Feature/secure credentials and auth fix#6800
Open
SyedaAnshrahGillani wants to merge 2 commits intoaden-hive:mainfrom
Open
Feature/secure credentials and auth fix#6800SyedaAnshrahGillani wants to merge 2 commits intoaden-hive:mainfrom
SyedaAnshrahGillani wants to merge 2 commits intoaden-hive:mainfrom
Conversation
- Implement secure, atomic file writing with restricted permissions (0o600) - Apply secure writing to all credential storage backends (EncryptedFileStorage, Claude, Antigravity, Codex) - Fix critical bug in antigravity_auth where stale OAuth state could cause incorrect logins - Ensure OAuth callback servers are properly closed after use to prevent resource leaks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR improves the security and robustness of credential management across the Hive ecosystem. It addresses a critical bug in the Antigravity OAuth flow where stale authentication states could persist between runs, ensures all sensitive credential files (Google, OpenAI, and Anthropic) are written atomically with restricted filesystem permissions (0o600), and prevents resource leaks by properly closing callback servers.
Type of Change
Related Issues
N/A
Changes Made
Enhanced atomic_write: Updated core/framework/utils/io.py to support an
optional chmod parameter, ensuring temporary files are secured before
being moved to their final destination.
Fixed Antigravity OAuth State: Modified core/antigravity_auth.py to reset
OAuthCallbackHandler state (auth code, state, error) at the start of
every callback wait. This prevents "instant failures" or security risks
from stale data in previous attempts.
Resource Management: Added try...finally blocks to ensure the HTTPServer
used for OAuth callbacks is always closed (server_close()), preventing
"Address already in use" errors on retries.
Restricted Permissions: Applied 0o600 permissions and atomic writes to
all credential storage backends:
Describe the tests you ran to verify your changes:
Manual testing performed: Verified through code analysis that the
enhanced atomic_write correctly applies chmod and that Antigravity now
resets its global handler state.
Self-review of all security-sensitive file operations.
Checklist
management bugs.