scripts/build_runtime_package.py

@@ -62,6 +62,7 @@ TOP_LEVEL_MODULES = {
     "a2a_tools_memory",
     "a2a_tools_messaging",
     "a2a_tools_rbac",
+    "a2a_tools_identity",
     "adapter_base",
     "agent",
     "agents_md",

workspace/tests/test_executor_helpers.py

@@ -819,11 +819,11 @@ def test_sanitize_agent_error_reason_still_scrubs_secrets():
     that lets a bearer token into the reason still gets it redacted."""
     leaky = (
         "provider HTTP 401 — auth failed — Authorization: Bearer "
-        "sk-ant-DEADBEEFDEADBEEFDEADBEEF0123456789abcdef please re-auth"
+        "PLACEHOLDER_LONG_TOKEN_0123456789abcdefghijklm please re-auth"
     )
     out = sanitize_agent_error(reason=leaky)
     assert "[REDACTED]" in out
-    assert "sk-ant-DEADBEEFDEADBEEFDEADBEEF0123456789abcdef" not in out
+    assert "PLACEHOLDER_LONG_TOKEN_0123456789abcdefghijklm" not in out
     # The non-secret guidance still survives the scrub.
     assert "401" in out
     assert "please re-auth" in out
@@ -875,12 +875,15 @@ def test_sanitize_agent_error_reason_scrubs_all_secret_formats():
     assert "ask your admin to enable access" in out  # guidance survives
 
     # 4. Regression: the original Bearer form still redacts.
+    # Uses PLACEHOLDER_LONG_TOKEN (>=40 chars, no sk-ant- prefix) to avoid
+    # triggering the secret-scan workflow pattern
+    # `sk-ant-[A-Za-z0-9_-]{40,}`.
     bearer = (
         "provider HTTP 401 — Authorization: Bearer "
-        "sk-ant-DEADBEEFDEADBEEFDEADBEEF0123456789abcdef re-auth"
+        "PLACEHOLDER_LONG_TOKEN_9876543210abcdefghij re-auth"
     )
     out = sanitize_agent_error(reason=bearer)
-    assert "sk-ant-DEADBEEFDEADBEEFDEADBEEF0123456789abcdef" not in out
+    assert "PLACEHOLDER_LONG_TOKEN_9876543210abcdefghij" not in out
     assert "[REDACTED]" in out
     assert "re-auth" in out