ci: rerun after mc#724 all-required fix lands

Covers:
- AcceptsValidAbsolutePath: 8 valid workspace_dir values
- RejectsRelativePath: 5 cases (relative, ./local, ../sibling, bare, empty)
- RejectsTraversalSequence: 5 cases with ".." sequences
- RejectsSystemPaths: 9 blocked root paths
- RejectsDescendantsOfSystemPaths: 10 blocked descendants
- AcceptsPathsSimilarToSystemPaths: paths that LOOK like system paths but
  are distinct (e.g. /etx, /vartmp, /workspace/etc)
- ErrorMessages: non-empty error strings

workspace-server/internal/handlers/socket_test.go

@@ -1,195 +0,0 @@
-package handlers
-
-import (
-	"context"
-	"database/sql"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/DATA-DOG/go-sqlmock"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/ws"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
-	"github.com/alicebob/miniredis/v2"
-	"github.com/gin-gonic/gin"
-	"github.com/redis/go-redis/v9"
-)
-
-// ─── Setup helpers ─────────────────────────────────────────────────────────────
-
-func init() {
-	gin.SetMode(gin.TestMode)
-}
-
-// socketTestDB wraps sqlmock setup with the redis setup needed for wsauth.
-func socketTestDB(t *testing.T) (sqlmock.Sqlmock, func()) {
-	t.Helper()
-	mockDB, mock, err := sqlmock.New()
-	if err != nil {
-		t.Fatalf("failed to create sqlmock: %v", err)
-	}
-
-	// Start a miniredis for the wsauth token subsystem.
-	mr, err := miniredis.Run()
-	if err != nil {
-		mockDB.Close()
-		t.Fatalf("failed to start miniredis: %v", err)
-	}
-	db.DB = mockDB
-	db.RDB = redis.NewClient(&redis.Options{Addr: mr.Addr()})
-
-	wsauth.ResetInboundSecretCacheForTesting()
-
-	cleanup := func() {
-		mockDB.Close()
-		mr.Close()
-		wsauth.ResetInboundSecretCacheForTesting()
-	}
-	return mock, cleanup
-}
-
-// ─── Test cases ────────────────────────────────────────────────────────────────
-// Phase 30.1/30.2 bearer-token auth gate on WebSocket upgrade.
-// SocketHandler.HandleConnect enforces:
-//   - Canvas clients (no X-Workspace-ID header) → bypass auth, upgrade proceeds
-//   - Workspace agents (X-Workspace-ID present) → HasAnyLiveToken probe → bearer validation
-
-func TestSocketHandler_HandleConnect_CanvasClient_NoAuthRequired(t *testing.T) {
-	mock, cleanup := socketTestDB(t)
-	defer cleanup()
-
-	// Create hub and drain the Register channel via Run.
-	hub := ws.NewHub(func(_, _ string) bool { return true })
-	go hub.Run()
-
-	h := NewSocketHandler(hub)
-	c, w := gin.CreateTestContext(httptest.NewRecorder())
-	c.Request = httptest.NewRequest("GET", "/ws", nil)
-	// No X-Workspace-ID → canvas client path.
-
-	h.HandleConnect(c)
-
-	// Canvas path has no DB expectations — HasAnyLiveToken not called.
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-	_ = w.Code // upgrade fails in test env (httptest doesn't do WS) — handler returns.
-}
-
-// TestSocketHandler_HandleConnect_AgentNoLiveToken_BypassesBearerCheck verifies
-// that agents with no live tokens (legacy pre-token workspaces) are grandfathered
-// through without being asked for a bearer token.
-func TestSocketHandler_HandleConnect_AgentNoLiveToken_BypassesBearerCheck(t *testing.T) {
-	mock, cleanup := socketTestDB(t)
-	defer cleanup()
-
-	// HasAnyLiveToken → no rows (no live tokens → n=0).
