pdurlej/kan-ductor

Fork 0

security: machine activity audit view exposes raw input/result JSON without summaries #55

New issue

Open

opened 2026-05-10 14:19:42 +02:00 by pdurlej · 2 comments

pdurlej commented

2026-05-10 14:19:42 +02:00

Owner

Source

3+3 review on PR #43 (feat(web): add machine activity audit view), merged 2026-05-10 via chain drain #52.

"audit view is developer-useful but exposes raw input/result JSON and lacks incident-grade summaries/copy/export/pagination. Either improve it or explicitly gate/label as maintainer debug view."

Problem

The audit view currently dumps raw input and result JSON blobs for each agent action. This may include:

sourceRef (e.g. signal:+48508463453:<message_id>) — Signal numbers visible in UI
Idempotency keys (low risk, but still internal)
Internal IDs leaking through nested objects
Card metadata that may contain sensitive content

Without redaction or summary mode, the audit view leaks internal context to anyone with workspace access.

Scope

Two paths:

(a) Harden — convert to incident-grade view:

Per-action summary line (human-readable: "Iskra moved card 'Signal note 14:32' from Captured → Doing")
Redact known sensitive fields (sourceRef Signal numbers, etc.) by default
Show raw JSON only on click-to-expand for maintainer-role users
Add copy/export with same redaction
Add pagination (current may dump entire history)

(b) Gate — if hardening is too much scope:

Add audit:debug-view scope, gate UI route on it
Label clearly as "Maintainer Debug View — contains raw payloads"
Default off, operator opts in

Acceptance criteria

Either path implemented and shipped
Operator can answer "what did Iskra do today?" without seeing raw JSON unless explicitly opted in
No Signal numbers / sensitive sourceRefs in default view

Refs

PR #43 (chain drain via #52)
3+3 review comment id 3191

Owner gates

Production exposure of audit view: Piotr review.

## Source 3+3 review on PR #43 (`feat(web): add machine activity audit view`), merged 2026-05-10 via chain drain #52. > "audit view is developer-useful but exposes raw input/result JSON and lacks incident-grade summaries/copy/export/pagination. Either improve it or explicitly gate/label as maintainer debug view." ## Problem The audit view currently dumps raw `input` and `result` JSON blobs for each agent action. This may include: - `sourceRef` (e.g. `signal:+48508463453:<message_id>`) — Signal numbers visible in UI - Idempotency keys (low risk, but still internal) - Internal IDs leaking through nested objects - Card metadata that may contain sensitive content Without redaction or summary mode, the audit view leaks internal context to anyone with workspace access. ## Scope Two paths: **(a) Harden** — convert to incident-grade view: - Per-action summary line (human-readable: "Iskra moved card 'Signal note 14:32' from Captured → Doing") - Redact known sensitive fields (sourceRef Signal numbers, etc.) by default - Show raw JSON only on click-to-expand for maintainer-role users - Add copy/export with same redaction - Add pagination (current may dump entire history) **(b) Gate** — if hardening is too much scope: - Add `audit:debug-view` scope, gate UI route on it - Label clearly as "Maintainer Debug View — contains raw payloads" - Default off, operator opts in ## Acceptance criteria - Either path implemented and shipped - Operator can answer "what did Iskra do today?" without seeing raw JSON unless explicitly opted in - No Signal numbers / sensitive sourceRefs in default view ## Refs - PR #43 (chain drain via #52) - 3+3 review comment id 3191 ## Owner gates - Production exposure of audit view: Piotr review.

pdurlej added the

security

3plus3-followup

priority:p0

labels

2026-05-10 14:19:42 +02:00

ollama referenced this issue

2026-05-18 09:28:38 +02:00

cross-repo: security gate pattern matches infisical-mcp + platform infisical identity work #78

codex referenced this issue

2026-05-28 01:20:39 +02:00

gemini(w1): add audit redaction fixtures for Signal refs and idempotency keys #105

codex referenced this issue

2026-05-28 01:20:41 +02:00

gemini(w3): machine audit view pagination smoke #119

codex commented

2026-06-04 01:33:53 +02:00

Collaborator

Deployment evidence (Codex, 2026-06-04):

Deployed Kan-ductor sha-98f70e7e0cce on RS2000 using platform release compose and kan-migrate.
Runtime smoke passed: kan-web and kan-mcp are healthy; /mcp/health returns ok: true and upstream kanApi: "ok".
Code evidence at deployed commit: audit read path defaults includeRaw to false.
Raw audit payload access requires workspace:manage; otherwise audit input/result goes through redactAuditPayload(...).
Default response hides raw idempotency/source internals and reports rawPayloadVisible: false / payloadRedacted: true.

Recommendation: #55 is truly closed.

Deployment evidence (Codex, 2026-06-04): - Deployed Kan-ductor `sha-98f70e7e0cce` on RS2000 using platform release compose and `kan-migrate`. - Runtime smoke passed: `kan-web` and `kan-mcp` are healthy; `/mcp/health` returns `ok: true` and upstream `kanApi: "ok"`. - Code evidence at deployed commit: audit read path defaults `includeRaw` to `false`. - Raw audit payload access requires `workspace:manage`; otherwise audit input/result goes through `redactAuditPayload(...)`. - Default response hides raw idempotency/source internals and reports `rawPayloadVisible: false` / `payloadRedacted: true`. Recommendation: #55 is truly closed.

