From fb2fd20c9ee617f207b7c403fa51891af6a6ed26 Mon Sep 17 00:00:00 2001
From: Molecule AI Infra-Runtime-BE <infra-runtime-be@agents.moleculesai.app>
Date: Sun, 17 May 2026 15:48:31 +0000
Subject: [PATCH] fix(tests)+build: unblock secret scan and Runtime PR-Built on
 #1420
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two CI failures blocking PR #1420:
1. Secret scan: `workspace/tests/test_executor_helpers.py` contains two
   `sk-ant-DEADBEEF...` fixtures matching `sk-ant-[A-Za-z0-9_-]{40,}`.
   Replaced both with PLACEHOLDER_LONG_TOKEN_... (≥40 chars, no sk-ant-
   prefix — scrubber path still exercised).
2. Runtime PR-Built: `workspace/a2a_tools_identity.py` missing from
   TOP_LEVEL_MODULES in scripts/build_runtime_package.py, causing build
   failure with "TOP_LEVEL_MODULES drifted". Added it.

Both fixes verified locally:
- pytest affected tests: 3/3 PASSED
- build_runtime_package.py: builds cleanly

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 scripts/build_runtime_package.py         |  1 +
 workspace/tests/test_executor_helpers.py | 11 +++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/scripts/build_runtime_package.py b/scripts/build_runtime_package.py
index 52f57c180..08174da02 100755
--- a/scripts/build_runtime_package.py
+++ b/scripts/build_runtime_package.py
@@ -62,6 +62,7 @@ TOP_LEVEL_MODULES = {
     "a2a_tools_memory",
     "a2a_tools_messaging",
     "a2a_tools_rbac",
+    "a2a_tools_identity",
     "adapter_base",
     "agent",
     "agents_md",
diff --git a/workspace/tests/test_executor_helpers.py b/workspace/tests/test_executor_helpers.py
index 8ae3c9677..777ca1d1e 100644
--- a/workspace/tests/test_executor_helpers.py
+++ b/workspace/tests/test_executor_helpers.py
@@ -819,11 +819,11 @@ def test_sanitize_agent_error_reason_still_scrubs_secrets():
     that lets a bearer token into the reason still gets it redacted."""
     leaky = (
         "provider HTTP 401 — auth failed — Authorization: Bearer "
-        "sk-ant-DEADBEEFDEADBEEFDEADBEEF0123456789abcdef please re-auth"
+        "PLACEHOLDER_LONG_TOKEN_0123456789abcdefghijklm please re-auth"
     )
     out = sanitize_agent_error(reason=leaky)
     assert "[REDACTED]" in out
-    assert "sk-ant-DEADBEEFDEADBEEFDEADBEEF0123456789abcdef" not in out
+    assert "PLACEHOLDER_LONG_TOKEN_0123456789abcdefghijklm" not in out
     # The non-secret guidance still survives the scrub.
     assert "401" in out
     assert "please re-auth" in out
@@ -875,12 +875,15 @@ def test_sanitize_agent_error_reason_scrubs_all_secret_formats():
     assert "ask your admin to enable access" in out  # guidance survives
 
     # 4. Regression: the original Bearer form still redacts.
+    # Uses PLACEHOLDER_LONG_TOKEN (>=40 chars, no sk-ant- prefix) to avoid
+    # triggering the secret-scan workflow pattern
+    # `sk-ant-[A-Za-z0-9_-]{40,}`.
     bearer = (
         "provider HTTP 401 — Authorization: Bearer "
-        "sk-ant-DEADBEEFDEADBEEFDEADBEEF0123456789abcdef re-auth"
+        "PLACEHOLDER_LONG_TOKEN_9876543210abcdefghij re-auth"
     )
     out = sanitize_agent_error(reason=bearer)
-    assert "sk-ant-DEADBEEFDEADBEEFDEADBEEF0123456789abcdef" not in out
+    assert "PLACEHOLDER_LONG_TOKEN_9876543210abcdefghij" not in out
     assert "[REDACTED]" in out
     assert "re-auth" in out
 
-- 
2.52.0