ci: re-trigger after runner stall (infra#241)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

workspace-server/internal/handlers/github_token.go

@@ -49,6 +49,7 @@ import (
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/Molecule-AI/molecule-monorepo/platform/pkg/provisionhook"
@@ -98,7 +99,17 @@ func (h *GitHubTokenHandler) GetInstallationToken(c *gin.Context) {
 		token, expiresAt, err := generateAppInstallationToken()
 		if err != nil {
 			log.Printf("[github] fallback token generation failed: %v", err)
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "token refresh failed"})
+			// #388: GITHUB_APP_ID/INSTALLATION_ID unset → Gitea-canonical deployment
+			// or suspended org. Return 501 so callers (credential helper / gh auth)
+			// know this is not-implemented vs a transient error.
+			if strings.Contains(err.Error(), "required") {
+				c.JSON(http.StatusNotImplemented, gin.H{
+					"error": "GitHub integration not configured",
+					"scm":   "gitea",
+				})
+			} else {
+				c.JSON(http.StatusInternalServerError, gin.H{"error": "token refresh failed"})
+			}
 			return
 		}
 		c.JSON(http.StatusOK, gin.H{"token": token, "expires_at": expiresAt})

workspace-server/internal/handlers/github_token_test.go

@@ -78,11 +78,12 @@ func TestGitHubToken_NilRegistry(t *testing.T) {
 // Post-#960/#1101 the handler now falls back to direct env-based App
 // token generation (GITHUB_APP_ID / INSTALLATION_ID / PRIVATE_KEY_FILE)
 // when no registered provider matches. In the test environment those
-// env vars are unset, so the fallback fails with 500 "token refresh
-// failed" — a clean retryable signal for the workspace credential
-// helper. Previously this path returned 404; the new 500 matches the
-// ProviderError shape so callers don't have to branch on "missing
-// provider" vs "provider failed".
+// env vars are unset, so the fallback fails with 501 "not implemented"
+// with scm:"gitea" — signals a Gitea-canonical or suspended-org
+// deployment where GitHub integration is not configured (#388).
+// Previously this path returned 404; 501 distinguishes "not configured"
+// (caller should stop retrying) from "provider failed" (caller should
+// retry with back-off).
 func TestGitHubToken_NoTokenProvider(t *testing.T) {
 	reg := provisionhook.NewRegistry()
 	reg.Register(&mockMutatorOnly{name: "other-plugin"})
@@ -91,12 +92,15 @@ func TestGitHubToken_NoTokenProvider(t *testing.T) {
 
 	h.GetInstallationToken(c)
 
-	if w.Code != http.StatusInternalServerError {
-		t.Fatalf("expected 500 (env-based fallback fails with unset GITHUB_APP_* vars), got %d: %s",
+	if w.Code != http.StatusNotImplemented {
+		t.Fatalf("expected 501 (env-based fallback fails with unset GITHUB_APP_* vars), got %d: %s",
 			w.Code, w.Body.String())
 	}
-	if !strings.Contains(w.Body.String(), "token refresh failed") {
-		t.Errorf("expected body to contain 'token refresh failed', got: %s", w.Body.String())
+	if !strings.Contains(w.Body.String(), "GitHub integration not configured") {
+		t.Errorf("expected body to contain 'GitHub integration not configured', got: %s", w.Body.String())
+	}
+	if !strings.Contains(w.Body.String(), `"scm":"gitea"`) {
+		t.Errorf("expected body to contain 'scm:gitea', got: %s", w.Body.String())
 	}
 }
 

workspace-server/internal/handlers/org_helpers.go

@@ -317,6 +317,12 @@ func mergePlugins(defaultPlugins, wsPlugins []string) []string {
 // Follows Go's standard pattern for SSRF-class path sanitization; using
 // strings.HasPrefix on an absolute-path pair plus the separator guard rejects
 // sibling directories that share a prefix (e.g. "/foo" vs "/foobar").
+//
+// CWE-59 mitigation: filepath.Abs does NOT resolve symlinks, so a path like
+// "workspaces/dev/inner" where "inner" is a symlink to "/etc" would lexically
+// pass the prefix check. We call filepath.EvalSymlinks to canonicalize the
+// path and re-check that it is still inside root. This closes the symlink-
+// based traversal vector (CWE-59, follow-up to #369).
 func resolveInsideRoot(root, userPath string) (string, error) {
 	if userPath == "" {
 		return "", fmt.Errorf("path is empty")
@@ -333,9 +339,18 @@ func resolveInsideRoot(root, userPath string) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("joined abs: %w", err)
 	}
+	// CWE-59: resolve symlinks before final prefix check.
+	// If the path contains a symlink pointing outside root, EvalSymlinks
+	// will canonicalize to the external path and fail the guard below.
+	resolved, err := filepath.EvalSymlinks(absJoined)
+	if err != nil {
+		// If EvalSymlinks fails (e.g. broken symlink), fail closed —
+		// broken symlinks should not be used as org files.
+		return "", fmt.Errorf("resolve symlink: %w", err)
+	}
 	// Allow exact-root match (rare but valid) and any descendant.
-	if absJoined != absRoot && !strings.HasPrefix(absJoined, absRoot+string(filepath.Separator)) {
+	if resolved != absRoot && !strings.HasPrefix(resolved, absRoot+string(filepath.Separator)) {
 		return "", fmt.Errorf("path escapes root")
 	}
-	return absJoined, nil
+	return absJoined, nil // return the lexical path, not the resolved one
 }

