fix(handlers): hotfix CWE-78 regression on staging — partial refs stay literal #1068
Closed
core-be
wants to merge 1 commits from
hotfix/cwe-78-staging into staging
pull from: hotfix/cwe-78-staging
merge into: molecule-ai:staging
molecule-ai:main
molecule-ai:fix/staging-golangci-30m-v2
molecule-ai:infra/main-sop-na-fix
molecule-ai:sre/platform-go-timeout-60m
molecule-ai:fix/scheduler-coverage-gaps
molecule-ai:pr-1211
molecule-ai:fix/channels-rows-err-and-cwe312
molecule-ai:fix/container-name-no-uuid-truncation
molecule-ai:fix/staging-golangci-noconfig
molecule-ai:fix/provider-base-url-fallback
molecule-ai:fix/provisioner-uuid-no-truncate
molecule-ai:fix/issue-1187-broadcast-abilities-coverage
molecule-ai:fix/queue-label-filter-all-ids
molecule-ai:fix/review-check-403-skip
molecule-ai:fix/ki-010-container-name-truncation
molecule-ai:fix/provisioner-no-uuid-truncation
molecule-ai:fix/issue-1176-db-db-race
molecule-ai:fix/channels-rows-err
molecule-ai:test/issue-1156-messaging-coverage
molecule-ai:sre/fix-test-sop-parse-directives
molecule-ai:infra/staging-sop-na-fix
molecule-ai:test/workspace-adapter-base-coverage
molecule-ai:sre/fix-sop-test-parse-directives
molecule-ai:fix/pr-1070-push-tokens
molecule-ai:test/push-package-coverage
molecule-ai:hotfix/offsec-015-org-isolation
molecule-ai:infra/sop-n-a-plus-drift-fix
molecule-ai:fix/issue-1183-settingspanel-act-wrap
molecule-ai:pr-1185-current
molecule-ai:infra/main-golangci-no-config
molecule-ai:test/qa-broadcast-abilities-coverage
molecule-ai:fix/delegations-list-endpoint-wrong-column
molecule-ai:core-be/fix/platform-go-timeout
molecule-ai:fix/issue-1152-delegation-activity-db-err-tests
molecule-ai:core-be/fix/tokens-rate-limit-scan-err-v2
molecule-ai:fix/handlers-rows-err-missing
molecule-ai:infra/canvas-deploy-reminder-polling-list
molecule-ai:fix/staging-ci-timeouts
molecule-ai:fix/settingspanel-act-flush
molecule-ai:fix/rows-err-instructions-resolve
molecule-ai:fix/ci-cold-runner-timeout
molecule-ai:fix/issue-1171-rows-err-memory-events-channels
molecule-ai:fix/sentinel-remove-phas3-masked
molecule-ai:infra/fix-all-required-combined-status-check
molecule-ai:pr1165-rebase
molecule-ai:fix/approvals-json-marshal-guard
molecule-ai:feat/canvas-broadcast-handler
molecule-ai:sre/fix-ci-drift-false-positive
molecule-ai:sre/fix-queue-remove-label-bug
molecule-ai:infra/workspace-server-healthcheck
molecule-ai:fix/ci-drift-canvas-deploy-reminder
molecule-ai:fix/offsec-015-broadcast-org-isolation
molecule-ai:fix/delegation-list-callee-plus-golangci-lint
molecule-ai:sre/fix-queue-gate-context
molecule-ai:core-be/test/delegate-record-db-errors-v2
molecule-ai:staging
molecule-ai:test/delegate-record-db-errors
molecule-ai:fix/tokens-rate-limit-scan-err
molecule-ai:pr-1117
molecule-ai:pr-1117-latest
molecule-ai:infra/staging-golangci-no-config
molecule-ai:fix/openclaw-molecule-mcp-version-pin
molecule-ai:feat/chat-unify-clean
molecule-ai:offsec015
molecule-ai:fix/openclaw-mcp-version-check
molecule-ai:feat/provider-routing-base-v2
molecule-ai:feat/e2e-chat-stabilization
molecule-ai:fix/sop-concurrency-throttle
molecule-ai:p1102
molecule-ai:p1117
molecule-ai:fix/canvas-deploy-reminder-deadlock
molecule-ai:infra/main-golangci-timeout-fix
molecule-ai:feat/provider-routing-base
molecule-ai:sre/sweep-cf-orphans-aws-timeout
molecule-ai:sre/queue-merge-conflict-handling
molecule-ai:fix/na-declarations-gate
molecule-ai:fix/stdio-clean
molecule-ai:fix/handlers-log-db-scan-errors
molecule-ai:fix/channels-marshal-errors
molecule-ai:fix/channels-silent-json-errors
molecule-ai:sre/channels-unmarshal-errors
molecule-ai:sre/queue-pre-receive-hook-fix
molecule-ai:sre/ci-timeout-increase
molecule-ai:fix/approvals-terminal-db-err-logging
molecule-ai:infra/ci-platform-go-timeout-fix
molecule-ai:fix/push-notifications
molecule-ai:fix/channels-duplicate-encrypt
molecule-ai:fix/channels-json-unmarshal-guard
molecule-ai:fix/main-rows-err-instructions
molecule-ai:fix/ci-org-helpers-demorgan
molecule-ai:fix/main-test-fix-from-0c152a24
molecule-ai:infra-sre/fix-platform-go-test
molecule-ai:fix/staging-offsec010-cp-wiring
molecule-ai:fix/handlers-instructions-test-bugs
molecule-ai:fix/ci-allrequired-needs
molecule-ai:fix/staging-goasync-configseed
molecule-ai:fix/issue-1080-org-helpers-comment
molecule-ai:fix/issue-1081-errors-import
molecule-ai:fix/1080-org-helpers-comment-typo
molecule-ai:infra-sre/fix-missing-test-imports
molecule-ai:fix/offsec-010-wiring
molecule-ai:fix/saas-t4-cp-config-seed
molecule-ai:fix/offsec-010-clean
molecule-ai:fix/offsec-003-boundary-wrapping
molecule-ai:fix/offsec-003-escaped-markers-main
molecule-ai:fix/mobile-chat-history
