Skip to content

[AAASM-3570] 🔒 (python-sdk): SDK credential/token hygiene & log-leak prevention#174

Merged
Chisanan232 merged 2 commits into
masterfrom
v0.0.1/AAASM-3570/sdk_token_hygiene
Jun 24, 2026
Merged

[AAASM-3570] 🔒 (python-sdk): SDK credential/token hygiene & log-leak prevention#174
Chisanan232 merged 2 commits into
masterfrom
v0.0.1/AAASM-3570/sdk_token_hygiene

Conversation

@Chisanan232

Copy link
Copy Markdown
Contributor

Description

Ensures the Python SDK never logs or reprs the gateway API key or the Authorization: Bearer header (Story AAASM-3570, subtask AAASM-3642).

  • Added an explicit __repr__ to GatewayClient that elides api_key — it shows only whether a key is set (<redacted> vs None), never the value. (Python's default repr already hides it, but an explicit one guarantees no future repr(), debug log, or traceback frame leaks the credential.)
  • Audited the EdgeEmitter fire-and-forget error path, which logs with exc_info=True: a realistic transport failure does not pull the configured key / bearer header into the record. A regression test forces that path and asserts the sentinel never appears.

The api_key is the only credential the Python layer holds; the gateway credential_token lives Rust-side in aa-sdk-client (hardened in the agent-assembly PR for AAASM-3629/3634/3638) and is never materialized in Python.

Type of Change

  • ♻️ Refactoring (add redacting __repr__)

Breaking Changes

  • No

Related Issues

  • Related JIRA ticket: AAASM-3570 (subtask AAASM-3642)
  • Relates to AAASM-3562 (proxy credential hygiene)

Testing

  • Unit tests added/updated

Run locally (.venv/bin/...):

  • pytest test/ — 664 passed, 16 skipped (skips are native/optional-dep gated; unrelated)
  • pytest test/unit/client/test_credential_redaction.py — 3 passed (repr redaction + emitter no-leak)
  • ruff check . / ruff format --check on changed files — clean
  • mypy on changed files — clean (pre-existing agent_assembly._core import-not-found errors are the native module not being built locally; unrelated to this change)

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Comments added for complex logic
  • Documentation updated if needed (doc-comment on __repr__)

⚠️ No hard-coded crypto secrets: the test uses a redaction sentinel only.

…3642)

Guarantee no repr()/debug log/traceback frame can leak the API key — the
repr shows only whether a key is set (<redacted>) not its value.
…ASM-3642)

Assert repr(GatewayClient) elides the key and the fire-and-forget
EdgeEmitter error path (logged with exc_info=True) captures no sentinel
api_key / Bearer header in its record.
@sonarqubecloud

Copy link
Copy Markdown

@codecov

codecov Bot commented Jun 24, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@Chisanan232

Copy link
Copy Markdown
Contributor Author

Review — AAASM-3570 / AAASM-3642 (python-sdk credential redaction) ✅ READY

CI (authoritative): 0 fail / 0 pending. CI Success, CodeQL, SonarCloud, pip-audit, unit/integration tests, codecov/patch all pass. Skipped jobs are docs-deploy + e2e (acceptance-class). MERGEABLE.

Scope coverage — AAASM-3642 delivered:

  • GatewayClient.__repr__ elides api_key<redacted> (or None when unset), so no traceback frame / debug log / repr() leaks the bearer credential. ✔
  • New test/unit/client/test_credential_redaction.py: asserts repr() hides a SENTINEL key, and drives the EdgeEmitter exc_info=True failure path (worker thread joined — no flaky sleep) asserting neither SENTINEL nor Bearer SENTINEL appears in captured log records. ✔

No api_key persisted to disk/env (diff is repr + test only). Relates AAASM-3562.

Verdict: READY to merge.

— Claude Code

@Chisanan232 Chisanan232 merged commit 84e82ce into master Jun 24, 2026
24 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-3570/sdk_token_hygiene branch June 24, 2026 04:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant