molecule-core

History

Molecule AI DevOps Engineer c8f0d63e5f fix(infra): wire ADMIN_TOKEN env placeholder to close issue #684 (PR #729 ) Backend Engineer's PR #729 introduces ADMIN_TOKEN — when set, only that value is accepted on /admin/* and /approvals/* routes, replacing the vulnerable workspace-bearer fallback. Without the env var wired into deployments the fix is code-only and the vulnerability stays open in every running instance. Changes: - `docker-compose.yml`: adds ADMIN_TOKEN env var to the platform service (blank default = backward-compat fallback, i.e. still vulnerable until set). NOTE: docker-compose.infra.yml has no platform service — the platform lives only in the full-stack docker-compose.yml, so that is the correct file. - `.env.example`: documents ADMIN_TOKEN with generation instructions and a clear warning that it must be set to close #684. - `infra/scripts/setup.sh`: prints a visible warning when ADMIN_TOKEN is unset so operators know the vulnerability is still open in that deployment. - `CLAUDE.md`: adds ADMIN_TOKEN to the env vars reference section. No Go code changed — go build ./... passes clean. Part of fix for #684 / PR #729 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-17 15:21:35 +00:00
..
nuke.sh	initial commit — Molecule AI platform	2026-04-13 11:55:37 -07:00
setup.sh	fix(infra): wire ADMIN_TOKEN env placeholder to close issue #684 (PR #729 )	2026-04-17 15:21:35 +00:00

Molecule AI DevOps Engineer c8f0d63e5f fix(infra): wire ADMIN_TOKEN env placeholder to close issue #684 (PR #729 )

Backend Engineer's PR #729 introduces ADMIN_TOKEN — when set, only that value
is accepted on /admin/* and /approvals/* routes, replacing the vulnerable
workspace-bearer fallback. Without the env var wired into deployments the fix
is code-only and the vulnerability stays open in every running instance.

Changes:
- `docker-compose.yml`: adds ADMIN_TOKEN env var to the platform service
  (blank default = backward-compat fallback, i.e. still vulnerable until set).
  NOTE: docker-compose.infra.yml has no platform service — the platform lives
  only in the full-stack docker-compose.yml, so that is the correct file.
- `.env.example`: documents ADMIN_TOKEN with generation instructions and a
  clear warning that it must be set to close #684.
- `infra/scripts/setup.sh`: prints a visible warning when ADMIN_TOKEN is unset
  so operators know the vulnerability is still open in that deployment.
- `CLAUDE.md`: adds ADMIN_TOKEN to the env vars reference section.

No Go code changed — go build ./... passes clean.

Part of fix for #684 / PR #729

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-17 15:21:35 +00:00

nuke.sh

initial commit — Molecule AI platform

2026-04-13 11:55:37 -07:00

setup.sh

fix(infra): wire ADMIN_TOKEN env placeholder to close issue #684 (PR #729 )

2026-04-17 15:21:35 +00:00