core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
4ff45f8955
molecule-core/workspace-server/internal
History
Molecule AI Core Platform Lead 4ff45f8955 fix(registry): add always-blocked ranges to validateAgentURL (TEST-NET, CGNAT, multicast, fc00) 
The validateAgentURL function was missing several ranges from the always-
blocked list. In SaaS mode only link-local, loopback, and IPv6 metadata
were blocked — TEST-NET (192.0.2/24, 198.51.100/24, 203.0.113/24),
CGNAT (100.64.0.0/10), IPv4 multicast (224.0.0.0/4), and fc00::/8 (IPv6
ULA non-routable prefix) were allowed through.

These ranges are never valid agent URLs in any deployment:
- TEST-NET (RFC-5737): documentation-only, no real hosts
- CGNAT (RFC-6598): never used as VPC subnets on AWS/GCP/Azure
- IPv4 multicast: never a unicast agent endpoint
- fc00::/8: non-routable prefix (fd00::/8 stays allowed in SaaS mode)

Also tighten the non-SaaS ULA block: instead of blocking fc00::/7 (the
supernet covering both fc00 and fd00), split it into always-blocked
fc00::/8 (above) + non-SaaS-only fd00::/8. This makes the SaaS relaxation
explicit and auditable.

Fixes TestValidateAgentURL_SaaSMode_StillBlocksMetadataEtAl failure.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-24 16:54:23 +00:00
..
artifacts chore: sync staging to main — 1188 commits, 5 conflicts resolved (#1743) 2026-04-23 18:30:18 +00:00
bundle
channels chore: sync staging to main — 1188 commits, 5 conflicts resolved (#1743) 2026-04-23 18:30:18 +00:00
crypto
db
envx
events
handlers fix(registry): add always-blocked ranges to validateAgentURL (TEST-NET, CGNAT, multicast, fc00) 2026-04-24 16:54:23 +00:00
metrics
middleware test(middleware): add last_used_at ExpectExec for WorkspaceAuth org-token tests 2026-04-24 13:01:42 +00:00
models fix: CWE-78 rm scope, go vet failures, delegation idempotency 2026-04-21 18:22:30 +00:00
orgtoken fix: F1085 rm scope concat + GH#756 ValidateToken terminal guard + CI test fixes 2026-04-24 07:16:54 +00:00
plugins
provisioner Merge branch 'staging' into test/2026-04-23-regression-suite 2026-04-24 01:55:06 +00:00
registry
router fix(admin/a2a_queue): add drop-stale endpoint for post-incident queue cleanup 2026-04-24 02:08:35 +00:00
scheduler feat(scheduler): sweepPhantomBusy — clear stuck active_tasks from crashed runs (extracted from #1664) 2026-04-22 19:57:49 -07:00
supervised
ws
wsauth