Skip to content

Sanitize dashboard/status to prevent leaking brief contents#58

Open
ianalloway wants to merge 1 commit into
mainfrom
codex/fix-unauthenticated-dashboard-data-exposure
Open

Sanitize dashboard/status to prevent leaking brief contents#58
ianalloway wants to merge 1 commit into
mainfrom
codex/fix-unauthenticated-dashboard-data-exposure

Conversation

@ianalloway

Copy link
Copy Markdown
Owner

Motivation

  • The live dashboard and status SSE endpoints exposed full Markdown report contents by reading data/reports/*.md and embedding them into the status payload and rendered JS, bypassing the HMAC-protected delivery route semantics.
  • Any unauthenticated remote client reachable to the server could retrieve confidential briefs without a delivery token, so status/event endpoints must not include report bodies.

Description

  • Stop reading and embedding report Markdown in build_status_data() so it only enumerates brief IDs; report bodies are no longer loaded into the briefs map in solvent/dashboard.py.
  • Add a _sanitize_status_data() wrapper used by _refresh_status() and external status-file polling in solvent/server.py to redact briefs values (expose only IDs with empty values) before HTTP/SSE publishing.
  • Require delivery token checks on the preview API GET /api/briefs/{job_id} (added token parameter and verify_delivery_token guard) to match the canonical hosted brief route semantics in solvent/server.py.
  • Change dashboard client JS (rendered by solvent/dashboard.py) to avoid rendering embedded brief text and to show a placeholder message directing users to the token-protected hosted brief link.
  • Add regression tests in tests/test_server.py to assert status/dashboard pages do not disclose brief contents and that the preview API enforces delivery tokens.

Testing

  • Compiled changed modules with python -m py_compile solvent/dashboard.py solvent/server.py tests/test_server.py which succeeded.
  • Ran python -m unittest tests.test_server; tests executed in this environment but were skipped where the fastapi test client was not available (appropriate skip behavior), so headless client checks were not executed here.
  • Executed a targeted sentinel check (small Python run) that created a report file and validated that build_status_data() and render() do not include the secret; this check passed.
  • Ran full python -m unittest discover; this run surfaced unrelated environment/test-state failures (missing optional rich dependency causing skipped tests and an unrelated test observing persisted jobs), indicating the failures are not caused by the dashboard redaction changes.

Codex Task

Copilot AI review requested due to automatic review settings July 14, 2026 18:17

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants