gate-check-v3 / gate-check (pull_request) Successful in 14s
Details
sop-tier-check / tier-check (pull_request) Successful in 16s
Details
sop-checklist / na-declarations (pull_request) N/A: qa-review
Details
sop-checklist / all-items-acked (pull_request) acked: 7/7
Details
audit-force-merge / audit (pull_request) Successful in 8s
Details 
Two bugs fixed in tool_delegate_task wrapping logic:

1. Wrapping used raw _A2A_BOUNDARY_START/_END markers, which
   appeared alongside the escaped form of peer content. Fixed: wrap
   with _A2A_BOUNDARY_START_ESCAPED/_END_ESCAPED so output contains
   no raw closer that could confuse downstream parsers.

2. A malicious peer could inject a fake closer ([/A2A_RESULT_FROM_PEER])
   to make legitimate content appear truncated. Fixed: truncate at the
   raw closer BEFORE sanitization (truncation loses the raw form).

Updated test assertions across 3 test files to match new escaped wrapper
form (previous tests expected raw markers in output).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-14 19:48:55 +00:00