molecule-core

Files

T

Molecule AI QA Engineer 7aeaf3c07c test(security): route-specific #684 regression — three vulnerable admin routes

The BE's tests (AdminTokenSet_*, FailOpen_*) validated the core AdminAuth
contract on /admin/secrets. These table-driven additions pin the same contract
on the three routes explicitly named in the #684 security report, each with
three scenarios: workspace token rejected, correct ADMIN_TOKEN accepted, no
bearer rejected.

Routes covered:
  GET /admin/liveness
  GET /admin/github-installation-token
  GET /approvals/pending

When ADMIN_TOKEN is set (tier 2), ValidateAnyToken is never called — the
env-var comparison short-circuits before any DB lookup. The mock sets only
HasAnyLiveTokenGlobal and nothing else; an extra DB expectation would itself
be a test bug (calling it proves the middleware regressed to tier 3).

All 18 TestAdminAuth_684* tests pass. Full go test ./... is green across all
15 platform packages.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-17 15:25:41 +00:00

ratelimit_test.go

fix(router): call SetTrustedProxies(nil) to close IP-spoofing bypass (#179 )

2026-04-15 17:32:54 +00:00

ratelimit.go

fix: #93 category_routing + #105 X-RateLimit headers

2026-04-15 00:23:46 -07:00

securityheaders_test.go

fix(platform): pin X-Content-Type-Options nosniff + add /orgs API prefix (#614 )

2026-04-17 06:02:18 +00:00

securityheaders.go

fix(platform): pin X-Content-Type-Options nosniff + add /orgs API prefix (#614 )