molecule-ai-org-template-mo.../core-security/schedules/security-scan.md
documentation-specialist d7758fd11b
fix(personas): migrate gh CLI → tea (Gitea CLI) + curl-via-API (#45)
Mass-sed across all 58 persona dirs in molecule-ai-org-template-molecule-dev.

Total: 158 files / 396 substitutions
- 389 gh → tea mappings (gh pr/issue/repo/run/auth → tea pr/issue/repo/action/login)
- 7 gh api → curl-via-API mappings
- All Molecule-AI/<repo> → molecule-ai/<repo> in --repo flags (Gitea slug case-sensitive)

Plus SHARED_RULES.md migration callout block + tea install snippet:
- Tea v0.9.2 install via wget (Q2 = B per orchestrator: per-job, not pre-baked into runner image)
- Authenticate using GITEA_TOKEN env var (gating on internal#44 workspace-bootstrap injection)
- Two known limitations called out:
  1. GITEA_TOKEN required for tea/curl auth (internal#44 pending)
  2. tea is per-job-installed; pre-bake parked for image-v2 work
- Cross-link to internal#45 for additions

Two manual edge cases:
- gh search code (no tea equivalent) → curl + tea repo clone + grep recipe
- URL with mixed-case Molecule-AI → lowercase molecule-ai (Gitea case-sensitive)

3 narrative GH_TOKEN references in SHARED_RULES.md intentionally preserved
(describe an env var name, not commands).

Q1=A (mega-PR) per orchestrator dispatch 2026-05-07T09:50:08.

Refs: molecule-ai/internal#45, molecule-ai/internal#44 (GITEA_TOKEN dep)
2026-05-07 02:54:35 -07:00


IMPORTANT: Check Molecule-AI/internal repo for roadmap (PLAN.md), known issues (known-issues.md), runbooks before starting work.

Recurring security audit. Be thorough and incremental.

  1. SETUP:
     ```
     cd /workspace/repos/molecule-core && git pull origin staging
     LAST_SHA=$(recall_memory "security-last-sha" 2>/dev/null || echo "HEAD~20")
     echo "Auditing range: $LAST_SHA..HEAD"
     ```

  2. STATIC ANALYSIS — run on changed files (gosec and bandit scan the whole tree; triage their output against the files in `$LAST_SHA..HEAD` rather than re-reporting pre-existing findings):

     Go SAST:
     ```
     cd /workspace/repos/molecule-core/workspace-server && gosec ./... 2>&1 | head -50
     ```
     Python:
     ```
     cd /workspace/repos/molecule-core/workspace && bandit -r . 2>&1 | head -50
     ```
     CodeQL (if configured):
     ```
     curl -sS -H "Authorization: token ${GITEA_TOKEN}" \
       "https://git.moleculesai.app/api/v1/repos/molecule-ai/molecule-core/code-scanning/alerts" | jq '.[0:5]'
     ```
     `--jq` is a `gh api` flag, not a curl flag, so the response is piped to `jq` instead; the repo slug is lowercase because Gitea slugs are case-sensitive. `code-scanning/alerts` is the GitHub API path and Gitea's API does not provide it, so a 404 here means "not configured", not "no alerts"; record the step as skipped in that case.

  3. SECRETS SCAN — check for hardcoded credentials:
     ```
     cd /workspace/repos/molecule-core
     grep -rniE "(password|secret|token|api_key)[[:space:]]*[:=]" --include="*.go" --include="*.ts" --include="*.py" . \
       | grep -vE '_test\.go:|/tests?/|/vendor/' | head -30
     git log -p $LAST_SHA..HEAD | grep -iE "^\+.*(password|secret|token|api_key)[[:space:]]*[:=]" \
       | grep -vE '_test\.go|/tests?/' | head -20
     ```
     Any match outside of config structs / env-var reads is a CRITICAL finding. Keep `-E` (a bare `|` is a literal character in grep's default syntax), the `*.go`-style globs (`--include=".go"` would only match a file named exactly `.go`) and `[[:space:]]*` (so `token="..."` with no space still matches). Do not add `--all` to the `git log`: it adds every ref to the walk and defeats the `$LAST_SHA..HEAD` range. The `^\+` prefix limits the history scan to added lines, so a secret that was committed and later removed is still surfaced once, without re-reporting deletions. `head` truncates the output; if a list is cut off, rerun without it before concluding.

  4. MANUAL REVIEW — check changed files for:

    • SQL injection: raw string concatenation in queries (no parameterized queries)
    • Path traversal: user input in file paths without sanitization
    • Missing auth: new HTTP handlers without auth middleware
    • Command injection: os/exec or subprocess with user input
    • XSS: unescaped user input in HTML responses
    • Timing-safe comparisons: password/token checks must use constant-time compare
  5. AUTH BOUNDARY CHECK: Verify every new handler in platform/internal/handlers/ is registered behind the auth middleware. Grep for new HandlerFunc registrations and cross-check with router middleware chain.

  6. LIVE API CHECKS: CanCommunicate bypass, CORS headers (send a foreign Origin and confirm it is not reflected in Access-Control-Allow-Origin, especially alongside Access-Control-Allow-Credentials: true), rate limit enforcement (a burst above the documented limit must start returning 429). Tear down any DAST tooling after the checks complete.

  7. OPEN-PR REVIEW:
     ```
     tea pr list --repo molecule-ai/molecule-core --state open --output json --fields index,title --limit 10
     ```
     (`--json number,title,files` is `gh` syntax; tea takes `--output` and `--fields`, and the PR number is the `index` field.) For each open PR, fetch the diff from the API (`GET https://git.moleculesai.app/api/v1/repos/molecule-ai/molecule-core/pulls/<index>.diff` with the same `Authorization: token ${GITEA_TOKEN}` header as step 2) and check it for injection/exec/unsafe patterns.

  8. RECORD commit SHA: commit_memory "security-last-sha" with current HEAD.
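As an added example for steps 1 to 3, not part of this runbook or the molecule-core code, the script below runs the secrets scan as one range-scoped pass: it lists the source files touched in the audit range, applies a tighter credential pattern (key name, then `=`, `:` or Go's `:=`, then a quoted literal of at least 8 characters) so struct tags and bare identifiers stop matching, drops env-var reads as triage noise, and additionally scans only the lines added by commits in the range. The pattern, the noise filter and the Go sample file are assumptions made for the example; `LAST_SHA` is the value recorded in step 1.

```shell
#!/usr/bin/env bash
# Added example for steps 1-3 of the security-scan schedule. Not project code:
# the regex, the noise filter and the sample file below are assumptions.
set -u

# Candidate hardcoded credential: key name, then ':' or '=' (also Go's ':='), then a
# quoted literal of at least 8 characters. Struct tags and bare names do not match.
SECRET_PAT="(password|passwd|secret|api_?key|token)[[:space:]]*[:=]+[[:space:]]*[\"'][^\"']{8,}"
# Lines that read the value from the environment are configuration, not findings.
NOISE_PAT='Getenv|getenv|environ|process\.env'

# Print file:line:text for candidate secrets in the given files.
secret_hits() {
  grep -nHiE "$SECRET_PAT" "$@" | grep -vE "$NOISE_PAT" || true
}

# Number of candidate secrets in one file (used by the offline demo below).
count_hits() {
  secret_hits "$1" | wc -l | tr -d ' '
}

# Source files touched in the audit range, minus vendor and test code.
changed_source_files() {  # $1 = LAST_SHA
  git diff --name-only "$1..HEAD" -- '*.go' '*.ts' '*.py' \
    | grep -vE '(^|/)vendor/|_test\.go$|(^|/)tests?/' || true
}

# Live scan of the range: the current tree, then lines ADDED by commits in the range
# (so a secret that was committed and later removed is still reported once).
scan_range() {  # $1 = LAST_SHA
  changed_source_files "$1" | while IFS= read -r f; do
    [ -f "$f" ] && secret_hits "$f"
  done
  git log -p "$1..HEAD" | grep -iE "^\+.*$SECRET_PAT" | grep -vE "$NOISE_PAT" || true
}

# --- offline demo on a constructed Go file (not taken from the repository) ---
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
package config

import "os"

var apiToken = os.Getenv("API_TOKEN")            // env read: not a finding

type Creds struct {
    Password string `json:"password"`             // struct field: not a finding
}

const dbPassword = "hunter2-prod-2024"            // finding
var API_KEY = "sk-live-0123456789abcdef"          // finding

func connect() {
    token := "ghp_constructedexampletoken"        // finding
    use(token)
}
EOF
secret_hits "$sample"
```

From the repo root after step 1, `scan_range "$LAST_SHA"` produces the list to triage; the demo at the bottom reports the three literals and nothing for the `os.Getenv` line or the struct tag. The 8-character minimum is a noise trade-off: it hides one-word placeholders such as `"changeme"` only if they are shorter, so lower it when auditing test fixtures that are known to leak into production configs.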

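An added example for the cross-check in step 5, not code from the project: an awk heuristic that reports route registrations whose line does not name the auth middleware and whose receiver has not called `.Use(<middleware>)` earlier in the same file. The middleware name `requireAuth`, the `// public` allowlist comment and the gorilla-style sample routes file are assumptions; set `AUTH_MW` to whatever the router actually uses, and treat the output as a review list rather than a verdict.

```shell
#!/usr/bin/env bash
# Added example for step 5 (auth boundary check). Not project code: the middleware
# name, the "// public" allowlist marker and the sample routes file are assumptions.
set -u

AUTH_MW="${AUTH_MW:-requireAuth}"   # assumed middleware identifier; adjust to the project

# Reads Go source on stdin. A registration counts as guarded if its own line names the
# middleware, or if its receiver (e.g. a subrouter) called .Use(<middleware>) earlier.
# Registrations marked "// public" are an explicit allowlist and are skipped.
unguarded_registrations() {
  awk -v mw="$AUTH_MW" '
    function receiver(line,   a) { split(line, a, "."); gsub(/^[ \t]+/, "", a[1]); return a[1] }
    $0 ~ mw && /\.Use\(/ { guarded[receiver($0)] = 1; next }
    /\.(HandleFunc|Handle|Get|Post|Put|Delete|Patch)\("/ && $0 !~ mw && $0 !~ /\/\/ *public/ {
      if (!(receiver($0) in guarded)) print NR ": " $0
    }
  '
}

# Run the check over every handler file touched in the audit range ($1 = LAST_SHA).
# Whole files are scanned, not just added lines, so an earlier .Use() call is seen.
new_unguarded_registrations() {
  git diff --name-only "$1..HEAD" -- 'platform/internal/handlers/*.go' \
    | while IFS= read -r f; do
        [ -f "$f" ] && unguarded_registrations < "$f" | sed "s|^|$f:|"
      done
}

# --- offline demo on a constructed routes file (not taken from the repository) ---
routes=$(mktemp)
trap 'rm -f "$routes"' EXIT
cat > "$routes" <<'EOF'
package handlers

func RegisterRoutes(r *mux.Router) {
    r.HandleFunc("/healthz", healthz) // public
    r.Handle("/api/workspaces", requireAuth(http.HandlerFunc(listWorkspaces)))
    r.HandleFunc("/api/admin/users", listUsers)
    api := r.PathPrefix("/api/v2").Subrouter()
    api.Use(requireAuth)
    api.HandleFunc("/jobs", listJobs)
}
EOF
unguarded_registrations < "$routes"
```

Run `new_unguarded_registrations "$LAST_SHA"` from the repo root after step 1. In the demo only `/api/admin/users` is reported: `/healthz` is allowlisted, `/api/workspaces` is wrapped on its own line, and `/jobs` belongs to a subrouter that called `.Use(requireAuth)`. Middleware applied somewhere other than the routes file (for instance in the server constructor) will show up as false positives and needs a manual look, and a `.Use()` placed after the registrations is not credited, which for chi-style routers is itself a bug worth reporting.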
DELIVERABLE ROUTING (MANDATORY):
  a. File issues in Gitea (`tea issue create --repo molecule-ai/molecule-core`) for CRITICAL/HIGH findings.
  b. delegate_task to team lead with summary.
  c. If clean: report "clean, audited <SHA_RANGE>".
  d. Save to memory "security-audit-latest".
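Added example for the CORS and rate-limit parts of step 6; the CanCommunicate check is project-specific and not covered, and none of this is the project's own tooling. `cors_finding` judges a raw header block against a constructed attacker origin, so it can be exercised offline on the sample headers at the bottom; `probe_cors` and `probe_rate_limit` are the live wrappers and need a reachable URL and, for the second, the documented request limit.

```shell
#!/usr/bin/env bash
# Added example for step 6 (CORS and rate-limit probes). Not project code: the
# attacker origin and the sample header blocks are constructed for the example.
set -u

ATTACKER_ORIGIN="https://attacker.example"   # constructed origin that must never be allowed

# Reads raw HTTP response headers on stdin and prints one finding line, if any.
# Reflecting an arbitrary Origin is bad on its own; combined with credentials it lets
# any site make authenticated cross-origin calls with the victim's cookies.
cors_finding() {
  local hdrs acao acac origin
  hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
  acao=$(printf '%s\n' "$hdrs" | sed -n 's/^access-control-allow-origin:[[:space:]]*//p' | head -n 1)
  acac=$(printf '%s\n' "$hdrs" | sed -n 's/^access-control-allow-credentials:[[:space:]]*//p' | head -n 1)
  origin=$(printf '%s' "$ATTACKER_ORIGIN" | tr 'A-Z' 'a-z')
  if [ "$acao" = "$origin" ] && [ "$acac" = "true" ]; then
    echo "HIGH: reflects arbitrary Origin with credentials ($acao)"
  elif [ "$acao" = "$origin" ]; then
    echo "MEDIUM: reflects arbitrary Origin ($acao)"
  elif [ "$acao" = "*" ] && [ "$acac" = "true" ]; then
    echo "LOW: wildcard Origin with credentials (browsers refuse it; confirm the server's intent)"
  fi
  return 0
}

# Live probe: send the attacker Origin and judge the response headers.  $1 = URL
probe_cors() {
  curl -sS -o /dev/null -D - -H "Origin: $ATTACKER_ORIGIN" "$1" | cors_finding
}

# Live probe: fire $2 requests at $1 and report how many were rate limited (HTTP 429).
# Zero 429s across a burst larger than the documented limit means enforcement failed.
probe_rate_limit() {
  local i=0 limited=0 code
  while [ "$i" -lt "$2" ]; do
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$code" = "429" ] && limited=$((limited + 1))
    i=$((i + 1))
  done
  echo "$limited"
}

# --- offline demo on constructed header blocks (not captured from the service) ---
bad_headers() {
  printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://attacker.example\r\nAccess-Control-Allow-Credentials: true\r\n\r\n'
}
good_headers() {
  printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://app.example\r\nVary: Origin\r\n\r\n'
}
bad_headers | cors_finding
good_headers | cors_finding
```

Against the live service use `probe_cors "https://<host>/api/<endpoint>"` and `probe_rate_limit "https://<host>/api/<endpoint>" <burst>` with a burst above the documented limit; the demo prints the HIGH finding for the reflected-with-credentials block and nothing for the allowlisted one. Both probes are plain curl calls with nothing left running, so the teardown in step 6 only concerns any heavier DAST tooling started alongside them.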