fix(workspace): block Hermes custom provider bypass #1863

Merged

hongming merged 1 commits from fix/hermes-platform-proxy-guard into main 2026-05-26 04:13:01 +00:00

Conversation 4 Commits 1 Files Changed 3

+57

hongming commented 2026-05-26 03:56:27 +00:00

Owner

Copy Link

Copy Source

Summary

• reject HERMES_CUSTOM_API_KEY and HERMES_CUSTOM_BASE_URL writes for platform-managed LLM workspaces
• apply the guard to workspace create payload secrets, workspace secret writes, and global secret writes
• add regression coverage for platform-managed secret rejection

Tests

• cd workspace-server && go test ./internal/handlers -run 'TestExtended_SecretsSet|TestExtended_SecretsSetRejectsHermesCustomProviderInPlatformManagedMode' -count=1

Security context

This makes the control plane enforce the platform proxy boundary instead of relying on template/runtime discipline alone.

## Summary - reject HERMES_CUSTOM_API_KEY and HERMES_CUSTOM_BASE_URL writes for platform-managed LLM workspaces - apply the guard to workspace create payload secrets, workspace secret writes, and global secret writes - add regression coverage for platform-managed secret rejection ## Tests - cd workspace-server && go test ./internal/handlers -run 'TestExtended_SecretsSet|TestExtended_SecretsSetRejectsHermesCustomProviderInPlatformManagedMode' -count=1 ## Security context This makes the control plane enforce the platform proxy boundary instead of relying on template/runtime discipline alone.

hongming added 1 commit 2026-05-26 03:56:28 +00:00

fix(workspace): block Hermes custom provider bypass 3682465525

agent-reviewer approved these changes 2026-05-26 03:57:40 +00:00

agent-reviewer left a comment

Member

Copy Link

Copy Source

Approved — blocks Hermes direct-provider bypass secrets in platform-managed mode across secret writes and workspace creation; targeted regression coverage included.

Approved — blocks Hermes direct-provider bypass secrets in platform-managed mode across secret writes and workspace creation; targeted regression coverage included.

core-security approved these changes 2026-05-26 04:03:43 +00:00

core-security left a comment

Member

Copy Link

Copy Source

Security review passed. Scope is limited to blocking Hermes custom-provider escape-hatch keys in platform-managed mode across create, workspace secret set, and global secret set. No new endpoints, dependencies, raw SQL interpolation, or secret material introduced. Regression test covers the rejected workspace secret path; existing provisioning tests cover the platform-managed env mode boundary.

Security review passed. Scope is limited to blocking Hermes custom-provider escape-hatch keys in platform-managed mode across create, workspace secret set, and global secret set. No new endpoints, dependencies, raw SQL interpolation, or secret material introduced. Regression test covers the rejected workspace secret path; existing provisioning tests cover the platform-managed env mode boundary.

core-security approved these changes 2026-05-26 04:03:55 +00:00

core-security left a comment

Member

Copy Link

Copy Source

Security review passed.

Security review passed.

hongming commented 2026-05-26 04:05:10 +00:00

Author

Owner

Copy Link

Copy Source

/security-recheck

/security-recheck

hongming merged commit 0129548657 into main 2026-05-26 04:13:01 +00:00

hongming referenced this issue from a commit 2026-05-26 04:13:01 +00:00

fix(workspace): block Hermes custom provider bypass (#1863)

Sign in to join this conversation.

Reviewers

No Reviewers

agent-reviewer

core-security

Labels

Clear labels

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

platform/go

Go platform test issues

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

3 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#1863