molecule-core

History

molecule-ai[bot] 19b4dffd65 fix(security): reject X-Workspace-ID system-caller prefix forgery (#761 ) Added an early guard in ProxyA2A() that rejects HTTP requests whose X-Workspace-ID header passes isSystemCaller() with 403 Forbidden. Legitimate system callers (webhooks, scheduler, restart_context) call proxyA2ARequest() directly via ProxyA2ARequest() and never send HTTP headers with system-caller prefixes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>		2026-04-17 16:15:47 +00:00
..
cmd/server	feat(platform): wire github-app-auth plugin for per-installation tokens	2026-04-16 12:52:20 -07:00
internal	fix(security): reject X-Workspace-ID system-caller prefix forgery (#761 )	2026-04-17 16:15:47 +00:00
migrations	fix(migrations): TEXT→UUID in 028_workspace_artifacts — unblocks all E2E CI	2026-04-17 02:48:08 -07:00
pkg/provisionhook	fix(github): refresh installation token when TTL < 10 min (#547 ) (#567 )	2026-04-17 00:47:03 +00:00
Dockerfile	fix: address all code review findings + remove exposed secrets	2026-04-16 05:05:49 -07:00
Dockerfile.tenant	fix: address all code review findings + remove exposed secrets	2026-04-16 05:05:49 -07:00
entrypoint-tenant.sh	feat(platform): auto-detect SaaS tenant → control plane provisioner	2026-04-16 11:50:52 -07:00
go.mod	feat(platform): wire github-app-auth plugin for per-installation tokens	2026-04-16 12:52:20 -07:00
go.sum	feat(platform): wire github-app-auth plugin for per-installation tokens	2026-04-16 12:52:20 -07:00