diff --git a/scripts/build_runtime_package.py b/scripts/build_runtime_package.py index 52f57c180..08174da02 100755 --- a/scripts/build_runtime_package.py +++ b/scripts/build_runtime_package.py @@ -62,6 +62,7 @@ TOP_LEVEL_MODULES = { "a2a_tools_memory", "a2a_tools_messaging", "a2a_tools_rbac", + "a2a_tools_identity", "adapter_base", "agent", "agents_md", diff --git a/workspace/tests/test_executor_helpers.py b/workspace/tests/test_executor_helpers.py index 8ae3c9677..777ca1d1e 100644 --- a/workspace/tests/test_executor_helpers.py +++ b/workspace/tests/test_executor_helpers.py @@ -819,11 +819,11 @@ def test_sanitize_agent_error_reason_still_scrubs_secrets(): that lets a bearer token into the reason still gets it redacted.""" leaky = ( "provider HTTP 401 — auth failed — Authorization: Bearer " - "sk-ant-DEADBEEFDEADBEEFDEADBEEF0123456789abcdef please re-auth" + "PLACEHOLDER_LONG_TOKEN_0123456789abcdefghijklm please re-auth" ) out = sanitize_agent_error(reason=leaky) assert "[REDACTED]" in out - assert "sk-ant-DEADBEEFDEADBEEFDEADBEEF0123456789abcdef" not in out + assert "PLACEHOLDER_LONG_TOKEN_0123456789abcdefghijklm" not in out # The non-secret guidance still survives the scrub. assert "401" in out assert "please re-auth" in out @@ -875,12 +875,15 @@ def test_sanitize_agent_error_reason_scrubs_all_secret_formats(): assert "ask your admin to enable access" in out # guidance survives # 4. Regression: the original Bearer form still redacts. + # Uses PLACEHOLDER_LONG_TOKEN (>=40 chars, no sk-ant- prefix) to avoid + # triggering the secret-scan workflow pattern + # `sk-ant-[A-Za-z0-9_-]{40,}`. bearer = ( "provider HTTP 401 — Authorization: Bearer " - "sk-ant-DEADBEEFDEADBEEFDEADBEEF0123456789abcdef re-auth" + "PLACEHOLDER_LONG_TOKEN_9876543210abcdefghij re-auth" ) out = sanitize_agent_error(reason=bearer) - assert "sk-ant-DEADBEEFDEADBEEFDEADBEEF0123456789abcdef" not in out + assert "PLACEHOLDER_LONG_TOKEN_9876543210abcdefghij" not in out assert "[REDACTED]" in out assert "re-auth" in out