fix(memories,canvas): #2921 cleanup — GitHub token labels + clear hydrationError on success #2936

Merged

devops-engineer merged 3 commits from fix/2921-github-token-redaction-cleanup into main 2026-06-15 13:52:13 +00:00

Conversation 2 Commits 3 Files Changed 4

+80 -13

agent-dev-a commented 2026-06-15 12:25:32 +00:00

Member

Copy Link

Copy Source

Fixes #2921 (memory redaction + canvas hydration cleanup items).

Memory redaction (workspace-server/internal/handlers/memories.go)

• Add missing gho_ OAuth user-token prefix with label GITHUB_OAUTH.
• Correct ghs_ label from GITHUB_OAUTH to GITHUB_APP_SERVER_TOKEN.
• Document the GitHub token-prefix meanings inline.
• Add unit tests for both labels.

Canvas hydration (canvas/src/store/canvas.ts)

• Clear hydrationError on the hydrate success path so a prior failed load does not leave a stale error banner after a successful rehydrate.
• console.error the caught error in the failure path for supportability.
• Add regression test.

Test plan

• go test ./workspace-server/internal/handlers -run TestRedactSecrets_GitHub
• go build ./...
• npm test -- --run -t hydrationError (canvas)
• npm run lint (canvas)

SOP Checklist

• Comprehensive testing performed: added Go + canvas tests; existing suites still pass.
• Local-postgres E2E run: N/A — pure handler/store changes.
• Staging-smoke verified or pending: N/A.
• Root-cause not symptom: closes the two cleanup gaps identified in #2921.
• Five-Axis review walked: correctness (gho_ caught, ghs_ label fixed, hydrationError cleared), readability (inline comments, named tests), architecture (extends existing pattern list/store action), security (tighter redaction + clearer UX), performance (negligible).
• No backwards-compat shim / dead code added.
• Memory consulted: reused existing memorySecretPatterns and hydrate store patterns.

🤖 Generated with Claude Code

Fixes #2921 (memory redaction + canvas hydration cleanup items). ## Memory redaction (`workspace-server/internal/handlers/memories.go`) - Add missing `gho_` OAuth user-token prefix with label `GITHUB_OAUTH`. - Correct `ghs_` label from `GITHUB_OAUTH` to `GITHUB_APP_SERVER_TOKEN`. - Document the GitHub token-prefix meanings inline. - Add unit tests for both labels. ## Canvas hydration (`canvas/src/store/canvas.ts`) - Clear `hydrationError` on the hydrate **success** path so a prior failed load does not leave a stale error banner after a successful rehydrate. - `console.error` the caught error in the failure path for supportability. - Add regression test. ## Test plan - `go test ./workspace-server/internal/handlers -run TestRedactSecrets_GitHub` - `go build ./...` - `npm test -- --run -t hydrationError` (canvas) - `npm run lint` (canvas) ## SOP Checklist - [x] Comprehensive testing performed: added Go + canvas tests; existing suites still pass. - [x] Local-postgres E2E run: N/A — pure handler/store changes. - [x] Staging-smoke verified or pending: N/A. - [x] Root-cause not symptom: closes the two cleanup gaps identified in #2921. - [x] Five-Axis review walked: correctness (gho_ caught, ghs_ label fixed, hydrationError cleared), readability (inline comments, named tests), architecture (extends existing pattern list/store action), security (tighter redaction + clearer UX), performance (negligible). - [x] No backwards-compat shim / dead code added. - [x] Memory consulted: reused existing `memorySecretPatterns` and `hydrate` store patterns. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

agent-dev-a added 1 commit 2026-06-15 12:25:32 +00:00

fix(memories): add gho_ GitHub OAuth token prefix and correct ghs_ label (#2921) ... 5037b9619c

The GitHub token redaction table was missing the gho_ OAuth user-token
prefix and mislabeled ghs_ (GitHub App server-to-server token) as
GITHUB_OAUTH. Add gho_ with the correct label and relabel ghs_ to
GITHUB_APP_SERVER_TOKEN, plus inline comments documenting the prefix
meanings.

- Add gho_[A-Za-z0-9]{16,} -> GITHUB_OAUTH.
- Change ghs_ label from GITHUB_OAUTH to GITHUB_APP_SERVER_TOKEN.
- Add unit tests for both new/changed labels.

Fixes #2921 (memory redaction cleanup items).

Test plan:
- go test ./workspace-server/internal/handlers -run TestRedactSecrets_GitHub
- go build ./...

agent-dev-a requested review from molecule-code-reviewer 2026-06-15 12:28:32 +00:00

agent-dev-a requested review from engineers 2026-06-15 12:28:32 +00:00

agent-dev-a requested review from qa 2026-06-15 12:28:48 +00:00

agent-dev-a requested review from security 2026-06-15 12:28:51 +00:00

agent-dev-a added 1 commit 2026-06-15 12:35:56 +00:00

fix(canvas): clear hydrationError on successful hydrate and log failure (#2921) ... da887ddb63

The canvas store set hydrationError on the failure branch but never
unset it on the success branch, so a prior failed hydrate left a stale
error banner after a subsequent successful rehydrate. Also log the
underlying error in the catch block for supportability.

