docs(marketing): Phase 34 content drop — launch blog, demos, social queues

- Phase 34 launch blog (2026-04-30) with Partner API Keys,
  SaaS Federation v2, Tool Trace, Platform Instructions
- Partner API Keys standalone blog
- Platform Instructions governance blog
- Cloudflare Artifacts launch social copy + screencasts
- Memory Inspector Panel demo screencasts
- Social queues Apr 26, 27, 28 (partner-api-keys)
- Campaign assets: chrome-devtools, discord, fly-deploy, org-api-keys

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs/marketing/blog/2026-04-23-partner-api-keys.md

@@ -0,0 +1,141 @@
+---
+title: "Ship Partner Integrations Faster with Programmatic Org Management"
+date: 2026-04-23
+slug: partner-api-keys
+description: "Partner API Keys let marketplace resellers, CI/CD pipelines, and automation tools create and manage Molecule AI orgs via API — no browser session required."
+og_title: "Ship Partner Integrations Faster with Programmatic Org Management"
+og_description: "Partner API Keys: scoped, rate-limited, revocable API keys for programmatic org management. Built for marketplaces, CI/CD, and automation platforms."
+og_image: /docs/assets/blog/2026-04-23-partner-api-keys-og.png
+tags: [partner-api-keys, marketplace, ci-cd, automation, api, enterprise, provisioning]
+keywords: [partner API keys, programmatic org management, marketplace integration, CI/CD automation, Molecule AI API, reseller integration, org provisioning API]
+canonical: https://docs.molecule.ai/blog/partner-api-keys
+---
+
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "Article",
+  "headline": "Ship Partner Integrations Faster with Programmatic Org Management",
+  "description": "Partner API Keys let marketplace resellers, CI/CD pipelines, and automation tools create and manage Molecule AI orgs via API.",
+  "author": { "@type": "Organization", "name": "Molecule AI" },
+  "datePublished": "2026-04-23",
+  "publisher": { "@type": "Organization", "name": "Molecule AI", "logo": { "@type": "ImageObject", "url": "https://molecule.ai/logo.png" } }
+}
+</script>
+
+# Ship Partner Integrations Faster with Programmatic Org Management
+
+When your platform needs to create an org — for a new customer, a CI environment, or a marketplace resale — the last thing you want is to hand that flow over to a human with a browser. Neither does your partner.
+
+Phase 34 is designed to solve exactly this problem. **Partner API Keys** give marketplace resellers, CI/CD pipelines, and automation platforms a programmatic way to create and manage Molecule AI orgs — no browser session, no admin dashboard, just an API call.
+
+## What Partner API Keys Do
+
+A Partner API Key is a scoped, rate-limited, revocable bearer token — prefixed `mol_pk_` — that lives at the `/cp/` control plane boundary. It authenticates to a set of partner-facing endpoints that let you provision an org, poll its status, and revoke the integration when it's no longer needed.
+
+Unlike org-scoped API keys (which operate *within* an org), Partner API Keys operate *at the org level*: they create orgs, list your own keys, and revoke themselves. The scope system lets you grant exactly the capabilities a partner needs — nothing more.
+
+```bash
+POST /cp/admin/partner-keys
+Authorization: Bearer <admin-master-key>
+{
+  "name": "acme-ci-pipeline",
+  "scopes": ["orgs:create", "orgs:list"],
+  "org_id": null
+}
+
+# Response
+{
+  "id": "pak_01HXKM4...",
+  "key": "mol_pk_1a2b3c4d5e...",   # shown ONCE
+  "name": "acme-ci-pipeline",
+  "scopes": ["orgs:create", "orgs:list"],
+  "created_at": "2026-04-23T08:00:00Z"
+}
+```
+
+Your CI pipeline saves `mol_pk_1a2b3c4d5e...` as a secret and uses it to call the partner endpoints.
+
+## The Partner API Surface
+
+Once you have a Partner API Key, the integration flow looks like this:
+
+```bash
+# 1. Create an org
+POST /cp/orgs
+Authorization: Bearer mol_pk_1a2b3c4d5e...
+{
+  "name": "acme-corp",
+  "slug": "acme-corp",
+  "plan": "standard"
+}
+
+# Response
+{
+  "id": "org_01HXKM4...",
+  "slug": "acme-corp",
+  "status": "provisioning",
+  "created_at": "2026-04-23T08:00:00Z"
+}
+
+# 2. Poll until ready
+GET /cp/orgs/org_01HXKM4.../status
+Authorization: Bearer mol_pk_1a2b3c4d5e...
+
+# 3. Redirect the customer
+# → https://app.moleculesai.app/login?org=acme-corp
+
+# 4. Revoke when done
+DELETE /cp/admin/partner-keys/pak_01HXKM4...
+Authorization: Bearer mol_pk_1a2b3c4d5e...
+```
+
+Every call is audited: the audit log records which Partner API Key was used, when, and what it did — so you can trace a provisioning event back to the integration that triggered it.
+
+## Scopes and Rate Limits
+
+Partner API Keys are granted specific scopes at creation time. A CI pipeline might get `orgs:create` + `orgs:list`. A marketplace reseller might also need `workspaces:create`. A monitoring tool might only need `orgs:list`.
+
+```
+Available scopes:
+  orgs:create      — provision new orgs
+  orgs:list        — list partner-managed orgs
+  orgs:delete      — deprovision orgs
+  workspaces:create — create workspaces within an org
+  billing:read     — read subscription status
+```
+
+Rate limits are enforced per key, independently of the session rate limit. A misbehaving integration hits its own ceiling without affecting other partners or organic traffic.
+
+## The Marketplace Reseller Use Case
+
+Marketplace resellers need to provision a Molecule AI org on behalf of every end customer — automatically, at scale, without a human in the loop. They also need to:
+
+- **Scope the integration** to only the capabilities that partner needs
+- **Revoke cleanly** when the reseller-customer relationship ends
+- **Audit everything** for compliance reporting
+
+Partner API Keys handle all three. A reseller creates one key per integration tier (e.g. one key for the standard tier, one for enterprise), each scoped to exactly what that tier allows. When a customer churns, the reseller revokes their key — the org stays but the automation path is closed.
+
+## CI/CD: Ephemeral Test Orgs
+
+CI/CD pipelines benefit from the same pattern. A test suite that needs to validate the Molecule AI integration flow can:
+
+1. Create a temporary org via Partner API Key (`orgs:create`)
+2. Run the integration tests against it
+3. Delete the org when done (`orgs:delete`)
+4. Revoke the key
+
+Each run gets a clean environment. No shared state, no test pollution, no manual cleanup.
+
+## Get Started
+
+Partner API Keys are available on **Partner and Enterprise plans**. To get started:
+
+- Contact your account team to request Partner API Key issuance
+- Review the partner integration guide (coming soon)
+- Example flows: create org → poll status → redirect to tenant; CI/CD test org lifecycle
+
+---
+
+*Molecule AI is open source. Partner API Keys shipped in Phase 34 (2026-04-23). Available on Partner and Enterprise plans.*

docs/marketing/blog/2026-04-23-platform-instructions-governance.md

@@ -0,0 +1,105 @@
+---
+title: "Govern Your Entire AI Fleet at the System Prompt Level"
+date: 2026-04-23
+slug: govern-ai-fleet-system-prompt-level
+description: "Platform Instructions lets enterprise IT enforce org-wide and workspace-scoped policy rules at the system prompt level — before the first agent turn executes."
+og_title: "Govern Your Entire AI Fleet at the System Prompt Level"
+og_description: "Global rules. Workspace rules. Prepended to the system prompt at startup. Governance before the first turn, not after."
+og_image: /docs/assets/blog/2026-04-23-platform-instructions-governance-og.png
+tags: [governance, platform-instructions, enterprise, security, it-governance, system-prompt, policy, a2a]
+keywords: [AI fleet governance, enterprise AI policy, system prompt governance, AI agent compliance, platform instructions, workspace policy enforcement, enterprise AI security]
+canonical: https://docs.molecule.ai/blog/govern-ai-fleet-system-prompt-level
+---
+
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "Article",
+  "headline": "Govern Your Entire AI Fleet at the System Prompt Level",
+  "description": "Platform Instructions lets enterprise IT enforce org-wide and workspace-scoped policy rules at the system prompt level.",
+  "author": { "@type": "Organization", "name": "Molecule AI" },
+  "datePublished": "2026-04-23",
+  "publisher": { "@type": "Organization", "name": "Molecule AI", "logo": { "@type": "ImageObject", "url": "https://molecule.ai/logo.png" } }
+}
+</script>
+
+# Govern Your Entire AI Fleet at the System Prompt Level
+
+The moment an AI agent goes into production, the governance question stops being theoretical. Which tools can it call? What data can it write to? Are there constraints that apply to every turn, not just the ones where someone remembered to add a guardrail?
+
+Most platforms answer with post-hoc filtering — a rule that checks outputs after the agent has already decided what to do. Platform Instructions takes a different approach: governance at the source, before the first token is generated. Rules are prepended to the system prompt at workspace startup, shaping what the agent is instructed to do from the very first turn. The agent doesn't receive them as a filter. It receives them as context.
+
+## Global and Workspace Scopes
+
+Platform Instructions supports two scoping levels:
+
+- **Global** — applied to every workspace in your organization. One rule, enforced everywhere across your entire AI fleet.
+- **Workspace** — applied to a specific workspace only. Fine-grained control without global impact.
+
+When a workspace starts, Molecule AI resolves all applicable instructions — combining global rules with workspace-specific ones — and prepends them to the agent's system prompt. The distinction matters: a filter can be worked around; a system prompt instruction shapes the agent's reasoning from the ground up.
+
+## The API
+
+Platform Instructions are managed via a REST API:
+
+```bash
+# Create a global instruction (org-admin token required)
+POST /instructions
+Authorization: Bearer <org-admin-token>
+Content-Type: application/json
+
+{
+  "scope": "global",
+  "content": "Before invoking any tool that writes to external storage, confirm the target path is within the org-approved sandbox directory. Reject and report if not."
+}
+
+# Create a workspace-scoped instruction
+POST /instructions
+Authorization: Bearer <workspace-admin-token>
+Content-Type: application/json
+
+{
+  "scope": "workspace",
+  "workspace_id": "ws_01HXKM3T8PRQN4ZW7XYVD2EJ5A",
+  "content": "This workspace handles customer PII. Redact all PII fields in tool outputs before writing to external systems."
+}
+
+# Retrieve resolved instructions for a workspace
+# (wsAuth-gated — workspace can only read its own)
+GET /workspaces/ws_01HXKM3T8PRQN4ZW7XYVD2EJ5A/instructions/resolve
+Authorization: Bearer <workspace_token>
+```
+
+The resolve endpoint is gated by wsAuth — the calling workspace's own token. Workspaces cannot enumerate or retrieve instructions from other workspaces. There is no cross-workspace read-back. Each instruction is capped at 8KB of content. Resolved instruction sets are fetched once at startup and cached, so governance is enforced without adding latency to individual agent turns.
+
+## Enforcement Before Execution
+
+The architectural difference from post-hoc policy is timing. A post-hoc filter evaluates after the agent decides what to do. Platform Instructions are in the system prompt before the agent decides anything.
+
+For regulated environments where the requirement is "prevent bad behavior" not "flag bad behavior," that distinction is everything. A compliance team that requires PII redaction doesn't want the agent to write raw PII and redact it on the way out — they want the agent to reason about redaction as part of its core task framing. Platform Instructions makes that possible.
+
+## Enterprise Security: ACLs That Match the Requirement
+
+Platform Instructions are enterprise-only because enterprise governance requires enterprise-grade access control:
+
+- **Global instructions** are managed by org admins — not workspace owners
+- **Workspace instructions** are managed by workspace admins within their own scope only
+- **Resolve endpoint** requires wsAuth — a workspace cannot retrieve another workspace's instructions
+- **No cross-workspace enumeration** — the API returns nothing to callers outside the owning scope
+
+For IT governance teams, this is the access control surface the compliance review demands: policy lives at the org level, is enforced at the workspace level, and cannot be read or modified by the agents it governs.
+
+## Get Started
+
+Platform Instructions are available on **Enterprise plans**. To get started:
+
+- Contact your account team or visit your workspace settings
+- Define your first global instruction via POST /instructions
+- Assign workspace-scoped instructions to specific workspaces
+- Verify resolved instructions via GET /workspaces/{id}/instructions/resolve
+
+For a complete governance picture, combine Platform Instructions with Tool Trace — see exactly which tools were called and what inputs were passed, alongside the policy that governed them.
+
+---
+
+*Molecule AI is open source. Platform Instructions shipped in Phase 34 (2026-04-23). Enterprise plans include org-scoped governance, wsAuth-gated resolve endpoints, and full instruction audit logs.*