molecule-ai:fix/staging-CWE-78-rows-err
molecule-ai:fix/1062-mobilechat-history
molecule-ai:fix/stdio-v2
molecule-ai:fix/offsec-010-symlink-walkdir
molecule-ai:fix/test-stdio-function-name
molecule-ai:fix/offsec-010-symlink-walkdir-isSaaS-fix
molecule-ai:sre/fix-stale-platform-server-port
molecule-ai:fix/offsec-010-from-pr1047
molecule-ai:staging-v6
molecule-ai:fix/e2e-api-port-collision
molecule-ai:fix/main-async-db-race
molecule-ai:fix/secrets-rows-err-check
molecule-ai:infra/sync-staging-v6-to-main
molecule-ai:pr/1030
molecule-ai:fix/handlers-instructions-test-compile
molecule-ai:fix/instructions-test-compile
molecule-ai:fix/openclaw-empty-required-keys
molecule-ai:sre/main-rows-err-checks
molecule-ai:fix/staging-v6-conflict-markers
molecule-ai:fix/delegation-list-test-conflict-marker
molecule-ai:fix/main-red-cdb0b040-ci-tests
molecule-ai:fix/theme-toggle-selector-main-red
molecule-ai:sre/ci-required-drift-canvas-reminder-skip
molecule-ai:test/instructions-handler-coverage
molecule-ai:sre/canvas-build-timeout
molecule-ai:test/externalconnectmodal
molecule-ai:fix/resolve-conflict-marker-delegation-list-test
molecule-ai:fix/1008-themetoggle-css-selector
molecule-ai:design/826-searchdialog-mount-v2
molecule-ai:test/orgcancelbutton
molecule-ai:fix/2088-themetoggle-queryselectorall-errors
molecule-ai:design/704-tree-test-fix
molecule-ai:fix/ci-required-drift-github-ref-skip
molecule-ai:ci/975-db-pollution-fix
molecule-ai:fix/968-remove-duplicate-test-declarations
molecule-ai:fix/980-schedules-handler-test-coverage
molecule-ai:design/tier-legend-contrast-2026-05-14
molecule-ai:sre/platform-go-timeout-fix
molecule-ai:fix/delegation-list-test-db-leak
molecule-ai:fix/984-delegation-id-response-body
molecule-ai:sre/queue-bot-fix-ctx-check
molecule-ai:fix/983-remove-duplicate-test-declarations
molecule-ai:fix/986-canvas-wcag-focus-rings
molecule-ai:fix/993-agent-handler-test-coverage
molecule-ai:design/wcag-focus-contrast-2026-05-14
molecule-ai:design/wcag-focus-rings-round5-2026-05-14
molecule-ai:fix/activity-logs-delegation-id-response-body
molecule-ai:fix/982-expand-posix-identifier-guard
molecule-ai:fix/test-offsec003-redundant-file
molecule-ai:feat/976-schedules-handler-test-coverage
molecule-ai:fix/org-helpers-test-panic
molecule-ai:promote/main-to-staging-v5
molecule-ai:fix/965-test-panic-resolveInsideRoot
molecule-ai:promote/main-to-staging-v4
molecule-ai:feat/delegation-list-tests
molecule-ai:fix/test-a2a-sanitization-v3
molecule-ai:promote/main-to-staging-v3
molecule-ai:fix/duplicate-test-declarations
molecule-ai:feat/org-helpers-security-tests
molecule-ai:fix/main-push-operational-red
molecule-ai:promote/main-to-staging-v2
molecule-ai:fix-sop-concurrency-v2
molecule-ai:fix/sop-checklist-gate-name
molecule-ai:fix/docker-info-pipefail
molecule-ai:fix/publish-healthcheck-pipefail
molecule-ai:fix/sop-checklist-workflow-rename
molecule-ai:promote/main-to-staging
molecule-ai:sre/fix-sop-checklist-context-name-mc948
molecule-ai:design/wcag-contrast-round4-2026-05-14
molecule-ai:fix/org-helper-tests
molecule-ai:fix/test-a2a-sanitization-main
molecule-ai:fix/publish-image-on-every-main-push
molecule-ai:fix/remove-canvas-reminder-from-all-required
molecule-ai:fix/staging-integration-test-ctx
molecule-ai:fix/staging-canvas-reminder-deadlock
molecule-ai:design/wcag-a11y-round3-2026-05-14
molecule-ai:ci/remove-canvas-reminder-from-all-required
molecule-ai:fix/test-a2a-sanitization-assertions
molecule-ai:fix/staging-ci-drift-canvas-reminder
molecule-ai:fix/handlers-pg-integ-event-before
molecule-ai:ci/platform-build-flip-coe
molecule-ai:fix/staging-python-test-and-tier-check-lint
molecule-ai:fix/offsec-006-slug-injection
molecule-ai:runtime/fix-pr916-integration-test-ctx
molecule-ai:design/chat-tab-wcag-contrast-2026-05-14
molecule-ai:fix/offsec-006-slug-validation
molecule-ai:design/wcag-contrast-fixes-2026-05-14
molecule-ai:fix/904-handler-test-blockers
molecule-ai:fix/ci-drift-canvas-reminder
molecule-ai:fix/comment-trigger-storm
molecule-ai:infra/660-codify-promote-tenant-image
molecule-ai:fix/917-canvas-test-failures
molecule-ai:fix/917-runtime-prbuild-detect-changes-fix
molecule-ai:fix/filesTab-test-stale-reference
molecule-ai:fix/files-tab-test-missing-helper
molecule-ai:fix/runtime-prbuild-compat-detect-changes
molecule-ai:fix/staging-test-compilation-fixes
molecule-ai:fix/qa-review-token-fallback-v2
molecule-ai:test/hydrate-canvas-coverage
molecule-ai:fix/contextmenu-react-error-185
molecule-ai:test/external-runtimes-coverage
molecule-ai:fix/main-sqlmock-import-ineffassign-20260513
molecule-ai:fix/redeploy-tenants-on-main-lint-cleanup
molecule-ai:sre/docker-daemon-gate-fix