Iskra commented

2026-06-09 03:10:10 +02:00

Collaborator

{
"confidence": 5,
"effort_hint": "medium",
"escalation": {
"kind": "none",
"reason": ""
},
"evidence_refs": [
{
"note": "Issue reports machine activity audit view exposing raw input and result JSON without safe summaries.",
"type": "forgejo",
"value": "issue-title-body-labels-and-target-snapshot"
},
{
"note": "Body states raw audit blobs may expose source references, internal IDs, idempotency keys, and sensitive card metadata.",
"type": "forgejo",
"value": "issue-body-problem"
},
{
"note": "Scope offers hardening into incident-grade summaries with redaction or explicitly gating it as maintainer debug view.",
"type": "forgejo",
"value": "issue-body-scope"
}
],
"impact": 5,
"judge_actor": {
"name": "iskra",
"runtime": "openclaw"
},
"judged_at": "2026-06-09T01:07:00Z",
"labels_to_apply": [
"judge/p0",
"judge/codex-candidate"
],
"piotr_fit": "high",
"priority": "p0",
"rationale_summary": "This is P0 Codex-ready security work because raw audit JSON can leak sensitive operational context to workspace users without redaction or gating.",
"reach": 5,
"recommended_next_action": "codex_candidate",
"rerun_reason": "no_prior_judgment",
"schema": "openclaw.judge.v0",
"target": {
"kind": "issue",
"number": 55,
"repo": "pdurlej/kan-ductor"
},
"target_snapshot": {
"body_hash": "sha256:c0e1dc3e13ebe05ee05e174cca232da1199dfc3070ed4718516ef4a74d7950cf",
"commit_count": null,
"evidence_hash": "sha256:f1386410257841335d33fbdba9c3fbb4aef7041b02d746fc73078d2c62b5f3b8",
"head_sha": null,
"labels": [
"3plus3-followup",
"priority:p0",
"security"
],
"labels_hash": "sha256:108b6261a9fa1681b7fbb2dafb7d389589e1dd87303b23bbb3bebb919f917115",
"state": "open",
"title_hash": "sha256:ce6626d064752f7c034f506b6bb15aa42ef3993d7a95fd15827807e96b6829c8",
"updated_at": "2026-06-04T01:33:53+02:00"
},
"top_caveat": "Prefer redacted incident-grade summaries by default and restrict raw JSON to an explicit maintainer-debug path."
}

{ "confidence": 5, "effort_hint": "medium", "escalation": { "kind": "none", "reason": "" }, "evidence_refs": [ { "note": "Issue reports machine activity audit view exposing raw input and result JSON without safe summaries.", "type": "forgejo", "value": "issue-title-body-labels-and-target-snapshot" }, { "note": "Body states raw audit blobs may expose source references, internal IDs, idempotency keys, and sensitive card metadata.", "type": "forgejo", "value": "issue-body-problem" }, { "note": "Scope offers hardening into incident-grade summaries with redaction or explicitly gating it as maintainer debug view.", "type": "forgejo", "value": "issue-body-scope" } ], "impact": 5, "judge_actor": { "name": "iskra", "runtime": "openclaw" }, "judged_at": "2026-06-09T01:07:00Z", "labels_to_apply": [ "judge/p0", "judge/codex-candidate" ], "piotr_fit": "high", "priority": "p0", "rationale_summary": "This is P0 Codex-ready security work because raw audit JSON can leak sensitive operational context to workspace users without redaction or gating.", "reach": 5, "recommended_next_action": "codex_candidate", "rerun_reason": "no_prior_judgment", "schema": "openclaw.judge.v0", "target": { "kind": "issue", "number": 55, "repo": "pdurlej/kan-ductor" }, "target_snapshot": { "body_hash": "sha256:c0e1dc3e13ebe05ee05e174cca232da1199dfc3070ed4718516ef4a74d7950cf", "commit_count": null, "evidence_hash": "sha256:f1386410257841335d33fbdba9c3fbb4aef7041b02d746fc73078d2c62b5f3b8", "head_sha": null, "labels": [ "3plus3-followup", "priority:p0", "security" ], "labels_hash": "sha256:108b6261a9fa1681b7fbb2dafb7d389589e1dd87303b23bbb3bebb919f917115", "state": "open", "title_hash": "sha256:ce6626d064752f7c034f506b6bb15aa42ef3993d7a95fd15827807e96b6829c8", "updated_at": "2026-06-04T01:33:53+02:00" }, "top_caveat": "Prefer redacted incident-grade summaries by default and restrict raw JSON to an explicit maintainer-debug path." }

Iskra added the

judge/codex-candidate

judge/p0

labels

2026-06-09 03:10:11 +02:00

Iskra referenced this issue from pdurlej/judging-claw

2026-06-09 03:10:11 +02:00

[Judging Claw] codex_candidate for pdurlej/kan-ductor#55 (p0) #74