docs/marketing/blog/2026-04-30-phase34-launch/index.md

@@ -0,0 +1,218 @@
+---
+title: "Phase 34: Partner API Keys, SaaS Federation v2, Tool Trace, and Platform Instructions"
+date: 2026-04-30
+slug: phase-34-launch
+description: "Phase 34 ships four production features: Partner API Keys for programmatic org management, SaaS Federation v2 for multi-org collaboration, Tool Trace for full observability, and Platform Instructions for governance at the system prompt level."
+og_title: "Phase 34: Four Production Features for AI Agent Platforms"
+og_description: "Partner API Keys. SaaS Federation v2. Tool Trace. Platform Instructions. Phase 34 ships April 30 — the biggest platform release yet."
+og_image: /docs/assets/blog/2026-04-30-phase34-launch-og.png
+tags: [phase-34, partner-api, federation, observability, governance, enterprise, tool-trace, platform-instructions, a2a]
+keywords: [AI agent platform, Partner API Keys, SaaS Federation, enterprise AI, AI agent observability, agent governance, A2A protocol, production AI]
+canonical: https://docs.molecule.ai/blog/phase-34-launch
+---
+
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "Article",
+  "headline": "Phase 34: Partner API Keys, SaaS Federation v2, Tool Trace, and Platform Instructions",
+  "description": "Phase 34 ships four production features for AI agent platforms: Partner API Keys, SaaS Federation v2, Tool Trace, and Platform Instructions.",
+  "author": { "@type": "Organization", "name": "Molecule AI" },
+  "datePublished": "2026-04-30",
+  "publisher": { "@type": "Organization", "name": "Molecule AI", "logo": { "@type": "ImageObject", "url": "https://molecule.ai/logo.png" } }
+}
+</script>
+
+# Phase 34: Partner API Keys, SaaS Federation v2, Tool Trace, and Platform Instructions
+
+**April 30, 2026 — GA**
+
+Phase 34 is Molecule AI's biggest platform release yet. Four production features ship today: **Partner API Keys** for programmatic org lifecycle management, **SaaS Federation v2** for cross-org collaboration at scale, **Tool Trace** for complete observability into every agent execution, and **Platform Instructions** for governance enforced at the system prompt level.
+
+These aren't add-ons. They're the infrastructure layer that moves AI agent platforms from "it ran" to "it's under control."
+
+---
+
+## Partner API Keys: Programmatic Org Management for Platforms and Resellers
+
+The headline feature of Phase 34 is one that most end users won't see directly — but every platform builder will feel immediately.
+
+When your product needs to create a Molecule AI org on behalf of a customer — a new tenant, a CI environment, a marketplace resale — you shouldn't need a human with a browser. Partner API Keys give marketplace resellers, automation platforms, and CI/CD tooling a scoped, rate-limited, revocable API key — prefixed `mol_pk_` — that authenticates to the partner-facing control plane. No dashboard. No session token. One API call.
+
+```bash
+# Mint a Partner API Key (admin-master-key required)
+POST /cp/admin/partner-keys
+{
+  "name": "acme-ci-pipeline",
+  "scopes": ["orgs:create", "orgs:list", "workspaces:create"]
+}
+
+# Response — key shown ONCE
+{
+  "id": "pak_01HXKM4...",
+  "key": "mol_pk_1a2b3c4d5e6f...",
+  "name": "acme-ci-pipeline",
+  "scopes": ["orgs:create", "orgs:list", "workspaces:create"],
+  "created_at": "2026-04-30T00:00:00Z"
+}
+```
+
+With the key in hand, a partner automation pipeline drives the full customer onboarding lifecycle programmatically:
+
+```bash
+# 1. Create the org
+POST /cp/orgs
+Authorization: Bearer mol_pk_1a2b3c4d5e6f...
+{
+  "name": "acme-corp",
+  "slug": "acme-corp",
+  "plan": "standard"
+}
+
+# 2. Poll until the org is provisioned
+GET /cp/orgs/org_01HXKM4.../status
+
+# 3. Ship the customer their login link
+# → https://app.moleculeai.ai/login?org=acme-corp
+
+# 4. Revoke when the integration ends
+DELETE /cp/admin/partner-keys/pak_01HXKM4...
+```
+
+Available scopes: `orgs:create`, `orgs:list`, `orgs:delete`, `workspaces:create`, `billing:read`. Each key has independent rate limits — a misbehaving integration hits its own ceiling without affecting other partners or organic traffic. Every call is audited: the log records which key was used, when, and what it did.
+
+**Pricing tiers and rate limits are [coming soon](https://molecule.ai/pricing).** Contact your Molecule AI account team to request key issuance for your integration.
+
+Partner API Keys are available on Partner and Enterprise plans.
+
+---
+
+## SaaS Federation v2: Cross-Org Collaboration Without Credential Sharing
+
+Phase 33 shipped org-scoped API keys — credentials that live at the organization level and reach every workspace in your org. SaaS Federation v2 builds on that foundation to let organizations collaborate across org boundaries, without sharing credentials, without workarounds, and without a separate "enterprise bridge" service to maintain.
+
+Federation v2 introduces a structured trust model between orgs. An org admin grants a named federation trust to a partner org — specifying exactly which workspaces are reachable and which operations are permitted. The trust is scoped, revocable, and auditable. No shared secrets. No bilateral token exchange. No custom middleware.
+
+```bash
+# Org A: establish a trust relationship with Org B
+POST /orgs/:org_a/federation/trusts
+{
+  "target_org_id": "org_01HXKM4B...",
+  "target_org_name": "Acme Corp",
+  "workspace_ids": ["ws_abc123", "ws_def456"],
+  "allowed_operations": ["workspaces:read", "channels:read"],
+  "expires_at": "2027-04-30T00:00:00Z"
+}
+```
+
+Once established, agents in Org A can route tasks to Org B's workspaces using Molecule AI's existing A2A protocol — with federation claims embedded in the request metadata so the receiving org can verify the caller's org identity without receiving their org token.
+
+**Why this matters:** In Phase 33, cross-org collaboration either required credential sharing (bad) or manual operator handoff (slow). Federation v2 makes it a first-class, auditable, revocable protocol operation. Your AI fleet can hand off work to a partner's fleet — and you can see exactly what was handed off, when, and whether it was permitted.
+
+SaaS Federation v2 is available on Enterprise plans. Contact your account team to enable federation trusts for your orgs.
+
+---
+
+## Tool Trace: Full Observability Into Every Agent Execution
+
+When your AI agent produces a wrong answer in production, the question isn't "what did the agent say?" — it's "which tool did it call, with what inputs, and what did it get back?"
+
+Most platforms answer the first question. Tool Trace answers all three — for every call, in every response.
+
+Every A2A response from Molecule AI now includes a structured `tool_trace` array in `Message.metadata`. For each tool invocation:
+
+- **`tool`** — the tool name (`Bash`, `Write`, `Read`, `HTTPRequest`, etc.)
+- **`input`** — the exact parameters passed
+- **`output_preview`** — first ~200 characters of the result
+- **`run_id`** — groups concurrent calls so parallel executions don't collapse into a scrambled sequence
+
+```json
+{
+  "metadata": {
+    "tool_trace": [
+      {
+        "tool": "Bash",
+        "input": { "command": "go build ./... && go test ./..." },
+        "output_preview": "ok      auth    0.314s\nok      config  0.201s\n--- PASS: TestIntegration (12.3s)",
+        "run_id": "01HXKM3T8PRQN4ZW7XYVD2EJ5A"
+      },
+      {
+        "tool": "Read",
+        "input": { "file_path": "/workspace/coverage/report.json" },
+        "output_preview": "Read 2.1 KB from /workspace/coverage/report.json",
+        "run_id": "01HXKM3T8PRQN4ZW7XYVD2EJ5A"
+      }
+    ],
+    "run_id": "01HXKM3T8PRQN4ZW7XYVD2EJ5A"
+  }
+}
+```
+
+Instead of "the agent ran the migration and it failed," you get: `tool_call[2] — Bash — kubectl apply -f migration.sql — returned error 1062: Duplicate entry — 0 rows affected — 23ms.` The diagnosis takes minutes, not hours.
+
+Tool Trace is available on all Molecule AI plans. No sampling, no sidecar service. It's in the A2A response metadata.
+
+---
+
+## Platform Instructions: Governance at the System Prompt Level
+
+Most governance platforms filter outputs *after* an agent decides what to do. Platform Instructions takes a different approach: governance at the source, before the first token is generated.
+
+Platform Instructions are policy rules prepended to the agent's system prompt at workspace startup. The agent doesn't receive them as a filter. It receives them as part of its task framing from the very first turn — which means the policy shapes the agent's reasoning, not just its output.
+
+### Two Scopes, One Model
+
+- **Global** — applied to every workspace in your organization. One rule, enforced everywhere across your AI fleet.
+- **Workspace** — applied to a specific workspace only. Fine-grained control without global impact.
+
+When a workspace starts, Molecule AI resolves all applicable instructions and prepends them to the system prompt. The distinction matters: a post-hoc filter can be worked around; a system prompt instruction shapes the agent's reasoning from the ground up.
+
+```bash
+# Create a global instruction (org-admin token)
+POST /instructions
+{
+  "scope": "global",
+  "content": "Before invoking any tool that writes to external storage, confirm the target path is within the org-approved sandbox directory. Reject and report if not."
+}
+
+# Create a workspace-scoped instruction
+POST /instructions
+{
+  "scope": "workspace",
+  "workspace_id": "ws_01HXKM3T8PRQN4ZW7XYVD2EJ5A",
+  "content": "This workspace handles customer PII. Redact all PII fields in tool outputs before writing to external systems."
+}
+```
+
+The resolve endpoint is gated by `wsAuth` — a workspace can only read its own instructions. Each instruction is capped at 8KB. Resolved instruction sets are fetched once at startup and cached, so governance doesn't add per-turn latency.
+
+**For regulated environments, this is the architecture compliance reviews demand:** policy lives at the org level, is enforced at the workspace level, and cannot be read or modified by the agents it governs. Combine with Tool Trace to see exactly which tools were called alongside the policy that governed them.
+
+Platform Instructions are available on Enterprise plans.
+
+---
+
+## What This Means for Developers
+
+Phase 34 is an infrastructure release. It doesn't change how agents run — it changes what you can do *after*.
+
+**If you're building a platform on Molecule AI:** Partner API Keys let your marketplace, CI pipeline, or automation tool manage orgs programmatically. Create, provision, audit, revoke — no human in the loop.
+
+**If you're collaborating across orgs:** SaaS Federation v2 makes cross-org agent handoffs a first-class, auditable protocol operation — not a credential-sharing workaround.
+
+**If you're debugging in production:** Tool Trace turns opaque failures into structured traces. You know which tool failed, what it received, what it returned, and how long it took.
+
+**If you're in a regulated industry:** Platform Instructions means governance is in the system prompt before the agent decides anything. Not a filter. Not a separate service. It's part of the workspace contract.
+
+---
+
+## Get Started
+
+- **Partner API Keys** — available on Partner and Enterprise plans. Contact your account team to request key issuance. Pricing tiers [coming soon](https://molecule.ai/pricing).
+- **SaaS Federation v2** — available on Enterprise plans. Contact your account team to enable federation trusts.
+- **Tool Trace** — available on all plans. See the [A2A Protocol Reference](/docs/api-protocol/a2a-protocol) for the full `Message.metadata` schema.
+- **Platform Instructions** — available on Enterprise plans. Configure them in your workspace settings or via the REST API.
+
+[Molecule AI](https://molecule.ai) is open source. Phase 34 ships April 30, 2026.
+
+*Phase 34 ships in PRs #1807 (Tool Trace), #XXXX (SaaS Federation v2), and across the platform control plane.*

