Context
agent-kernel models raw driver results, safe Frame objects, handles, provenance, and action traces. The intended boundary is clear: raw driver output should not reach the LLM-safe frame unless explicitly allowed for safe admin paths.
Problem
As the execution, audit, and MCP layers grow, it becomes easier for raw data or sensitive arguments to leak through frames, traces, dry-run results, or error messages. The repo needs focused tests that lock down the redaction/firewall boundary.
Scope
- Add regression tests for raw result to frame conversion/redaction.
- Cover allowed fields, PII-like fields, secret-like values, handle-only output, raw response mode, and trace/audit metadata.
- Verify warnings/provenance are preserved without exposing raw sensitive values.
- Add small docs/comments describing the expected boundary.
Out of scope
- Do not implement a full secret scanner.
- Do not change authorization semantics except where a test reveals a bug.
- Do not add real credentials or personal data to fixtures.
- Do not remove admin/raw modes if they are intentional; document and test their constraints.
Suggested implementation
Inspect firewall/redaction code, Frame, RawResult, Handle, ActionTrace, and tests around response modes. Use synthetic records with fields such as email, token, internal_notes, and public_status. Assert that only allowed data reaches the frame and that traces contain safe metadata.
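As an added illustration (not agent-kernel's own code), a hypothetical allowlist-based firewall in Python built around the synthetic record described above, with a helper that reports leaked field names rather than values so failing tests never print the fake secrets. The class names, the allowlist, and the `to_frame`/`leaked_fields` helpers are assumptions, not the project's API.

```python
"""Hypothetical raw-result -> Frame firewall with leak-checking helpers."""
import itertools
import re
from dataclasses import dataclass, field

# Constructed synthetic record with obviously fake values (never real data).
RAW = {"email": "alice@example.test", "token": "FAKE_TOKEN_abc123",
       "internal_notes": "do not show", "public_status": "active"}
ALLOWED_FIELDS = frozenset({"public_status"})  # assumed allowlist for this demo
SECRET_LIKE = re.compile(r"(?i)(token|secret|password|api_key)$")
_handle_ids = itertools.count(1)

@dataclass(frozen=True)
class Handle:
    ref: str  # opaque pointer into raw storage; carries no raw values

@dataclass
class Frame:
    fields: dict
    handle: Handle
    warnings: list = field(default_factory=list)
    provenance: dict = field(default_factory=dict)

@dataclass(frozen=True)
class ActionTrace:
    action: str
    handle_ref: str
    dropped_fields: tuple  # field names only, never their values

def to_frame(raw, action, allowed=ALLOWED_FIELDS):
    """Allowlist-based conversion: only allowed fields cross into the frame."""
    bad = sorted(k for k in allowed if SECRET_LIKE.search(k))
    if bad:  # refuse an allowlist that would wave through secret-like names
        raise ValueError(f"allowlist names secret-like fields: {bad}")
    safe = {k: v for k, v in raw.items() if k in allowed}
    dropped = tuple(sorted(k for k in raw if k not in allowed))
    handle = Handle(ref=f"raw:{action}:{next(_handle_ids)}")
    warnings = [f"redacted {len(dropped)} field(s)"] if dropped else []
    frame = Frame(safe, handle, warnings, {"source": action, "handle": handle.ref})
    return frame, ActionTrace(action, handle.ref, dropped)

def leaked_fields(obj, raw, allowed=ALLOWED_FIELDS):
    """Names (not values) of non-allowed raw values found anywhere in repr(obj).
    Returning names keeps fake secrets out of test failure output."""
    text = repr(obj)
    return [k for k, v in raw.items() if k not in allowed and str(v) in text]
```

`leaked_fields` is the negative assertion: run it over the frame, the trace, and any error message or dry-run result, and expect an empty list.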
Acceptance criteria
Tests
Add unit tests for frame construction/firewall behavior and trace generation. Include negative assertions for synthetic secret values and PII-like values.
Documentation
Update architecture or firewall docs with a brief statement of what may appear in frames/traces versus what must stay in handles/raw storage.
Dependencies
Related to #73 if traces are extended. Can be implemented independently for current models.
AI agent notes
Start by locating firewall/redaction tests and response mode handling. Use obviously fake secrets. Prefer exact assertions over broad snapshots. Be careful that test failure output does not print fake secret strings unnecessarily.