molecule-ai/molecule-core
49
0
Fork 2
Code Issues 146 Pull Requests 159 Actions 5 Packages Projects Releases Wiki Activity

feat(security): RFC#523 3-layer forbidden-env guardrail for tenant workspaces (task #146) #1555

Merged
hongming merged 1 commits from feat/146-forbidden-env-guard into main 2026-05-19 01:57:31 +00:00
Conversation 2 Commits 1 Files Changed 6
+731
core-security commented 2026-05-19 01:22:38 +00:00
Member
Copy Link
Copy Source

Summary

Implements RFC#523 (internal#523) — task #146. Refuse to start a tenant workspace if any operator-fleet-scope env var name is present.

Threat model: a leaked GITEA_TOKEN / CP_ADMIN_API_TOKEN / RAILWAY_TOKEN / INFISICAL_OPERATOR_TOKEN / MOLECULE_OPERATOR_* in a tenant container would let a compromised agent escalate from "compromise of one workspace" to "compromise of the whole platform."

3-layer defense-in-depth

L1 — provisioner-side fail-closed abort (Go)

  • New workspace_provision_forbidden_env.go + hook in prepareProvisionContext
  • Runs immediately after loadWorkspaceSecrets, BEFORE per-agent applyAgentGitHTTPCreds (which legitimately sets a fallback GITEA_TOKEN)
  • Catches leaks from operator-controlled stores: global_secrets, workspace_secrets
  • Existing forensic #145 silent-strip in provisioner.buildContainerEnv stays as defense-in-depth

L2 — workspace/entrypoint.sh top-of-file env-grep

  • POSIX-portable (works on busybox/alpine/debian/macOS-test)
  • exit 1 with explicit error naming the offending keys
  • MOLECULE_TENANT_GUARD_DISABLE=1 escape hatch for local-dev (NEVER in tenant containers)

L3 — .gitea/workflows/lint-forbidden-env-keys.yml

  • Scans workspace-server/internal/**.go for new code hardcoding a forbidden env-var name
  • Exempts deny-set definitions + pre-existing persona-fallback paths (downstream silent-strip + new L1 already cover the runtime risk)

Open-source-template compatibility

Deny set lives in Go and YAML constants — NOT hardcoded in any open-source template's start.sh. Per memory feedback_open_source_templates_no_hardcoded_org_internals, templates published as separate repos (template-codex / template-hermes / template-openclaw) get their L2 in follow-up template PRs with a fork-friendly default deny set (no MOLECULE_-specific literal). The MOLECULE_OPERATOR_ prefix appears only in the internal claude-code template's entrypoint.sh here.

Test plan

  • L1 unit tests (go test):
    • TestIsForbiddenTenantEnvKey_ExactMatches — 25 cases (all 16 forbidden + 9 allowed)
    • TestIsForbiddenTenantEnvKey_PrefixMatches — 8 cases (4 MOLECULE_OPERATOR_*, 4 adjacent-allowed)
    • TestFindForbiddenTenantEnvKeys_NoneAndEmpty
    • TestFindForbiddenTenantEnvKeys_SingleAndMultipleSorted
    • TestFormatForbiddenTenantEnvError_Phrasing — singular vs plural
  • L2 shell test (workspace/tests/test_entrypoint_forbidden_env_guard.sh): 12 cases — clean / per-agent-vars-pass / 5 forbidden-blocks / 2 MOLECULE_OPERATOR_* blocks / 2 adjacent-pass / disable-flag-bypass
  • L3 verified locally: current tree passes; synthetic offender (envVars["GITEA_TOKEN"] = "x") is caught
  • CI green on this PR
  • (Follow-up E2E in staging per RFC#523 §Acceptance) provision with GITEA_TOKEN in payload → 4xx with forbidden_env_keys extra
  • (Follow-up E2E) docker run -e GITEA_TOKEN=foo <image> → exit 1 within 5s

Refs

Out of scope (per RFC#523)

