From 2dd0430dbe37d9ed40b614c0a05fcaf5b8847b99 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Sat, 23 May 2026 07:26:29 +0000
Subject: [PATCH 1/2] fix(server): add ReadHeaderTimeout to http.Server

Mitigates slowloris-style DoS by limiting the time a client can spend sending request headers. Aligns with the same 5 s setting already used in cmd/memory-plugin-postgres/main.go.

Co-Authored-By: Claude Opus 4.7
---
 workspace-server/cmd/server/main.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/workspace-server/cmd/server/main.go b/workspace-server/cmd/server/main.go
index d93f13255..f333c708f 100644
--- a/workspace-server/cmd/server/main.go
+++ b/workspace-server/cmd/server/main.go
@@ -370,8 +370,9 @@ func main() {
 // See molecule-core#7.
 bindHost := resolveBindHost()
 srv := &http.Server{
- Addr: fmt.Sprintf("%s:%s", bindHost, port),
- Handler: r,
+ Addr: fmt.Sprintf("%s:%s", bindHost, port),
+ Handler: r,
+ ReadHeaderTimeout: 5 * time.Second,
 }
 
 // Start server in goroutine
--
2.52.0

From 76005d6a53ad7db855f54aa29945b8dda25f7665 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Tue, 26 May 2026 07:05:40 +0000
Subject: [PATCH 2/2] chore: trigger CI re-run

--
2.52.0
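Review bot: `ReadHeaderTimeout` bounds only the request-header phase, so in the `srv := &http.Server{...}` literal the body read and idle keep-alive connections are still unbounded. `ReadTimeout`, `WriteTimeout` and `IdleTimeout` are not set in the lines shown, so a client that sends its headers promptly and then trickles the body can still hold a connection open. Consider adding `IdleTimeout: 120 * time.Second,` here and bounding body reads either with `ReadTimeout` or per handler (`http.MaxBytesReader` plus a request-context deadline); the value is illustrative, and a server-wide `ReadTimeout`/`WriteTimeout` would cut off any streaming or long-poll routes, which cannot be checked from this hunk. A short comment such as `// header phase only; body and idle timeouts are handled separately` would keep the next reader from treating this field as complete slow-client protection. `main` starts and ends outside the hunk, so limits applied elsewhere (for example middleware on `r`) are not visible here.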