rethink-public/envelope_authorizer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: surface a tampered capability flag as a clean error, not a traceback

Browse Source 
a tampered or foreign GCM capability flag raises cryptography's InvalidTag (subclasses Exception, not ValueError/RuntimeError), which escaped the CLI's catch tuple as a raw traceback on the authorize/verify paths. main() now catches InvalidTag and surfaces '[\xe2\x9c\x98] capability flag failed authentication — tampered or wrong DEK'. also corrected the stale CLAUDE.md storage note that still described the swallow-wrapped mongo methods instead of the fail-loud raw-collection path.

Signed-off-by: disqualifier <dev@disqualifier.me>
This commit is contained in:
disqualifier 2026-06-29 01:10:25 -04:00
parent 13bf77f0f4
commit eced5333d6
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/envelope_authorizer/cli.py
View File

@ -9,6 +9,8 @@ command loads config and resolves a storage backend first. expected failures
import argparse
import sys
from cryptography.exceptions import InvalidTag
from . import __version__
from .config import ConfigError, load_config
from .commands import CommandError, authorize, config_init, init, list_keys, revoke, verify
@ -88,6 +90,8 @@ def main() -> int:
storage = resolve(config)
handlers[args.cmd](config, storage, args)
return 0
except InvalidTag:
return _fail("capability flag failed authentication — tampered or wrong DEK")
except (ConfigError, CommandError, RuntimeError, ValueError, FileNotFoundError) as error:
return _fail(str(error))