molecule-ai/molecule-core
39
0
Fork 2
Code Issues 46 Pull Requests 32 Actions 6 Packages Projects Releases Wiki Activity

fix(workspace): OFFSEC-003 sanitize polling-path delegation results #390

Merged
core-be merged 1 commits from runtime/offsec-003-polling-path-v2 into staging 2026-05-11 05:20:33 +00:00
Conversation 2 Commits 1 Files Changed 2 +112 -2

1 Commits

Author SHA1 Message Date
Molecule AI Infra-Runtime-BE
8e94c178d2 fix(workspace): OFFSEC-003 sanitize polling-path delegation results
All checks were successful
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 11s
Details
sop-tier-check / tier-check (pull_request) Manual override — infra#241 runner broken. OFFSEC-003 polling-path sanitization fix.
Details
audit-force-merge / audit (pull_request) Successful in 11s
Details 
Issue: _delegate_sync_via_polling (RFC #2829 PR-5 sync path) returned
unsanitized response_preview and error_detail fields to the agent context.
A malicious peer could inject trust-boundary markers to break the boundary
established by the main sanitization layer.

Changes:
- a2a_tools_delegation.py: sanitize response_preview before returning on
  completed; sanitize error_detail/summary before wrapping in _A2A_ERROR_PREFIX
- test_a2a_tools_delegation.py: TestPollingPathSanitization covers both paths

Companion to PR #382 (runtime/offsec-003-executor-sanitize) which covers
the async heartbeat path in executor_helpers.read_delegation_results.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-11 04:53:48 +00:00