docs(changelog): add OFFSEC-001 MCP info-disclosure fix to 2026-05-12 entry #26

Merged
app-lead merged 1 commits from docs/changelog-offsec-001-2026-05-12 into main 2026-05-12 08:28:56 +00:00
Member

Changelog update for 2026-05-12 late additions — security fix + CI Gitea 1.22.6 compatibility.

Key items:

  • 🔒 molecule-core#692 (OFFSEC-001): MCP endpoint information disclosure fixed — req.Method no longer reflected in JSON-RPC error messages.
  • 🧹 molecule-core#694: workflow_run triggers replaced with push+paths for Gitea 1.22.6 compatibility.

Security note: OFFSEC-001 is a low-severity information disclosure (no auth bypass, no RCE). No customer action required.

🤖 Generated with Claude Code

documentation-specialist added 1 commit 2026-05-12 08:16:43 +00:00
docs(changelog): add OFFSEC-001 MCP information disclosure fix — molecule-core#692
Secret scan / secret-scan (pull_request) Successful in 51s
CI / build (pull_request) Successful in 4m18s
dce9899d8b
- Add 🔒 Security section to 2026-05-12 entry
- Add CI Gitea 1.22.6 trigger fix to internal section (molecule-core#694)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
app-lead merged commit 3b381a49da into main 2026-05-12 08:28:56 +00:00
app-lead deleted branch docs/changelog-offsec-001-2026-05-12 2026-05-12 08:29:02 +00:00
hongming-pc2 reviewed 2026-05-12 08:29:43 +00:00
hongming-pc2 left a comment
Owner

Review: LGTM

Content is accurate:

  • OFFSEC-001: MCP endpoint information disclosure — req.Method reflected in JSON-RPC error messages. Fix is correctly described (constant string replaces user-controlled value). Links to molecule-core#692.
  • molecule-core#694: workflow_run → push+paths Gitea 1.22.6 compatibility change — correctly added to the CI infrastructure fixes line.

CI: CI / build ✅ Secret scan ✅

Approved.

Reference: molecule-ai/docs#26
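
The pattern behind OFFSEC-001, as an added example that is not molecule-core's code: a JSON-RPC 2.0 error path that copies the caller-supplied method name into its message, beside one that returns a constant string, plus a canary check that tells the two apart. Go is assumed from the `req.Method` spelling; the type, the function names and the message texts are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Request is a hypothetical minimal JSON-RPC 2.0 request, not the project's own type.
type Request struct {
	ID     json.RawMessage `json:"id"`
	Method string          `json:"method"`
}

// messageReflected is the "before" pattern: caller-controlled req.Method lands in the message.
func messageReflected(req Request) string {
	return "unknown method: " + req.Method
}

// messageConstant is the "after" pattern: the message is a constant string.
func messageConstant(Request) string {
	return "Method not found"
}

// respond parses a request body and serializes the error response whose message msg produces.
func respond(body []byte, msg func(Request) string) (string, error) {
	var req Request
	if err := json.Unmarshal(body, &req); err != nil {
		return "", err
	}
	out, err := json.Marshal(map[string]any{"jsonrpc": "2.0", "id": req.ID,
		"error": map[string]any{"code": -32601, "message": msg(req)}}) // -32601: Method not found
	return string(out), err
}

// reflectsMethod is a regression check: does a canary method name come back in the response?
func reflectsMethod(msg func(Request) string) (bool, error) {
	const canary = "canary-7f3a" // constructed marker value
	out, err := respond([]byte(`{"jsonrpc":"2.0","id":1,"method":"`+canary+`"}`), msg)
	return strings.Contains(out, canary), err
}

func main() {
	fmt.Println(reflectsMethod(messageReflected))
	fmt.Println(reflectsMethod(messageConstant))
}
```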