molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity
2f7a979ee6
molecule-core/platform/internal
History
Molecule AI Backend Engineer 3895e02e01 fix(security): address Security Auditor findings on audit-ledger (#651) 
- Replace == HMAC comparisons with hmac.compare_digest (Python) and
  hmac.Equal (Go) in ledger.py, verify.py, and audit.go to prevent
  timing oracle attacks (Fixes 1-6)
- Increase PBKDF2 iterations from 100K to 210K in both ledger.py and
  audit.go — must match for cross-language verification (Fix 7)
- Return chain_valid: null when offset > 0 (paginated views cannot
  verify a truncated chain; null means "not computed") (Fix 8)
- Remove module-level AUDIT_LEDGER_SALT attribute from ledger.py; read
  the secret exclusively from os.environ inside _get_hmac_key() so the
  salt is not exposed in the module namespace (Fix 9)
- Update tests: use monkeypatch.setenv/delenv instead of setattr on the
  removed AUDIT_LEDGER_SALT attribute; update testAuditKey helper to
  use 210K iterations; add TestAuditQuery_PaginatedOffsetReturnsNullChainValid
- Fix migration 028: workspace_id column type TEXT → UUID to match
  workspaces.id UUID primary key

All tests pass: 1043 pytest + 0 Go test failures.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 07:30:10 +00:00
..
bundle initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
channels feat(channels): Lark / Feishu adapter (outbound webhook + Events API inbound) 2026-04-16 07:10:58 -07:00
crypto initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
db fix(liveness): raise workspace TTL 60s → 180s to survive Opus synthesis (#386) 2026-04-16 00:05:45 -07:00
envx initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
events feat(platform): AG-UI compatible SSE endpoint for streaming agent events (#590) 2026-04-17 05:16:51 +00:00
handlers fix(security): address Security Auditor findings on audit-ledger (#651) 2026-04-17 07:30:10 +00:00
metrics initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
middleware Merge pull request #629 from Molecule-AI/fix/issue-614-security-headers 2026-04-17 06:18:25 +00:00
models fix(gate-1): resolve merge conflicts with main 2026-04-17 06:27:14 +00:00
plugins initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
provisioner fix: restore cp_provisioner.go updated for EC2 backend 2026-04-16 14:25:43 -07:00
registry fix(registry): allow ancestor↔descendant A2A so audit_summary can reach PM 2026-04-14 22:18:38 -07:00
router feat: molecule-audit-ledger — HMAC-SHA256 immutable agent event log (#594) 2026-04-17 06:55:36 +00:00
scheduler fix(code-review): CanvasOrBearer fall-through, scheduler short(), activity spoof log + 6 new tests 2026-04-15 11:48:25 -07:00
supervised fix(platform): panic-recovering supervisor for every background goroutine (#92) 2026-04-14 20:34:18 -07:00
ws initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
wsauth fix(security): close WorkspaceAuth fail-open on non-existent workspace IDs (#318) 2026-04-15 21:02:29 -07:00