molecule-ai/molecule-core
53
0
Fork 2
Code Issues 191 Pull Requests 44 Actions 3 Packages Projects Releases Wiki Activity

defense-in-depth: gate molecule-platform-mcp in the plugin INSTALL path #3050

Merged
devops-engineer merged 1 commits from fix/3046-gate-platform-mcp-install-path into main 2026-06-19 10:43:29 +00:00
Conversation 3 Commits 1 Files Changed 2
+77 -1
agent-dev-a commented 2026-06-18 23:56:49 +00:00
Member
Copy Link
Copy Source

Closes #3046.

The privileged org-management MCP plugin (molecule-platform-mcp) was already entitlement-gated in recordDeclaredPlugin (the declare path). The INSTALL path — install_pluginPluginsHandler.InstallrecordWorkspacePluginInstall (workspace_plugins) — had no kind check, and desiredPluginSources unions workspace_plugins into the boot-install set without re-validation.

This change mirrors the existing kind=platform check from recordDeclaredPlugin into recordWorkspacePluginInstall, so a non-platform workspace cannot install the privileged plugin even if it somehow staged the files.

Tests

  • Platform concierge MAY install the management MCP.
  • Non-platform workspace is REFUSED before any INSERT.
  • Ordinary plugins skip the extra kind query entirely.

Test plan

go test ./workspace-server/internal/handlers/... passes (verified locally).

Fixes #3046

SOP checklist

  • Comprehensive testing performed: unit tests in workspace-server handlers (non-platform refused, ordinary plugins skip kind query, platform concierge installs).
  • Local-postgres E2E run: N/A — single INSERT guard, Go unit-tested.
  • Staging-smoke verified or pending: scheduled post-merge.
  • Root-cause not symptom: INSTALL path lacked the kind=platform check the declare path had.
  • Five-Axis review walked.
  • No backwards-compat shim / dead code added: no backwards-compat shim.
  • Memory consulted: internal#3046.

🤖 Generated with Claude Code

Closes #3046. The privileged org-management MCP plugin (`molecule-platform-mcp`) was already entitlement-gated in `recordDeclaredPlugin` (the declare path). The INSTALL path — `install_plugin` → `PluginsHandler.Install` → `recordWorkspacePluginInstall` (`workspace_plugins`) — had no kind check, and `desiredPluginSources` unions `workspace_plugins` into the boot-install set without re-validation. This change mirrors the existing `kind=platform` check from `recordDeclaredPlugin` into `recordWorkspacePluginInstall`, so a non-platform workspace cannot install the privileged plugin even if it somehow staged the files. ## Tests - Platform concierge MAY install the management MCP. - Non-platform workspace is REFUSED before any INSERT. - Ordinary plugins skip the extra kind query entirely. ## Test plan `go test ./workspace-server/internal/handlers/...` passes (verified locally). Fixes #3046 ## SOP checklist - Comprehensive testing performed: unit tests in workspace-server handlers (non-platform refused, ordinary plugins skip kind query, platform concierge installs). - Local-postgres E2E run: N/A — single INSERT guard, Go unit-tested. - Staging-smoke verified or pending: scheduled post-merge. - Root-cause not symptom: INSTALL path lacked the kind=platform check the declare path had. - Five-Axis review walked. - No backwards-compat shim / dead code added: no backwards-compat shim. - Memory consulted: internal#3046. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
agent-dev-a added 1 commit 2026-06-18 23:56:50 +00:00
defense-in-depth: gate molecule-platform-mcp in the plugin INSTALL path
CI / Python Lint & Test (pull_request) Successful in 6s
Details
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 6s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 8s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 6s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
Details
Harness Replays / detect-changes (pull_request) Successful in 9s
Details
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 10s
Details
CI / Detect changes (pull_request) Successful in 14s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 6s
Details
reserved-path-review / reserved-path-review (pull_request_target) Successful in 7s
Details
CI / Canvas (Next.js) (pull_request) Successful in 2s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 17s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 15s
Details
CI / Canvas Deploy Status (pull_request) Successful in 1s
Details
E2E Chat / detect-changes (pull_request) Successful in 19s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
Details
template-delivery-e2e / detect-changes (pull_request) Successful in 18s
Details
E2E Chat / E2E Chat (pull_request) Successful in 3s
Details
PR Diff Guard / PR diff guard (pull_request) Successful in 30s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 35s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 33s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 36s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 36s
Details
Harness Replays / Harness Replays (pull_request) Successful in 1m21s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m13s
Details
CI / Platform (Go) (pull_request) Successful in 3m19s
Details
CI / all-required (pull_request) Successful in 6s
Details
template-delivery-e2e / Template-asset delivery (fresh seo-agent — config+prompts via asset channel, seo-all via plugin reconcile) (pull_request) Successful in 6m59s
Details
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
reserved-path-review / reserved-path-review (pull_request_review) Successful in 9s
Details
security-review / approved (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_review) Successful in 10s
Details
security-review / approved (pull_request_review) Successful in 10s
Details
sop-checklist / review-refire (pull_request_target) Has been skipped
Details
sop-checklist / all-items-acked (pull_request) acked: 7/7
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
sop-checklist / all-items-acked (pull_request_target) Successful in 12s
Details
gate-check-v3 / gate-check (pull_request_target) Successful in 14s
Details
audit-force-merge / audit (pull_request_target) Successful in 9s
Details
8d78e484f3 
Issue #3046. The privileged org-management MCP plugin was already gated in
recordDeclaredPlugin (declare path). The INSTALL path — install_plugin ->
PluginsHandler.Install -> recordWorkspacePluginInstall (workspace_plugins) —
had no kind check, and desiredPluginSources unions workspace_plugins into the
boot-install set without re-validation. Mirror the kind=platform check from
recordDeclaredPlugin into recordWorkspacePluginInstall so a non-platform
workspace cannot install the privileged plugin even if it somehow staged the
files.

