chore(template): Security Auditor DAST must clean up its own test artifacts

Follow-up to root-cause analysis in #17 (see 2026-04-14 02:14 UTC comment). The Security Auditor's hourly DAST was creating test workspaces, secrets, and plugins to probe auth/validation logic — but only secrets and plugins had teardown in the prompt. Workspace-create probes leaked rows into `workspaces` with sequential IDs aaaaaaaa- bbbbbbbb- cccccccc- dddddddd-, each trapped in a restart loop on missing config.yaml. Four hourly runs, four leaked workspaces. Adds explicit step 4a: DAST TEARDOWN. Maintains three lists (workspaces, secrets, plugins) populated as probes run, and iterates them at the end with DELETE calls. Uses `|| true` so partial teardown failures don't break the audit, but every created artifact gets a cleanup attempt. Doesn't remove the cleanup the cron was already doing for secrets/plugins — just formalises the pattern so workspace-create (and any future probe surface) is covered by the same contract. Related: - #17 — rogue workspace restart loop (root cause was this) - #26 — audit cron routing (this PR sits alongside that structure)
2026-04-13 22:05:06 -07:00 · 2026-04-13 22:05:06 -07:00 · 4f9f08b76b
commit 4f9f08b76b
parent 684d62cb43
1 changed files with 28 additions and 0 deletions
--- a/org-templates/molecule-dev/org.yaml
+++ b/org-templates/molecule-dev/org.yaml
@ -250,6 +250,34 @@ workspaces:
                     - CORS: verify Access-Control-Allow-Origin on a cross-origin request
                     - Rate limit headers on /health

+                  4a. DAST TEARDOWN (MANDATORY — prevents test-artifact leak into prod DB):
+                      Any workspace, secret, or plugin you CREATE during this audit must be
+                      DELETED before this step exits. Maintain three lists as you go:
+
+                        TESTS_WORKSPACES=""   # workspace IDs you POSTed
+                        TESTS_SECRETS=""      # secret keys you set
+                        TESTS_PLUGINS=""      # "<ws_id>:<plugin_name>" pairs
+
+                      At the end of step 4, iterate each list and DELETE — even if the audit
+                      aborts, the teardown block must run:
+
+                        for ws_id in $TESTS_WORKSPACES; do
+                          curl -s -X DELETE "http://host.docker.internal:8080/workspaces/$ws_id" \
+                            -H "Authorization: Bearer $WORKSPACE_AUTH_TOKEN" > /dev/null || true
+                        done
+                        for key in $TESTS_SECRETS; do
+                          curl -s -X DELETE "http://host.docker.internal:8080/admin/secrets/$key" > /dev/null || true
+                        done
+                        for pair in $TESTS_PLUGINS; do
+                          ws="${pair%:*}"; pl="${pair#*:}"
+                          curl -s -X DELETE "http://host.docker.internal:8080/workspaces/$ws/plugins/$pl" > /dev/null || true
+                        done
+
+                      Prior incident (#17): repeated DAST runs leaked 4 workspaces
+                      (aaaaaaaa-/bbbbbbbb-/cccccccc-/dddddddd-) into the live DB, each trapped
+                      in a restart loop on missing config.yaml. This teardown step prevents
+                      that class of leak regardless of which specific probes you run.
+
                  5. SECRETS SCAN: last 20 commits grepped for token patterns
                     (sk-ant, sk-or, api_key= etc.) excluding test files.