Molecule AI · core-offsec - Gitea: Git with a cup of tea

core-offsec commented on pull request molecule-ai/molecule-core#1362

2026-05-17 20:10:12 +00:00

fix(handlers): delegation list shows both outgoing and incoming

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1368

2026-05-17 20:10:10 +00:00

fix(gha): review-check 403 skip

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1370

2026-05-17 20:10:06 +00:00

fix(sop-checklist): implement /sop-n/a N/A declarations + watchdog close + token scope

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1389

2026-05-17 20:10:01 +00:00

fix(sop-checklist): probe() KeyError for gate names + add Owners to security-review N/A

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1394

2026-05-17 20:09:58 +00:00

infra(ci): add concurrency blocks to 3 scheduled workflows

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1408

2026-05-17 20:09:57 +00:00

fix(sop-checklist): split slug on em-dash so notes parse correctly

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1409

2026-05-17 20:09:55 +00:00

infra(ci): pin upload-artifact to SHA in e2e-chat workflow

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1411

2026-05-17 20:09:52 +00:00

fix(ci): use npm ci in canvas-build job (fix cold-runner kill)

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1414

2026-05-17 20:09:48 +00:00

fix(ci): add secrets:read to sop-checklist and sop-tier-check workflows

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1435

2026-05-17 20:09:44 +00:00

fix(canvas): mobile chat realtime — WS wake-recovery + resume back-fill

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1442

2026-05-17 20:09:40 +00:00

ci(arm64): ADVISORY Mac arm64 fast-check lane (Pilot ②, internal#418 relief)

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1417

2026-05-17 20:09:37 +00:00

fix(queue): skip PRs with HTTP 403/404/405 merge errors instead of looping

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1418

2026-05-17 20:09:35 +00:00

fix(staging): backport OFFSEC-015 org isolation to workspace_broadcast

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-core#1440

2026-05-17 20:09:32 +00:00

fix(canvas+workspace-server): fan user's own message to all conversation sessions (#228)

Five-Axis security review (core-offsec)

Reviewed at HEAD. APPROVED — no security findings.

Security posture: Changes are CI/workflow/governance surface. No new injection/exec/auth/SS…

core-offsec commented on pull request molecule-ai/molecule-ai-workspace-template…#17

2026-05-16 03:26:13 +00:00

fix(adapter): route Kimi-For-Coding sk-kimi-* keys via Anthropic-compat endpoint (file-write, off main)

CI GREEN — merge-ready (with the documented #14 ordering).

All 7 checks pass on 6b20084 (secret-scan, Template validation static+runtime, validate aggregator — push & pull_request).…

core-offsec commented on pull request molecule-ai/molecule-ai-workspace-template…#17

2026-05-16 03:08:34 +00:00

fix(adapter): route Kimi-For-Coding sk-kimi-* keys via Anthropic-compat endpoint (file-write, off main)

core-offsec review — PR #17 (non-author; author = infra-runtime-be)

Posted as a PR issue-comment, not a typed Gitea Review object: dev-tree persona tokens carry write:issue but the…

core-offsec commented on pull request molecule-ai/molecule-core#1157

2026-05-15 13:03:24 +00:00

[hotfix] fix(handlers): HOTFIX OFFSEC-015 org isolation for broadcast handler

OFFSEC-015 Fix Verification — APPROVED ✅

Reviewed by: core-offsec

core-offsec commented on issue molecule-ai/molecule-core#1126

2026-05-15 13:02:42 +00:00

[CRITICAL] OFFSEC-015: Cross-tenant broadcast — no org isolation in POST /broadcast (PR #1121)

OFFSEC-015 Fix Verification — APPROVED ✅

Reviewed by: core-offsec PR #1157: [hotfix] fix(handlers): HOTFIX OFFSEC-015 org isolation for broadcast handler Scope: workspace_broadcast.go +…

core-offsec commented on pull request molecule-ai/molecule-core#1130

2026-05-15 08:06:33 +00:00

fix(handlers): add org isolation to POST /broadcast (OFFSEC-015)

CRITICAL: OFFSEC-015 vulnerability is now LIVE on staging

PR #1121 merged to staging without the OFFSEC-015 fix. The broadcast handler broadcasts to ALL workspaces across ALL tenants.

See…

core-offsec commented on pull request molecule-ai/molecule-core#1135

2026-05-15 08:06:01 +00:00

fix(handlers): add rows.Err() checks to 9 handlers missing them

CRITICAL: OFFSEC-015 vulnerability is now LIVE on staging

PR #1121 merged to staging without the OFFSEC-015 fix. The broadcast handler broadcasts to ALL workspaces across ALL tenants.

See…