Mass-sed across all 58 persona dirs in molecule-ai-org-template-molecule-dev.

Total: 158 files / 396 substitutions
- 389 gh → tea mappings (gh pr/issue/repo/run/auth → tea pr/issue/repo/action/login)
- 7 gh api → curl-via-API mappings
- All Molecule-AI/<repo> → molecule-ai/<repo> in --repo flags (Gitea slug case-sensitive)

Plus SHARED_RULES.md migration callout block + tea install snippet:
- Tea v0.9.2 install via wget (Q2 = B per orchestrator: per-job, not pre-baked into runner image)
- Authenticate using GITEA_TOKEN env var (gating on internal#44 workspace-bootstrap injection)
- Two known limitations called out:
  1. GITEA_TOKEN required for tea/curl auth (internal#44 pending)
  2. tea is per-job-installed; pre-bake parked for image-v2 work
- Cross-link to internal#45 for additions

Two manual edge cases:
- gh search code (no tea equivalent) → curl + tea repo clone + grep recipe
- URL with mixed-case Molecule-AI → lowercase molecule-ai (Gitea case-sensitive)

3 narrative GH_TOKEN references in SHARED_RULES.md intentionally preserved (describe an env var name, not commands).

Q1=A (mega-PR) per orchestrator dispatch 2026-05-07T09:50:08.

Refs: molecule-ai/internal#45, molecule-ai/internal#44 (GITEA_TOKEN dep)
IMPORTANT: Check the Molecule-AI/internal repo for the roadmap (PLAN.md), known issues (known-issues.md), and runbooks before starting work.
Recurring security audit. Be thorough and incremental.
-
SETUP:
  cd /workspace/repos/molecule-controlplane && git pull origin staging
  LAST_SHA=$(recall_memory "security-last-sha" 2>/dev/null || echo "HEAD~20")
  echo "Auditing range: $LAST_SHA..HEAD"
-
STATIC ANALYSIS — run on changed files:
  cd /workspace/repos/molecule-controlplane && npm audit 2>&1 | head -30
Check for known CVEs in dependencies.
-
TENANT ISOLATION SECURITY — critical checks:
a. Auth middleware: verify every route goes through tenant auth.
   grep -rnE "router\.(get|post|put|delete|patch)" --include="*.ts" src/ | grep -v middleware | grep -v test | head -20
   Any route registered without auth middleware is a P0.
b. Cross-tenant data access: verify all DB queries scope by tenant_id.
   grep -rnE "SELECT.*FROM|UPDATE.*SET|DELETE.*FROM" --include="*.ts" --include="*.js" src/ | grep -v tenant_id | grep -v test | grep -v migration | head -20
   Note: grep -v tenant_id only filters on the matched line; a query split across several lines still shows up here and must be read by hand.
c. Tenant header spoofing: verify tenant_id comes from the auth token, not from request headers.
d. Billing isolation: verify billing operations are scoped to the authenticated tenant.
-
SECRETS SCAN:
  cd /workspace/repos/molecule-controlplane
  grep -rniE "password|secret|token|api_key|stripe" --include="*.ts" --include="*.js" --exclude-dir=node_modules . | grep -v test | grep -v ".env" | head -30
  git log --all -p $LAST_SHA..HEAD | grep -iE "(password|secret|token|api_key)\s*[:=]" | grep -v test | head -20
-
MANUAL REVIEW — check changed files for:
- SQL injection: raw string concatenation in queries
- Missing auth on new endpoints
- Privilege escalation: admin-only routes accessible by tenant users
- Webhook signature verification: all incoming webhooks (Stripe, GitHub) must verify signatures
- Rate limiting: tenant-scoped rate limits on all write endpoints
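The route-registration and tenant_id checks from the tenant-isolation section and the SQL-injection item in the manual-review list above, done as a small scanner instead of grep pipelines; this is an added example, not part of this persona file or the controlplane repo. It assumes one router.<verb>("<path>", ...handlers) registration per line, that the tenant-auth middleware is named requireTenantAuth (a hypothetical name), and runs over a constructed TypeScript snippet.

```python
import re

# Assumed middleware name(s); adjust to what the code base actually uses.
AUTH_MIDDLEWARE = ("requireTenantAuth",)
# One router.<verb>("<path>", ...handlers) registration per line (assumption).
ROUTE_RE = re.compile(r"""router\.(get|post|put|delete|patch)\(\s*(['"`])([^'"`]+)\2(.*)$""")
# A SQL statement inside a '', "" or `` literal, captured up to the closing quote.
SQL_RE = re.compile(r"""(['"`])\s*(SELECT|UPDATE|DELETE)\b(.*?)\1""", re.I)


def audit_routes(src: str):
    """Return (line, VERB, path) for routes whose handler chain names no auth middleware."""
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        m = ROUTE_RE.search(line)
        if m and not any(mw in m.group(4) for mw in AUTH_MIDDLEWARE):
            findings.append((n, m.group(1).upper(), m.group(3)))
    return findings


def audit_queries(src: str):
    """Return (line, issue) for SQL literals with no tenant_id predicate, or with
    values interpolated/concatenated into the statement text (injection risk)."""
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        for m in SQL_RE.finditer(line):
            body = m.group(3)
            if "tenant_id" not in body.lower():
                findings.append((n, "no-tenant-scope"))
            if "${" in body or re.search(r"""['"]\s*\+""", line):
                findings.append((n, "string-interpolation"))
    return findings


# Constructed sample source (not taken from the real controlplane repo).
SAMPLE_TS = """\
import { Router } from "express";
const router = Router();
router.get("/tenants/:id/usage", requireTenantAuth, getUsage);
router.post("/billing/charge", chargeTenant);
router.delete("/admin/tenants/:id", requireTenantAuth, requireAdmin, deleteTenant);
const q1 = "SELECT * FROM invoices WHERE tenant_id = $1 AND id = $2";
const q2 = `SELECT * FROM invoices WHERE id = ${req.params.id}`;
const q3 = "UPDATE api_keys SET revoked = true WHERE id = $1";
"""

if __name__ == "__main__":
    for f in audit_routes(SAMPLE_TS):
        print("P0 unauthenticated route:", f)
    for f in audit_queries(SAMPLE_TS):
        print("query finding:", f)
```

Point it at real files by reading each changed *.ts file into a string; the same test/migration exclusions as the grep recipes still apply.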
-
OPEN-PR REVIEW:
  tea pr list --repo molecule-ai/molecule-controlplane --state open --output json --fields index,title --limit 10
(tea has no gh-style --json flag; --output/--fields select the format and columns.) For each open PR, fetch its diff (git fetch origin pull/<index>/head && git diff staging...FETCH_HEAD) and check for injection/auth-bypass/tenant-leak patterns.
-
RECORD commit SHA: commit_memory "security-last-sha" with current HEAD.
DELIVERABLE ROUTING (MANDATORY):
a. File GitHub issues for CRITICAL/HIGH findings.
b. delegate_task to team lead with summary.
c. If clean: report "clean, audited <SHA_RANGE>".
d. Save to memory "security-audit-latest".