Molecule AI · core-security - Gitea: Git with a cup of tea

core-security approved molecule-ai/molecule-ai-workspace-template…#21

2026-06-22 04:09:39 +00:00

chore(runtime): bump .runtime-version to 0.3.45

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#13

2026-06-22 04:09:37 +00:00

chore(runtime): bump .runtime-version to 0.3.45

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#13

2026-06-22 04:09:35 +00:00

chore(runtime): bump .runtime-version to 0.3.45

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#39

2026-06-22 04:09:31 +00:00

chore(runtime): bump .runtime-version to 0.3.45

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#39

2026-06-22 04:09:29 +00:00

chore(runtime): bump .runtime-version to 0.3.45

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#129

2026-06-22 04:09:27 +00:00

chore(runtime): bump .runtime-version to 0.3.45

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#100

2026-06-22 04:09:25 +00:00

chore(runtime): bump .runtime-version to 0.3.45

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#114

2026-06-22 04:09:22 +00:00

chore(runtime): bump .runtime-version to 0.3.45

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#166

2026-06-22 04:09:19 +00:00

chore(runtime): bump .runtime-version to 0.3.45

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-runtime#160

2026-06-22 04:02:44 +00:00

fix(consumer-drift): stop runtime main going red on every release (propagate set + token-scope reconcile)

Security review: changes are CI-tooling only. No new secret handling; the import fallback reads a same-repo sibling file by file-relative path (no traversal/injection). The 403 soft-skip narrows to 401/403 only and degrades the ADVISORY reconcile, not the enforcing pin-drift check, so SSOT enforcement is preserved. Approve.

core-security approved molecule-ai/molecule-ai-workspace-template…#20

2026-06-22 03:47:08 +00:00

chore(runtime): bump .runtime-version to 0.3.44

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#12

2026-06-22 03:47:07 +00:00

chore(runtime): bump .runtime-version to 0.3.44

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#12

2026-06-22 03:47:05 +00:00

chore(runtime): bump .runtime-version to 0.3.44

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#38

2026-06-22 03:47:02 +00:00

chore(runtime): bump .runtime-version to 0.3.44

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#38

2026-06-22 03:47:01 +00:00

chore(runtime): bump .runtime-version to 0.3.44

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#98

2026-06-22 03:45:42 +00:00

chore(runtime): bump .runtime-version to 0.3.44

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-ai-workspace-template…#112

2026-06-22 03:45:41 +00:00

chore(runtime): bump .runtime-version to 0.3.44

Reviewed: one-line .runtime-version pin bump to the published SSOT tag. CI green.

core-security approved molecule-ai/molecule-core#3142

2026-06-22 03:15:54 +00:00

ci(governance): make qa-review + security-review + reserved-path-review merge-blocking (#3141)

Reviewed: SSOT allowlist add of qa-review/security-review/reserved-path-review + bp-required:pending #3141 directives. CI/all-required (the BP gate) green; the lint-continue-on-error-tracking red is pre-existing (stale mc#3140 ref in prune-stale-e2e-dns, not this diff). Fail-closed verified (target-variant starts red, flips on genuine non-author APPROVE; no deadlock). Ordering correct (allowlist merges before BP flip). LGTM — and we should dogfood it: get genuine pool review before merge.

core-security approved molecule-ai/molecule-core#3131

2026-06-22 02:40:27 +00:00

fix(csp): bake exact generated-image R2 host into tenant img-src pin (#3128 follow-up)

Reviewed: cosmetic finisher to the exact-host CSP tightening — removes the now-dead *.r2.cloudflarestorage.com wildcard from the canvas img-src literal (the ENFORCED exact-host pin already shipped via merged #890 on the Go side; browser enforces the intersection). img-src only; connect-src untouched. LGTM.

core-security approved molecule-ai/molecule-ai-workspace-template…#37

2026-06-22 01:24:23 +00:00

ci(ecr): auto-apply canonical image lifecycle policy on prod ECR push

Reviewed: additive post-push ensure-ecr-lifecycle step, fail-soft (never breaks publish), canonical policy SSOT, lints pass. Durable prod-ECR cost guard. LGTM.