  • Value-shaped (40-byte hex) leak detection — separate secret-scan workflow
  • Per-tenant Infisical scoping — already done (reference_prod_team_infisical_identities)
  • L2 add to external open-source templates (template-codex / template-hermes / template-openclaw) — follow-up PRs in those repos

🤖 Generated with Claude Code

## Summary Implements RFC#523 (internal#523) — task #146. Refuse to start a tenant workspace if any operator-fleet-scope env var name is present. Threat model: a leaked `GITEA_TOKEN` / `CP_ADMIN_API_TOKEN` / `RAILWAY_TOKEN` / `INFISICAL_OPERATOR_TOKEN` / `MOLECULE_OPERATOR_*` in a tenant container would let a compromised agent escalate from "compromise of one workspace" to "compromise of the whole platform." ## 3-layer defense-in-depth **L1 — provisioner-side fail-closed abort (Go)** - New `workspace_provision_forbidden_env.go` + hook in `prepareProvisionContext` - Runs immediately after `loadWorkspaceSecrets`, BEFORE per-agent `applyAgentGitHTTPCreds` (which legitimately sets a fallback `GITEA_TOKEN`) - Catches leaks from operator-controlled stores: `global_secrets`, `workspace_secrets` - Existing forensic #145 silent-strip in `provisioner.buildContainerEnv` stays as defense-in-depth **L2 — `workspace/entrypoint.sh` top-of-file env-grep** - POSIX-portable (works on busybox/alpine/debian/macOS-test) - `exit 1` with explicit error naming the offending keys - `MOLECULE_TENANT_GUARD_DISABLE=1` escape hatch for local-dev (NEVER in tenant containers) **L3 — `.gitea/workflows/lint-forbidden-env-keys.yml`** - Scans `workspace-server/internal/**.go` for new code hardcoding a forbidden env-var name - Exempts deny-set definitions + pre-existing persona-fallback paths (downstream silent-strip + new L1 already cover the runtime risk) ## Open-source-template compatibility Deny set lives in Go and YAML constants — NOT hardcoded in any open-source template's `start.sh`. Per memory `feedback_open_source_templates_no_hardcoded_org_internals`, templates published as separate repos (template-codex / template-hermes / template-openclaw) get their L2 in follow-up template PRs with a fork-friendly default deny set (no `MOLECULE_`-specific literal). The `MOLECULE_OPERATOR_` prefix appears only in the **internal** claude-code template's `entrypoint.sh` here. ## Test plan - [x] L1 unit tests (go test): - `TestIsForbiddenTenantEnvKey_ExactMatches` — 25 cases (all 16 forbidden + 9 allowed) - `TestIsForbiddenTenantEnvKey_PrefixMatches` — 8 cases (4 MOLECULE_OPERATOR_*, 4 adjacent-allowed) - `TestFindForbiddenTenantEnvKeys_NoneAndEmpty` - `TestFindForbiddenTenantEnvKeys_SingleAndMultipleSorted` - `TestFormatForbiddenTenantEnvError_Phrasing` — singular vs plural - [x] L2 shell test (`workspace/tests/test_entrypoint_forbidden_env_guard.sh`): 12 cases — clean / per-agent-vars-pass / 5 forbidden-blocks / 2 MOLECULE_OPERATOR_* blocks / 2 adjacent-pass / disable-flag-bypass - [x] L3 verified locally: current tree passes; synthetic offender (`envVars["GITEA_TOKEN"] = "x"`) is caught - [ ] CI green on this PR - [ ] (Follow-up E2E in staging per RFC#523 §Acceptance) provision with `GITEA_TOKEN` in payload → 4xx with `forbidden_env_keys` extra - [ ] (Follow-up E2E) `docker run -e GITEA_TOKEN=foo <image>` → exit 1 within 5s ## Refs - RFC#523 / internal#523 - Task #146 - Memory `feedback_passwords_in_chat_are_burned` - Memory `feedback_per_agent_gitea_identity_default` - Memory `feedback_open_source_templates_no_hardcoded_org_internals` - Memory `feedback_check_vendor_docs_and_actual_source_before_guess_api_shape` (verified POSIX `env` semantics + Go `os.Environ` / map contract before writing) ## Out of scope (per RFC#523) - Value-shaped (40-byte hex) leak detection — separate secret-scan workflow - Per-tenant Infisical scoping — already done (`reference_prod_team_infisical_identities`) - L2 add to external open-source templates (template-codex / template-hermes / template-openclaw) — follow-up PRs in those repos 🤖 Generated with [Claude Code](https://claude.com/claude-code)
core-security added 1 commit 2026-05-19 01:22:39 +00:00
feat(security): RFC#523 3-layer forbidden-env guardrail for tenant workspaces (task #146)
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
Details
CI / Detect changes (pull_request) Successful in 7s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 11s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 8s
Details
E2E Chat / detect-changes (pull_request) Successful in 12s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 9s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 12s
Details
Harness Replays / detect-changes (pull_request) Successful in 7s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 9s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 6s
Details
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m14s
Details
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m18s
Details
CI / Platform (Go) (pull_request) Successful in 5m6s
Details
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m7s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m3s
Details
publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped
Details
publish-runtime-autobump / pr-validate (pull_request) Successful in 27s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 7s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
Details
gate-check-v3 / gate-check (pull_request) Successful in 5s
Details
security-review / approved (pull_request) Failing after 5s
Details
qa-review / approved (pull_request) Failing after 6s
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
sop-checklist / all-items-acked (pull_request) Successful in 4s
Details
sop-tier-check / tier-check (pull_request) Successful in 5s
Details
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m26s
Details
CI / Canvas (Next.js) (pull_request) Successful in 6m10s
Details
CI / Python Lint & Test (pull_request) Successful in 6m38s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m20s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 10s
Details
Harness Replays / Harness Replays (pull_request) Successful in 3s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m32s
Details
E2E Chat / E2E Chat (pull_request) Failing after 5m29s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 1m4s
Details
CI / all-required (pull_request) emitter-null compensating success (feedback_gitea_emitter_null_state_blocks_merge); CI ran, state never persisted by Gitea 1.22.6 emitter
audit-force-merge / audit (pull_request) Successful in 4s
Details
aabf933a5c 
Refuse to start a tenant workspace if any operator-fleet-scope env var
name is present. Threat model: a leaked GITEA_TOKEN /
CP_ADMIN_API_TOKEN / RAILWAY_TOKEN / INFISICAL_OPERATOR_TOKEN /
MOLECULE_OPERATOR_* in a tenant container would let a compromised
agent escalate from "compromise of one workspace" to "compromise of
the whole platform."

