refactor: final surgical removal of hardcoded provider defaults and insecure HMAC fallback

2026-04-12 19:42:20 -04:00
parent bfe46003d1
commit 10a500c480
4 changed files with 37 additions and 33 deletions
--- a/literate/neurosymbolic.org
+++ b/literate/neurosymbolic.org
@@ -45,10 +45,10 @@ The harness maintains a neutral registry of backends. Skills (like the LLM Gatew
 #+end_src

 ** Provider Cascade
-Intelligence is often a matter of availability. The cascade defines the order in which backends are attempted. Skills can dynamically override this list to optimize for cost, speed, or privacy.
+The ordered list of backends to attempt for neural reasoning. This list is ~nil~ by default and must be populated by skills (e.g., the LLM Gateway or Token Accountant) during the harness boot sequence.

 #+begin_src lisp :tangle ../src/neuro.lisp
-(defvar *provider-cascade* '(:openrouter :gemini-api))
+(defvar *provider-cascade* nil)
 #+end_src

 ** Register Associative Backend
--- a/literate/protocol.org
+++ b/literate/protocol.org
@@ -66,13 +66,14 @@ The ~frame-message~ function prepares an outgoing Lisp string for transmission.
  (let ((len (length msg-string))
        (enforce-hmac (uiop:getenv "HARNESS_PROTOCOL_ENFORCE_HMAC")))
    (if (and enforce-hmac (string-equal enforce-hmac "true"))
-        (let* ((secret (or (uiop:getenv "HARNESS_PROTOCOL_HMAC_SECRET") "default-insecure-key"))
-               (key (ironclad:ascii-string-to-byte-array secret))
-               (hmac (ironclad:make-mac :hmac key :sha256))
-               (payload-bytes (ironclad:ascii-string-to-byte-array msg-string)))
-          (ironclad:update-mac hmac payload-bytes)
-          (let ((signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
-            (format nil "~(~6,'0x~)~a~a" len signature msg-string)))
+        (let ((secret (uiop:getenv "HARNESS_PROTOCOL_HMAC_SECRET")))
+          (unless secret (error "HARNESS_PROTOCOL_HMAC_SECRET is required when security is enabled."))
+          (let* ((key (ironclad:ascii-string-to-byte-array secret))
+                 (hmac (ironclad:make-mac :hmac key :sha256))
+                 (payload-bytes (ironclad:ascii-string-to-byte-array msg-string)))
+            (ironclad:update-mac hmac payload-bytes)
+            (let ((signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
+              (format nil "~(~6,'0x~)~a~a" len signature msg-string))))
        (format nil "~(~6,'0x~)~a" len msg-string))))
 #+end_src

@@ -100,14 +101,15 @@ Parsing is the high-security inverse of framing. This function acts as the final
        (error "Message length mismatch. Expected ~a, got ~a" expected-len (length actual-msg)))
      
      (when use-hmac
-        (let* ((secret (or (uiop:getenv "HARNESS_PROTOCOL_HMAC_SECRET") "default-insecure-key"))
-               (key (ironclad:ascii-string-to-byte-array secret))
-               (hmac (ironclad:make-mac :hmac key :sha256))
-               (payload-bytes (ironclad:ascii-string-to-byte-array actual-msg)))
-          (ironclad:update-mac hmac payload-bytes)
-          (let ((expected-signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
-            (unless (string-equal signature expected-signature)
-              (error "Harness Protocol Integrity Failure: HMAC mismatch")))))
+        (let ((secret (uiop:getenv "HARNESS_PROTOCOL_HMAC_SECRET")))
+          (unless secret (error "HARNESS_PROTOCOL_HMAC_SECRET is required when security is enabled."))
+          (let* ((key (ironclad:ascii-string-to-byte-array secret))
+                 (hmac (ironclad:make-mac :hmac key :sha256))
+                 (payload-bytes (ironclad:ascii-string-to-byte-array actual-msg)))
+            (ironclad:update-mac hmac payload-bytes)
+            (let ((expected-signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
+              (unless (string-equal signature expected-signature)
+                (error "Harness Protocol Integrity Failure: HMAC mismatch"))))))
      