molecule-ai:fix/897-listdelegations-use-ledger-table
molecule-ai:fix/901-listdelegations-ledger-table
molecule-ai:fix/core-main-handlers-hotfix
molecule-ai:fix/e2e-api-platform-port
molecule-ai:fix/main-green-monitor-status
molecule-ai:fix/mobile-MobileChat-infinite-render
molecule-ai:fix/delegations-ledger-fallback-rows-err
molecule-ai:fix/874-extractmessagetext-clean
molecule-ai:feat/881-untested-helpers
molecule-ai:fix/874-extractmessagetext-bug
molecule-ai:fix/status-reaper-api-timeout-retry-20260513130514
molecule-ai:fix/831-admin-token-placeholder-bootstrap
molecule-ai:feat/canvas-test-coverage-738
molecule-ai:feat/files-tab-tree-coverage
molecule-ai:feat/canvas-untested-components-coverage
molecule-ai:feat/canvas-tab-test-coverage-2
molecule-ai:fix/main-bundle-test-sqlmock-import
molecule-ai:fix/stdio-fallback-all-environments
molecule-ai:staging-sync-v3
molecule-ai:ci/burn-in-remove-sop-tier-check-coe
molecule-ai:fix/issue-860-delivery-mode-tests
molecule-ai:design/approval-banner-emerald-fix
molecule-ai:fix/issue-854-termsgate-a11y
molecule-ai:fix/issue-859-wcag-contrast
molecule-ai:fix/delegations-rows-err-bbc40cb8
molecule-ai:design/approvalbanner-a11y
molecule-ai:design/pricingtable-a11y
molecule-ai:design/toolbar-help-toggle-fix
molecule-ai:staging-sync-v2
molecule-ai:fix/canvas-approvalbanner-a11y
molecule-ai:feat/canvas-external-connect-modal-coverage
molecule-ai:staging-sync-rm
molecule-ai:fix/test-sanitize-agent-error-stderr
molecule-ai:test/a2a-queue-extractExpiresInSeconds
molecule-ai:fix/pr-829-test-issues
molecule-ai:design/826-searchdialog-mount
molecule-ai:fix/chat-createMessage-attachments-key
molecule-ai:fix/762-recall-memory-canary
molecule-ai:fix/367-a2a-tools-coverage-v2
molecule-ai:feat/search-dialog-mount
molecule-ai:feat/org-layout-test-coverage
molecule-ai:fix/offsec-003-builtin-a2a-sanitize
molecule-ai:fix/canvas-playwright-install-timeout
molecule-ai:fix/805-audit-force-merge-main-required-checks
molecule-ai:fix/cf-sweep-api-error
molecule-ai:fix/e2e-diagnose-detail
molecule-ai:fix/a2a-mcp-server-http-transport
molecule-ai:fix/core-main-red-golangci-install
molecule-ai:fix/test-declarations
molecule-ai:fix/sop-checklist-body-hard-gate
molecule-ai:merge-792
molecule-ai:feat/mcp-tools-test-coverage
molecule-ai:feat/workspace-crud-test-coverage
molecule-ai:feat/socket-handler-test-coverage
molecule-ai:fix/686-delegation-integration-tests
molecule-ai:feat/a2a-proxy-helpers-test-coverage
molecule-ai:fix/publish-canvas-disable-gha-cache-20260512
molecule-ai:fix/publish-canvas-docker-probe-20260512
molecule-ai:fix/canvas-image-ecr-20260512
molecule-ai:fix/687-send-ssh-public-key-detail
molecule-ai:feat/tier-2g-required-context-exists-in-bp
molecule-ai:feat/tier-2f-bp-emit-match
molecule-ai:fix/mc-664-class-2-mcp-offsec-contract-test
molecule-ai:fix/main-ci-green-20260512
molecule-ai:infra/dockerfile-add-docker-cli-for-local-build
molecule-ai:test/workspace-crud-helpers-coverage
molecule-ai:fix/681-recallmemory-offsec-contract
molecule-ai:fix/org-layout-helpers-test-coverage
molecule-ai:fix/735-extractResponseText-tests
molecule-ai:test/713-workspace-crud-validators
molecule-ai:test/713-org-helpers-pure-coverage
molecule-ai:fix/713-eic-diagnose-detail
molecule-ai:fix/730-filterpeers-nil-guard
molecule-ai:infra/all-required-coe-false-v2
molecule-ai:fix/phase3-tracker-comments
molecule-ai:fix/mc-664-class-1-delegation-tests-postgres-integration
molecule-ai:fix/canvas-keyboard-shortcuts-dialog-guard
molecule-ai:infra/664-lint-coe-trackers
molecule-ai:ci/lint-tracker-regex-fix-v2
molecule-ai:fix/731-nil-guard-filter-peers-by-query
molecule-ai:fix/lint-TRACKER_RE-mid-sentence
molecule-ai:ci-retrigger-747
molecule-ai:feat/709-handler-pure-coverage
molecule-ai:fix/697-canvas-geticon-topology
molecule-ai:ci/lint-tracker-regex-fix
molecule-ai:test/2071-canvas-drop-target-badge-coverage
molecule-ai:feat/2071-canvas-orgdeploystate-coverage
molecule-ai:feat/mobile-canvas-comms-spawn-coverage
molecule-ai:ci/lint-coe-self-fix
molecule-ai:feat/mobile-tabbar-a11y
molecule-ai:fix/ssm-refresh-ecr-auth-json-escaping
molecule-ai:design/729-fix
molecule-ai:ci/gate-check-v3-permissions-fix
molecule-ai:fix/730-discovery-filter-nil-role
molecule-ai:infra/publish-docker-daemon-diagnostic
molecule-ai:fix/714-all-required-coe-false
molecule-ai:fix/717-mobile-agentMessages-selector
molecule-ai:infra/fix-all-required-status-reporting
molecule-ai:fix/687-e2e-surface-diagnose-detail
molecule-ai:infra/docker-runner-label
molecule-ai:test/701-canvas-hydrate-coverage
molecule-ai:test/mobile-primitives-coverage
molecule-ai:infra/664-interim-platform-build-exempt
