Hongming Wang 1949846001 fix(auth): allow nesting + delete from tenant canvas (same-origin) ... PATCH /workspaces/:id field-level auth for parent_id/tier/runtime required a bearer token, blocking canvas nesting (drag-to-nest). Added IsSameOriginCanvas check so the tenant canvas can update sensitive fields without a bearer. Exported IsSameOriginCanvas from middleware package so workspace.go can call it for the field-level auth path. DELETE /workspaces/:id is behind AdminAuth which already has the same-origin check — if delete still fails, it's a different issue. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>		2026-04-16 11:22:45 -07:00
..
cmd/server	feat(platform): Fly Machines provisioner for SaaS workspace deployment	2026-04-16 10:51:15 -07:00
internal	fix(auth): allow nesting + delete from tenant canvas (same-origin)	2026-04-16 11:22:45 -07:00
migrations	feat(channels): Lark / Feishu adapter (outbound webhook + Events API inbound)	2026-04-16 07:10:58 -07:00
pkg/provisionhook	feat(platform): provision-time env mutator hook for plugins	2026-04-16 06:47:09 -07:00
Dockerfile	fix: address all code review findings + remove exposed secrets	2026-04-16 05:05:49 -07:00
Dockerfile.tenant	fix: address all code review findings + remove exposed secrets	2026-04-16 05:05:49 -07:00
entrypoint-tenant.sh	fix: code review findings — token UI, auth hardening, WS dedup	2026-04-16 10:42:26 -07:00
go.mod	initial commit — Molecule AI platform	2026-04-13 11:55:37 -07:00
go.sum	initial commit — Molecule AI platform	2026-04-13 11:55:37 -07:00