molecule-ai/docs
35
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): update molecule-monorepo → molecule-core in SAFE-MCP advisory

Browse Source 
Terminology fix: all references to the repo now use the correct name
molecule-core (was molecule-monorepo). No content changes beyond the
repo name update.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Molecule AI · documentation-specialist 2026-04-19 22:03:25 +00:00
parent 451a2cca1a
commit d11601a0db
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
content/docs/security/safe-mcp-advisory.mdx
View File

@ -14,7 +14,7 @@ affect **self-hosted** deployments. If you are using the SaaS offering at
**Severity:** HIGH (G-01, G-02, G-03)
**Affected versions:** All self-hosted deployments prior to the fixes shipped
in PRs #808 and associated plugin updates.
**Fixed in:** `molecule-monorepo` PRs #808 (platform), #809 (plugin scaffold).
**Fixed in:** `molecule-core` PRs #808 (platform), #809 (plugin scaffold).
---
@ -98,7 +98,7 @@ key pair. The platform verifies signatures against the author's published public
key, computes and stores schema hashes for pinning, and rejects connections where
the schema hash has changed since the last verified session — providing "rug pull
protection." This follows the MCPS L3 trust level: signed tool definitions
required. Track progress in `molecule-monorepo` issue tracker.
required. Track progress in `molecule-core` issue tracker.
Until signing is available, treat plugin manifests as untrusted input.
@ -198,7 +198,7 @@ install requests that reference unpinned or unverified sources.
*(MCP09: "no asset inventory or endpoint discovery process")*
- [ ] Set `PLUGIN_ALLOW_UNPINNED=false` (when available)
*(MCP09: "teams can deploy MCP servers without central registration or security review")*
- [ ] Watch `molecule-monorepo` for the manifest-signing feature
- [ ] Watch `molecule-core` for the manifest-signing feature
*(MCPS L3: "tool definition signatures required")*
---
@ -258,5 +258,5 @@ the G-02 long-term mitigation:
## Reporting security issues
If you discover a new security issue in Molecule AI, please report it via
GitHub Security Advisories on `Molecule-AI/molecule-monorepo` or contact the
GitHub Security Advisories on `Molecule-AI/molecule-core` or contact the
security team through your support channel.