core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
7d1a189f2e
molecule-core/workspace-server
History
Molecule AI Infra-SRE 7d1a189f2e fix(mcp): scrub err.Error() from JSON-RPC error messages (OFFSEC-001) 
Replace all three err.Error() leaks in mcp.go with constant strings,
consistent with the same fix applied to 22 other files in PRs #1193/1206/1219/#168.

- Call handler (line ~329): "parse error: " + err.Error() → "parse error"
- dispatchRPC params unmarshal (line ~417): "invalid params: " + err.Error()
  → "invalid parameters"
- dispatchRPC tool call (line ~422): err.Error() → "tool call failed"
  + log.Printf server-side for forensics

Routes protected by WorkspaceAuth (C1) and MCPRateLimiter (C2) — this is
defence-in-depth per OFFSEC-001 / #259.

Tests added:
- TestMCPHandler_Call_MalformedJSON_ReturnsConstantParseError
- TestMCPHandler_dispatchRPC_InvalidParams_ReturnsConstantMessage
- TestMCPHandler_dispatchRPC_UnknownTool_ReturnsConstantMessage
- TestMCPHandler_dispatchRPC_InvalidParams_ArrayInsteadOfObject

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-10 09:01:51 +00:00
..
cmd docs(runbook): add admin-auth.md covering test-token route lockdown 2026-05-10 02:20:30 +00:00
internal fix(mcp): scrub err.Error() from JSON-RPC error messages (OFFSEC-001) 2026-05-10 09:01:51 +00:00
migrations feat(plugins): plugin drift detector + queue + admin apply endpoint (#123) 2026-05-10 00:39:50 +00:00
pkg/provisionhook feat(#1957): wire gh-identity plugin into workspace-server 2026-04-24 15:01:41 +00:00
.air.toml feat(local-dev): air-based hot-reload for workspace-server 2026-05-08 08:10:50 -07:00
.ci-force chore: force Platform(Go) CI run on main — validate go vet clean 2026-04-21 15:43:19 +00:00
.gitignore feat(local-dev): containerize platform + canvas stack via docker-compose (closes #126) 2026-05-08 10:53:39 -07:00
.golangci.yaml chore(workspace-server): add golangci.yaml disabling errcheck 2026-04-24 07:16:54 +00:00
Dockerfile ci(docker): pin base image digests in all Dockerfiles 2026-05-09 23:56:39 +00:00
Dockerfile.dev ci(docker): pin base image digests in all Dockerfiles 2026-05-09 23:56:39 +00:00
Dockerfile.tenant fix(dockerfile-tenant): chown /org-templates to canvas user so !external resolver can mkdir cache 2026-05-09 19:40:52 -07:00
entrypoint-tenant.sh fix(memory-plugin): gate sidecar spawn on cutover-active 2026-05-05 12:39:03 -07:00
go.mod fix(deps): migrate gh-identity from GitHub to Gitea module path 2026-05-09 22:50:45 +00:00
go.sum chore: drop github-app-auth + swap GHCR→ECR (closes #157, #161) 2026-05-07 07:48:51 -07:00