Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 core-devops
|
9153a2e464 | ||
 devops-engineer
|
a23ecc18a0 | ||
 core-uiux
|
befba93a51 | ||
|
devops-engineer
|
8c701db356 | ||
|
core-devops
|
cc4f23f7ec | ||
|
devops-engineer
|
ff8baa6981 |
@@ -575,10 +575,12 @@ jobs:
|
||||
# hourly if this list diverges from status_check_contexts or from
|
||||
# audit-force-merge.yml's REQUIRED_CHECKS env (RFC §4 + §6).
|
||||
#
|
||||
# Excluded from `needs:`: `canvas-deploy-reminder` — it is an
|
||||
# operational reminder, not a CI prerequisite. Keep that job runnable
|
||||
# on PRs with an internal no-op guard; job-level event/ref `if:` gates
|
||||
# are a Gitea 1.22.6 pending-status trap.
|
||||
# mc#922/#923 fix: canvas-deploy-reminder added to needs: above.
|
||||
# Originally excluded because it was an operational reminder, but the
|
||||
# drift detector now includes it in expected contexts, so it must be
|
||||
# in the sentinel needs to avoid F1 drift. Keep it runnable on PRs
|
||||
# via its own `needs: [changes, canvas-build]` — the sentinel only
|
||||
# aggregates the result.
|
||||
#
|
||||
# Phase 3 (RFC #219 §1) safety: underlying build jobs carry
|
||||
# continue-on-error: true so their failures are masked to null (2026-05-12: re-enabled mc#774 interim)
|
||||
@@ -596,6 +598,7 @@ jobs:
|
||||
- changes
|
||||
- platform-build
|
||||
- canvas-build
|
||||
- canvas-deploy-reminder
|
||||
- shellcheck
|
||||
- python-lint
|
||||
if: ${{ always() }}
|
||||
|
||||
@@ -8,11 +8,17 @@ import type { AuditEntry, AuditResponse } from "@/types/audit";
|
||||
|
||||
type EventFilter = "all" | AuditEntry["event_type"];
|
||||
|
||||
// Contrast note: text is rendered on near-black bg (bg-*-950/40). Every text
|
||||
// color below is chosen to pass WCAG 2.1 AA 4.5:1 on that background:
|
||||
// blue-300 ( delegation ) ≈ 8.8:1
|
||||
// violet-300 ( decision ) ≈ 9.5:1
|
||||
// yellow-200 ( gate ) ≈ 11.5:1
|
||||
// orange-300 ( hitl ) ≈ 9.1:1
|
||||
const BADGE_COLORS: Record<AuditEntry["event_type"], { text: string; bg: string; border: string }> = {
|
||||
delegation: { text: "text-accent", bg: "bg-blue-950/40", border: "border-blue-800/40" },
|
||||
decision: { text: "text-violet-400", bg: "bg-violet-950/40", border: "border-violet-800/40" },
|
||||
gate: { text: "text-yellow-400", bg: "bg-yellow-950/40", border: "border-yellow-800/40" },
|
||||
hitl: { text: "text-orange-400", bg: "bg-orange-950/40", border: "border-orange-800/40" },
|
||||
delegation: { text: "text-blue-300", bg: "bg-blue-950/40", border: "border-blue-800/40" },
|
||||
decision: { text: "text-violet-300", bg: "bg-violet-950/40", border: "border-violet-800/40" },
|
||||
gate: { text: "text-yellow-200", bg: "bg-yellow-950/40", border: "border-yellow-800/40" },
|
||||
hitl: { text: "text-orange-300", bg: "bg-orange-950/40", border: "border-orange-800/40" },
|
||||
};
|
||||
|
||||
const FILTERS: { id: EventFilter; label: string }[] = [
|
||||
@@ -245,7 +251,6 @@ export function AuditEntryRow({ entry, now }: AuditEntryRowProps) {
|
||||
{/* Event-type badge */}
|
||||
<span
|
||||
className={`shrink-0 text-[9px] font-semibold uppercase tracking-wider px-1.5 py-0.5 rounded border ${badge.text} ${badge.bg} ${badge.border}`}
|
||||
aria-label={`Event type: ${entry.event_type}`}
|
||||
>
|
||||
{entry.event_type}
|
||||
</span>
|
||||
|
||||
@@ -100,8 +100,8 @@ export function BatchActionBar() {
|
||||
aria-label="Batch workspace actions"
|
||||
className="fixed bottom-6 left-1/2 -translate-x-1/2 z-[200] flex items-center gap-3 px-4 py-2.5 rounded-2xl bg-surface-sunken/95 border border-line/70 shadow-2xl shadow-black/50 backdrop-blur-md"
|
||||
>
|
||||
{/* Selection count badge */}
|
||||
<span className="text-[12px] font-semibold text-white bg-accent-strong/80 px-2.5 py-0.5 rounded-full tabular-nums">
|
||||
{/* Selection count badge — bg-zinc-700 passes 7.2:1 on white text */}
|
||||
<span className="text-[12px] font-semibold text-white bg-zinc-700 px-2.5 py-0.5 rounded-full tabular-nums">
|
||||
{count} selected
|
||||
</span>
|
||||
|
||||
@@ -112,7 +112,7 @@ export function BatchActionBar() {
|
||||
type="button"
|
||||
disabled={busy}
|
||||
onClick={() => setPending("restart")}
|
||||
className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[12px] font-medium text-sky-300 bg-sky-900/30 hover:bg-sky-800/50 border border-sky-700/30 hover:border-sky-600/50 transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-sky-500/70"
|
||||
className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[12px] font-medium text-white bg-sky-900/30 hover:bg-sky-800/50 border border-sky-700/30 hover:border-sky-600/50 transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-sky-500/70"
|
||||
>
|
||||
<span aria-hidden="true">↻</span>
|
||||
Restart All
|
||||
@@ -122,7 +122,7 @@ export function BatchActionBar() {
|
||||
type="button"
|
||||
disabled={busy}
|
||||
onClick={() => setPending("pause")}
|
||||
className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[12px] font-medium text-warm bg-amber-900/30 hover:bg-amber-800/50 border border-amber-700/30 hover:border-amber-600/50 transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-amber-500/70"
|
||||
className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[12px] font-medium text-white bg-amber-900/30 hover:bg-amber-800/50 border border-amber-700/30 hover:border-amber-600/50 transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-amber-500/70"
|
||||
>
|
||||
<span aria-hidden="true">⏸</span>
|
||||
Pause All
|
||||
@@ -132,7 +132,7 @@ export function BatchActionBar() {
|
||||
type="button"
|
||||
disabled={busy}
|
||||
onClick={() => setPending("delete")}
|
||||
className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[12px] font-medium text-bad bg-red-900/30 hover:bg-red-800/50 border border-red-700/30 hover:border-red-600/50 transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-500/70"
|
||||
className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[12px] font-medium text-white bg-red-900/30 hover:bg-red-800/50 border border-red-700/30 hover:border-red-600/50 transition-colors disabled:opacity-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-500/70"
|
||||
>
|
||||
<span aria-hidden="true">✕</span>
|
||||
Delete All
|
||||
|
||||
@@ -126,8 +126,8 @@ export function DeleteCascadeConfirmDialog({
|
||||
|
||||
{/* Cascade warning */}
|
||||
<div className="rounded border border-red-900/40 bg-red-950/20 px-3 py-2.5 mb-4">
|
||||
<p className="text-[12px] text-bad/80 leading-relaxed">
|
||||
Deleting will cascade — <strong className="text-red-200">all child workspaces and their data will be permanently removed.</strong> This cannot be undone.
|
||||
<p className="text-[12px] text-red-300 leading-relaxed">
|
||||
Deleting will cascade — <strong className="text-red-100">all child workspaces and their data will be permanently removed.</strong> This cannot be undone.
