core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
5f26313921
molecule-core/workspace-template
History
Molecule AI Backend Engineer 7584267a80 fix(security): address Security Auditor findings on audit-ledger (#651) 
- Replace == HMAC comparisons with hmac.compare_digest (Python) and
  hmac.Equal (Go) in ledger.py, verify.py, and audit.go to prevent
  timing oracle attacks (Fixes 1-6)
- Increase PBKDF2 iterations from 100K to 210K in both ledger.py and
  audit.go — must match for cross-language verification (Fix 7)
- Return chain_valid: null when offset > 0 (paginated views cannot
  verify a truncated chain; null means "not computed") (Fix 8)
- Remove module-level AUDIT_LEDGER_SALT attribute from ledger.py; read
  the secret exclusively from os.environ inside _get_hmac_key() so the
  salt is not exposed in the module namespace (Fix 9)
- Update tests: use monkeypatch.setenv/delenv instead of setattr on the
  removed AUDIT_LEDGER_SALT attribute; update testAuditKey helper to
  use 210K iterations; add TestAuditQuery_PaginatedOffsetReturnsNullChainValid
- Fix migration 028: workspace_id column type TEXT → UUID to match
  workspaces.id UUID primary key

All tests pass: 1043 pytest + 0 Go test failures.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 07:30:10 +00:00
..
adapters feat(adapters): add Google ADK runtime adapter (#542) 2026-04-17 00:08:17 +00:00
builtin_tools fix(security): hitl task-id ownership + wire fail_open_if_no_scanner in loader (closes #265, #268) 2026-04-15 21:18:52 -07:00
molecule_audit fix(security): address Security Auditor findings on audit-ledger (#651) 2026-04-17 07:30:10 +00:00
plugins_registry fix(plugins_registry): deduplicate handlers in _deep_merge_hooks() 2026-04-17 05:22:00 +00:00
policies initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
scripts fix(github): refresh installation token when TTL < 10 min (#547) (#567) 2026-04-17 00:47:03 +00:00
skill_loader fix(security): hitl task-id ownership + wire fail_open_if_no_scanner in loader (closes #265, #268) 2026-04-15 21:18:52 -07:00
tests fix(security): address Security Auditor findings on audit-ledger (#651) 2026-04-17 07:30:10 +00:00
a2a_cli.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
a2a_client.py fix(a2a): add missing Authorization header to delegation and message calls (#401) 2026-04-16 00:53:18 -07:00
a2a_executor.py fix: properly remove adapter subdirectories + move shared code to root 2026-04-16 04:59:13 -07:00
a2a_mcp_server.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
a2a_tools.py fix(a2a): add missing Authorization header to delegation and message calls (#401) 2026-04-16 00:53:18 -07:00
adapter_base.py fix: properly remove adapter subdirectories + move shared code to root 2026-04-16 04:59:13 -07:00
agent.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
build-all.sh chore: extract workspace runtime to PyPI + move adapter Dockerfiles to template repos 2026-04-16 04:33:10 -07:00
claude_sdk_executor.py fix(claude-sdk): #160 — probe CLI directly when SDK swallowed the real stderr 2026-04-15 11:50:55 -07:00
cli_executor.py feat(adapters): add gemini-cli runtime adapter (closes #332) (#379) 2026-04-15 23:30:00 -07:00
config.py fix(security): hitl task-id ownership + wire fail_open_if_no_scanner in loader (closes #265, #268) 2026-04-15 21:18:52 -07:00
consolidation.py fix(security): N1 — add auth headers to all platform calls in Python callers 2026-04-14 08:37:50 +00:00
coordinator.py fix: properly remove adapter subdirectories + move shared code to root 2026-04-16 04:59:13 -07:00
Dockerfile chore: extract workspace runtime to PyPI + move adapter Dockerfiles to template repos 2026-04-16 04:33:10 -07:00
entrypoint.sh fix(github): refresh installation token when TTL < 10 min (#547) (#567) 2026-04-17 00:47:03 +00:00
events.py fix(security): Cycle 5 — auth middleware, injection hardening, skill sandbox 2026-04-14 04:44:42 +00:00
executor_helpers.py fix(security): Cycle 5 — auth middleware, injection hardening, skill sandbox 2026-04-14 04:44:42 +00:00
heartbeat.py fix(security): N1 — add auth headers to all platform calls in Python callers 2026-04-14 08:37:50 +00:00
hermes_executor.py feat(hermes): expose reasoning mode for Hermes 4 via OpenAI-compat API (#496) 2026-04-16 20:38:45 +00:00
initial_prompt.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
main.py fix(security): /transcript endpoint fails closed when auth token missing (#328) 2026-04-15 21:17:37 -07:00
molecule_ai_status.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
platform_auth.py fix(security): H3 github_pat_ redaction + M4 atomic token write (audit cycle 10) 2026-04-14 09:34:27 +00:00
plugins.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
preflight.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
prompt.py fix: properly remove adapter subdirectories + move shared code to root 2026-04-16 04:59:13 -07:00
pytest.ini initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
requirements.txt feat: molecule-audit-ledger — HMAC-SHA256 immutable agent event log (#594) 2026-04-17 06:55:36 +00:00
shared_runtime.py fix: properly remove adapter subdirectories + move shared code to root 2026-04-16 04:59:13 -07:00
transcript_auth.py fix(security): /transcript endpoint fails closed when auth token missing (#328) 2026-04-15 21:17:37 -07:00
watcher.py fix(security): H1 — replace MD5 with SHA-256 in config/skill watchers 2026-04-14 07:52:07 +00:00