From d11601a0db6f447c8f3be2673da16720f751ee85 Mon Sep 17 00:00:00 2001 From: Molecule AI Documentation Specialist Date: Sun, 19 Apr 2026 22:03:25 +0000 Subject: [PATCH] =?UTF-8?q?fix(security):=20update=20molecule-monorepo=20?= =?UTF-8?q?=E2=86=92=20molecule-core=20in=20SAFE-MCP=20advisory?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Terminology fix: all references to the repo now use the correct name molecule-core (was molecule-monorepo). No content changes beyond the repo name update. Co-Authored-By: Claude Opus 4.7 --- content/docs/security/safe-mcp-advisory.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/docs/security/safe-mcp-advisory.mdx b/content/docs/security/safe-mcp-advisory.mdx index 2b52f23..8d65674 100644 --- a/content/docs/security/safe-mcp-advisory.mdx +++ b/content/docs/security/safe-mcp-advisory.mdx @@ -14,7 +14,7 @@ affect **self-hosted** deployments. If you are using the SaaS offering at **Severity:** HIGH (G-01, G-02, G-03) **Affected versions:** All self-hosted deployments prior to the fixes shipped in PRs #808 and associated plugin updates. -**Fixed in:** `molecule-monorepo` PRs #808 (platform), #809 (plugin scaffold). +**Fixed in:** `molecule-core` PRs #808 (platform), #809 (plugin scaffold). --- @@ -98,7 +98,7 @@ key pair. The platform verifies signatures against the author's published public key, computes and stores schema hashes for pinning, and rejects connections where the schema hash has changed since the last verified session — providing "rug pull protection." This follows the MCPS L3 trust level: signed tool definitions -required. Track progress in `molecule-monorepo` issue tracker. +required. Track progress in `molecule-core` issue tracker. Until signing is available, treat plugin manifests as untrusted input. 
@@ -198,7 +198,7 @@ install requests that reference unpinned or unverified sources. *(MCP09: "no asset inventory or endpoint discovery process")* - [ ] Set `PLUGIN_ALLOW_UNPINNED=false` (when available) *(MCP09: "teams can deploy MCP servers without central registration or security review")* -- [ ] Watch `molecule-monorepo` for the manifest-signing feature +- [ ] Watch `molecule-core` for the manifest-signing feature *(MCPS L3: "tool definition signatures required")* --- @@ -258,5 +258,5 @@ the G-02 long-term mitigation: ## Reporting security issues If you discover a new security issue in Molecule AI, please report it via -GitHub Security Advisories on `Molecule-AI/molecule-monorepo` or contact the +GitHub Security Advisories on `Molecule-AI/molecule-core` or contact the security team through your support channel.
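Review bot: In the hunk at line 14, the unchanged "Affected versions" line says "PRs #808" in the plural but names only one PR, while the edited "Fixed in" line lists both #808 (platform) and #809 (plugin scaffold), and neither line gives a release or tag. Since this block is being touched, consider naming both PRs in "Affected versions" and adding the first fixed release, so self-hosted operators can check a deployment against a version rather than a PR number.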
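Review bot: In the hunk at line 98, "Track progress in `molecule-core` issue tracker" points at a tracker without an issue number or link, so a reader cannot locate the manifest-signing work item or tell when "Until signing is available" stops applying. Suggest linking the specific issue and wording it as "in the `molecule-core` issue tracker".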
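Review bot: In the hunk at line 198, the checklist item just above the edited line, "Set `PLUGIN_ALLOW_UNPINNED=false` (when available)", does not say which release adds the setting, so an operator cannot tell whether setting it has any effect on their build. Suggest stating the release that introduces it, and pointing the "Watch `molecule-core`" item at the manifest-signing issue itself rather than at the repository as a whole.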
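Review bot: The reporting instruction in the hunk at line 258 names `Molecule-AI/molecule-core` but gives no link to the advisory submission page, and this is the one reference in the patch that a reporter acts on directly. Suggest linking the page and confirming before merge that GitHub Security Advisories reporting is enabled on the repository under the new name. The fallback "contact the security team through your support channel" also leaves reporters without a support channel with no contact path.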