core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
c964210e88
molecule-core/platform/internal
History
Molecule AI QA Engineer c964210e88 test(supply-chain): TDD spec for plugin supply-chain hardening (#768) 
Adds platform/internal/plugins/supply_chain_test.go with 8 tests (7 from
the spec + 1 end-to-end combo) specifying both security controls.

Control 1 — SHA256 content integrity (tests 1-3 + end-to-end):
  Tests call VerifyManifestIntegrity(stagedDir string) error, which does
  NOT exist yet → 5 compile errors / build failure until supply_chain.go
  is written. Once stubbed to nil, SHA256Mismatch test fails at runtime.

  VerifyManifestIntegrity contract:
    - manifest.json absent → nil (backward compat)
    - manifest.json present, no sha256 field → nil (backward compat)
    - sha256 matches computed stagedDirDigest → nil
    - sha256 mismatch → error mentioning "sha256"

  stagedDirDigest algorithm (canonical, test + impl must agree):
    Walk all files except manifest.json, sorted by rel path,
    format each as "<rel>\x00<content>", concatenate, SHA256, hex.

Control 2 — Pinned-ref enforcement (tests 4-7):
  Tests call GithubResolver.Fetch with/without "#ref" fragment.
  Currently returns nil for bare refs → TestPluginInstall_UnpinnedRef_Rejected
  fails (GitRunner IS called; no "pinned ref" in error message).
  PLUGIN_ALLOW_UNPINNED=true escape hatch tested by test 7.

RED state summary (current):
  go test ./internal/plugins/... -v -run TestPluginInstall
  → build failed: 5× undefined: VerifyManifestIntegrity
  → (with no-op stub) 2 runtime failures:
       FAIL TestPluginInstall_SHA256Mismatch_AbortsInstall
       FAIL TestPluginInstall_UnpinnedRef_Rejected

Backend Engineer implementation checklist:
  [ ] Add supply_chain.go in package plugins with VerifyManifestIntegrity
  [ ] Add pinned-ref gate to GithubResolver.Fetch in github.go
  [ ] PLUGIN_ALLOW_UNPINNED=true check skips the gate
  [ ] All 8 tests GREEN before merge

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 16:41:32 +00:00
..
artifacts fix(platform): address security review findings on CF Artifacts (#641) 2026-04-17 06:39:47 +00:00
bundle initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
channels fix(security): cap discord error response body read at 4096 bytes 2026-04-17 10:46:09 +00:00
crypto initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
db fix(liveness): raise workspace TTL 60s → 180s to survive Opus synthesis (#386) 2026-04-16 00:05:45 -07:00
envx initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
events feat(platform): AG-UI compatible SSE endpoint for streaming agent events (#590) 2026-04-17 05:16:51 +00:00
handlers Merge pull request #692 from Molecule-AI/fix/issue-680-681-workspace-auth 2026-04-17 11:03:25 +00:00
metrics initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
middleware Merge pull request #629 from Molecule-AI/fix/issue-614-security-headers 2026-04-17 06:18:25 +00:00
models fix(gate-1): resolve merge conflicts with main 2026-04-17 06:27:14 +00:00
plugins test(supply-chain): TDD spec for plugin supply-chain hardening (#768) 2026-04-17 16:41:32 +00:00
provisioner fix: restore cp_provisioner.go updated for EC2 backend 2026-04-16 14:25:43 -07:00
registry fix(registry): allow ancestor↔descendant A2A so audit_summary can reach PM 2026-04-14 22:18:38 -07:00
router Merge pull request #692 from Molecule-AI/fix/issue-680-681-workspace-auth 2026-04-17 11:03:25 +00:00
scheduler fix(code-review): CanvasOrBearer fall-through, scheduler short(), activity spoof log + 6 new tests 2026-04-15 11:48:25 -07:00
supervised fix(platform): panic-recovering supervisor for every background goroutine (#92) 2026-04-14 20:34:18 -07:00
ws initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
wsauth fix(security): close WorkspaceAuth fail-open on non-existent workspace IDs (#318) 2026-04-15 21:02:29 -07:00