molecule-ai:fix/693-offsec-recallmemory-scrub-staging
molecule-ai:sync/main-to-staging-514-v2
molecule-ai:fix/693-offsec-recallmemory-global-scrub
molecule-ai:fix/693-offsec-recallmemory-scrub
molecule-ai:fix/634-handler-test-fixes-to-main
molecule-ai:test/699-socket-handler-coverage
molecule-ai:sre/workflow-run-replacement
molecule-ai:infra/676-ssm-auth-json-hardening
molecule-ai:fix/offsec-001-method-scrub-hotfix
molecule-ai:fix/offsec-001-method-scrub-main
molecule-ai:feat/workspace-crud-validation-tests
molecule-ai:test/canvas-hydrate-coverage
molecule-ai:infra/lint-pre-flip-continue-on-error
molecule-ai:fix/workflow_run-to-push-gitea-1.22.6
molecule-ai:feat/tier-2e-tracking-issue
molecule-ai:fix/684-offsec-scrub-method-default
molecule-ai:feat/sop-checklist-gate-mvp
molecule-ai:feat/tier-2d-lint-mask-pr-atomicity
molecule-ai:infra/lint-workflow-yaml-hostile-shapes
molecule-ai:infra/lint-required-no-paths-filter
molecule-ai:cleanup/pr-641-clean
molecule-ai:feat/mobile-tabbar-wcag-a11y
molecule-ai:fix/canvas-mobile-chat-loop
molecule-ai:fix/651-canvas-chat-mobile-crash
molecule-ai:fix/664-interim-remask-platform-build
molecule-ai:fix/mobile-chat-max-update-depth
molecule-ai:infra/622-force-merge-protection-fix
molecule-ai:test/attachment-lightbox-clean-v2
molecule-ai:ci/652-gitea-1-22-status-key
molecule-ai:test/memorytab-2
molecule-ai:infra/status-reaper-rev4-status-key-fix
molecule-ai:infra/weekly-platform-go-vet-hard
molecule-ai:fix/audit-force-merge-pipefail
molecule-ai:infra/status-reaper-rev3-widen-window
molecule-ai:test/canvas-externalconnectmodal-coverage
molecule-ai:fix/sop-tier-check-token-graceful
molecule-ai:infra/ci-required-drift-token-scope
molecule-ai:test/console-modal-coverage
molecule-ai:ci/review-check-tests-wire
molecule-ai:test/canvas-workspacenode-coverage
molecule-ai:test/memorytab
molecule-ai:infra/interim-disable-reaper-watchdog-crons
molecule-ai:test/attachment-lightbox-coverage
molecule-ai:fix/issue-639-workspacenode-test-coverage
molecule-ai:test/channels-tab
molecule-ai:fix/canvas-searchdialog-test-fixtures
molecule-ai:fix/598-attachmentLightbox-tests
molecule-ai:fix/529-307-localbuild-async-test-fix
molecule-ai:fix/582-attachmentviews-tests
molecule-ai:fix/308-a2a-response-push-mode-tests
molecule-ai:fix/529-preflight-localbuild
molecule-ai:fix/sop-tier-check-token-graceful-staging
molecule-ai:fix/545-approvalbanner-isolation
molecule-ai:fix/519-memorytab-tests
molecule-ai:infra/status-reaper-rev2-sweep-recent-commits
molecule-ai:fix/handlers-test-fixtures
molecule-ai:test/skill-helpers-coverage
molecule-ai:test/ui-primitive-coverage
molecule-ai:docs/gitea-quirks-10-11
molecule-ai:test/platform-bundle-exporter-coverage
molecule-ai:infra/status-reaper-rev1-drop-concurrency
molecule-ai:fix/608-filesTab-focusTest
molecule-ai:test/budget-section-coverage
molecule-ai:infra/revert-docker-runner-label
molecule-ai:fix/weekly-platform-go-latent-error-surface
molecule-ai:infra/revert-publish-runs-on-pin
molecule-ai:sre/gate-check-timeout
molecule-ai:test/a2a-error-hint-coverage
molecule-ai:test/chat-attachment-views-coverage
molecule-ai:test/attachment-video-coverage
molecule-ai:infra/option-b-status-reaper
molecule-ai:infra/gate-check-v3-timeout
molecule-ai:infra/576-docker-runner-label
molecule-ai:fix/593-filetab-tests
molecule-ai:test/files-tab-notavailablepanel-coverage
molecule-ai:fix/591-forminputs-tests
molecule-ai:fix/471-cwe117-stderr-scrubbing
molecule-ai:infra/diagnostic-publish-workspace-server-image
molecule-ai:fix/582-bundle-import-tests
molecule-ai:test/form-inputs-coverage
molecule-ai:fix/publish-workspace-server-image-json5-comments
molecule-ai:sre/fix-all-required-null-result
molecule-ai:fix/publish-workspace-server-image-optional-token
molecule-ai:pr-251
molecule-ai:test/ui-statusbadge-coverage
molecule-ai:fix/all-required-null-result-assertion
molecule-ai:fix/568-palette-context-tests
molecule-ai:pr-527
molecule-ai:infra/merge-563-autobump-fix
molecule-ai:test/mobile-palette-context-coverage
molecule-ai:sre/fix-gate-check-v3-combined-state-loop
molecule-ai:ci/540-review-check-bats-tests
molecule-ai:fix/publish-runtime-autobump-push-condition
molecule-ai:ci/558-verify-publish-runtime-marker
molecule-ai:test/canvas-empty-state-coverage
molecule-ai:infra/publish-runtime-verify-2026-05-11
molecule-ai:ci/554-oci-labels-publish-workflow
molecule-ai:infra/drift-bot-token
molecule-ai:infra/rfc-219-phase-4-all-required-sentinel
molecule-ai:ci/551-gate-checkout-trusted-ref
molecule-ai:fix/gate-check-v3-pr-HEAD-security
molecule-ai:fix/541-token-argv-security
molecule-ai:sre/fix-gate-check-v3-bugs
molecule-ai:fix/537-cwe117-a2a-tools-sanitize