workspace-server/internal/handlers/org_path_test.go

@@ -78,6 +78,48 @@ func TestResolveInsideRoot_RejectsPrefixSibling(t *testing.T) {
 	}
 }
 
+// TestResolveInsideRoot_RejectsSymlinkTraversal is a regression test for
+// CWE-59 (symlink-based path traversal). An attacker plants a symlink inside
+// the allowed directory that points outside; the function must reject it.
+func TestResolveInsideRoot_RejectsSymlinkTraversal(t *testing.T) {
+	tmp := t.TempDir()
+	// Create a subdirectory inside root.
+	inner := filepath.Join(tmp, "workspaces", "dev")
+	if err := os.MkdirAll(inner, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	// Plant a symlink that resolves outside root.
+	sym := filepath.Join(inner, "leaked")
+	if err := os.Symlink("/etc", sym); err != nil {
+		t.Fatal(err)
+	}
+
+	// Lexically, "workspaces/dev/leaked" is inside tmp — but after symlink
+	// resolution it points to /etc and must be rejected.
+	if _, err := resolveInsideRoot(tmp, filepath.Join("workspaces", "dev", "leaked")); err == nil {
+		t.Error("symlink pointing outside root must be rejected (CWE-59)")
+	}
+
+	// Symlink that stays inside root is fine.
+	safe := filepath.Join(inner, "safe")
+	if err := os.Symlink(filepath.Join(tmp, "other"), safe); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := resolveInsideRoot(tmp, filepath.Join("workspaces", "dev", "safe")); err != nil {
+		t.Errorf("symlink staying inside root must be allowed: %v", err)
+	}
+
+	// Broken symlink (target does not exist) must also be rejected — broken
+	// symlinks cannot be valid org files.
+	broken := filepath.Join(inner, "broken")
+	if err := os.Symlink("/nonexistent/broken", broken); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := resolveInsideRoot(tmp, filepath.Join("workspaces", "dev", "broken")); err == nil {
+		t.Error("broken symlink must be rejected")
+	}
+}
+
 func TestResolveInsideRoot_DeepSubpath(t *testing.T) {
 	tmp := t.TempDir()
 	deep := filepath.Join(tmp, "a", "b", "c")

workspace/a2a_tools_delegation.py

@@ -47,6 +47,7 @@ from a2a_client import (
     send_a2a_message,
 )
 from a2a_tools_rbac import auth_headers_for_heartbeat as _auth_headers_for_heartbeat
+from _sanitize_a2a import sanitize_a2a_result
 
 
 # RFC #2829 PR-5 cutover constants. The poll cadence + timeout are
@@ -413,7 +414,11 @@ async def tool_check_task_status(
                 # Filter by delegation_id
                 matching = [d for d in delegations if d.get("delegation_id") == task_id]
                 if matching:
-                    return json.dumps(matching[0])
+                    # OFFSEC-003: sanitize peer-supplied fields
+                    d = matching[0]
+                    d["summary"] = sanitize_a2a_result(d.get("summary", ""))
+                    d["response_preview"] = sanitize_a2a_result(d.get("response_preview", ""))
+                    return json.dumps(d)
                 return json.dumps({"status": "not_found", "delegation_id": task_id})
             # Return all recent delegations
             summary = []
@@ -422,8 +427,9 @@ async def tool_check_task_status(
                     "delegation_id": d.get("delegation_id", ""),
                     "target_id": d.get("target_id", ""),
                     "status": d.get("status", ""),
-                    "summary": d.get("summary", ""),
-                    "response_preview": d.get("response_preview", ""),
+                    # OFFSEC-003: sanitize peer-supplied fields before embedding in JSON
+                    "summary": sanitize_a2a_result(d.get("summary", "")),
+                    "response_preview": sanitize_a2a_result(d.get("response_preview", "")),
                 })
             return json.dumps({"delegations": summary, "count": len(delegations)})
     except Exception as e:

workspace/main.py

@@ -668,6 +668,31 @@ async def main():  # pragma: no cover
                 if heartbeat.active_tasks > 0:
                     continue
 