-	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`).
-		WithArgs("ws-agent").
-		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0))
-
-	hub := ws.NewHub(func(_, _ string) bool { return true })
-	go hub.Run()
-
-	h := NewSocketHandler(hub)
-	c, _ := gin.CreateTestContext(httptest.NewRecorder())
-	c.Request = httptest.NewRequest("GET", "/ws", nil)
-	c.Request.Header.Set("X-Workspace-ID", "ws-agent")
-
-	h.HandleConnect(c)
-
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestSocketHandler_HandleConnect_DBErrorOnHasAnyLiveToken returns 500.
-func TestSocketHandler_HandleConnect_DBErrorOnHasAnyLiveToken(t *testing.T) {
-	mock, cleanup := socketTestDB(t)
-	defer cleanup()
-
-	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`).
-		WithArgs("ws-agent").
-		WillReturnError(sql.ErrConnDone)
-
-	hub := ws.NewHub(func(_, _ string) bool { return true })
-	go hub.Run()
-
-	h := NewSocketHandler(hub)
-	c, w := gin.CreateTestContext(httptest.NewRecorder())
-	c.Request = httptest.NewRequest("GET", "/ws", nil)
-	c.Request.Header.Set("X-Workspace-ID", "ws-agent")
-
-	h.HandleConnect(c)
-
-	if w.Code != http.StatusInternalServerError {
-		t.Errorf("expected 500 on DB error, got %d", w.Code)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestSocketHandler_HandleConnect_MissingBearerToken returns 401.
-func TestSocketHandler_HandleConnect_MissingBearerToken(t *testing.T) {
-	mock, cleanup := socketTestDB(t)
-	defer cleanup()
-
-	// hasLive=true but no Authorization header.
-	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`).
-		WithArgs("ws-agent").
-		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(1))
-
-	hub := ws.NewHub(func(_, _ string) bool { return true })
-	go hub.Run()
-
-	h := NewSocketHandler(hub)
-	c, w := gin.CreateTestContext(httptest.NewRecorder())
-	c.Request = httptest.NewRequest("GET", "/ws", nil)
-	c.Request.Header.Set("X-Workspace-ID", "ws-agent")
-	// No Authorization header.
-
-	h.HandleConnect(c)
-
-	if w.Code != http.StatusUnauthorized {
-		t.Errorf("expected 401 on missing bearer token, got %d", w.Code)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestSocketHandler_HandleConnect_InvalidBearerToken returns 401.
-func TestSocketHandler_HandleConnect_InvalidBearerToken(t *testing.T) {
-	mock, cleanup := socketTestDB(t)
-	defer cleanup()
-
-	// hasLive=true.
-	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`).
-		WithArgs("ws-agent").
-		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(1))
-
-	// ValidateToken → lookupTokenByHash: no matching hash.
-	mock.ExpectQuery(`SELECT t\.id, t\.workspace_id FROM workspace_auth_tokens t JOIN workspaces w`).
-		WithArgs(sqlmock.AnyArg()).
-		WillReturnError(context.DeadlineExceeded)
-
-	hub := ws.NewHub(func(_, _ string) bool { return true })
-	go hub.Run()
-
-	h := NewSocketHandler(hub)
-	c, w := gin.CreateTestContext(httptest.NewRecorder())
-	c.Request = httptest.NewRequest("GET", "/ws", nil)
-	c.Request.Header.Set("X-Workspace-ID", "ws-agent")
-	c.Request.Header.Set("Authorization", "Bearer invalid-token-xyz")
-
-	h.HandleConnect(c)
-
-	if w.Code != http.StatusUnauthorized {
-		t.Errorf("expected 401 on invalid bearer token, got %d", w.Code)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}