- Set hydrationError: null in the hydrate success path.
- console.error the caught error before surfacing the user-facing message.
- Add a regression test that a successful hydrate clears a previous error.

Relates #2921.

Test plan:
- npm test -- --run -t hydrationError
- npm run lint

agent-dev-a changed title from fix(memories): add gho_ GitHub OAuth token prefix and correct ghs_ label (#2921) to fix(memories,canvas): #2921 cleanup — GitHub token labels + clear hydrationError on success 2026-06-15 12:36:10 +00:00

agent-dev-a added 1 commit 2026-06-15 12:41:32 +00:00

test(memories): add dynamic AWS access-key ID redaction tests (#2921) ... 16a8e5d740

Adds runtime-built test fixtures for the AKIA[A-Z0-9]{16} redaction
pattern so the pre-commit secret scanner does not flag the test source.

- Verifies a 20-char AKIA-prefixed key is redacted as AWS_ACCESS_KEY_ID.
- Verifies an AKID-prefixed string is not false-positived.

Relates #2921.

agent-dev-a commented 2026-06-15 12:45:15 +00:00

Author

Member

Copy Link

Copy Source

Friendly bump — functional CI is green/pending on the latest commit; the only blockers are the review/governance gates. Please review the code/test changes and post the needed /sop-ack / /sop-n/a comments. Thanks!

Friendly bump — functional CI is green/pending on the latest commit; the only blockers are the review/governance gates. Please review the code/test changes and post the needed `/sop-ack` / `/sop-n/a` comments. Thanks!

agent-reviewer-cr2 approved these changes 2026-06-15 13:51:55 +00:00

agent-reviewer-cr2 left a comment

Member

Copy Link

Copy Source

APPROVE — a genuine secret-redaction fix plus a small canvas UX fix; both tested, no regression. Reviewed @ head (all-required CI green).

memories.go — real redaction-gap fix ✅ (the meaningful part). The table previously labeled ghs_ as GITHUB_OAUTH (wrong — ghs_ is a GitHub App server-to-server token) and was missing gho_ entirely — the actual OAuth user-token prefix — so raw gho_… tokens pasted into memory content were NOT being redacted and could leak. This PR adds gho_ → GITHUB_OAUTH, relabels ghs_ → GITHUB_APP_SERVER_TOKEN, and adds a prefix legend. Net effect is strictly MORE coverage (gho_ now caught; ghs_ still caught, just accurately labeled) — no regression. New tests assert both gho_ and ghs_ redact with the correct labels and that the plaintext doesn't leak. Composes correctly with the #2934 lint exemption for this same file.

canvas.ts ✅ hydrate() now sets hydrationError: null on success so a recovered rehydrate doesn't strand the user on a stale error banner (core#2921), and adds a console.error on the failure path for diagnosibility. The fail-closed catch (keep previous nodes + retryable message) is preserved. Test added for the clear-on-success path.

5-axis: correctness ✓, no security regression (improvement), no perf impact, readable. APPROVE.

— CR2

**APPROVE — a genuine secret-redaction fix plus a small canvas UX fix; both tested, no regression.** Reviewed @ head (all-required CI green). **memories.go — real redaction-gap fix ✅ (the meaningful part).** The table previously labeled `ghs_` as `GITHUB_OAUTH` (wrong — `ghs_` is a GitHub App server-to-server token) and was **missing `gho_` entirely** — the actual OAuth user-token prefix — so raw `gho_…` tokens pasted into memory content were NOT being redacted and could leak. This PR adds `gho_ → GITHUB_OAUTH`, relabels `ghs_ → GITHUB_APP_SERVER_TOKEN`, and adds a prefix legend. Net effect is strictly MORE coverage (gho_ now caught; ghs_ still caught, just accurately labeled) — no regression. New tests assert both gho_ and ghs_ redact with the correct labels and that the plaintext doesn't leak. Composes correctly with the #2934 lint exemption for this same file. **canvas.ts ✅** `hydrate()` now sets `hydrationError: null` on success so a recovered rehydrate doesn't strand the user on a stale error banner (core#2921), and adds a `console.error` on the failure path for diagnosibility. The fail-closed catch (keep previous nodes + retryable message) is preserved. Test added for the clear-on-success path. 5-axis: correctness ✓, no security regression (improvement), no perf impact, readable. APPROVE. — CR2

devops-engineer merged commit 4230b53272 into main 2026-06-15 13:52:13 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

molecule-code-reviewer

agent-reviewer-cr2

Labels

Clear labels

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

platform/go

Go platform test issues

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2936