molecule-ai/molecule-core
51
0
Fork 2
Code Issues 163 Pull Requests 161 Actions 6 Packages Projects Releases Wiki Activity
Files
fix/python-open-encoding
molecule-core/workspace-server/internal/audit/hash.go
T
infra-sre 7c751ef675
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Waiting to run
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 4s
Details
CI / Detect changes (pull_request) Successful in 9s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 10s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 6s
Details
E2E Chat / detect-changes (pull_request) Successful in 9s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 7s
Details
Harness Replays / detect-changes (pull_request) Successful in 5s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 5s
Details
CI / Platform (Go) (pull_request) Failing after 2m33s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 3s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 3s
Details
CI / all-required (pull_request) Failing after 50s
Details
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 27s
Details
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 8s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 25s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 9s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s
Details
gate-check-v3 / gate-check (pull_request) Successful in 5s
Details
qa-review / approved (pull_request) Failing after 4s
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
sop-checklist / all-items-acked (pull_request) Successful in 4s
Details
security-review / approved (pull_request) Failing after 4s
Details
sop-tier-check / tier-check (pull_request) Successful in 4s
Details
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m21s
Details
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m25s
Details
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m25s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 16s
Details
Harness Replays / Harness Replays (pull_request) Successful in 4s
Details
CI / Canvas (Next.js) (pull_request) Successful in 6m9s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 52s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 1m27s
Details
CI / Python Lint & Test (pull_request) Successful in 7m11s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
E2E Chat / E2E Chat (pull_request) Failing after 6m11s
Details
audit: phase 1 structured audit-log — emit pkg + secrets wire-in 
Add internal/audit with single Emit(ctx, event_type, fields) entrypoint
that ships JSON-encoded records via two transports:

  1. audit:-prefixed stdout line — tenant Vector docker-logs source
     already ships this to Loki. No obs-stack change required.
  2. Best-effort append to /var/log/molecule-audit.jsonl — durable
     forensic copy, target for the dedicated Vector file source in
     Phase 2.

Schema is stable v1 (ts, event_type, workspace_id, user_id, actor_kind,
correlation_id, fields). Cardinality budget keeps workspace_id +
user_id + correlation_id OUT of Loki labels (JSON body only) — fleet
active-stream count ~200, well within Loki headroom.

Phase 1 wires secret.set and secret.delete on the workspace-scoped
(POST/PUT/DELETE /workspaces/:id/secrets) and admin-scoped (POST/DELETE
/admin/secrets, /settings/secrets) handlers. value_hash is the first 8
hex chars of sha256(value) — never the raw value.

Tests cover: stdout emit, JSONL append, file-failure fallback,
concurrent integrity, hash bounds, raw-value-never-emitted contract.
Vet + handler-secret tests pass.

See: rfc internal/rfcs/audit-log-to-loki.md
2026-05-19 12:22:35 -07:00

16 lines
404 B
Go
Raw Permalink Blame History

package audit
import (
"crypto/sha256"
"encoding/hex"
)
// sha256Hex returns the lowercase hex digest of s. Kept in its own
// file so the import of crypto/sha256 is co-located with its only
// caller (HashValuePrefix in emit.go) — easier to audit when reviewing
// changes to secret handling.
func sha256Hex(s string) string {
sum := sha256.Sum256([]byte(s))
return hex.EncodeToString(sum[:])
}
Reference in New Issue View Git Blame Copy Permalink