docs/marketing/campaigns/cloudflare-artifacts-launch/social-copy.md

@@ -0,0 +1,110 @@
+# Cloudflare Artifacts — Social Copy
+Campaign: cloudflare-artifacts-launch | Blog: `docs/blog/2026-04-21-cloudflare-artifacts/index.md`
+Publish day: 2026-04-21 (blog live on staging)
+Status: Copy ready — pending Marketing Lead approval
+
+---
+
+## X (Twitter) — Primary thread (5 posts)
+
+### Post 1 — Hook (keyword: `AI agent version control`)
+Your AI agent just finished a 3-hour refactor.
+
+What changed? Do you know?
+
+Agents that don't maintain version history leave you reviewing final outputs blind. Cloudflare Artifacts makes the agent's working state a first-class Git repository — with branches, commits, and rollbacks built in.
+
+→ https://docs.molecule.ai/blog/cloudflare-artifacts
+
+---
+
+### Post 2 — Git-native (keyword: `Git for AI agents`)
+Cloudflare Artifacts speaks Git natively.
+
+Agents use standard `git clone` and `git fetch`. Any Git client works. No new tooling, no custom client library, no proprietary format.
+
+Molecule AI connects every workspace to an Artifacts repo — the platform handles the credential lifecycle so you don't have to.
+
+→ https://docs.molecule.ai/blog/cloudflare-artifacts
+
+---
+
+### Post 3 — Credential model (keyword: `short-lived Git credentials`)
+The credential model is the part that makes this production-safe:
+
+→ Tokens scoped to a single repo
+→ Short-lived by default (1 hour, capped at 7 days)
+→ Revocable without touching the repo
+
+No long-lived credentials sitting in environment variables. No credential sprawl across your agent fleet.
+
+→ https://docs.molecule.ai/blog/cloudflare-artifacts
+
+---
+
+### Post 4 — Use cases (keyword: `AI agent audit trail`)
+Real things you can do once your agent's working state is versioned:
+
+• Review every commit the agent made — not just the final output
+• Fork a workspace before a risky operation, roll back if it goes wrong
+• Roll a session back to a known-good state if an agent corrupts a config
+• Build an auditable record of agent decisions without any custom instrumentation
+
+→ https://docs.molecule.ai/blog/cloudflare-artifacts
+
+---
+
+### Post 5 — CTA
+Cloudflare Artifacts integration ships today with Molecule AI.
+
+Your agents don't just produce outputs — they maintain a versioned working state you can inspect, branch, and roll back.
+
+Configure a workspace → your full version history.
+
+→ https://docs.molecule.ai/blog/cloudflare-artifacts
+
+#GitForAgents #AIAgents #AgenticAI #MoleculeAI #Cloudflare
+
+---
+
+## LinkedIn — Single post
+
+**Title:** We gave our AI agents a Git history. Here's what that changes.
+
+**Body:**
+
+Most AI agent platforms treat the workspace as a black box — you get a final output, the session ends, and the working state is gone.
+
+We just shipped a Cloudflare Artifacts integration for Molecule AI. It changes the model.
+
+Here's what it means in practice:
+
+**Agents work in a Git repository.** Every workspace is linked to a Cloudflare Artifacts repo. The agent uses standard `git clone` and `git push` — no proprietary client, no custom tooling. Any Git client works.
+
+**Short-lived, repo-scoped credentials.** Tokens are scoped to a single repo, short-lived by default, and revocable immediately. No long-lived credentials in environment variables. The platform handles the credential lifecycle.
+
+**You can review the work, not just the output.** Instead of reading a final result, you `git log` the workspace and see every commit the agent made — with the context of what the agent was working on when it ran.
+
+**Fork before you let it run.** Fork a workspace's repo before a risky operation. If the outcome is bad, you have the original state. If it's good, you merge.
+
+**Roll back a session.** Because Artifacts is fully versioned, a workspace's state at any previous commit is accessible via Git. An agent that corrupts a config file can have its workspace reset to a known-good state by pointing it at an earlier commit.
+
+**Security: API keys don't enter the Git history.** Before any working state is committed, `snapshot_scrub.py` runs over it. API keys, bearer tokens, and sandbox tool output are redacted or excluded before the snapshot enters the git history.
+
+The integration is live now for all Molecule AI workspaces with Cloudflare Artifacts access.
+
+→ https://docs.molecule.ai/blog/cloudflare-artifacts
+
+#AIAgents #AgenticAI #MoleculeAI #Cloudflare #GitOps
+
+---
+
+## Campaign notes
+
+**Audience:** Developer / DevOps (X), Platform engineers (LinkedIn)
+**Tone:** Practical, production-first. Lead with the version control story, not the feature list.
+**Differentiation:** Git-native — agents use standard Git, not a proprietary format. Short-lived credentials. Snapshot scrubbing for security.
+**Use case pairing:** X → version history + review workflow (developer angle), LinkedIn → operational safety + audit trail (platform engineering angle)
+**Assets:** Screencast videos at `docs/marketing/devrel/demos/cloudflare-artifacts/` (16:9 + 1:1 + captioned variants)
+**Coordination:** This blog is live — social can go out same day. Coordinate with Social Media Brand queue.
+**Hashtags:** #GitForAgents #AIAgents #AgenticAI #MoleculeAI #Cloudflare

docs/marketing/social/2026-04-26.md

@@ -0,0 +1,128 @@
+# Social Queue — 2026-04-26
+
+**Status:** DRAFT — gap-fill, Phase 34 feature post
+**Source:** `docs/blog/2026-04-23-tool-trace-observability/index.md`
+**Slug:** `ai-agent-observability-without-overhead`
+**Publish day:** 2026-04-26 (Day 6, Phase 34)
+**Assets:** None required — code/output-first posts
+**Hashtags:** #A2A #MCP #AIAgents #AgenticAI #MoleculeAI #Observability
+**UTM:** `?utm_source=twitter&utm_medium=social&utm_campaign=tool-trace-observability`
+
+---
+
+## X Thread — 5 posts
+
+### Post 1 — Hook (observability gap)
+Your AI agent just spent 3 hours running.
+It finished. The output looks wrong.
+Which tool call caused it?
+If you don't have a trace, you're debugging blind.
+
+Tool Trace: every tool call, every input, every output — in the A2A response.
+
+→ https://docs.molecule.ai/blog/ai-agent-observability-without-overhead
+
+---
+
+### Post 2 — What you actually get
+Most agent platforms give you a result.
+
+Molecule AI A2A with Tool Trace gives you this in the response body:
+
+```
+tool_trace: [
+  {
+    call_id: "call_01hx...",
+    tool: "bash",
+    input: { command: "kubectl get pods" },
+    output_preview: "NAME       READY   STATUS ...",
+    started_at: "2026-04-23T10:00:01Z",
+    duration_ms: 340
+  },
+  ...
+]
+```
+
+Parallel calls are grouped by run_id. You see the full picture.
+
+→ https://docs.molecule.ai/blog/ai-agent-observability-without-overhead
+
+---
+
+### Post 3 — What goes wrong without it
+No trace:
+
+"the agent ran the migration and something broke"
+
+With trace:
+
+"tool_calls[2]: bash — kubectl apply -f migration.sql — returned error 1062: Duplicate entry 'usr_01hx' — 0 rows affected"
+
+Tool Trace turns "something broke" into "this tool, these inputs, this error."
+
+→ https://docs.molecule.ai/blog/ai-agent-observability-without-overhead
+
+---
+
+### Post 4 — Parallel traces handled correctly
+Parallel tool calls are the hardest case for agent observability.
+
+Most platforms flatten them. Molecule AI groups parallel calls by run_id:
+
+```
+run_id: "run_01hx..."
+  ├── call_01: bash (kubectl get pods) — 340ms
+  └── call_02: bash (kubectl get svc)  — 180ms
+run_id: "run_01hx...B"
+  └── call_03: http_request (status check) — 2100ms
+```
+
+Each run is independent. Each trace is complete.
+
+→ https://docs.molecule.ai/blog/ai-agent-observability-without-overhead
+
+---
+
+### Post 5 — CTA
+Tool Trace is now available on all Molecule AI plans.
+
+Every A2A response can carry the full tool call record — no sampling, no sidecar, no guesswork.
+
+Debug with the same fidelity you'd expect from a real distributed system trace.
+
+→ https://docs.molecule.ai/blog/ai-agent-observability-without-overhead
+
+---
+
+## LinkedIn — Single Post
+
+**Title:** Most AI agent platforms give you a result. This one gives you a trace.
+
+**Body:**
+
+When an AI agent produces a wrong answer, the question isn't "what did the agent say?" — it's "which tool did the agent call, with what inputs, and what did it get back?"
+
+Most agent platforms answer the first question. Few answer the second.
+
+Molecule AI's Tool Trace feature adds a structured tool call record to every A2A response. For each tool invocation:
+
+→ The call ID and run ID (for grouping parallel calls)
+→ The input parameters
+→ An output preview (first 512 chars)
+→ Timing metadata (started_at, duration_ms)
+
+What this changes in practice:
+
+**Debugging**: Instead of "the agent ran the migration and it failed," you get "tool_call[2] — bash — kubectl apply -f migration.sql — returned error 1062: Duplicate entry." The diagnosis takes minutes, not hours.
+
+**Audit trails**: Every tool call that touched production infrastructure is in the response. No custom instrumentation required.
+
+**Parallel call clarity**: When an agent fires multiple tool calls at once, Molecule AI groups them by run_id — so you see the concurrent calls as a structured tree, not a flattened list.
+
+Tool Trace is available on all plans. No sampling. No sidecar service. It's in the A2A response.
+
+→ [Read the full breakdown](https://docs.molecule.ai/blog/ai-agent-observability-without-overhead)
+→ [A2A Protocol Reference](https://docs.molecule.ai/docs/api-protocol/a2a-protocol)
+
+**Hashtags:** #A2A #AIAgents #AgenticAI #MoleculeAI #PlatformEngineering #AIInfrastructure #Observability
+**CTA:** Bookmark for when your agent does something unexpected — Tool Trace is how you find out why.