+                # Issue #381 fix: skip the idle prompt if there are unconsumed
+                # delegation results waiting. The heartbeat sends a self-message
+                # for every new result batch, so sending the idle prompt here would
+                # race: the agent would compose a stale tick BEFORE processing the
+                # results notification, producing repeated identical asks (peer sends
+                # correction, we respond with stale state, peer asks again).
+                # By skipping the idle prompt when results are pending, we let the
+                # heartbeat's own self-message wake the agent after results are
+                # written. The agent then sees the results in _prepare_prompt()
+                # and processes them before composing.
+                from heartbeat import DELEGATION_RESULTS_FILE as _DRF
+                try:
+                    with open(_DRF) as _rf:
+                        _rf.seek(0)
+                        _content = _rf.read().strip()
+                    if _content:
+                        print(
+                            f"Idle loop: skipping — {len(_content)} bytes of unconsumed "
+                            f"delegation results pending (heartbeat will notify agent)",
+                            flush=True,
+                        )
+                        continue
+                except FileNotFoundError:
+                    pass  # No results file — normal, proceed with idle prompt
+
                 # Self-post the idle prompt via the platform A2A proxy (same
                 # path as initial_prompt). The agent's own concurrency control
                 # rejects if the workspace becomes busy between this check and

workspace/tests/test_idle_loop_pending_check.py

@@ -0,0 +1,80 @@
+"""Tests for issue #381: idle loop must not fire when delegation results are pending.
+
+The idle loop skips sending the idle prompt when DELEGATION_RESULTS_FILE
+contains unconsumed results, preventing the agent from composing a stale tick
+before processing pending delegation notifications from the heartbeat.
+
+Source: workspace/main.py:_run_idle_loop() pending-results guard.
+"""
+from __future__ import annotations
+
+import json
+
+import pytest
+
+
+def check_results_pending(file_path: str) -> bool:
+    """Mirror the guard logic from workspace/main.py:_run_idle_loop().
+
+    Returns True if the results file exists and is non-empty,
+    meaning the idle loop should skip this tick.
+    """
+    try:
+        with open(file_path) as rf:
+            rf.seek(0)
+            content = rf.read().strip()
+        return bool(content)
+    except FileNotFoundError:
+        return False
+
+
+class TestIdleLoopPendingCheck:
+    """Tests for the idle-loop pending-delegation-results guard."""
+
+    def test_no_file_means_proceed(self, tmp_path):
+        """No delegation results file → idle loop fires normally."""
+        results_file = tmp_path / "delegation_results.jsonl"
+        assert not check_results_pending(str(results_file))
+
+    def test_empty_file_means_proceed(self, tmp_path):
+        """Empty file → no pending results → idle loop fires."""
+        results_file = tmp_path / "delegation_results.jsonl"
+        results_file.write_text("", encoding="utf-8")
+        assert not check_results_pending(str(results_file))
+
+    def test_whitespace_only_file_means_proceed(self, tmp_path):
+        """File with only whitespace → treated as empty → idle loop fires."""
+        results_file = tmp_path / "delegation_results.jsonl"
+        results_file.write_text("  \n  ", encoding="utf-8")
+        assert not check_results_pending(str(results_file))
+
+    def test_single_result_means_skip(self, tmp_path):
+        """File with one delegation result → skip idle tick."""
+        results_file = tmp_path / "delegation_results.jsonl"
+        results_file.write_text(
+            json.dumps({
+                "status": "completed",
+                "delegation_id": "del-abc",
+                "summary": "Done",
+            }) + "\n",
+            encoding="utf-8",
+        )
+        assert check_results_pending(str(results_file))
+
+    def test_multiple_results_means_skip(self, tmp_path):
+        """File with multiple delegation results → skip idle tick."""
+        results_file = tmp_path / "delegation_results.jsonl"
+        results_file.write_text(
+            json.dumps({"status": "completed", "delegation_id": "del-1", "summary": "A"})
+            + "\n"
+            + json.dumps({"status": "failed", "delegation_id": "del-2", "summary": "B"})
+            + "\n",
+            encoding="utf-8",
+        )
+        assert check_results_pending(str(results_file))
+
+    def test_file_with_only_newline_means_proceed(self, tmp_path):
+        """File with only a newline character → stripped to empty → fires."""
+        results_file = tmp_path / "delegation_results.jsonl"
+        results_file.write_text("\n", encoding="utf-8")
+        assert not check_results_pending(str(results_file))