core-be
fd545a332b
E2E API Smoke Test / detect-changes (pull_request) Waiting to run
E2E Chat / detect-changes (pull_request) Waiting to run
Handlers Postgres Integration / detect-changes (pull_request) Waiting to run
Harness Replays / detect-changes (pull_request) Waiting to run
lint-required-no-paths / lint-required-no-paths (pull_request) Waiting to run
Runtime PR-Built Compatibility / detect-changes (pull_request) Waiting to run
Secret scan / Scan diff for credential-shaped strings (pull_request) Waiting to run
gate-check-v3 / gate-check (pull_request) Waiting to run
qa-review / approved (pull_request) Waiting to run
security-review / approved (pull_request) Waiting to run
sop-checklist / all-items-acked (pull_request) Waiting to run
sop-tier-check / tier-check (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 28s
CI / Detect changes (pull_request) Successful in 3m54s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 6s
CI / Python Lint & Test (pull_request) Successful in 8s
CI / Canvas (Next.js) (pull_request) Successful in 24m25s
CI / Platform (Go) (pull_request) Successful in 26m22s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / all-required (pull_request) Successful in 6s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Has been cancelled
E2E Chat / E2E Chat (pull_request) Has been cancelled
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Has been cancelled
Harness Replays / Harness Replays (pull_request) Has been cancelled
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Has been cancelled
Tenant workspace containers run agent-controlled code and must never receive a Git SCM write credential — agents structurally lacking merge/approve creds is why the two-eyes review gate is self-bypass-proof against forged-approval injection. Latent path: handlers.loadPersonaEnvFile() merges a per-role persona GITEA_TOKEN into cfg.EnvVars when MOLECULE_PERSONA_ROOT is set on a tenant host; it then flowed unfiltered through buildContainerEnv() (local Docker) and CPProvisioner.Start() (tenant EC2). Inert today (persona dirs are operator-host-only) but unguarded — and the pre-existing TestBuildContainerEnv_CustomEnvVarsAppended test actually asserted GITHUB_TOKEN passed through verbatim. Adds a narrow, auditable exact-match denylist (isSCMWriteTokenKey: GITEA/GITHUB/GH/GITLAB/GL/BITBUCKET _TOKEN) applied by construction in both env paths, plus negative-assertion tests covering the normal path and a persona-file-merge simulation. Non-credential persona identity (GITEA_USER, GITEA_USER_EMAIL) is intentionally preserved. No provisioner refactor. Tracking: molecule-ai/internal#438 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>