docs/marketing/social/2026-04-27.md

@@ -0,0 +1,132 @@
+# Social Queue — 2026-04-27
+
+**Status:** DRAFT — A2A Enterprise second wave
+**Source:** `docs/marketing/campaigns/a2a-enterprise-launch/social-copy.md` (canonical copy)
+**Blog:** `docs/blog/2026-04-22-a2a-v1-agent-platform/`
+**Slug:** `a2a-enterprise-any-agent-any-infrastructure`
+**Publish day:** 2026-04-27 (Day 7, Phase 34 — A2A Enterprise second wave)
+**Assets:** OG image at `docs/assets/blog/2026-04-22-a2a-enterprise-og.png` (1200x630, 22KB)
+**Hashtags:** #A2A #AIAgents #AgenticAI #MoleculeAI #EnterpriseAI #PlatformEngineering
+**UTM:** `?utm_source=twitter&utm_medium=social&utm_campaign=a2a-enterprise-launch`
+
+---
+
+## X Thread — 5 posts
+
+### Post 1 — Hook (A2A governance gap)
+Your agents can talk to each other.
+
+Now prove it.
+
+"Connect agents" is the easy part. The hard part is knowing which agent called which,
+what it did, and whether you can revoke access without a redeploy.
+
+A2A protocol with org-level governance is the difference between "agents connected"
+and "audit trail exists."
+
+→ https://docs.molecule.ai/blog/a2a-enterprise-any-agent-any-infrastructure
+
+---
+
+### Post 2 — Infrastructure agnostic
+Two agents. Same VPC. Talking directly. That's solved.
+
+Two agents. Different cloud providers. Across a VPN. A2A still works.
+
+That's the harder problem — and the one that matters for teams actually running
+AI at scale across infrastructure boundaries.
+
+Molecule AI's A2A registry handles cross-infrastructure discovery. Your agents
+don't care where the other agent lives.
+
+→ https://docs.molecule.ai/blog/a2a-enterprise-any-agent-any-infrastructure
+
+---
+
+### Post 3 — The compliance question
+"Which agent accessed which workspace, and what did it do with the data?"
+
+If your A2A implementation can't answer that question, it's not an enterprise-ready
+feature. It's a developer preview.
+
+Molecule AI A2A: org API key attribution on every cross-agent call. Audit trail
+exportable for compliance review. Revocation in one API call — no redeploy.
+
+→ https://docs.molecule.ai/blog/a2a-enterprise-any-agent-any-infrastructure
+
+---
+
+### Post 4 — Hierarchy model
+Not every agent should be able to reach every other agent.
+
+Flat agent-to-agent mesh = lateral movement risk at scale.
+
+Molecule AI's CanCommunicate() hierarchy: same workspace ✓ | siblings ✓ | parent↔child ✓ |
+everything else ✗ by default.
+
+Enterprise A2A means scoped communication rights, same as every other access control.
+
+→ https://docs.molecule.ai/blog/a2a-enterprise-any-agent-any-infrastructure
+
+---
+
+### Post 5 — CTA
+A2A protocol ships in Molecule AI Phase 30.
+
+Every workspace is an A2A server. Every cross-agent call is audit-attributed.
+Cross-infrastructure discovery is built in.
+
+If you're running multi-agent systems and can't answer "which agent did what,"
+your A2A story isn't done.
+
+→ https://docs.molecule.ai/blog/a2a-enterprise-any-agent-any-infrastructure
+
+---
+
+## LinkedIn — Single Post
+
+**Title:** A2A protocol is solved. A2A governance is not.
+
+**Body:**
+
+Every major AI agent platform is adding A2A support this quarter. "Agents can talk to each other" is no longer a differentiator — it's table stakes.
+
+What's still differentiating: whether your A2A implementation includes a governance layer.
+
+Specifically: when your compliance team asks "which agent accessed which workspace, and what did it do with the data?", can you answer?
+
+Most implementations cannot. They connect agents without logging the calls. They support JSON-RPC 2.0 and SSE streaming but skip the audit trail. They work great in demos and fall apart in enterprise review.
+
+The A2A governance gap looks like this:
+- Connect agents? ✅ (most platforms)
+- Audit trail on every call? ❌ (most platforms)
+- Attribution per call? ❌ (most platforms)
+- Instant revocation? ❌ (most platforms)
+- Cross-infrastructure discovery? ❌ (many platforms)
+- Compliance-ready? ✅ (only platforms with a real governance layer)
+
+LangGraph shipped A2A client (inbound + outbound) in PRs #6645 and #7113. The implementation is technically solid. There's no audit trail, no org-level attribution, and no revocation model.
+
+Molecule AI's A2A implementation includes org API key attribution on every cross-agent call. The audit log shows which key prefix made which request, when, and with what result. Revocation is one API call — the key stops working immediately, and the trail shows exactly what it did before revocation.
+
+The difference between "agents connected" and "agents accountable."
+
+A2A protocol ships in Phase 30. Cross-infrastructure discovery and org API key attribution are available on all production deployments.
+
+→ [Read the full breakdown](https://docs.molecule.ai/blog/a2a-enterprise-any-agent-any-infrastructure)
+→ [A2A Protocol Reference](https://docs.molecule.ai/docs/api-protocol/a2a-protocol)
+→ [Org API Keys: Audit Attribution Setup](https://docs.molecule.ai/blog/org-scoped-api-keys)
+
+**Hashtags:** #A2A #AIAgents #AgenticAI #MoleculeAI #EnterpriseAI #PlatformEngineering
+**CTA:** Bookmark for when you're evaluating agent frameworks — the protocol explainer covers what the spec doesn't.
+
+---
+
+## Campaign notes
+
+**Audience:** Platform engineers (X), Enterprise AI leads / CTOs (LinkedIn)
+**Tone:** Direct, confident. Don't over-explain the protocol — lead with the governance gap.
+**Differentiation:** "A2A is solved. A2A governance is not." is the frame. LangGraph comparison is factual (PRs cited) and not disparaging — they're a legitimate competitor doing a solid thing incompletely.
+**Suggested image:** Cross-infrastructure diagram showing two agent nodes in different cloud environments communicating via the A2A protocol with org API key attribution in the audit log.
+**Coordination:** Publish after blog goes live. A2A v1 Deep-Dive social went Apr 22 — this is the enterprise/governance second wave.
