Skip to content

fix(sell): stop defaulting agent offer description to the internal objective#768

Merged
bussyjd merged 1 commit into
integration/v0.14.0-rc0from
fix/agent-description-leak
Jul 16, 2026
Merged

fix(sell): stop defaulting agent offer description to the internal objective#768
bussyjd merged 1 commit into
integration/v0.14.0-rc0from
fix/agent-description-leak

Conversation

@bussyjd

@bussyjd bussyjd commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Canary402 field report — issue 9 (⚠️ agent objectives leak into public descriptions)

obol sell agent defaulted spec.registration.description — published to the storefront catalog, skill.md and registration documents, regardless of --no-register — to the entire internal Agent objective, potentially exposing tool addresses and operational instructions.

Fix

The objective fallback is removed: an omitted --description now falls through to the controller's existing safe generic defaults (same behavior as sell http/sell mcp). The flag's usage text no longer documents the leaky default, and the CLI warns when registering without an explicit description. Description resolution is extracted into a small pure function so the non-propagation is directly unit-tested.

go build ./... && go test ./cmd/obol/... green.

Part of the Canary402 field-report sweep (6 PRs). Commit unsigned — batch re-sign before merge if required.

https://claude.ai/code/session_014YjPMViNrZ7zBVgUQzwEKk

…jective

sell_agent.go silently defaulted an omitted --description to agent.Objective
— free-text operator instructions that can contain wallet addresses and
tool endpoints — and wrote it unconditionally into
spec.registration.description, which is always published to the
storefront catalog, skill.md, OpenAPI doc, and (when enabled) the
ERC-8004 registration document, regardless of --no-register.

Remove the fallback so an empty --description now falls through to the
controller's existing safe generic default, matching sell http/sell mcp.
Also fixes the Usage text that documented the leaky default and warns
the operator when registration is enabled with no description set.

Addresses a Canary402 field report.

Claude-Session: https://claude.ai/code/session_014YjPMViNrZ7zBVgUQzwEKk
@bussyjd bussyjd merged commit 15e4bab into integration/v0.14.0-rc0 Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant