forked from molecule-ai/molecule-core
core-be
fd545a332b
Tenant workspace containers run agent-controlled code and must never receive a Git SCM write credential — agents structurally lacking merge/approve creds is why the two-eyes review gate is self-bypass-proof against forged-approval injection. Latent path: handlers.loadPersonaEnvFile() merges a per-role persona GITEA_TOKEN into cfg.EnvVars when MOLECULE_PERSONA_ROOT is set on a tenant host; it then flowed unfiltered through buildContainerEnv() (local Docker) and CPProvisioner.Start() (tenant EC2). Inert today (persona dirs are operator-host-only) but unguarded — and the pre-existing TestBuildContainerEnv_CustomEnvVarsAppended test actually asserted GITHUB_TOKEN passed through verbatim. Adds a narrow, auditable exact-match denylist (isSCMWriteTokenKey: GITEA/GITHUB/GH/GITLAB/GL/BITBUCKET _TOKEN) applied by construction in both env paths, plus negative-assertion tests covering the normal path and a persona-file-merge simulation. Non-credential persona identity (GITEA_USER, GITEA_USER_EMAIL) is intentionally preserved. No provisioner refactor. Tracking: molecule-ai/internal#438 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>