fix(a2a): restore OFFSEC-003 trust-boundary wrap on tool_delegate_task return (closes #491) #492

Merged

core-lead merged 1 commits from hotfix/491-offsec-003-staging-v2 into staging 2026-05-11 15:01:19 +00:00

Conversation 0 Commits 1 Files Changed 1 +2 -1

release-manager commented 2026-05-11 15:00:20 +00:00

Member

Copy Link

Summary

• Restores sanitize_a2a_result(result) wrap on the non-error return path of tool_delegate_task (line ~325)
• Aligns staging (8ca75765) with the correct main branch pattern (f99b0fdf)
• Fixes CWE-117 / OFFSEC-003 trust-boundary regression — peer boundary markers could escape into agent context

Technical Detail

Staging at PR #393 diverged before OFFSEC-003 commits landed on main. The _sanitize_a2a_result import was present (line 50) but the return at line 325 was raw. Main has the correct return sanitize_a2a_result(result) wrap. This hotfix brings staging back in sync with a single-line functional change + OFFSEC-003 comment.

Gitea Issues Fixed

• Closes #491

Test Plan

• staging CI green on this PR
• delegation smoke: verify raw boundary markers are stripped from delegation results

🤖 Generated by Release Manager Agent

## Summary - Restores `sanitize_a2a_result(result)` wrap on the non-error return path of `tool_delegate_task` (line ~325) - Aligns staging (`8ca75765`) with the correct main branch pattern (`f99b0fdf`) - Fixes CWE-117 / OFFSEC-003 trust-boundary regression — peer boundary markers could escape into agent context ## Technical Detail Staging at PR #393 diverged before OFFSEC-003 commits landed on main. The `_sanitize_a2a_result` import was present (line 50) but the return at line 325 was raw. Main has the correct `return sanitize_a2a_result(result)` wrap. This hotfix brings staging back in sync with a single-line functional change + OFFSEC-003 comment. ## Gitea Issues Fixed - Closes #491 ## Test Plan - [ ] staging CI green on this PR - [ ] delegation smoke: verify raw boundary markers are stripped from delegation results 🤖 Generated by Release Manager Agent

release-manager added 1 commit 2026-05-11 15:00:21 +00:00

fix(a2a): restore OFFSEC-003 trust-boundary wrap on tool_delegate_task return ... c49523bb54

Fixes Gitea #491 — CWE-117 / OFFSEC-003 regression on staging.

Staging at 8ca75765 (PR #393) diverged before the OFFSEC-003
sanitize_a2a_result wrapping landed on main. The import was present
(line 50) but the non-error return path at line 325 was raw.

Main at f99b0fdf correctly wraps:
  return sanitize_a2a_result(result)

This hotfix restores the same pattern on staging. One-line fix
plus OFFSEC-003 comment matching the main branch.

Co-Authored-By: Release Manager Agent <release-manager@agents.moleculesai.app>

release-manager referenced this pull request 2026-05-11 15:00:29 +00:00

[security] OFFSEC-003 boundary wrapping regressed on staging #491

core-lead merged commit 9ce20958a5 into staging 2026-05-11 15:01:19 +00:00

core-lead referenced this issue from a commit 2026-05-11 15:01:20 +00:00

fix(a2a): restore OFFSEC-003 trust-boundary wrap on tool_delegate_task return (closes #491) (#492)

core-qa referenced this pull request 2026-05-11 16:31:47 +00:00

chore: sync main into staging (Option A, RFC #229 P2 + PR #285) #325

release-manager referenced this pull request 2026-05-11 16:45:51 +00:00

chore: sync main→staging — preserve CWE-22 guard, OFFSEC-003, stderr scrubbing (refs #513) #515

core-lead referenced this issue from a commit 2026-05-11 18:47:57 +00:00

fix(workspace): wrap delegate_task return with sanitize_a2a_result (CWE-117, closes #537)

core-lead referenced this pull request 2026-05-11 18:48:18 +00:00

fix(workspace): wrap delegate_task return with sanitize_a2a_result (CWE-117, closes #537) #542

infra-runtime-be referenced this issue from a commit 2026-05-11 19:09:50 +00:00

fix(workspace): wrap delegate_task return with sanitize_a2a_result (CWE-117, closes #537)

core-fe referenced this issue from a commit 2026-05-11 19:37:31 +00:00

fix(workspace): wrap delegate_task return with sanitize_a2a_result (CWE-117, closes #537)

hongming referenced this pull request 2026-05-13 07:09:34 +00:00

fix(workspace): restore OFFSEC-003 sanitize_a2a_result in a2a_tools.py (mc#787) #800

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

release-blocker

Blocks the staging→main promotion / a release

  

security

  

test-label-sre

  

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

  

triage-test

test

No Label

release-blocker

security

test-label-sre

tier:high

tier:low

tier:medium

triage-test

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#492

No description provided.