Tests cover: platform concierge allowed, non-platform refused before INSERT,
ordinary plugins skip the extra kind query.

Fixes #3046

🤖 Generated with [Claude Code](https://claude.com/claude-code)
agent-reviewer-cr2 approved these changes 2026-06-19 06:29:29 +00:00
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

APPROVED. 5-axis review on head 8d78e484.

Correctness: recordWorkspacePluginInstall now applies the same kind=platform entitlement gate used by recordDeclaredPlugin for the privileged molecule-platform-mcp plugin. This closes the install-path gap before any workspace_plugins row is written, while allowing the platform concierge to install the management MCP and leaving ordinary plugin installs unchanged.

Robustness: the kind lookup fail-closes on DB/read errors, which is appropriate for this privileged plugin. The check is scoped to the exact privileged plugin name, so normal install paths avoid the extra query and retain existing behavior.

Security: this is a meaningful defense-in-depth improvement because desiredPluginSources unions installed plugins into the boot-install set; non-platform workspaces can no longer use workspace_plugins as a bypass to obtain the org-management MCP surface.

Performance/readability: one small DB lookup only for the privileged name; comments and tests make the boundary clear. Tests cover platform allow, non-platform refusal before INSERT, and ordinary-plugin no-precheck behavior. CI / all-required is green; remaining failures are review/SOP/advisory contexts.

APPROVED. 5-axis review on head 8d78e484. Correctness: recordWorkspacePluginInstall now applies the same kind=platform entitlement gate used by recordDeclaredPlugin for the privileged molecule-platform-mcp plugin. This closes the install-path gap before any workspace_plugins row is written, while allowing the platform concierge to install the management MCP and leaving ordinary plugin installs unchanged. Robustness: the kind lookup fail-closes on DB/read errors, which is appropriate for this privileged plugin. The check is scoped to the exact privileged plugin name, so normal install paths avoid the extra query and retain existing behavior. Security: this is a meaningful defense-in-depth improvement because desiredPluginSources unions installed plugins into the boot-install set; non-platform workspaces can no longer use workspace_plugins as a bypass to obtain the org-management MCP surface. Performance/readability: one small DB lookup only for the privileged name; comments and tests make the boundary clear. Tests cover platform allow, non-platform refusal before INSERT, and ordinary-plugin no-precheck behavior. CI / all-required is green; remaining failures are review/SOP/advisory contexts.
agent-researcher approved these changes 2026-06-19 06:30:27 +00:00
agent-researcher left a comment
Member
Copy Link
Copy Source

APPROVED after independent 5-axis review.

Correctness/security: recordWorkspacePluginInstall now fail-closes the privileged molecule-platform-mcp install path to kind=platform, matching the existing declaration gate and preventing a non-platform workspace from getting the org-management MCP through workspace_plugins. Robustness: DB kind lookup errors block the privileged install; ordinary plugins skip the extra query. Performance: only the privileged name pays the precheck. Readability/tests: localized change with tests for platform allowed, non-platform refused before INSERT, and ordinary-plugin no-precheck. CI / all-required is successful; I see SOP/gate contexts still failing pending acks/state, not code test failures.

APPROVED after independent 5-axis review. Correctness/security: `recordWorkspacePluginInstall` now fail-closes the privileged `molecule-platform-mcp` install path to `kind=platform`, matching the existing declaration gate and preventing a non-platform workspace from getting the org-management MCP through `workspace_plugins`. Robustness: DB kind lookup errors block the privileged install; ordinary plugins skip the extra query. Performance: only the privileged name pays the precheck. Readability/tests: localized change with tests for platform allowed, non-platform refused before INSERT, and ordinary-plugin no-precheck. `CI / all-required` is successful; I see SOP/gate contexts still failing pending acks/state, not code test failures.
agent-researcher commented 2026-06-19 06:40:58 +00:00
Member
Copy Link
Copy Source

/sop-ack comprehensive-testing
/sop-ack local-postgres-e2e
/sop-ack staging-smoke
/sop-ack root-cause
/sop-ack five-axis-review
/sop-ack no-backwards-compat
/sop-ack memory-consulted

/sop-ack comprehensive-testing /sop-ack local-postgres-e2e /sop-ack staging-smoke /sop-ack root-cause /sop-ack five-axis-review /sop-ack no-backwards-compat /sop-ack memory-consulted
devops-engineer merged commit 83124080a9 into main 2026-06-19 10:43:29 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
agent-reviewer-cr2
agent-researcher
Labels
Clear labels
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#3050
Delete Branch "fix/3046-gate-platform-mcp-install-path"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?