|
||||
</p>
|
||||
</div>
|
||||
|
||||
@@ -170,7 +170,7 @@ export function DeleteCascadeConfirmDialog({
|
||||
className={`px-3.5 py-1.5 text-[13px] rounded-lg transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-2 focus-visible:ring-offset-surface-sunken
|
||||
${checked
|
||||
? "bg-red-700 hover:bg-red-600 text-white cursor-pointer"
|
||||
: "bg-red-900/30 text-bad/40 cursor-not-allowed"
|
||||
: "bg-red-900/30 text-red-400 cursor-not-allowed"
|
||||
}`}
|
||||
>
|
||||
Delete All
|
||||
|
||||
@@ -64,6 +64,7 @@ export function DropTargetBadge() {
|
||||
{ghostVisible && (
|
||||
<div
|
||||
data-testid="ghost-slot"
|
||||
aria-hidden="true"
|
||||
className="pointer-events-none absolute z-40 rounded-lg border-2 border-dashed border-emerald-400/70 bg-emerald-500/10"
|
||||
style={{
|
||||
left: slotTL.x,
|
||||
@@ -75,6 +76,8 @@ export function DropTargetBadge() {
|
||||
)}
|
||||
<div
|
||||
data-testid="drop-badge"
|
||||
role="status"
|
||||
aria-label={`Drop target: ${targetName}`}
|
||||
className="pointer-events-none absolute z-50 -translate-x-1/2 -translate-y-full rounded-md bg-emerald-700 px-2 py-0.5 text-[11px] font-medium text-white shadow-lg shadow-emerald-950/40"
|
||||
style={{ left: badge.x, top: badge.y - 6 }}
|
||||
>
|
||||
|
||||
@@ -179,6 +179,7 @@ cp_redeploy_tenant() {
|
||||
# 1 — any other failure
|
||||
# stdout = response body. stderr = "HTTP_STATUS=NNN" line.
|
||||
local slug="$1" tag="$2"
|
||||
validate_slug "$slug"
|
||||
_mock_call cp_redeploy_tenant "$slug" "$tag"; local _mrc=$?
|
||||
[[ $_mrc -ne 99 ]] && return $_mrc
|
||||
local tok="${!CP_TOKEN_ENV:-}"
|
||||
@@ -204,6 +205,7 @@ cp_redeploy_tenant() {
|
||||
tenant_buildinfo() {
|
||||
# args: <slug>; prints JSON
|
||||
local slug="$1"
|
||||
validate_slug "$slug"
|
||||
_mock_call tenant_buildinfo "$slug"; local _mrc=$?
|
||||
[[ $_mrc -ne 99 ]] && return $_mrc
|
||||
curl -sf --max-time 10 "https://${slug}.moleculesai.app/buildinfo"
|
||||
@@ -212,6 +214,7 @@ tenant_buildinfo() {
|
||||
tenant_health() {
|
||||
# args: <slug>; prints raw response, returns 0 if "ok"
|
||||
local slug="$1"
|
||||
validate_slug "$slug"
|
||||
_mock_call tenant_health "$slug"; local _mrc=$?
|
||||
[[ $_mrc -ne 99 ]] && return $_mrc
|
||||
curl -sf --max-time 10 "https://${slug}.moleculesai.app/health"
|
||||
@@ -256,6 +259,7 @@ print(json.dumps({'commands': [ecr_login]}))
|
||||
resolve_tenant_instance_id() {
|
||||
# args: <slug>; prints i-xxx
|
||||
local slug="$1"
|
||||
validate_slug "$slug"
|
||||
_mock_call resolve_tenant_instance_id "$slug"; local _mrc=$?
|
||||
[[ $_mrc -ne 99 ]] && return $_mrc
|
||||
local tok="${!CP_TOKEN_ENV:-}"