molecule-ai:fix/gate-check-v3-http-error-crash
molecule-ai:sre/fix-localbuild-preflight
molecule-ai:infra/rfc-324-workflow-add
molecule-ai:test/offsec-003-sanitization-backstop
molecule-ai:fix/test-sanitize-agent-error-stderr-exc
molecule-ai:fix/approval-banner-test-isolation
molecule-ai:infra/scope-workflows-fix
molecule-ai:sre/fix-pr530-deadlock
molecule-ai:sre/reopen-516-gate-check-fix
molecule-ai:fix/ci-scope-operational-workflows-504-419
molecule-ai:sre/scope-operational-workflows-to-schedule
molecule-ai:ci/harness-replays-detect-changes-quoting-fix
molecule-ai:fix/test-blocks-until-inflight-completes
molecule-ai:fix/test-enrich-peer-metadata-nonblocking
molecule-ai:sre/fix-enrich-nonblocking-cache-check
molecule-ai:merge-pr490
molecule-ai:runtime/fix-offsec-003-tool-delegate-task
molecule-ai:fix/508-update-boundary-assertions
molecule-ai:sre/fix-test-delegation-sync-polling-assertions
molecule-ai:fix/366-shared-runtime-coverage
molecule-ai:fix/506-unused-imports
molecule-ai:ci/lint-fixes
molecule-ai:fix/367-a2a-tools-coverage
molecule-ai:test/a2a-client-enrich-peer-rebase
molecule-ai:fix/354-delegation-auto-resume-rebase
molecule-ai:ci/fix-detect-changes-commits-array
molecule-ai:fix/307-async-rebase
molecule-ai:runtime/fix-harness-replays-push-event
molecule-ai:sre/fix-test-polling-sanitization
molecule-ai:fix/harness-replays-detect-changes-gitea-api
molecule-ai:ci/fix-test-polling-sanitization
molecule-ai:test/eventstab
molecule-ai:runtime/335-rebase-platfrom-url
molecule-ai:hotfix/491-offsec-003-staging-v2
molecule-ai:fix/pr477-test-fixes
molecule-ai:runtime/335-rebase-platform-url
molecule-ai:fix/354-auto-resume-delegations
molecule-ai:fix/368-audit-hooks-coverage
molecule-ai:runtime/temporal-platform-url-fix
molecule-ai:infra/secret-reconciliation-v2
molecule-ai:fix/purchase-success-modal-test-isolation
molecule-ai:pr-476
molecule-ai:sre/fix-gitea-runbook-network-quirks
molecule-ai:tools/gate-check-v3
molecule-ai:fix/376-activity-delegation-polling
molecule-ai:runtime/platform-url-fix-merge
molecule-ai:fix/canvas-purchase-success-modal-test-timing
molecule-ai:fix/secret-naming-reconciliation
molecule-ai:docs/gitea-operational-quirks-runbook
molecule-ai:test/canvas-toolbar-coverage
molecule-ai:fix/canvas-tier-config-v2
molecule-ai:fix/455-offsec003-sanitize-alignment
molecule-ai:fix/sweep-stale-e2e-orgs-secret-name
molecule-ai:fix/approvalbanner-mockreset-452
molecule-ai:fix/canvas-approvalbanner-mockreset
molecule-ai:fix/publish-runtime-autobump-fetch-depth
molecule-ai:fix/321-cwe22-loadWorkspaceEnv-path-traversal
molecule-ai:fix/canonicalize-staging-admin-token-rebase-462
molecule-ai:canvas-followup
molecule-ai:fix/canonicalize-staging-admin-token-rest
molecule-ai:refactor/drop-canary-prefix
molecule-ai:fix/canvas-test-and-design-fixes
molecule-ai:runtime/432-followup-helper-extraction
molecule-ai:fix/harness-replays-detect-changes-fetch-depth
molecule-ai:fix/stderr-include-a2a-error-response
molecule-ai:feat/internal-292-sop-tier-refire
molecule-ai:docs/update-remote-agent-tutorial-sdk-api
molecule-ai:fix/canvas-confirm-dialog-backdrop-a11y-v3
molecule-ai:fix/canvas-confirm-dialog-backdrop-a11y-v2
molecule-ai:fix/388-github-token-501-gitea-staging
molecule-ai:fix/dialog-backdrop-a11y
molecule-ai:runtime/414-idle-loop-skip-pending-results-v3
molecule-ai:fix/test-extract-tool-trace
molecule-ai:fix/test-plugins-atomic-tar-coverage
molecule-ai:fix/harness-replays-fetch-depth
molecule-ai:fix/test-instructions-handler-coverage
molecule-ai:sre/fix-workflow-secret-naming
molecule-ai:fix/canvas-tiers-config-string-keys
molecule-ai:fix/offsec-003-promote-to-main
molecule-ai:fix/class-e-secret-name-reconciliation
molecule-ai:fix/sop-tier-check-apt-get-first
molecule-ai:fix/307-async-test-pollution
molecule-ai:fix/sop-tier-check-jq-install-order
molecule-ai:fix/canvas-test-failures-2026-05-10
molecule-ai:runtime/fix-a2a-tools-duplicate-error-block-v2
molecule-ai:infra/sop-tier-check-jq-install-fix
molecule-ai:runtime/fix-a2a-push-delivery-mode
molecule-ai:feat/main-never-red-watchdog-internal-420
molecule-ai:feat/internal-219-phase-2bc-port-to-molecule-core
molecule-ai:fix/a11y-canvas-clean
molecule-ai:sweep/internal-219-cat-C1-port-gates-lints
molecule-ai:sweep/internal-219-cat-B-delete-github-only
molecule-ai:sweep/internal-219-cat-A-delete-mirrored
molecule-ai:fix/offsec-003-json-endpoint-sanitize
molecule-ai:sweep/internal-219-cat-C3-port-deploy-janitors
molecule-ai:sweep/internal-219-cat-C2-port-e2e
molecule-ai:fix/publish-runtime-cascade-sha-capture
molecule-ai:feat/internal-219-phase-3-port-ci-yml
molecule-ai:fix/413-a2a-delegation-offsec-003
