Merge pull request #14 from Deep-CodeAI/fix/auth-secret-hygiene

Skobeltsyn · web-flow · commit b99643b624df · 2026-05-03T12:23:52.000+03:00
Fix/auth secret hygiene
diff --git a/src/main/kotlin/agents_engine/core/Skill.kt b/src/main/kotlin/agents_engine/core/Skill.kt
@@ -82,6 +82,21 @@ class Skill<IN, OUT>(
         outputTransformer = block
     }
 
+    /**
+     * #856 — opt-in for memory tools. When ANY skill on an agent calls `useMemory()`,
+     * the agentic loop respects the opt-in: only skills that called this get
+     * `memory_read` / `memory_write` / `memory_search` in their allowlist. When NO
+     * skill opts in, the legacy auto-inject (every skill gets memory if memoryBank
+     * is set) is preserved for backward compatibility.
+     */
+    var useMemory: Boolean = false
+        private set
+
+    fun useMemory() {
+        checkNotFrozen()
+        useMemory = true
+    }
+
     fun execute(input: IN): OUT {
         val impl = checkNotNull(implementation) {
             "Skill \"$name\" has no implementation. Add implementedBy { } block."
diff --git a/src/main/kotlin/agents_engine/mcp/McpAuth.kt b/src/main/kotlin/agents_engine/mcp/McpAuth.kt
@@ -9,6 +9,19 @@ sealed interface McpAuth {
     /** No credentials sent. Default. */
     object None : McpAuth
 
-    /** Sends `Authorization: Bearer <token>` on every request. */
-    data class Bearer(val token: String) : McpAuth
+    /**
+     * Sends `Authorization: Bearer <token>` on every request.
+     *
+     * The token is held as a `String` for compatibility with `data class`
+     * equality. **toString() is overridden to redact the token** so a
+     * `println(auth)` or `Throwable.message` referencing this instance
+     * doesn't leak the credential into logs (#857).
+     *
+     * Future work: store the token as `CharArray` and add an explicit
+     * `close()` that wipes it. That requires a richer API surface (the
+     * transport must know when to wipe) and is left as a follow-up.
+     */
+    data class Bearer(val token: String) : McpAuth {
+        override fun toString(): String = "Bearer(token=<redacted>)"
+    }
 }
diff --git a/src/main/kotlin/agents_engine/model/AgenticLoop.kt b/src/main/kotlin/agents_engine/model/AgenticLoop.kt
@@ -28,12 +28,19 @@ suspend fun <IN> executeAgentic(
 
     val messages = mutableListOf<LlmMessage>()
 
-    // Action tools: tools the skill explicitly lists + agent capabilities + auto-injected memory tools
+    // Action tools: tools the skill explicitly lists + agent capabilities + memory tools
     val skillToolDefs = skill.toolNames?.mapNotNull { agent.toolMap[it] } ?: emptyList()
     val autoToolDefs = agent.autoToolNames.mapNotNull { agent.toolMap[it] }
-    val memoryToolDefs = if (agent.memoryBank != null)
-        agent.toolMap.values.filter { it.name in setOf("memory_read", "memory_write", "memory_search") }
-    else emptyList()
+    // #856 — memory-tool authorization is per-skill when ANY skill opts in via
+    // `useMemory()`. If none opt in, fall back to the legacy default-on behavior
+    // (every skill gets memory tools when memoryBank is set) so existing
+    // single-skill agents don't break.
+    val anySkillOptedIntoMemory = agent.skills.values.any { it.useMemory }
+    val memoryToolDefs = when {
+        agent.memoryBank == null -> emptyList()
+        anySkillOptedIntoMemory && !skill.useMemory -> emptyList()
+        else -> agent.toolMap.values.filter { it.name in setOf("memory_read", "memory_write", "memory_search") }
+    }
     val actionToolDefs = (skillToolDefs + autoToolDefs + memoryToolDefs).distinctBy { it.name }
 
