fix(x402): inject agent upstream auth + close cross-namespace agent.ref gap#566
Open
bussyjd wants to merge 4 commits into
Open
fix(x402): inject agent upstream auth + close cross-namespace agent.ref gap#566bussyjd wants to merge 4 commits into
bussyjd wants to merge 4 commits into
Conversation
resolveAgentOffer accepted any ref.Namespace, while the verifier route source in PR #556 keys the hermes-api-server API_SERVER_KEY lookup off offer.Spec.Agent.Ref.Namespace. Combined with the cluster-wide openclaw-monetize-write ClusterRoleBinding, any principal holding the Hermes obol-agent SA token could publish a ServiceOffer in their own namespace referencing another tenant's Agent, causing the verifier to inject the victim's API_SERVER_KEY as upstream Authorization on a route under attacker-controlled path and payTo. Paying buyers would gain authenticated proxy access to the victim Hermes /api/* (chat, skills, sub-agent management, wallet ops). Fail-closed in the controller before any route is published or any bearer is resolved. The legitimate flow (mother creates offer in the agent's own namespace) is preserved. Flagged on PR #556 by @OisinKyne; not exploitable in today's single- mother layout, but lands ahead of sub-agent SA split / multi-mother marketplace mode.
This was referenced May 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Aggregates the two follow-up x402 agent fixes on top of v0.10.0-rc7 (already merged to main via #565).
What's included
1c990b3fix/agent-ref-namespace-confused-deputy)spec.agent.ref.namespace != metadata.namespaceat the controller boundary. Fail-closed, single-line invariant.f4bd11ffix/agent-seller-upstream-auth)Authorization: Bearer <API_SERVER_KEY>into agent-route upstream after x402 verification. Fixes 401 onobol sell agentpaid path.Both source PRs are closed in favour of this aggregate. Their full discussion threads live there and remain linked from the closing comments.
Review context (carried over from #556 + #564)
API_SERVER_KEYvalue to a buyer?" Full analysis in #556's comment thread — short version: literal-value leak is fine (UpstreamURLis controller-derived from in-cluster Hermes Service DNS; verifier proxies viahttputil.ReverseProxyand never echoesAuthorization), but the analysis surfaced a latent confused-deputy issue:resolveAgentOfferdidn't enforce thatspec.agent.ref.namespacematched the offer namespace, so a principal with namespace-scoped serviceoffers write could publish an offer pointingagent.refat another tenant's Agent, get the route published with the victim's bearer, and serve as an x402-gated proxy into the victim Hermes/api/*.serviceofferswrite, and it already has cluster-wide write over its children), but becomes exploitable the moment sub-agent SAs split out or multi-mother marketplace mode lands.Validation
go build ./...clean onrelease/v0.10.0-rc8.go vet ./...clean (pre-existingunsafe.Pointerwarnings ininternal/enclave/enclave_darwin.gounrelated to these changes).flows/release-smoke.shran 13/13 PASS onv0.10.0-rc7(the base of this branch) againstqwen36-deepon a Spark2 vLLM endpoint. The two follow-up commits don't change runtime payment plumbing — they only constrain controller acceptance — so the green smoke is the relevant gate.Test plan
go test ./internal/serviceoffercontroller/... ./internal/x402/... -count=1New regressions covered by #564's commit:
TestResolveAgentOffer_RejectsCrossNamespaceRef+serviceoffer_sourceroute-zero assertion when ref mismatches. Existing happy-path tests updated to setmetadata.namespaceso they exercise the post-guard codepath.