Molecule AI Core-DevOps 4474ddc189 fix(workspace): add SSRF validation before writing external workspace URL ... Issue #212: POST /workspaces with runtime=external and a URL wrote the URL directly to the DB without validateAgentURL checking (the same check that registry.go:324 applies to the heartbeat path). An attacker with AdminAuth could register a workspace URL at a cloud metadata endpoint (169.254.169.254) and exfiltrate IAM credentials when the platform fires pre-restart drain signals. Changes: - workspace.go: add validateAgentURL(payload.URL) guard before the UPDATE at line 386. 400 on unsafe URL, no DB write occurs. - workspace_test.go: add 3 regression tests: - TestWorkspaceCreate_ExternalURL_SSRFSafe: safe public URL → 201 - TestWorkspaceCreate_ExternalURL_SSRFMetadataBlocked: 169.254.169.254 → 400 - TestWorkspaceCreate_ExternalURL_SSRFLoopbackBlocked: 127.0.0.1 → 400 Both unsafe tests assert zero DB calls (the handler rejects before any transaction). Ref: issue #212. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>		2026-05-10 02:30:18 +00:00
..
artifacts	chore: sync staging to main — 1188 commits, 5 conflicts resolved (#1743)	2026-04-23 18:30:18 +00:00
buildinfo	feat(deploy): verify each tenant /buildinfo matches published SHA after redeploy	2026-04-30 10:55:08 -07:00
bundle	refactor(events): migrate 18 files to typed EventType constants (RFC #2945 PR-B-1)	2026-05-05 19:05:03 -07:00
channels	refactor(events): migrate 18 files to typed EventType constants (RFC #2945 PR-B-1)	2026-05-05 19:05:03 -07:00
crypto	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00
db	fix(bundle): markFailed sets last_sample_error + AST gate	2026-05-04 21:08:08 -07:00
envx	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00
events	feat(events): typed EventType registry — single source of truth for WS event names (RFC #2945 PR-B)	2026-05-05 16:25:38 -07:00
handlers	fix(workspace): add SSRF validation before writing external workspace URL	2026-05-10 02:30:18 +00:00
imagewatch	feat(workspace-server): GHCR digest watcher closes runtime CD chain (#2114)	2026-04-26 13:36:26 -07:00
memory	fix(textutil): SSOT for rune-safe string truncation, fix 3 audit-gap bugs	2026-05-05 23:01:21 -07:00
messagestore	feat(canvas/chat-server): canvas consumes /chat-history + server-side row-aware reverse (RFC #2945 PR-C-2)	2026-05-06 16:55:00 -07:00
metrics	feat(rfc): poll-mode chat upload — phase 3 GC sweep + observability	2026-05-05 05:00:13 -07:00
middleware	docs(ratelimit): tighten dev-mode comment after keyFor refactor	2026-05-07 14:57:21 -07:00
models	refactor(models): consolidate per-runtime model defaults to SSOT (RFC #2873 iter 1)	2026-05-05 04:12:37 -07:00
orgtoken	fix: F1085 rm scope concat + GH#756 ValidateToken terminal guard + CI test fixes	2026-04-24 07:16:54 +00:00
pendinguploads	fix(test): poll error counter to 0 before asserting in RecordsMetricsOnSuccess	2026-05-09 23:27:19 +00:00
plugins	feat(plugins): plugin drift detector + queue + admin apply endpoint (#123)	2026-05-10 00:39:50 +00:00
provisioner	tech-debt: rename molecule-monorepo-net -> molecule-core-net	2026-05-09 20:51:48 +00:00
provlog	feat(workspace-server): structured logging at provisioning boundaries	2026-05-05 12:30:11 -07:00
registry	chore: reconcile main → staging post-suspension divergence	2026-05-07 14:24:37 -07:00
router	feat(plugins): plugin drift detector + queue + admin apply endpoint (#123)	2026-05-10 00:39:50 +00:00
scheduler	fix(textutil): SSOT for rune-safe string truncation, fix 3 audit-gap bugs	2026-05-05 23:01:21 -07:00
supervised	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00
textutil	fix(textutil): SSOT for rune-safe string truncation, fix 3 audit-gap bugs	2026-05-05 23:01:21 -07:00
ws	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00
wsauth	perf(wsauth): in-process cache for platform_inbound_secret reads	2026-05-03 00:04:38 -07:00