Hongming Wang
|
d8026347e5
|
chore: open-source restructure — rename dirs, remove internal files, scrub secrets
Renames:
- platform/ → workspace-server/ (Go module path stays as "platform" for
  external dep compat — will update after plugin module republish)
- workspace-template/ → workspace/
Removed (moved to separate repos or deleted):
- PLAN.md — internal roadmap (move to private project board)
- HANDOFF.md, AGENTS.md — one-time internal session docs
- .claude/ — gitignored entirely (local agent config)
- infra/cloudflare-worker/ → Molecule-AI/molecule-tenant-proxy
- org-templates/molecule-dev/ → standalone template repo
- .mcp-eval/ → molecule-mcp-server repo
- test-results/ — ephemeral, gitignored
Security scrubbing:
- Cloudflare account/zone/KV IDs → placeholders
- Real EC2 IPs → <EC2_IP> in all docs
- CF token prefix, Neon project ID, Fly app names → redacted
- Langfuse dev credentials → parameterized
- Personal runner username/machine name → generic
Community files:
- CONTRIBUTING.md — build, test, branch conventions
- CODE_OF_CONDUCT.md — Contributor Covenant 2.1
All Dockerfiles, CI workflows, docker-compose, railway.toml, render.yaml,
README, CLAUDE.md updated for new directory names.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
2026-04-18 00:24:44 -07:00 |
|
Molecule AI Security Auditor
|
857dd941d5
|
docs(security): SAFE-MCP audit report 2026-04-17 (issue #747)
Adds docs/security/safe-mcp-audit-2026-04-17.md — full SAFE-MCP ATT&CK
audit of @molecule-ai/mcp-server against 4 high-priority techniques:
SAFE-T1102 (Supply chain):
- NEW-003 HIGH: Unpinned npm MCP packages in .mcp.json (npx -y)
- VULN-003 HIGH: No manifest signing on GitHub plugin install
- VULN-004 HIGH: Floating plugin refs, no version pinning enforced
SAFE-T1201 (Prompt injection):
- VULN-002 HIGH: GLOBAL memory poisoning — delimiter spoofing gap
  (partial mitigation via #767 globalMemoryDelimiter confirmed)
- VULN-006 MEDIUM: No tool output sanitization in MCP server
SAFE-T1301 (Excessive permissions):
- NEW-002 MEDIUM: Default subprocess sandbox allows language=shell/bash
SAFE-T1401 (Secret exfiltration):
- NEW-001 MEDIUM: builtin_tools missing auth_headers() on A2A calls
- VULN-005 MEDIUM: GLOBAL memories readable by all workspaces
Confirmed fix: VULN-001 (X-Workspace-ID system-caller forge, #761) CLOSED.
Closes #747.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-04-17 18:54:08 +00:00 |
|