security(keys): key-leak audit + SECURITY.md threat model#44
Closed
ernestprovo23 wants to merge 4 commits into
Audit and harden the BYO-keys leak surface ahead of v1.0, with regression tests per vector (tests/test_keyleak_audit.py):

- cache write path: assert a planted key-shaped secret echoed in a provider error never reaches a cache file/filename/key (cache stores the already-redacted CouncilResult); add an explicit invariant comment in cache.store.
- streaming path: assert a mid-stream provider error echoing a key is absent from every streamed StreamEvent AND the final ModelAnswer; document the transport->providers redaction boundary in stream_sse.
- __repr__/__str__: assert no adapter/config/result object renders key material (no object stores a key; transient request headers are not retained).
- provider 400/422 echo: assert buffered error capture runs through redact() for prefixed and unprefixed custom-endpoint keys.
- httpx/httpcore DEBUG logging (out-of-band of redact): document loudly and add an opt-in guard_transport_logging() helper that drops transport DEBUG records (the only level that emits auth headers).
- audit-found gap (not in the original attack map): the partial-failure catch-alls in Council.fan_out and streaming._drive_member built error strings from raw exception text without redact(); wrap both in redact().

Add a Threat model section to SECURITY.md (trust boundary, what IS protected, accepted limitations, vector map) without touching the disclosure policy.

Add .gitleaks.toml allowlisting the obviously-fake test fixtures (test tree only).

Tests 191 -> 209; coverage 89%+. Disclosure policy unchanged.
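Added example (not conclave's own code) of the two mechanisms the description relies on: a redact() that covers unprefixed custom-endpoint keys by exact match of the configured secret values (the sk- prefix pattern is an assumption), applied inside a fan_out-style partial-failure catch-all, and an idempotent transport-logging guard scoped to the httpx/httpcore loggers. All function names, the sample error strings and the sample key values are constructed for the example.

```python
import logging
import re

# Constructed pattern for prefixed keys (assumption: not conclave's own regex).
PREFIXED_KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{8,}")

def redact(text, known_secrets=()):
    """Mask every configured secret value by exact match (this is what covers
    unprefixed custom-endpoint keys), then any prefixed key-shaped token."""
    for secret in sorted(filter(None, known_secrets), key=len, reverse=True):
        text = text.replace(secret, "[REDACTED]")
    return PREFIXED_KEY_RE.sub("[REDACTED]", text)

def failing_call(message):
    """Stand-in for a member call whose provider echoed the key in its error."""
    raise RuntimeError(message)

def fan_out_member(call, known_secrets=()):
    """Partial-failure catch-all: the error string is built from redacted text only."""
    try:
        return {"ok": True, "answer": call()}
    except Exception as exc:  # the catch-all the audit found building raw error text
        return {"ok": False, "error": redact(f"{type(exc).__name__}: {exc}", known_secrets)}

def guard_transport_logging(names=("httpx", "httpcore")):
    """Raise the transport loggers to INFO so DEBUG (the level that prints request
    headers) is dropped for them and for children that set no level of their own.
    Never lowers a stricter level, never touches the root logger, and is idempotent."""
    for name in names:
        logger = logging.getLogger(name)
        logger.setLevel(max(logger.level, logging.INFO))

def demo_guard():
    """Host turned transport DEBUG on; apply the guard twice and report what is left."""
    root_before = logging.getLogger().level
    for name in ("httpx", "httpcore"):
        logging.getLogger(name).setLevel(logging.DEBUG)
    guard_transport_logging()
    guard_transport_logging()  # second call is a no-op
    child = logging.getLogger("httpcore.http11")  # inherits its level from "httpcore"
    return {
        "httpx_debug": logging.getLogger("httpx").isEnabledFor(logging.DEBUG),
        "child_debug": child.isEnabledFor(logging.DEBUG),
        "child_info": child.isEnabledFor(logging.INFO),
        "root_untouched": logging.getLogger().level == root_before,
    }
```

A child logger that explicitly sets its own DEBUG level is outside the guard's scope, which is why the real guard is pinned by a regression test rather than trusted by inspection.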
Commits cab6334 to 4edecae
…ture The two handler-count assertions in test_logging.py counted ALL handlers on the conclave logger, which fails under newer pytest (9.x) whose logging plugin injects LogCaptureHandler instances. Filter to conclave's own StreamHandler via a _app_stream_handlers helper (excludes any handler whose class name contains "Capture") so the tests assert on conclave's one-shot config without coupling to the pytest version. Passes under pytest 8.4.2 and 9.1.0. Test-only; no source change. Unblocks CI for the key-leak audit PR.
…hain (RANK 1/5) The httpx exception raised on a transport failure carries a live .request whose .headers hold the Authorization/x-api-key value. Surfacing it as TransportError.__cause__/__context__ left the key one cause-chain hop away, leaking under traceback.format_exception, logging.exception, or a cause-chain repr. The four raise sites in post_json/stream_sse now route through _raise_transport_error (raise ... from None) plus a boundary clear that nulls __context__, so neither a formatter nor a direct attribute walk can reach the header-bearing exception. Pinned by V8 tests.
…t-out (RANK 6) Council.__init__ now calls transport.guard_transport_logging() automatically unless allow_transport_debug_logging=True, so a process holding a real key is protected from httpx/httpcore DEBUG header leakage out of the box. The guard is idempotent and scoped to the httpx/httpcore loggers only; it never touches the host root logger. SECURITY.md reworded from opt-in to default-on/opt-out, with a new What-IS-protected bullet and vector-map rows for the cause-chain hardening (RANK 1/5) and the default-on guard (RANK 6). Adds V9 (guard default-on + opt-out) and V10 (client close hygiene, RANK 8) regression tests.
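The cause-chain hardening from the RANK 1/5 commit above, as an added example that is not conclave's code: a constructed stand-in for the httpx exception keeps a live .request with the auth header, and the three variants show why `from None` alone is not enough. The request and exception classes, the function names and the sample key are all constructed for this example.

```python
import traceback

KEY = "sk-constructed-example-key-0123"  # constructed sample secret, not a real key

class FakeRequest:
    """Stand-in for httpx.Request; the real one exposes .headers the same way."""
    def __init__(self, headers):
        self.headers = headers

class FakeConnectError(Exception):
    """Stand-in for an httpx transport exception keeping a live .request."""
    def __init__(self, message, request):
        super().__init__(f"{message} (headers={request.headers!r})")  # chatty str
        self.request = request

class TransportError(Exception):
    """Library-facing error; must carry no path back to the request headers."""

def _fail_transport():
    raise FakeConnectError("connection refused", FakeRequest({"Authorization": f"Bearer {KEY}"}))

def post_json_naive():
    try:
        _fail_transport()
    except FakeConnectError as exc:
        raise TransportError("transport failure") from exc  # key is one hop away

def post_json_from_none_only():
    try:
        _fail_transport()
    except FakeConnectError:
        raise TransportError("transport failure") from None  # __context__ is still set

def post_json_hardened():
    try:
        post_json_from_none_only()
    except TransportError as err:
        err.__context__ = None  # boundary clear: nothing left for an attribute walk
        raise

def key_reachable(fn):
    """Probe both routes the audit names: the formatter and a cause-chain walk."""
    try:
        fn()
    except TransportError as err:
        text = "".join(traceback.format_exception(type(err), err, err.__traceback__))
        chain, node = [], err
        while node is not None:  # follow __cause__ first, then implicit __context__
            chain.append(node)
            node = node.__cause__ or node.__context__
        return {"in_traceback": KEY in text, "in_chain": any(hasattr(n, "request") for n in chain)}
```

`from None` sets __suppress_context__ so formatters stay quiet, but __context__ is still populated at raise time; only the boundary clear removes the attribute-walk route.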
Author comment: Superseded by #45 (integrated into the v1.0.0 release commit).
PR-B of the conclave v1.0 release: KEY-LEAK AUDIT + THREAT MODEL
Backs conclave's headline BYO-keys / key-rigor claim. Audits + fixes the residual key-leak surface a security reviewer probes day 1, with a regression test per vector, and adds a Threat model section to SECURITY.md.
Per-vector summary
Invariants
DO NOT MERGE — pending dogfood review by conclave's own adversarial council on audit completeness.