Skip to content

fix: hide typed browser text in display surfaces#61453

Open
SnowMat wants to merge 1 commit into
NousResearch:mainfrom
SnowMat:fix/redact-browser-type-display
Open

fix: hide typed browser text in display surfaces#61453
SnowMat wants to merge 1 commit into
NousResearch:mainfrom
SnowMat:fix/redact-browser-type-display

Conversation

@SnowMat

@SnowMat SnowMat commented Jul 9, 2026

Copy link
Copy Markdown

Summary

  • Always hide browser_type.text from display-facing tool arguments and browser results.
  • Recursively redact credential-like argument keys and concealed field payloads before progress/log callbacks.
  • Update browser type redaction tests and run-agent callback tests to cover non-token-looking passwords, not just API-key regex matches.

Why

Gateway progress/status surfaces can be permanent chat messages. browser_type is often used for passwords or other form secrets that do not match token/API-key regexes, so regex-only redaction is insufficient.

Tests

  • uv run --with pytest --with pyyaml python -m pytest tests/agent/test_display.py tests/tools/test_browser_type_redaction.py tests/run_agent/test_run_agent.py::TestConcurrentToolExecution::test_sequential_browser_type_callbacks_hide_typed_text tests/run_agent/test_run_agent.py::TestConcurrentToolExecution::test_concurrent_browser_type_callbacks_hide_typed_text -o 'addopts=' -q

@alt-glitch alt-glitch added type/security Security vulnerability or hardening tool/browser Browser automation (CDP, Playwright) comp/agent Core agent runtime: loop, agent_init, prompt builder, context-compression, responses endpoint P3 Low — cosmetic, nice to have needs-repro Bug needs reproduction steps labels Jul 9, 2026

@tonydwb tonydwb left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Summary

Verdict: LGTM

What the PR Does

Hide typed browser text in display surfaces by adding additional secret redaction keywords.

Assessment

  • Adds clientsecret, newpassword, password to the display secret list alongside existing api_key, secret, token.
  • Clean security hardening.

Reviewed by Hermes Agent

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp/agent Core agent runtime: loop, agent_init, prompt builder, context-compression, responses endpoint needs-repro Bug needs reproduction steps P3 Low — cosmetic, nice to have tool/browser Browser automation (CDP, Playwright) type/security Security vulnerability or hardening

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants