Molecule AI Backend Engineer 3e1e68004d fix(security): add AdminAuth to /admin/workspaces/:id/test-token route ... Without middleware, any caller on a non-production instance could mint a bearer token for any workspace UUID with no authentication. AdminAuth is defence-in-depth: on a fresh install (no tokens yet) it is fail-open so the bootstrap path still works; once the first workspace enrolls a token all callers must present a valid bearer. Adds two router-level tests confirming the gate: - TestTestTokenRoute_RequiresAdminAuth_WhenTokensExist → 401 with no header - TestTestTokenRoute_FailOpenOnFreshInstall → 200 (bootstrap path intact) Env-var gating inside GetTestToken is retained as a second layer. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>		2026-04-17 02:48:00 +00:00
..
cmd/server	feat(platform): wire github-app-auth plugin for per-installation tokens	2026-04-16 12:52:20 -07:00
internal	fix(security): add AdminAuth to /admin/workspaces/:id/test-token route	2026-04-17 02:48:00 +00:00
migrations	feat(channels): Lark / Feishu adapter (outbound webhook + Events API inbound)	2026-04-16 07:10:58 -07:00
pkg/provisionhook	feat(platform): provision-time env mutator hook for plugins	2026-04-16 06:47:09 -07:00
Dockerfile	fix: address all code review findings + remove exposed secrets	2026-04-16 05:05:49 -07:00
Dockerfile.tenant	fix: address all code review findings + remove exposed secrets	2026-04-16 05:05:49 -07:00
entrypoint-tenant.sh	feat(platform): auto-detect SaaS tenant → control plane provisioner	2026-04-16 11:50:52 -07:00
go.mod	feat(platform): wire github-app-auth plugin for per-installation tokens	2026-04-16 12:52:20 -07:00
go.sum	feat(platform): wire github-app-auth plugin for per-installation tokens	2026-04-16 12:52:20 -07:00