     // Knowledge tools: exposed lazily — LLM calls them to load context on demand
diff --git a/src/test/kotlin/agents_engine/mcp/McpAuthRedactionTest.kt b/src/test/kotlin/agents_engine/mcp/McpAuthRedactionTest.kt
@@ -0,0 +1,44 @@
+package agents_engine.mcp
+
+import kotlin.test.Test
+import kotlin.test.assertEquals
+import kotlin.test.assertFalse
+import kotlin.test.assertTrue
+
+// Tests for #857 — McpAuth.Bearer.toString() must NOT leak the token.
+class McpAuthRedactionTest {
+
+    @Test
+    fun `Bearer toString does not contain the token value`() {
+        val secret = "sk-very-secret-token-do-not-leak"
+        val auth = McpAuth.Bearer(secret)
+        val rendered = auth.toString()
+        assertFalse(rendered.contains(secret), "toString must not include the raw token; got: '$rendered'")
+        assertTrue(rendered.contains("redacted", ignoreCase = true), "toString must indicate redaction; got: '$rendered'")
+    }
+
+    @Test
+    fun `Bearer toString does not leak via interpolation`() {
+        val secret = "sk-another-secret-token"
+        val auth = McpAuth.Bearer(secret)
+        val s = "$auth"
+        assertFalse(s.contains(secret), "string interpolation must not leak token; got: '$s'")
+    }
+
+    @Test
+    fun `Bearer equals and hashCode still work (data-class semantics preserved)`() {
+        val a = McpAuth.Bearer("same")
+        val b = McpAuth.Bearer("same")
+        val c = McpAuth.Bearer("different")
+        assertEquals(a, b)
+        assertEquals(a.hashCode(), b.hashCode())
+        assertFalse(a == c, "different tokens must not be equal")
+    }
+
+    @Test
+    fun `Bearer token property still returns the actual value (programmatic access preserved)`() {
+        val secret = "sk-programmatic"
+        val auth = McpAuth.Bearer(secret)
+        assertEquals(secret, auth.token, "the .token property must still expose the value for HTTP-header building")
+    }
+}
diff --git a/src/test/kotlin/agents_engine/model/MemoryToolPerSkillOptInTest.kt b/src/test/kotlin/agents_engine/model/MemoryToolPerSkillOptInTest.kt
@@ -0,0 +1,123 @@
+package agents_engine.model
+
+import agents_engine.core.MemoryBank
+import agents_engine.core.agent
+import kotlin.test.Test
+import kotlin.test.assertEquals
+import kotlin.test.assertFalse
+import kotlin.test.assertTrue
+
+// Tests for #856 — per-skill memory-tool opt-in.
+//
+// When ANY skill on an agent calls `useMemory()`, the agentic loop respects
+// that opt-in: skills that did NOT opt in must NOT receive memory_* tools in
+// their authorized set. When no skill opts in, the legacy default-on behavior
+// is preserved for single-skill agents that already work today.
+class MemoryToolPerSkillOptInTest {
+
+    private fun snoopAuthorizedTools(captureLatest: MutableList<List<String>>): ModelClient {
+        // Use the system message that the agentic loop builds — it lists every tool
+        // available to the current skill. We can read it back from the captured
+        // messages of the first chat() call.
+        return ModelClient { msgs ->
+            val sys = msgs.firstOrNull { it.role == "system" }
+            val tools = sys?.content
+                ?.lineSequence()
+                ?.filter { it.startsWith("- ") }
+                ?.map { it.removePrefix("- ").substringBefore(":") }
+                ?.toList()
+                ?: emptyList()
+            captureLatest.add(tools)
+            LlmResponse.Text("done")
+        }
+    }
+
+    @Test
+    fun `legacy single-skill agent with memoryBank still auto-gets memory tools (backward compat)`() {
+        val captured = mutableListOf<List<String>>()
+        val a = agent<String, String>("legacy") {
+            model { ollama("test"); client = snoopAuthorizedTools(captured) }
+            memory(MemoryBank())
+            skills { skill<String, String>("only", "stub") { tools() } }
+        }
+        a("hi")
+        assertTrue(captured.single().contains("memory_read"), "legacy auto-inject must still work; got: ${captured.single()}")
+        assertTrue(captured.single().contains("memory_write"))
+        assertTrue(captured.single().contains("memory_search"))
+    }
+
+    @Test
+    fun `when one skill opts in, a non-opted-in skill on the same agent loses memory access`() {
+        // The core security guarantee — auto-inject across ALL skills was the bug.
+        // With two skills on one agent (one opts in, one doesn't), the non-opted
+        // skill's authorized tool set must NOT include memory_*.
+        // The mock client first answers the skill-router LLM call (returning a
+        // SkillRoute pointing at "read-only"), then snoops the second call's
+        // system prompt for the "read-only" skill's authorized tools.
+        val captured = mutableListOf<List<String>>()
+        var callIdx = 0
+        val client = ModelClient { msgs ->
+            callIdx++
+            if (callIdx == 1) {
+                // Skill router call — return a JSON SkillRoute.
+                LlmResponse.Text("""{"skillName":"read-only","confidence":1.0,"rationale":"x"}""")
+            } else {
+                // Skill execution call — capture the system prompt's tool listing.
+                val sys = msgs.firstOrNull { it.role == "system" }
+                captured.add(
+                    sys?.content?.lineSequence()
+                        ?.filter { it.startsWith("- ") }
+                        ?.map { it.removePrefix("- ").substringBefore(":") }
+                        ?.toList()
+                        ?: emptyList(),
+                )
+                LlmResponse.Text("done")
+            }
+        }
+        val a = agent<String, String>("two-skill") {
+            model { ollama("test"); this.client = client }
+            memory(MemoryBank())
+            skills {
+                skill<String, String>("read-only", "answers questions") { tools() }
+                skill<String, String>("memo-writer", "writes notes") { tools(); useMemory() }
+            }
+        }
+        a("input")
+        val tools = captured.single()
+        assertFalse(tools.contains("memory_read"), "non-opted-in skill must NOT receive memory_read; got: $tools")
+        assertFalse(tools.contains("memory_write"), "non-opted-in skill must NOT receive memory_write; got: $tools")
+        assertFalse(tools.contains("memory_search"), "non-opted-in skill must NOT receive memory_search; got: $tools")
+    }
+
+    @Test
+    fun `opted-in skill DOES receive memory tools`() {
+        val captured = mutableListOf<List<String>>()
+        val a = agent<String, String>("writer") {
+            model { ollama("test"); client = snoopAuthorizedTools(captured) }
+            memory(MemoryBank())
+            skills {
+                skill<String, String>("memo-writer", "uses memory") { tools(); useMemory() }
+            }
+        }
+        a("hi")
+        val tools = captured.single()
+        assertTrue(tools.contains("memory_read"), "opted-in skill must receive memory_read; got: $tools")
+        assertTrue(tools.contains("memory_write"))
+        assertTrue(tools.contains("memory_search"))
+    }
+
+    @Test
+    fun `agent without memoryBank never injects memory tools regardless of useMemory`() {
+        val captured = mutableListOf<List<String>>()
+        val a = agent<String, String>("no-memory") {
+            model { ollama("test"); client = snoopAuthorizedTools(captured) }
+            // no memory(...) call
+            skills {
+                skill<String, String>("s", "stub") { tools(); useMemory() }
+            }
+        }
+        a("hi")
+        val tools = captured.single()
+        assertEquals(emptyList(), tools.filter { it.startsWith("memory_") }, "no memoryBank means no memory tools regardless of opt-in")
+    }
+}