|
||||
@@ -271,6 +275,19 @@ resolve_tenant_instance_id() {
|
||||
log() { printf '[%s] %s\n' "$(date -u +%H:%M:%SZ)" "$*"; }
|
||||
err() { printf '[%s] ERROR: %s\n' "$(date -u +%H:%M:%SZ)" "$*" >&2; }
|
||||
|
||||
# validate_slug — exit 64 if slug contains characters outside the safe set.
|
||||
# Prevents SSRF via query-separator injection (?foo) and subdomain takeover
|
||||
# (@evil) when slug is interpolated into URL paths or subdomains.
|
||||
# OFFSEC-006 fix.
|
||||
validate_slug() {
|
||||
local slug="$1"
|
||||
if ! [[ "$slug" =~ ^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$ ]]; then
|
||||
printf '[%s] ERROR: invalid slug: %s\n' \
|
||||
"$(date -u +%H:%M:%SZ)" "$slug" >&2
|
||||
exit 64
|
||||
fi
|
||||
}
|
||||
|
||||
preflight() {
|
||||
log "preflight: source=$SOURCE_TAG dest=$DEST_TAG repo=$REPO region=$REGION"
|
||||
local src_manifest
|
||||
@@ -339,6 +356,7 @@ promote() {
|
||||
redeploy_tenant() {
|
||||
# args: <slug> — handle the 403→SSM-refresh→retry pattern
|
||||
local slug="$1"
|
||||
validate_slug "$slug"
|
||||
log " redeploy: $slug"
|
||||
if [[ "$DRY_RUN" == "true" ]]; then
|
||||
log " [dry-run] would POST /redeploy slug=$slug"
|
||||
@@ -372,6 +390,7 @@ redeploy_tenant() {
|
||||
|
||||
verify_tenant() {
|
||||
local slug="$1"
|
||||
validate_slug "$slug"
|
||||
log " verify: $slug"
|
||||
if [[ "$DRY_RUN" == "true" ]]; then
|
||||
log " [dry-run] would curl /buildinfo + /health"
|
||||
@@ -398,6 +417,7 @@ rollback() {
|
||||
rm -f "$mfile"
|
||||
IFS=',' read -ra slugs <<<"$TENANTS"
|
||||
for slug in "${slugs[@]}"; do
|
||||
validate_slug "$slug"
|
||||
redeploy_tenant "$slug" || err " rollback redeploy failed for $slug"
|
||||
done
|
||||
log "rollback: complete"
|
||||
@@ -408,6 +428,13 @@ rollback() {
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
main() {
|
||||
# OFFSEC-006: validate slugs before any network I/O.
|
||||
IFS=',' read -ra _slugs <<<"$TENANTS"
|
||||
for _slug in "${_slugs[@]}"; do
|
||||
validate_slug "$_slug"
|
||||
done
|
||||
unset _slugs _slug
|
||||
|
||||
preflight || return 1
|
||||
snapshot_dest_tag || return 2
|
||||
promote || return 2
|
||||
@@ -415,8 +442,15 @@ main() {
|
||||
local promote_rc=0
|
||||
IFS=',' read -ra slugs <<<"$TENANTS"
|
||||
for slug in "${slugs[@]}"; do
|
||||
redeploy_tenant "$slug" || promote_rc=1
|
||||
[[ $promote_rc -eq 0 ]] && { verify_tenant "$slug" || promote_rc=1; }
|
||||
validate_slug "$slug"
|
||||
if ! redeploy_tenant "$slug"; then
|
||||
promote_rc=1
|
||||
fi
|
||||
if [[ $promote_rc -eq 0 ]]; then
|
||||
if ! verify_tenant "$slug"; then
|
||||
promote_rc=1
|
||||
fi
|
||||
fi
|
||||
[[ $promote_rc -ne 0 ]] && break
|
||||
done
|
||||
|
||||
|
||||
@@ -267,7 +267,51 @@ else
|
||||
printf ' ✗ unknown-flag should fail (got %s)\n' "$rc"
|
||||
fi
|
||||
|
||||
printf '\n== Test 9: ROLLBACK_TAG follows YYYYMMDD via NOW_OVERRIDE_DATE ==\n'
|
||||
printf '\n== Test 9: slug validation — invalid slugs rejected with exit 64 (OFFSEC-006) ==\n'
|
||||
# Attack vectors: SSRF via ? (curl query separator), subdomain takeover via @,
|
||||
# path traversal via /, shell metacharacters. Use a newline-delimited temp file
|
||||
# so slugs containing spaces are NOT split by shell word-splitting.
|
||||
_invalid_tmp=$(mktemp)
|
||||
cat > "$_invalid_tmp" <<'INVALID_EOF'
|
||||
a?url=https://evil.com
|
||||
a&url=https://evil.com
|
||||
a@evil.com
|
||||
a/b
|
||||
a\b
|
||||
a b
|
||||
chloe-dong?url=http://evil.com
|
||||
evil.com@legitimate
|
||||
INVALID_EOF
|
||||
while IFS= read -r attack || [[ -n "$attack" ]]; do
|
||||
set +e
|
||||
out=$("$SCRIPT" --source-tag x --dest-tag y --tenants "$attack" 2>&1); rc=$?