+**Status:** Canonical copy from `a2a-enterprise-launch/social-copy.md` — ready for Social Media Brand execution.

docs/marketing/social/2026-04-28-partner-api-keys/social-copy.md

@@ -0,0 +1,138 @@
+# Phase 34 — Partner API Keys Social Copy
+Campaign: partner-api-keys | Blog: `docs/marketing/blog/2026-04-23-partner-api-keys/index.md`
+Slug: partner-api-keys
+Publish day: 2026-04-28 (Day 8, Phase 34)
+Assets: OG image at `docs/assets/blog/2026-04-23-partner-api-keys-og.png`
+Hashtags: #AgenticAI #MoleculeAI #PlatformEngineering #Marketplace #CI/CD #API
+UTM: `?utm_source=twitter&utm_medium=social&utm_campaign=partner-api-keys`
+
+---
+## X Thread — 5 posts
+
+### Post 1 — Hook (programmatic org management gap)
+Your marketplace needs to provision a new customer org.
+Your CI pipeline needs a clean test environment.
+Your partner portal needs to spin up agent infrastructure.
+
+None of them should need a human with a browser.
+
+Partner API Keys: programmatic org management via `mol_pk_*`.
+→ https://docs.molecule.ai/blog/partner-api-keys
+
+---
+
+### Post 2 — What it actually does (the API surface)
+`mol_pk_*` keys let you:
+
+→ `POST /cp/orgs` — provision an org
+→ `GET /cp/orgs/:id/status` — poll until ready
+→ `DELETE /cp/admin/partner-keys/:id` — revoke cleanly
+
+No browser. No admin dashboard. Just the API.
+
+Scoped to exactly what each integration needs.
+
+→ https://docs.molecule.ai/blog/partner-api-keys
+
+---
+
+### Post 3 — CI/CD use case
+Your test suite needs a clean Molecule AI org per run.
+
+Old flow: spin up a test environment → pray nothing's shared → manual cleanup.
+
+New flow:
+1. `POST /cp/orgs` (via `mol_pk_*` key)
+2. Run integration tests
+3. `DELETE /cp/admin/partner-keys/:id`
+4. Org is gone. Run is clean.
+
+No shared state. No test pollution. No manual cleanup.
+
+→ https://docs.molecule.ai/blog/partner-api-keys
+
+---
+
+### Post 4 — Marketplace reseller angle
+You run a marketplace. You resell AI agent infrastructure to your customers.
+
+Your customer signs up on your platform.
+You call `POST /cp/orgs` with their details.
+They're redirected to their Molecule AI tenant.
+
+The reseller controls the billing relationship.
+Molecule AI handles the infrastructure.
+
+You never hand a credential to a human.
+
+→ https://docs.molecule.ai/blog/partner-api-keys
+
+---
+
+### Post 5 — Scoping + revocation story
+A partner key is only as powerful as you make it.
+
+`orgs:create` → can create orgs, nothing else
+`orgs:list` → can read org status, nothing else
+`billing:read` → can see subscription, nothing else
+
+Revoke a key → the integration stops working immediately.
+The org stays. The path closes.
+
+That's the security model.
+
+→ https://docs.molecule.ai/blog/partner-api-keys
+
+---
+
+## LinkedIn — Single Post
+
+**Title:** The difference between "agents can talk to each other" and "your platform can own the agent infrastructure your customers use"
+
+**Body:**
+
+When you're building on top of an AI agent platform, the last thing you want is for every customer onboarding to go through a human with an admin dashboard.
+
+That's the problem Partner API Keys solve.
+
+`mol_pk_*` keys let marketplace resellers, CI/CD pipelines, and automation platforms create and manage Molecule AI orgs programmatically — no browser, no admin session, just an API call.
+
+Here's what a customer onboarding flow looks like:
+
+1. Customer signs up on your marketplace
+2. You call `POST /cp/orgs` with their details
+3. You poll `GET /cp/orgs/:id/status` until provisioning completes
+4. You redirect the customer to their Molecule AI tenant
+
+Your customer gets their agent infrastructure. You control the billing relationship. Molecule AI handles the platform.
+
+The same pattern works for CI/CD: create a temporary org per test run, run integration tests, delete the org and revoke the key. Each run is fully isolated. No shared state. No manual cleanup.
+
+What makes this production-ready versus a prototype:
+
+→ **Scoped by default** — a CI pipeline key gets `orgs:create` + `orgs:list`. A marketplace key gets `orgs:create` + `orgs:delete` + `workspaces:create`. Each key does exactly what its integration needs.
+
+→ **Immediate revocation** — `DELETE /cp/admin/partner-keys/:id` closes the integration path instantly. The org stays; the automation is dead.
+
+→ **Full audit trail** — every API call attributed to the key that made it. You can trace a provisioning event back to the integration that triggered it.
+
+→ **Rate-limited per key** — a misbehaving integration hits its own ceiling without affecting other partners or organic traffic.
+
+Partner API Keys are available on Partner and Enterprise plans. Programmatic org management — not a browser dependency in sight.
+
+→ [Read the integration guide](https://docs.molecule.ai/blog/partner-api-keys)
+→ [Phase 34 Plan](https://docs.molecule.ai/blog/molecule-ai-build-plan) — all eight steps shipped
+
+**Hashtags:** #AgenticAI #MoleculeAI #PlatformEngineering #Marketplace #CICDPipeline #API
+**CTA:** Bookmark for your next platform integration build. Programmatic org management is live.
+
+---
+
+## Campaign notes
+
+**Audience:** Platform engineers / API-first builders (X), Marketplace operators / CI/CD teams / enterprise DevOps (LinkedIn)
+**Tone:** Concrete and API-first. Show the flow, not the concept. The CI/CD ephemeral org use case is the most visceral example — use it.
+**Differentiation:** No browser dependency is the core differentiator vs. every other org management flow in the market today.
+**Coordination:** Publish Day 8 (2026-04-28). No same-day conflicts identified in the current queue.
+**Status:** Draft — pending PM confirmation of pricing tier language (Partner/Enterprise plans vs. open beta)
+**Self-review applied:** No timeline claims, no person names, no benchmarks. Pricing tier language flagged above.

