[AAASM-3570] 🔒 (python-sdk): SDK credential/token hygiene & log-leak prevention#174
Merged
Merged
Conversation
…3642) Guarantee no repr()/debug log/traceback frame can leak the API key — the repr shows only whether a key is set (<redacted>) not its value.
…ASM-3642) Assert repr(GatewayClient) elides the key and the fire-and-forget EdgeEmitter error path (logged with exc_info=True) captures no sentinel api_key / Bearer header in its record.
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Contributor
Author
Review — AAASM-3570 / AAASM-3642 (python-sdk credential redaction) ✅ READYCI (authoritative): 0 fail / 0 pending. Scope coverage — AAASM-3642 delivered:
No api_key persisted to disk/env (diff is repr + test only). Relates AAASM-3562. Verdict: READY to merge. — Claude Code |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Description
Ensures the Python SDK never logs or reprs the gateway API key or the
Authorization: Bearerheader (Story AAASM-3570, subtask AAASM-3642).__repr__toGatewayClientthat elidesapi_key— it shows only whether a key is set (<redacted>vsNone), never the value. (Python's default repr already hides it, but an explicit one guarantees no futurerepr(), debug log, or traceback frame leaks the credential.)EdgeEmitterfire-and-forget error path, which logs withexc_info=True: a realistic transport failure does not pull the configured key / bearer header into the record. A regression test forces that path and asserts the sentinel never appears.The
api_keyis the only credential the Python layer holds; the gatewaycredential_tokenlives Rust-side inaa-sdk-client(hardened in the agent-assembly PR for AAASM-3629/3634/3638) and is never materialized in Python.Type of Change
__repr__)Breaking Changes
Related Issues
Testing
Run locally (
.venv/bin/...):pytest test/— 664 passed, 16 skipped (skips are native/optional-dep gated; unrelated)pytest test/unit/client/test_credential_redaction.py— 3 passed (repr redaction + emitter no-leak)ruff check ./ruff format --checkon changed files — cleanmypyon changed files — clean (pre-existingagent_assembly._coreimport-not-found errors are the native module not being built locally; unrelated to this change)Checklist
__repr__)