Prevent accidental runtime secret exposure by stopping the bulk export of AWS Secrets Manager values into os.environ, which made all secrets readable via dynamic environment-variable lookups (including user-controlled keys) and allowed secret exfiltration.
Description
Change load_secrets_into_environ() in mercury/secrets.py to only prime the in-process cache via get_secrets() and remove the os.environ.update(...) behavior so secrets are not exported process-wide.
Add get_secret_or_env(key: str) in mercury/secrets.py that returns a fixed-key Secrets Manager value or falls back to os.environ.get(key) for local/CI usage, with a clear warning not to pass user-controlled keys.
Update the Lambda cold-start entry in lambdad.py to document that the cache is primed (and not exported into os.environ).
Replace ad-hoc os.environ/os.getenv lookups in Tavily-related actions and apps/composio_search with get_secret_or_env() for fixed-key API secrets, and update the ci_checks/lint_direct_env_access.py guidance to recommend get_secret_or_env().
Update tests/test_secrets.py to assert the new behavior (cache is primed, os.environ is unchanged, and get_secret_or_env() precedence semantics).
Testing
Ran lint/format checks with python -m ruff check and python -m ruff format --check on modified files, and they passed.
Ran python -m compileall on the changed modules, which succeeded without syntax errors.
Ran unit tests in tests/test_secrets.py; a direct python -m pytest tests/test_secrets.py initially failed in this container because boto3/botocore are not installed, so tests were executed with in-process stubs for boto3/botocore, after which pytest reported 19 passed.
Added a small runtime assertion that after load_secrets_into_environ() the secrets cache contains values while os.environ remains unchanged (verified in the repo test run).
@kaavee315checks…codex/fix-secrets-manager-exposure-vulnerability → master8 files · +83 −48updated 3d ago