molecule-ai:runtime/381-idle-loop-pending-messages
molecule-ai:fix/delegations-rows-err-check
molecule-ai:fix/a11y-canvas-buttons-staging
molecule-ai:runtime/fix-399-a2a-delegation-missing-import-v2
molecule-ai:fix/380-cwe59-symlink-traversal
molecule-ai:fix/388-github-token-501-staging
molecule-ai:fix/confirm-dialog-wcag-backdrop
molecule-ai:infra/sop-tier-check-jq-script-fallback
molecule-ai:fix/revert-391-broken-jq-install
molecule-ai:fix/a2a-tools-duplicate-dead-code
molecule-ai:fix/confirm-dialog-backdrop
molecule-ai:fix/canvas-confirm-dialog-backdrop-a11y
molecule-ai:infra/jq-install-main
molecule-ai:fix/sop-tier-check-jq-main
molecule-ai:fix/canvas-dialog-backdrop-a11y
molecule-ai:fix/388-github-token-501
molecule-ai:runtime/offsec-003-polling-path-v2
molecule-ai:fix/361-sanitize-delegation-results
molecule-ai:runtime/offsec-003-executor-sanitize
molecule-ai:fix/cwe22-loadWorkspaceEnv-main
molecule-ai:fix/qa-audit-307-308-clean
molecule-ai:ci/fix-293-sqlalchemy-pip-install
molecule-ai:fix/354-delegation-auto-resume
molecule-ai:runtime/platform-url-host-docker-internal
molecule-ai:fix/canvas-repair-tests-344
molecule-ai:fix/canvas-statusdot-ts-errors
molecule-ai:test/molecule-audit-hooks-coverage
molecule-ai:test/a2a-tools-and-send-message-coverage
molecule-ai:fix/sop-tier-check-jq-install
molecule-ai:test/shared-runtime-helpers-coverage
molecule-ai:fix/canvas-topology-sort-orphan
molecule-ai:fix/executor-helpers-offsec-003-sanitize
molecule-ai:runtime/offsec-003-polling-path
molecule-ai:fix/354-a2a-delegation-auto-resume
molecule-ai:runtime/fix-a2a-push-delivery-mode-v2
molecule-ai:fix/publish-runtime-add-_sanitize_a2a-to-allowlist
molecule-ai:fix/publish-runtime-missing-working-directory
molecule-ai:ci/add-sqlalchemy-to-pip-install
molecule-ai:ci-resolve-github-gitea-triplicate
molecule-ai:sre/offsec-003-boundary-escape
molecule-ai:fix/sec-321-path-traversal-clean
molecule-ai:fix/a2a-proxy-response-header-timeout-v2
molecule-ai:fix/publish-runtime-workflow-dispatch-inputs
molecule-ai:fix/a2a-push-mode-queue-envelope
molecule-ai:fix/351-split-publish-runtime-triggers
molecule-ai:feat/348-publish-runtime-restore-path-trigger
molecule-ai:fix/issue-workspace-dup-name-409-autosuffix
molecule-ai:fix/security-OFFSEC003-boundary-escape-334
molecule-ai:fix/security-CWE22-loadWorkspaceEnv-330
molecule-ai:fix/canvas-test-fixes-20260510
molecule-ai:fix/canvas-extractMessageText
molecule-ai:fix/qa-307-async-pollution-direct
molecule-ai:test/a2a-client-enrich-peer-metadata
molecule-ai:fix/docs-309-remote-faq-staging-env
molecule-ai:fix/qa-308-push-mode-queue-tests
molecule-ai:fix/qa-307-async-pollution
molecule-ai:runtime/fix-plugin-registry-import-path
molecule-ai:fix/a2a-proxy-response-header-timeout-clean
molecule-ai:fix/publish-workspace-server-ci-clone-manifest-retry-main
molecule-ai:infra/remove-pr303-tracking
molecule-ai:fix/issue-296-plugin-registry-sysmodules
molecule-ai:infra/pin-compose-image-digests
molecule-ai:chore/sync-main-to-staging
molecule-ai:fix/sec-321-path-traversal
molecule-ai:fix/a2a-proxy-response-header-timeout
molecule-ai:docs/a11y-billing-wcag-patterns
molecule-ai:fix/qa-307-test-a2a-inbox-wrappers-asyncio-refactor
molecule-ai:runtime/fix-test-config-model-isolation
molecule-ai:ci/docker-daemon-health-guard
molecule-ai:docs/fix-remote-workspaces-faq
molecule-ai:fix/publish-workspace-server-ci-clone-manifest-retry
molecule-ai:fix/test-config-env-isolation
molecule-ai:ci/staging-sha-pinning
molecule-ai:fix/external-connection-user-facing-urls
molecule-ai:fix/workspace-server-registry-config-helper
molecule-ai:fix/issue-272-sqlalchemy-ci-install
molecule-ai:fix/canvas-yaml-utils-nested-arrays-clean
molecule-ai:fix/self-delegation-guard
molecule-ai:promote/staging-to-main-100546
molecule-ai:fix/a2a-tools-v2
molecule-ai:fix/a2a-tools-and-workflow-cleanup
molecule-ai:fix/canvas-test-isolation-fixes-v2
molecule-ai:fix/molecule-model-env-go
molecule-ai:runtime/fix-delegate-empty-parts-regression
molecule-ai:infra/runtime-doc-playwright-limitation
molecule-ai:fix/offsec-001-error-message-scrubbing
molecule-ai:fix/offsec-001
molecule-ai:fix/a2a-tools-string-error-handling-clean
molecule-ai:fix/core-248-pluginresolver-and-plgh
molecule-ai:infra/fix-source-resolver-dup
molecule-ai:fix/model-provider-misnomer
molecule-ai:fix/a2a-tools-string-error-handling-v2
molecule-ai:fix/canvas-yaml-utils-test-failure
molecule-ai:fix/a2a-tools-string-error-handling
molecule-ai:fix/internal-214-gosum-vanity-import
molecule-ai:fix/canvas-test-isolation-fixes
molecule-ai:chore/canvas-statusbadge-test-fix-cherry-pick
molecule-ai:fix/canvas-statusbadge-test-role-ambiguity