      ;; SECURITY: Disable the reader's ability to execute code during parsing
      (let ((*read-eval* nil))
--- a/src/neuro.lisp
+++ b/src/neuro.lisp
@@ -2,7 +2,7 @@

 (defvar *neuro-backends* (make-hash-table :test 'equal))

-(defvar *provider-cascade* '(:openrouter :gemini-api))
+(defvar *provider-cascade* nil)

 (defun register-neuro-backend (name fn) (setf (gethash name *neuro-backends*) fn))

--- a/src/protocol.lisp
+++ b/src/protocol.lisp
@@ -13,13 +13,14 @@
  (let ((len (length msg-string))
        (enforce-hmac (uiop:getenv "HARNESS_PROTOCOL_ENFORCE_HMAC")))
    (if (and enforce-hmac (string-equal enforce-hmac "true"))
-        (let* ((secret (or (uiop:getenv "HARNESS_PROTOCOL_HMAC_SECRET") "default-insecure-key"))
-               (key (ironclad:ascii-string-to-byte-array secret))
-               (hmac (ironclad:make-mac :hmac key :sha256))
-               (payload-bytes (ironclad:ascii-string-to-byte-array msg-string)))
-          (ironclad:update-mac hmac payload-bytes)
-          (let ((signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
-            (format nil "~(~6,'0x~)~a~a" len signature msg-string)))
+        (let ((secret (uiop:getenv "HARNESS_PROTOCOL_HMAC_SECRET")))
+          (unless secret (error "HARNESS_PROTOCOL_HMAC_SECRET is required when security is enabled."))
+          (let* ((key (ironclad:ascii-string-to-byte-array secret))
+                 (hmac (ironclad:make-mac :hmac key :sha256))
+                 (payload-bytes (ironclad:ascii-string-to-byte-array msg-string)))
+            (ironclad:update-mac hmac payload-bytes)
+            (let ((signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
+              (format nil "~(~6,'0x~)~a~a" len signature msg-string))))
        (format nil "~(~6,'0x~)~a" len msg-string))))

 (defun parse-message (framed-string)
@@ -42,14 +43,15 @@
        (error "Message length mismatch. Expected ~a, got ~a" expected-len (length actual-msg)))
      
      (when use-hmac
-        (let* ((secret (or (uiop:getenv "HARNESS_PROTOCOL_HMAC_SECRET") "default-insecure-key"))
-               (key (ironclad:ascii-string-to-byte-array secret))
-               (hmac (ironclad:make-mac :hmac key :sha256))
-               (payload-bytes (ironclad:ascii-string-to-byte-array actual-msg)))
-          (ironclad:update-mac hmac payload-bytes)
-          (let ((expected-signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
-            (unless (string-equal signature expected-signature)
-              (error "Harness Protocol Integrity Failure: HMAC mismatch")))))
+        (let ((secret (uiop:getenv "HARNESS_PROTOCOL_HMAC_SECRET")))
+          (unless secret (error "HARNESS_PROTOCOL_HMAC_SECRET is required when security is enabled."))
+          (let* ((key (ironclad:ascii-string-to-byte-array secret))
+                 (hmac (ironclad:make-mac :hmac key :sha256))
+                 (payload-bytes (ironclad:ascii-string-to-byte-array actual-msg)))
+            (ironclad:update-mac hmac payload-bytes)
+            (let ((expected-signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
+              (unless (string-equal signature expected-signature)
+                (error "Harness Protocol Integrity Failure: HMAC mismatch"))))))
      
      ;; SECURITY: Disable the reader's ability to execute code during parsing
      (let ((*read-eval* nil))