molecule-core

History

molecule-ai[bot] 19396fc55a Merge pull request #628 from Molecule-AI/fix/issue-623-adminauth-origin-bypass Merge gate passed (all 7 gates). Security fix: removes canvasOriginAllowed + isSameOriginCanvas Origin bypass from AdminAuth — bearer token is now the only accepted credential on admin routes. 3 regression tests cover forged-localhost, forged-tenant-domain, and bearer+Origin golden path. Auth PR — CEO explicit approval confirmed in chat. UNSTABLE = known GitHub App token scope gap.		2026-04-17 06:13:33 +00:00
..
cmd/server	feat(platform): wire github-app-auth plugin for per-installation tokens	2026-04-16 12:52:20 -07:00
internal	Merge pull request #628 from Molecule-AI/fix/issue-623-adminauth-origin-bypass	2026-04-17 06:13:33 +00:00
migrations	Merge pull request #610 from Molecule-AI/feat/issue-591-org-plugin-allowlist	2026-04-17 05:55:27 +00:00
pkg/provisionhook	fix(github): refresh installation token when TTL < 10 min (#547 ) (#567 )	2026-04-17 00:47:03 +00:00
Dockerfile	fix: address all code review findings + remove exposed secrets	2026-04-16 05:05:49 -07:00
Dockerfile.tenant	fix: address all code review findings + remove exposed secrets	2026-04-16 05:05:49 -07:00
entrypoint-tenant.sh	feat(platform): auto-detect SaaS tenant → control plane provisioner	2026-04-16 11:50:52 -07:00
go.mod	feat(platform): wire github-app-auth plugin for per-installation tokens	2026-04-16 12:52:20 -07:00
go.sum	feat(platform): wire github-app-auth plugin for per-installation tokens	2026-04-16 12:52:20 -07:00