refactor: final surgical removal of hardcoded provider defaults and insecure HMAC fallback

2026-04-12 19:42:20 -04:00
parent bfe46003d1
commit 10a500c480
4 changed files with 37 additions and 33 deletions
--- a/literate/protocol.org
+++ b/literate/protocol.org
@@ -66,13 +66,14 @@ The ~frame-message~ function prepares an outgoing Lisp string for transmission.
  (let ((len (length msg-string))
        (enforce-hmac (uiop:getenv "HARNESS_PROTOCOL_ENFORCE_HMAC")))
    (if (and enforce-hmac (string-equal enforce-hmac "true"))
-        (let* ((secret (or (uiop:getenv "HARNESS_PROTOCOL_HMAC_SECRET") "default-insecure-key"))
-               (key (ironclad:ascii-string-to-byte-array secret))
-               (hmac (ironclad:make-mac :hmac key :sha256))
-               (payload-bytes (ironclad:ascii-string-to-byte-array msg-string)))
-          (ironclad:update-mac hmac payload-bytes)
-          (let ((signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
-            (format nil "~(~6,'0x~)~a~a" len signature msg-string)))
+        (let ((secret (uiop:getenv "HARNESS_PROTOCOL_HMAC_SECRET")))
+          (unless secret (error "HARNESS_PROTOCOL_HMAC_SECRET is required when security is enabled."))
+          (let* ((key (ironclad:ascii-string-to-byte-array secret))
+                 (hmac (ironclad:make-mac :hmac key :sha256))
+                 (payload-bytes (ironclad:ascii-string-to-byte-array msg-string)))
+            (ironclad:update-mac hmac payload-bytes)
+            (let ((signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
+              (format nil "~(~6,'0x~)~a~a" len signature msg-string))))
        (format nil "~(~6,'0x~)~a" len msg-string))))
 #+end_src

@@ -100,14 +101,15 @@ Parsing is the high-security inverse of framing. This function acts as the final
        (error "Message length mismatch. Expected ~a, got ~a" expected-len (length actual-msg)))
      
      (when use-hmac
-        (let* ((secret (or (uiop:getenv "HARNESS_PROTOCOL_HMAC_SECRET") "default-insecure-key"))
-               (key (ironclad:ascii-string-to-byte-array secret))
-               (hmac (ironclad:make-mac :hmac key :sha256))
-               (payload-bytes (ironclad:ascii-string-to-byte-array actual-msg)))
-          (ironclad:update-mac hmac payload-bytes)
-          (let ((expected-signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
-            (unless (string-equal signature expected-signature)
-              (error "Harness Protocol Integrity Failure: HMAC mismatch")))))
+        (let ((secret (uiop:getenv "HARNESS_PROTOCOL_HMAC_SECRET")))
+          (unless secret (error "HARNESS_PROTOCOL_HMAC_SECRET is required when security is enabled."))
+          (let* ((key (ironclad:ascii-string-to-byte-array secret))
+                 (hmac (ironclad:make-mac :hmac key :sha256))
+                 (payload-bytes (ironclad:ascii-string-to-byte-array actual-msg)))
+            (ironclad:update-mac hmac payload-bytes)
+            (let ((expected-signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
+              (unless (string-equal signature expected-signature)
+                (error "Harness Protocol Integrity Failure: HMAC mismatch"))))))
      
      ;; SECURITY: Disable the reader's ability to execute code during parsing
      (let ((*read-eval* nil))