molecule-ai/molecule-ai-workspace-runtime
38
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
c72fbfc9a4
molecule-ai-workspace-runtime/tests
History
Molecule AI Infra-Runtime-BE c72fbfc9a4 fix(builtin_tools/audit): fail-secure RBAC — read-only default when config unavailable 
Fixes #11 (CWE-285): get_workspace_roles() returned ["operator"] (full
delegate/approve/memory.write) when workspace config could not be loaded.
Changed to ["read-only"] — deny-by-default per Principle of Least
Privilege. Add regression tests in tests/test_audit.py.

Also includes:
- main.py: remove token prefix log (CWE-532) — issue #10/#17
- a2a_mcp_server.py: RBAC gate on sensitive MCP tools (CWE-862) — issue #12
- cli_executor.py: sanitize stderr in error logs (CWE-209) — issue #13
- tests/test_a2a_mcp_server.py: 5 new regression tests for MCP RBAC

Co-Authored-By: Infra-Runtime-BE <infra-runtime-be@molecule.ai>
2026-04-20 22:47:38 +00:00
..
conftest.py test: move sdk stubs to conftest.py (consistent across all test modules) 2026-04-16 11:15:45 -07:00
test_a2a_mcp_server.py fix(builtin_tools/audit): fail-secure RBAC — read-only default when config unavailable 2026-04-20 22:47:38 +00:00
test_audit.py fix(builtin_tools/audit): fail-secure RBAC — read-only default when config unavailable 2026-04-20 22:47:38 +00:00
test_imports.py fix: switch top-level from adapters import to absolute imports (#1) 2026-04-16 07:53:03 -07:00
test_session_resume_gate.py test: move sdk stubs to conftest.py (consistent across all test modules) 2026-04-16 11:15:45 -07:00