workspace-server/internal/handlers/workspace_crud_helpers_test.go

@@ -0,0 +1,165 @@
+package handlers
+
+// workspace_crud_helpers_test.go — tests for pure-logic helpers in workspace_crud.go.
+//
+// Covered helpers:
+//   validateWorkspaceDir — bind-mount path safety (CWE-22 defence-in-depth)
+
+import "testing"
+
+// ─────────────────────────────────────────────────────────────────────────────
+// validateWorkspaceDir
+// ─────────────────────────────────────────────────────────────────────────────
+
+func TestValidateWorkspaceDir_AcceptsValidAbsolutePath(t *testing.T) {
+	cases := []string{
+		"/home/ubuntu/workspace",
+		"/opt/myapp/data",
+		"/tmp/molecule-workspace",
+		"/Users/admin/workspace",
+		"/workspace",
+		"/mnt/volumes/data",
+		"/srv/molecule",
+		"/nix/store",
+	}
+	for _, dir := range cases {
+		err := validateWorkspaceDir(dir)
+		if err != nil {
+			t.Errorf("validateWorkspaceDir(%q) returned error: %v; want nil", dir, err)
+		}
+	}
+}
+
+func TestValidateWorkspaceDir_RejectsRelativePath(t *testing.T) {
+	cases := []string{
+		"relative/path",
+		"./local",
+		"../sibling",
+		"workspace",
+		"",
+	}
+	for _, dir := range cases {
+		err := validateWorkspaceDir(dir)
+		if err == nil {
+			t.Errorf("validateWorkspaceDir(%q) = nil; want error (relative path)", dir)
+		}
+	}
+}
+
+func TestValidateWorkspaceDir_RejectsTraversalSequence(t *testing.T) {
+	cases := []string{
+		"/etc/../../../etc/passwd",
+		"/home/user/../../root",
+		"/workspace/../../../sibling",
+		"/foo/bar/..%2f..%2fetc",
+		"/valid/../etc/passwd",
+	}
+	for _, dir := range cases {
+		err := validateWorkspaceDir(dir)
+		if err == nil {
+			t.Errorf("validateWorkspaceDir(%q) = nil; want error (traversal)", dir)
+		}
+	}
+}
+
+func TestValidateWorkspaceDir_RejectsSystemPaths(t *testing.T) {
+	// System paths must be rejected outright — a workspace binding /etc or
+	// /proc would let the agent read host secrets or inspect kernel state.
+	systemPaths := []string{
+		"/etc",
+		"/var",
+		"/proc",
+		"/sys",
+		"/dev",
+		"/boot",
+		"/sbin",
+		"/bin",
+		"/usr",
+	}
+	for _, dir := range systemPaths {
+		err := validateWorkspaceDir(dir)
+		if err == nil {
+			t.Errorf("validateWorkspaceDir(%q) = nil; want error (system path)", dir)
+		}
+	}
+}
+
+func TestValidateWorkspaceDir_RejectsDescendantsOfSystemPaths(t *testing.T) {
+	// A descendant of a system path must also be rejected — /etc/shadow,
+	// /proc/1/cmdline, /dev/null all fall in this category.
+	descendants := []string{
+		"/etc/passwd",
+		"/etc/shadow",
+		"/etc/ssh/sshd_config",
+		"/var/log/syslog",
+		"/proc/self/environ",
+		"/sys/kernel/version",
+		"/dev/null",
+		"/boot/grub/grub.cfg",
+		"/sbin/init",
+		"/bin/bash",
+		"/usr/bin/python3",
+	}
+	for _, dir := range descendants {
+		err := validateWorkspaceDir(dir)
+		if err == nil {
+			t.Errorf("validateWorkspaceDir(%q) = nil; want error (descendant of system path)", dir)
+		}
+	}
+}
+
+func TestValidateWorkspaceDir_AcceptsPathsSimilarToSystemPaths(t *testing.T) {
+	// Paths that LOOK like system paths but are NOT exact matches or
+	// descendants should be accepted. These are valid workspace directories.
+	valid := []string{
+		"/etcworkspace",
+		"/varworkspace",
+		"/procworkspace",
+		"/sysworkspace",
+		"/devworkspace",
+		"/bootworkspace",
+		"/sbinworkspace",
+		"/binworkspace",
+		"/usrworkspace",
+		"/etx",    // typo of /etc but a different path
+		"/vartmp",  // /var/tmp is different from /var
+		"/usrr",    // typo of /usr but a different path
+		"/workspace/etc",
+		"/workspace/var",
+		"/home/user/etc",
+		"/opt/etc",
+	}
+	for _, dir := range valid {
+		err := validateWorkspaceDir(dir)
+		if err != nil {
+			t.Errorf("validateWorkspaceDir(%q) returned error: %v; want nil", dir, err)
+		}
+	}
+}
+
+func TestValidateWorkspaceDir_ErrorMessages(t *testing.T) {
+	// Error messages must be descriptive enough for operators to self-diagnose.
+	relErr := validateWorkspaceDir("relative")
+	if relErr == nil {
+		t.Fatal("relative path: want error, got nil")
+	}
+	if relErr.Error() == "" {
+		t.Error("relative path error message is empty")
+	}
+
+	travErr := validateWorkspaceDir("/etc/../../../etc/passwd")
+	if travErr == nil {
+		t.Fatal("traversal: want error, got nil")
+	}
+	if travErr.Error() == "" {
+		t.Error("traversal error message is empty")
+	}
+
+	sysErr := validateWorkspaceDir("/etc")
+	if sysErr == nil {
+		t.Fatal("system path: want error, got nil")
+	}
+	if sysErr.Error() == "" {
+		t.Error("system path error message is empty")
+	}
+}