|
||||
set -e
|
||||
if [[ $rc -eq 64 ]] && printf '%s' "$out" | grep -q 'invalid slug'; then
|
||||
PASS=$((PASS + 1)); printf ' ✓ slug rejected: %s\n' "$(printf '%q' "$attack")"
|
||||
else
|
||||
FAIL=$((FAIL + 1)); FAIL_NAMES+=("slug-reject:$attack")
|
||||
printf ' ✗ slug should be rejected: %s — got exit %s\n' "$(printf '%q' "$attack")" "$rc"
|
||||
fi
|
||||
done < "$_invalid_tmp"
|
||||
rm -f "$_invalid_tmp"
|
||||
|
||||
printf '\n== Test 10: slug validation — valid slugs pass through ==\n'
|
||||
valid_slugs='chloe-dong hongming ab a abc123 my-tenant-42'
|
||||
for slug in $valid_slugs; do
|
||||
set +e
|
||||
out=$("$SCRIPT" --source-tag x --dest-tag y --tenants "$slug" --mock-dir /nonexistent 2>&1); rc=$?
|
||||
set -e
|
||||
# valid slugs: script should fail at preflight (no such mock dir / no real infra),
|
||||
# but NOT at slug validation (exit 64). So we check exit != 64.
|
||||
if [[ $rc -ne 64 ]]; then
|
||||
PASS=$((PASS + 1)); printf ' ✓ valid slug accepted: %s\n' "$slug"
|
||||
else
|
||||
FAIL=$((FAIL + 1)); FAIL_NAMES+=("slug-accept:$slug")
|
||||
printf ' ✗ valid slug rejected: %s (should have passed slug check)\n' "$slug"
|
||||
fi
|
||||
done
|
||||
|
||||
printf '\n== Test 11: ROLLBACK_TAG follows YYYYMMDD via NOW_OVERRIDE_DATE ==\n'
|
||||
m=$(mkmock)
|
||||
mock_set "$m" aws_ecr_get_image '{}' 0
|
||||
mock_set "$m" aws_ecr_describe_image '' 1
|
||||
@@ -289,7 +333,7 @@ fi
|
||||
assert_calls_contain "rollback tag uses NOW_OVERRIDE_DATE (20260603)" "$m" 'aws_ecr_put_image b-prev-20260603'
|
||||
rm -rf "$m"
|
||||
|
||||
printf '\n== Test 10: empty source manifest fails preflight ==\n'
|
||||
printf '\n== Test 12: empty source manifest fails preflight ==\n'
|
||||
m=$(mkmock)
|
||||
mock_set "$m" aws_ecr_get_image '' 0 # rc=0 but empty body (the "None" case)
|
||||
out=$(run_script "$m")
|
||||
@@ -297,7 +341,7 @@ assert_exit "empty source manifest fails preflight" "$out" 1
|
||||
assert_contains "empty manifest message" "$out" 'returned empty manifest'
|
||||
rm -rf "$m"
|
||||
|
||||
printf '\n== Test 11: tenant_buildinfo failure during verify → rollback ==\n'
|
||||
printf '\n== Test 13: tenant_buildinfo failure during verify → rollback ==\n'
|
||||
m=$(mkmock)
|
||||
mock_set "$m" aws_ecr_get_image '{"manifests":[]}' 0
|
||||
mock_set "$m" aws_ecr_describe_image '' 1
|
||||
@@ -311,7 +355,7 @@ assert_contains "logs buildinfo failure" "$out" '/buildinfo failed for chloe-don
|
||||
assert_contains "rollback fired after verify fail" "$out" 'ROLLBACK:'
|
||||
rm -rf "$m"
|
||||
|
||||
printf '\n== Test 12: ssm_refresh_ecr_auth JSON escaping (CWE-78 / OFFSEC-001) ==\n'
|
||||
printf '\n== Test 14: ssm_refresh_ecr_auth JSON escaping (CWE-78 / OFFSEC-001) ==\n'
|
||||
# Verify the python3 snippet in ssm_refresh_ecr_auth produces valid JSON and
|
||||
# correctly escapes shell-injection characters in region + account ID fields.
|
||||
# The fix replaces unquoted shell-printf interpolation with json.dumps.
|
||||
|
||||
Reference in New Issue
Block a user