Merge pull request #2807 from Molecule-AI/staging

staging → main: auto-promote 0f389ba

workspace-server/internal/handlers/external_connection.go

@@ -259,7 +259,6 @@ pip install 'git+https://github.com/Molecule-AI/hermes-channel-molecule.git'
 export MOLECULE_WORKSPACE_ID={{WORKSPACE_ID}}
 export MOLECULE_PLATFORM_URL={{PLATFORM_URL}}
 export MOLECULE_WORKSPACE_TOKEN="<paste from create response>"
-export MOLECULE_ORG_ID="<your org id>"
 
 # 3. Edit ~/.hermes/config.yaml — under your existing top-level
 #    gateway: block, add a plugin_platforms entry:
@@ -338,7 +337,6 @@ mkdir -p ~/.codex
 # WORKSPACE_ID = "{{WORKSPACE_ID}}"
 # PLATFORM_URL = "{{PLATFORM_URL}}"
 # MOLECULE_WORKSPACE_TOKEN = "<paste from create response>"
-# MOLECULE_ORG_ID = "<your org id>"
 
 # 3. Run codex — the molecule tools are now available to the agent:
 codex
@@ -380,7 +378,6 @@ pip install molecule-ai-workspace-runtime
 # 3. Wire the molecule MCP server. {{WORKSPACE_ID}} + {{PLATFORM_URL}}
 # are stamped server-side; paste the auth token before running.
 WORKSPACE_TOKEN="<paste from create response>"
-MOLECULE_ORG_ID="<your org id>"
 openclaw mcp set molecule "$(cat <<EOF
 {
   "command": "python3",
@@ -388,8 +385,7 @@ openclaw mcp set molecule "$(cat <<EOF
   "env": {
     "WORKSPACE_ID": "{{WORKSPACE_ID}}",
     "PLATFORM_URL": "{{PLATFORM_URL}}",
-    "MOLECULE_WORKSPACE_TOKEN": "$WORKSPACE_TOKEN",
+    "MOLECULE_WORKSPACE_TOKEN": "$WORKSPACE_TOKEN"
-    "MOLECULE_ORG_ID": "$MOLECULE_ORG_ID"
   }
 }
 EOF

workspace-server/internal/handlers/external_connection_test.go

@@ -0,0 +1,40 @@
+package handlers
+
+import (
+	"strings"
+	"testing"
+)
+
+// TestExternalTemplates_NoMoleculeOrgIDPlaceholder pins the invariant
+// that operator-facing connection snippets do NOT advertise a
+// MOLECULE_ORG_ID env var.
+//
+// Why: MOLECULE_ORG_ID is consumed only by the workspace-server's
+// TenantGuard middleware (server-side, set by control plane via
+// user-data on tenant boxes). The molecule_runtime MCP subprocess
+// that codex/openclaw/hermes-channel spawns authenticates the client
+// using Origin + Bearer token + X-Workspace-ID — it never reads
+// MOLECULE_ORG_ID. Including the placeholder leaves operators with a
+// "<your org id>" they can't fill, and external agents (codex CLI in
+// particular) flag it as an unresolved setup blocker.
+//
+// The universal_mcp snippet is the reference: it calls into the same
+// molecule_runtime and intentionally omits MOLECULE_ORG_ID.
+func TestExternalTemplates_NoMoleculeOrgIDPlaceholder(t *testing.T) {
+	templates := map[string]string{
+		"externalCurlTemplate":            externalCurlTemplate,
+		"externalUniversalMcpTemplate":    externalUniversalMcpTemplate,
+		"externalPythonTemplate":          externalPythonTemplate,
+		"externalHermesChannelTemplate":   externalHermesChannelTemplate,
+		"externalCodexTemplate":           externalCodexTemplate,
+		"externalOpenClawTemplate":        externalOpenClawTemplate,
+	}
+	for name, body := range templates {
+		if strings.Contains(body, "MOLECULE_ORG_ID") {
+			t.Errorf("%s contains MOLECULE_ORG_ID — operator-facing templates must not advertise this env var (TenantGuard reads it server-side from the tenant's own env, not the client)", name)
+		}
+		if strings.Contains(body, "<your org id>") {
+			t.Errorf("%s contains \"<your org id>\" placeholder — operators have no value to substitute, drop the line", name)
+		}
+	}
+}