molecule-ai:runtime/fix-mcp-client-localhost-default
molecule-ai:fix/core-257-delegation-test-stray-brace
molecule-ai:revert/core-d0126662-restart-signals-undefined-h
molecule-ai:revert/core-123-plugin-drift-detector
molecule-ai:ci/pin-action-and-base-images
molecule-ai:fix/org-232-per-workspace-required-env-preflight
molecule-ai:fix/ssrf-guard-before-begintx
molecule-ai:test/issue-232-per-workspace-required-env-preflight
molecule-ai:fix/issue232-org-import-required-env-aggregation
molecule-ai:fix/canvas-ts-test-errors
molecule-ai:fix/delegations-list-ledger-fallback
molecule-ai:wip-snapshot-2026-05-10/mac/molecule-core-tmp53-git-token-helper-wip
molecule-ai:wip-snapshot-2026-05-10/mac/molecules-org-molecule-core-registry-prefix
molecule-ai:fix/pluginresolver-conflict
molecule-ai:wip-snapshot-2026-05-10/core-be/fix-pluginresolver-conflict
molecule-ai:wip-snapshot-2026-05-10/core-qa/stash-package-lock-diff
molecule-ai:feat/keyboard-shortcuts-dialog
molecule-ai:wip-snapshot-2026-05-10/core-uiux/feat-keyboard-shortcuts-dialog
molecule-ai:wip-snapshot-2026-05-10/core-fe/test-canvas-design-tokens-config
molecule-ai:test/canvas-cssvar-tests
molecule-ai:fix/internal-229-sop-tier-check-tier-low-relaxation
molecule-ai:test/canvas-utility-pure-tests
molecule-ai:test/canvas-preflight-utils-tests
molecule-ai:test/canvas-runtimeprofiles-tests
molecule-ai:test/canvas-yaml-utils-tests
molecule-ai:test/canvas-pure-function-tests
molecule-ai:fix/ci-port-publish-workspace-server-image-228
molecule-ai:fix/ssrf-validate-agent-url-212
molecule-ai:ci/sop-tier-check-approver-teams-fix
molecule-ai:fix/sop-tier-check-legacy-flip-229
molecule-ai:wip-snapshot-2026-05-10/core-be/fix-ki001-telegram-disable-channel
molecule-ai:wip-snapshot-2026-05-10/core-be/feat-a2a-pre-restart-drain-125
molecule-ai:wip-snapshot-2026-05-10/core-be/feat-plugin-drift-queue-123
molecule-ai:fix/sweeper-race-error-counter
molecule-ai:infra/fix-issue-75-gh-cli-gitea-sweep
molecule-ai:wip-snapshot-2026-05-10/core-be/fix-gh-api-gitea-sweep-75
molecule-ai:feat/keyboard-shortcuts-dialog-test
molecule-ai:wip-snapshot-2026-05-10/core-be/fix-sweeper-test-isolation-86
molecule-ai:ci/fix-issue-87-root-skip
molecule-ai:fix/test-local-resolver-root-skip
molecule-ai:fix/workspace-tests-clear-auth-cache
molecule-ai:wip-snapshot-2026-05-10/core-be/fix-a2a-delegation-success-rendered-as-error
molecule-ai:wip-snapshot-2026-05-10/core-be/fix-files-restart-volume-sync
molecule-ai:wip-snapshot-2026-05-10/core-lead/tech-debt-rename-net
molecule-ai:wip-snapshot-2026-05-10/core-lead/fix-168-mine
molecule-ai:wip-snapshot-2026-05-10/core-lead/fix-167-uiux
molecule-ai:wip-snapshot-2026-05-10/core-fe/stash-canvas-agent-comms-show-task-text
molecule-ai:fix/canvas-agent-comms-show-task-text
molecule-ai:wip-snapshot-2026-05-10/core-lead/fix-vitest-pool
molecule-ai:fix/info-disclosure-errors
molecule-ai:infra/add-temporal-to-main-compose
molecule-ai:design/verify-canvas-design-system
molecule-ai:fix/workspace-persona-git-identity
molecule-ai:fix/175-env-matched-pair-guard
molecule-ai:wip-snapshot-2026-05-10/core-lead/fix-149
molecule-ai:refactor/sop-tier-check-extract-script
molecule-ai:fix/sop-tier-check-pr-target-security
molecule-ai:ci/sop-tier-check-deploy
molecule-ai:fix/issue53-admin-token-pair-guard
molecule-ai:fix/org-import-started-event-name
molecule-ai:refactor/delete-uses-cascade-helper
molecule-ai:fix/org-import-reconcile-and-audit
molecule-ai:fix/preserve-model-secret-on-restart
molecule-ai:feat/persona-bind-mount-local-dev
molecule-ai:feat/canary-tier-filter
molecule-ai:feat/plugin-version-subscription
molecule-ai:feat/plugin-hot-reload-classifier
molecule-ai:feat/plugin-atomic-install
molecule-ai:feat/air-hot-reload-dev
molecule-ai:feat/persona-env-injection
molecule-ai:fix/external-resolver-hardening
molecule-ai:fix/issue75-class-D-gh-api-to-gitea-rest
molecule-ai:fix/cherry-3-files-vitest-postgres-e2eapi
molecule-ai:fix/promote-vitest-postgres-fixes
molecule-ai:fix/saas-plugin-install-eic
molecule-ai:fix/issue-94-e2e-api-parallel-safe-class-b
molecule-ai:migrate/issue-71-vanity-imports
molecule-ai:fix/handlers-postgres-port-collision-class-b
molecule-ai:fix/issue-96-canvas-vitest-cold-start-timeout
molecule-ai:fix/hermes-agent-doc-gitea-migration
molecule-ai:fix/196-retarget-main-to-staging-gitea-rest
molecule-ai:fix/gitea-ci-flakes-issue-88
molecule-ai:fix/pin-upload-artifact-v3-gitea
molecule-ai:fix/issue-72-auto-sync-token-canary-v2
molecule-ai:fix/issue75-class-F-gh-run-list-to-statuses
molecule-ai:fix/issue75-class-A-gh-pr-to-gitea-rest
molecule-ai:feat/issue-63-local-build-from-gitea-v2