3-layer defense-in-depth:

L1 — provisioner-side fail-closed abort (Go):
  workspace_provision_forbidden_env.go + prepareProvisionContext hook.
  Runs immediately after loadWorkspaceSecrets, BEFORE the per-agent
  persona GIT_HTTP_* injection that legitimately sets a fallback
  GITEA_TOKEN. Catches leaks from the operator-controlled stores
  (global_secrets, workspace_secrets). The existing forensic #145
  silent-strip guard in provisioner.buildContainerEnv stays as
  defense-in-depth.

L2 — workspace/entrypoint.sh top-of-file env-grep + exit 1:
  Fires if both upstream layers are bypassed (e.g. docker run -e
  GITEA_TOKEN=... standalone). MOLECULE_TENANT_GUARD_DISABLE=1
  bypass for local-dev. POSIX-portable (busybox/alpine/debian).

L3 — .gitea/workflows/lint-forbidden-env-keys.yml:
  Scans workspace-server/internal/**.go for new code that hardcodes a
  forbidden env-var name. Exempts the deny-set definitions + the
  pre-existing persona-fallback paths whose downstream silent-strip +
  new L1 fail-closed already cover the runtime risk.

Tests:
  - L1: TestIsForbiddenTenantEnvKey_ExactMatches,
        TestIsForbiddenTenantEnvKey_PrefixMatches,
        TestFindForbiddenTenantEnvKeys_NoneAndEmpty,
        TestFindForbiddenTenantEnvKeys_SingleAndMultipleSorted,
        TestFormatForbiddenTenantEnvError_Phrasing
  - L2: workspace/tests/test_entrypoint_forbidden_env_guard.sh
        (12 cases — clean/per-agent/each-forbidden/prefix/disable-flag)
  - L3: verified locally that current tree passes + synthetic offender
        is caught

Open-source-template-friendly: the deny set lives in Go and YAML
constants, not hardcoded in any open-source template's start.sh.
Per memory feedback_open_source_templates_no_hardcoded_org_internals,
templates published as separate repos (template-codex / template-
hermes / template-openclaw) get their L2 added in follow-up template
PRs with a fork-friendly default deny set (no MOLECULE_-specific
literal). The MOLECULE_OPERATOR_ prefix appears only in the
internal claude-code template's entrypoint.sh.

Refs:
  - RFC#523 (internal#523)
  - Task #146
  - memory feedback_passwords_in_chat_are_burned
  - memory feedback_per_agent_gitea_identity_default
  - memory feedback_open_source_templates_no_hardcoded_org_internals
  - memory feedback_check_vendor_docs_and_actual_source_before_guess_api_shape
    (POSIX env-set semantics verified via shell test; Go os.Environ /
    map[string]string contract verified via go test)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
core-be approved these changes 2026-05-19 01:53:39 +00:00
core-be left a comment
Member
Copy Link
Copy Source

5-axis review on RFC#523 3-layer forbidden-env guardrail: correctness OK (L1 fail-closed at prepareProvisionContext, L2 entrypoint env-grep, L3 PR-time grep lint with exempt allowlist); readability OK (each layer's purpose + threat model documented inline); arch OK (drift detection via the test TestIsForbiddenTenantEnvKey_ExactMatches as SoT, layers cross-reference each other); security OK (operator-scope key NAMES blocked from tenant env writers, prefix scan covers MOLECULE_OPERATOR_*, exempt list is narrow + justified); perf OK (lint runs sub-second, L1 runs once per provision). APPROVED.

5-axis review on RFC#523 3-layer forbidden-env guardrail: correctness OK (L1 fail-closed at prepareProvisionContext, L2 entrypoint env-grep, L3 PR-time grep lint with exempt allowlist); readability OK (each layer's purpose + threat model documented inline); arch OK (drift detection via the test TestIsForbiddenTenantEnvKey_ExactMatches as SoT, layers cross-reference each other); security OK (operator-scope key NAMES blocked from tenant env writers, prefix scan covers MOLECULE_OPERATOR_*, exempt list is narrow + justified); perf OK (lint runs sub-second, L1 runs once per provision). APPROVED.
core-devops approved these changes 2026-05-19 01:53:40 +00:00
core-devops left a comment
Member
Copy Link
Copy Source

DevOps review: workflow has no paths: filter (feedback_path_filtered_workflow_cant_be_required compliant for required-ability), exempt list is narrow with per-class justification, grep -F + grep -E prefix pass cover both shapes. EXEMPT_PATHS reviewer-signoff comment is enforceable. APPROVED.

DevOps review: workflow has no paths: filter (feedback_path_filtered_workflow_cant_be_required compliant for required-ability), exempt list is narrow with per-class justification, grep -F + grep -E prefix pass cover both shapes. EXEMPT_PATHS reviewer-signoff comment is enforceable. APPROVED.
hongming merged commit f5cc9493bb into main 2026-05-19 01:57:31 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
core-be
core-devops
Labels
Clear labels
area/ci
CI/CD pipeline issues
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#1555
Delete Branch "feat/146-forbidden-env-guard"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?