From d513a0ced549ef2be8903a7b4794256110ba1805 Mon Sep 17 00:00:00 2001
From: rabbitblood
Date: Mon, 20 Apr 2026 13:02:22 -0700
Subject: [PATCH 1/2] security: remove hardcoded API keys from post-rebuild-setup.sh
GitGuardian detected exposed MiniMax API key and GitHub PAT in the script's default values. Replaced with env var reads from .env file (which is gitignored). Script now validates required secrets exist before proceeding.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 scripts/post-rebuild-setup.sh | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/scripts/post-rebuild-setup.sh b/scripts/post-rebuild-setup.sh
index 2bff9e33..afa370e4 100644
--- a/scripts/post-rebuild-setup.sh
+++ b/scripts/post-rebuild-setup.sh
@@ -2,6 +2,11 @@
 # Post-rebuild setup — run after docker compose up -d --build
 # Inserts global secrets that the provisioner injects into every workspace container.
 # Without these, agents can't call MiniMax or push to GitHub.
+#
+# Required env vars (set in .env or export before running):
+# MINIMAX_API_KEY — MiniMax M2.7 API key
+# GITHUB_PAT — GitHub fine-grained PAT (366-day)
+# ADMIN_TOKEN — platform admin token
 set -euo pipefail
@@ -9,7 +14,25 @@ DB_CONTAINER="${DB_CONTAINER:-molecule-monorepo-postgres-1}"
 DB_USER="${DB_USER:-dev}"
 DB_NAME="${DB_NAME:-molecule}"
 PLATFORM_URL="${PLATFORM_URL:-http://127.0.0.1:8080}"
-ADMIN_TOKEN="${ADMIN_TOKEN:-HlgeMb8LjQLXg/B4y8hYzhbCQlg5LNu0oEa4IjShARE=}"
+
+# Source .env if it exists (picks up ADMIN_TOKEN, MINIMAX_API_KEY, GITHUB_PAT)
+if [ -f .env ]; then
+ set -a; source .env; set +a
+fi
+
+# Validate required secrets
+if [ -z "${MINIMAX_API_KEY:-}" ]; then
+ echo "ERROR: MINIMAX_API_KEY not set. Add to .env or export it."
+ exit 1
+fi
+if [ -z "${GITHUB_PAT:-}" ]; then
+ echo "ERROR: GITHUB_PAT not set. Add to .env or export it."
+ exit 1
+fi
+if [ -z "${ADMIN_TOKEN:-}" ]; then
+ echo "ERROR: ADMIN_TOKEN not set. Add to .env or export it."
+ exit 1
+fi
 echo "=== Waiting for platform health ==="
 until curl -s --max-time 5 "$PLATFORM_URL/health" >/dev/null 2>&1; do
@@ -22,12 +45,12 @@ echo "=== Inserting global secrets ==="
 docker exec "$DB_CONTAINER" psql -U "$DB_USER" -d "$DB_NAME" -c "
 INSERT INTO global_secrets (key, encrypted_value, encryption_version) VALUES ('ANTHROPIC_BASE_URL', 'https://api.minimax.io/anthropic', 0),
-('ANTHROPIC_AUTH_TOKEN', '${MINIMAX_API_KEY:-sk-cp-lHt-QFSyZwZxeo_fMbmLUX3VgHOwbKGMXUZb6PS2U15D3fqjDB2qPh1OVEzvfvWs9CgcrUpyU7C682uVT_8GBy9RFLaFzBcdLkKdVcPX4yj9UaXNTH82KVw}', 0),
+('ANTHROPIC_AUTH_TOKEN', '$MINIMAX_API_KEY', 0),
 ('ANTHROPIC_MODEL', 'MiniMax-M2.7', 0),
 ('ANTHROPIC_SMALL_FAST_MODEL', 'MiniMax-M2.7', 0),
 ('API_TIMEOUT_MS', '3000000', 0),
 ('CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC', '1', 0),
-('GITHUB_TOKEN', '${GITHUB_PAT:-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}', 0)
+('GITHUB_TOKEN', '$GITHUB_PAT', 0)
 ON CONFLICT (key) DO UPDATE SET encrypted_value = EXCLUDED.encrypted_value;
 "
 echo " 7 global secrets set"
From 488fde03a7287facd1693b1596e3fa22d1fa3dd7 Mon Sep 17 00:00:00 2001
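Review bot: The `.env` that `if [ -f .env ]; then` sources is resolved against the caller's working directory rather than the script's location, so invoking `scripts/post-rebuild-setup.sh` from anywhere except the directory holding `.env` silently skips the file and then dies at the validation block. Sourcing also runs the file as shell, and `set -a` exports every variable it defines into the environment of each child the script spawns (curl, docker), which is wider than the three names the header documents. Anchoring the lookup, `ENV_FILE="${ENV_FILE:-$(dirname "$0")/../.env}"` / `if [ -f "$ENV_FILE" ]; then` (assuming `.env` sits at the repo root next to the compose file — confirm), makes the behaviour independent of cwd; exporting just `MINIMAX_API_KEY GITHUB_PAT ADMIN_TOKEN` afterwards instead of `set -a` limits what child processes inherit. The three `-z "${VAR:-}"` checks are correct under `set -u` and fail fast as intended.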
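Review bot: `'$MINIMAX_API_KEY'` and `'$GITHUB_PAT'` are still spliced into the SQL text by the shell, so a value containing a single quote breaks the statement — the hardcoded fallbacks are gone, but the quoting flaw the removed lines had is carried over unchanged. The entire statement, both secrets included, is also handed to `psql -c` as one argument, so it may be visible in host process listings for the duration of the call. Feeding the SQL on stdin and binding the values as psql variables with `:'name'` quoting fixes the quoting and keeps the secrets out of the statement text (the `-v` values are still arguments, so `docker exec -e` plus `\set` inside psql would be the next step if argv exposure matters here). Because psql only stops on errors from stdin when `ON_ERROR_STOP` is set, that flag is needed to keep the fail-fast behaviour `-c` gave under `set -e`. `encryption_version` 0 alongside the raw key in `encrypted_value` reads as if these rows are stored unencrypted — worth confirming that is intended for `global_secrets`.
```shell
docker exec -i "$DB_CONTAINER" psql -U "$DB_USER" -d "$DB_NAME" \
  -v ON_ERROR_STOP=1 \
  -v minimax_key="$MINIMAX_API_KEY" -v github_pat="$GITHUB_PAT" <<'SQL'
INSERT INTO global_secrets (key, encrypted_value, encryption_version) VALUES
('ANTHROPIC_BASE_URL', 'https://api.minimax.io/anthropic', 0),
('ANTHROPIC_AUTH_TOKEN', :'minimax_key', 0),
-- … unchanged: ANTHROPIC_MODEL, ANTHROPIC_SMALL_FAST_MODEL, API_TIMEOUT_MS, CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC rows …
('GITHUB_TOKEN', :'github_pat', 0)
ON CONFLICT (key) DO UPDATE SET encrypted_value = EXCLUDED.encrypted_value;
SQL
```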
From: Hongming Wang
Date: Mon, 20 Apr 2026 13:14:56 -0700
Subject: [PATCH 2/2] fix(middleware): TenantGuard passes through /cp/* to CP proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Today's rollout of cp_proxy (PR #1095/1096) mounted /cp/* as a reverse-proxy to the control plane, but the TenantGuard middleware runs first in the global chain and 404s anything that isn't in its exact-path allowlist (/health + /metrics). Every /cp/auth/me fetch from canvas landed on a 40µs 404 before ever reaching the proxy. /cp/* is handled upstream (WorkOS session + admin bearer), so the tenant doesn't need to attach org identity for those paths. Passing them through is correct — matches the design where the tenant platform is a pure transit layer for /cp/*. Verified: /cp/auth/me via tunnel now returns 401 (correct unauth from CP) instead of 404 from TenantGuard.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 workspace-server/internal/middleware/tenant_guard.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/workspace-server/internal/middleware/tenant_guard.go b/workspace-server/internal/middleware/tenant_guard.go
index 78309bba..6692c5c3 100644
--- a/workspace-server/internal/middleware/tenant_guard.go
+++ b/workspace-server/internal/middleware/tenant_guard.go
@@ -67,6 +67,15 @@ func TenantGuardWithOrgID(configuredOrgID string) gin.HandlerFunc {
 c.Next()
 return
 }
+ // /cp/* is reverse-proxied to the control plane. The CP has its
+ // own auth (WorkOS session cookie + admin bearer) so the tenant
+ // doesn't need to attach org identity here. Bypassing the guard
+ // avoids blocking the proxy with a 404 that would then look
+ // like the CP is down.
+ if strings.HasPrefix(c.Request.URL.Path, "/cp/") {
+ c.Next()
+ return
+ }
 // Primary: explicit X-Molecule-Org-Id header (direct access path,
 // e.g. from molecli or internal tooling that sets it directly).
 if c.GetHeader(tenantOrgIDHeader) == configuredOrgID {
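Review bot: The new exemption at `strings.HasPrefix(c.Request.URL.Path, "/cp/")` tests the path as received, before any normalization, so the guard's decision and the router's later reading of the same path (dot segments, doubled slashes) can diverge; whether such a request can land on a non-/cp route depends on gin's `RedirectFixedPath`/`RemoveExtraSlash` configuration, which is outside this hunk. Cleaning first keeps the two in step: `cleaned := path.Clean(c.Request.URL.Path)` / `if cleaned == "/cp" || strings.HasPrefix(cleaned, "/cp/") {` — the `== "/cp"` clause keeps `/cp/` exempt as it is now, since `path.Clean` strips the trailing slash, and `path` would need importing. This also moves the guard from an exact-path allowlist (/health, /metrics per the commit message) to a prefix allowlist, which deserves a unit test asserting `/cp/auth/me` passes through while `/cpx` and `/api/cp/` do not. The comment asserts that the control plane enforces its own auth; that is a property of another service, so a pointer to where it is enforced (or to the cp_proxy PR) would help the next reader verify the assumption. TenantGuardWithOrgID starts before and continues after this hunk.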