molecule-ai:fix/195-auto-promote-staging-gitea-rest
molecule-ai:fix/144-branch-protection-check-name-parity-audit
molecule-ai:fix/harness-replays-pre-clone-manifest
molecule-ai:chore/trigger-auto-sync-verification
molecule-ai:fix/codeql-stub-on-gitea-156
molecule-ai:chore/issue173-retrigger-after-ecr-repo-create
molecule-ai:fix/issue173-inline-aws-ecr-login
molecule-ai:fix/issue173-shell-docker-push
molecule-ai:chore/retrigger-harness-replays-post-class-g
molecule-ai:fix/issue173-buildx-driver-and-cache
molecule-ai:fix/post-suspension-clone-manifest
molecule-ai:fix/issue173-followup-platform-dockerfile
molecule-ai:fix/post-suspension-github-urls
molecule-ai:fix/170-goroutine-bleed-test-isolation
molecule-ai:fix/issue173-publish-workspace-server-image
molecule-ai:fix/issue36-a2a-proxy-preflight
molecule-ai:fix/codeql-continue-on-error-156
molecule-ai:feat/demo-mock-3-bigorg-mock-runtime
molecule-ai:feat/demo-mock-1-purchase-success-modal
molecule-ai:fix/publish-path-filter-add-scripts
molecule-ai:fix/clone-manifest-gitea
molecule-ai:chore/touch-publish-workflow-to-trigger
molecule-ai:chore/retrigger-publish-post-aws-secrets
molecule-ai:chore/cherry-pick-pr23-into-main
molecule-ai:chore/backsync-main-into-staging-task-166
molecule-ai:fix/auto-sync-use-devops-token
molecule-ai:chore/retrigger-staging-on-fixed-runner-image
molecule-ai:chore/drop-github-app-auth-and-ecr-swap
molecule-ai:docs/readme-comprehensive-refresh-2026-05-06
molecule-ai:feat/rfc-2945-pr-c-2-canvas-chat-history
molecule-ai:fix/issue10-runtime-aware-plugin-install
molecule-ai:fix/s8-bind-loopback-dev
molecule-ai:fix/14-cascade-gitea-dispatch
molecule-ai:docs/molecule-core-bulk-sed
molecule-ai:chore/pin-artifact-actions-v3
molecule-ai:fix/lowercase-org-slug
molecule-ai:fix/script-ghcr-and-lint-paths
molecule-ai:docs/workspace-runtime-readme-source-edit
molecule-ai:feat/eic-tunnel-pool-core-11
molecule-ai:chore/rfc-2945-pr-c-3-delete-historyhydration
molecule-ai:fix/2872-sqlmock-regex-tightening
molecule-ai:fix/cp-orphan-sweeper-2989
molecule-ai:feat/registry-prefix-env-driven-issue-6
molecule-ai:docs/readme-refresh-2026-05-06
1 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
| 0cecb85a6d |
fix(handlers): restore CWE-78 guard on staging — partial refs like \$HOME/path stay literal
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 36s
CI / Detect changes (pull_request) Successful in 1m16s
Harness Replays / detect-changes (pull_request) Successful in 21s
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m28s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m25s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 30s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m36s
gate-check-v3 / gate-check (pull_request) Successful in 24s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m28s
qa-review / approved (pull_request) Successful in 16s
security-review / approved (pull_request) Successful in 19s
sop-checklist / na-declarations (pull_request) awaiting /sop-n/a declaration for: qa-review, security-review
sop-checklist / all-items-acked (pull_request) Successful in 26s
sop-tier-check / tier-check (pull_request) Successful in 25s
CI / Canvas (Next.js) (pull_request) Successful in 8s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 9s
CI / Python Lint & Test (pull_request) Successful in 8s
Harness Replays / Harness Replays (pull_request) Successful in 12s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 9s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m23s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5m13s
CI / Platform (Go) (pull_request) Failing after 8m43s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
audit-force-merge / audit (pull_request) Has been skipped
CI / all-required (pull_request) Successful in 10s
HOTFIX: PR #1059 merged the vulnerable os.Expand-based expandWithEnv to staging. This reverts that and applies the correct byte-parser from main. os.Expand splits $HOME/path into key="HOME" and key="/path". The callback cannot distinguish whole-string from partial prefix — it fell back to os.Getenv for any non-empty key absent from the env map, leaking the host's HOME/PATH/USER env vars into org template values. Fix: character-by-character parser. Only os.Getenv when ref==whole (the matched $VAR/${VAR} IS the entire input). For partial refs like $HOME/path, return the literal "$HOME" — no host env leak. Test coverage: 14 new regression tests in org_helpers_security_test.go covering $HOME/path, ${ROLE}/admin, prefix$ROLE/suffix, mixed partial+whole, etc. Updated TestExpandWithEnv_PartiallyPresent to reflect correct behavior. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
