molecule-ai/molecule-core
36
0
Fork 2
Code Issues 14 Pull Requests 24 Actions 5.0k Packages Projects Releases Wiki Activity
fce0be30fd
molecule-core/platform/internal
History
Molecule AI Backend Engineer fce0be30fd fix(#611): remove budget_limit from PATCH /workspaces/:id and strip financial fields from GET 
Security Auditor findings on PR #611:

Fix 1 (BLOCKING): Remove budget_limit handling from Update() entirely.
PATCH /workspaces/:id uses ValidateAnyToken — any enrolled workspace bearer
could self-clear its own spending ceiling. The dedicated AdminAuth-gated
PATCH /workspaces/:id/budget is the only authorised write path.

Fix 2 (MEDIUM): Strip budget_limit and monthly_spend from Get() response
before c.JSON(). GET /workspaces/:id is on the open router — any caller
with a valid UUID must not read billing data.

Also updates four existing tests in workspace_budget_test.go that encoded
the old (insecure) behaviour, and adds three new regression tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 06:18:41 +00:00
..
bundle initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
channels feat(channels): Lark / Feishu adapter (outbound webhook + Events API inbound) 2026-04-16 07:10:58 -07:00
crypto initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
db fix(liveness): raise workspace TTL 60s → 180s to survive Opus synthesis (#386) 2026-04-16 00:05:45 -07:00
envx initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
events feat(platform): AG-UI compatible SSE endpoint for streaming agent events (#590) 2026-04-17 05:16:51 +00:00
handlers fix(#611): remove budget_limit from PATCH /workspaces/:id and strip financial fields from GET 2026-04-17 06:18:41 +00:00
metrics initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
middleware Merge pull request #628 from Molecule-AI/fix/issue-623-adminauth-origin-bypass 2026-04-17 06:13:33 +00:00
models feat(platform): add per-workspace budget_limit field and A2A enforcement (#541) 2026-04-17 06:18:41 +00:00
plugins initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
provisioner fix: restore cp_provisioner.go updated for EC2 backend 2026-04-16 14:25:43 -07:00
registry fix(registry): allow ancestor↔descendant A2A so audit_summary can reach PM 2026-04-14 22:18:38 -07:00
router fix(issue-541): move PATCH /budget to adminAuth — workspace must not self-clear ceiling 2026-04-17 06:18:41 +00:00
scheduler fix(code-review): CanvasOrBearer fall-through, scheduler short(), activity spoof log + 6 new tests 2026-04-15 11:48:25 -07:00
supervised fix(platform): panic-recovering supervisor for every background goroutine (#92) 2026-04-14 20:34:18 -07:00
ws initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
wsauth fix(security): close WorkspaceAuth fail-open on non-existent workspace IDs (#318) 2026-04-15 21:02:29 -07:00