security: delete MUSE_AGENT_KEY — no backward compat (HIGH-2)

MUSE_AGENT_KEY (PEM bytes in env var) is gone. Env vars expose key material in /proc/<pid>/environ and process listings. The only supported injection mechanism is MUSE_AGENT_KEY_FD.

Deleted: - tests/test_signing_hd_seed.py — entire file tested removed mechanisms (MUSE_AGENT_HD_SEED, MUSE_AGENT_KEY); 9 of 27 were already failing

Cleaned (no references remain in source or docs): - muse/cli/commands/sign.py — docstring now lists MUSE_AGENT_KEY_FD as step 1 - muse/core/keypair.py — removed stale env var mention from docstring - docs/agent-guide.md — updated injection description to fd-based - docs/agent-provenance.md — rewrote ephemeral key section + resolution order - tests/test_agent_key_fd.py — removed III5 warning test (no backward compat)

sha256:c31c80786c5a51a2332a31b0e67339e2f9e09ef1d65b9b849a9264570f6c2105 sha

sha256:6ec622eeddc8f5721ffbe2e933b7258870b47cc3e16e0cdf06684f1d36c0a5ef parent

sha256:64bcf98cf9e2b58b0e208782f02593b2fd2bf7d8a70fcfc24c141f4ad1526c9c snapshot

← Older Oldest on task/high2-remove-muse-agent-key

All commits

Newer → Latest on task/high2-remove-muse-agent-key

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:c31c80786c5a51a2332a31b0e67339e2f9e09ef1d65b9b849a9264570f6c2105 --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Bump BREAKING

Agent claude-code

Breaking

muse/cli/commands/sign.py

Signature Cryptographically verified

Snapshot

ID sha256:64bcf98cf9e2b58b0e208782f02593b2fd2bf7d8a70fcfc24c141f4ad1526c9c

Files 0

Browse tree at this commit →

Commit

SHA sha256:c31c80786c5a51a2332a31b0e67339e2f9e09ef1d65b9b849a9264570f6c2105

Parent

sha256:6ec622eeddc8f5721ffbe2e933b7258870b47cc3e16e0cdf06684f1d36c0a5ef

Branch task/high2-remove-muse-agent-key