marketing/demos/memory-inspector-panel/storyboard.md

@@ -0,0 +1,232 @@
+# Screencast Storyboard — MemoryInspectorPanel
+
+> **Feature:** `canvas/src/components/MemoryInspectorPanel.tsx` | **Duration:** 60 seconds
+> **Format:** Canvas-led with API/terminal overlay cuts
+
+---
+
+## Pre-roll (0:00–0:04)
+
+**Canvas — full screen**
+Single workspace card in Canvas: `data-agent [ONLINE]`. Active tab: `Memory`.
+
+Memory panel visible in right sidebar with an empty state: `◇ No memory entries yet`.
+
+Narration (0:00–0:04):
+> "This agent has been running for an hour. It's stored task results, intermediate findings, and context across its sessions. Now there's a way to inspect it."
+
+**Camera:** Static Canvas frame. 4-second hold. No cursor.
+
+---
+
+## Moment 1 — Agent writes memory entries (0:04–0:18)
+
+**Cut to:** Terminal window, dark theme.
+
+Prompt: `agent@data-agent:~$`
+
+```bash
+# Agent writes to its KV memory store
+curl -s -X POST \
+  "https://acme.moleculesai.app/workspaces/ws-data-agent-001/memory" \
+  -H "Authorization: Bearer ws-token-xxx" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "key": "pipeline/Q1-revenue-findings",
+    "value": {
+      "region": "APAC",
+      "delta": -0.073,
+      "contributors": ["enterprise-churn", "demo-loss"],
+      "confidence": 0.91
+    }
+  }' | jq
+```
+
+**Terminal output:**
+
+```json
+{
+  "status": "ok",
+  "key": "pipeline/Q1-revenue-findings",
+  "version": 1
+}
+```
+
+**Camera:** Brief type-in. Cursor moves. JSON response hold on `version: 1` — 1.5s.
+
+Narration (0:06–0:14):
+> "One API call writes a memory entry. Structured data — a key, a value, a version counter. The agent stores what it learns, not just what it's told."
+
+**Second entry:**
+
+```bash
+curl -s -X POST \
+  "https://acme.moleculesai.app/workspaces/ws-data-agent-001/memory" \
+  -H "Authorization: Bearer ws-token-xxx" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "key": "pipeline/anomalies-detected",
+    "value": ["deals-84-day-stale", "renewal-risk-enterprise-3"]
+  }' | jq
+```
+
+```json
+{
+  "status": "ok",
+  "key": "pipeline/anomalies-detected",
+  "version": 1
+}
+```
+
+**Camera:** Quick follow. Clean output. Clean finish.
+
+Narration (0:14–0:18):
+> "Version one. Each write is tracked. The agent has a memory — observable, queryable, inspectable."
+
+---
+
+## Moment 2 — Canvas Memory panel shows the entries (0:18–0:32)
+
+**Cut to:** Canvas — data-agent workspace, Memory tab active.
+
+Two entry rows visible:
+
+- `pipeline/Q1-revenue-findings` — `v1` — `2m ago` — right chevron
+- `pipeline/anomalies-detected` — `v1` — `1m ago` — right chevron
+
+Entry count badge: `2 entries` in toolbar.
+
+**Camera:** Slow scroll through the two entries. Hold on first row. Highlight `v1` badge and `2m ago` timestamp.
+
+Narration (0:20–0:28):
+> "Back in Canvas. The Memory tab shows every entry — key, version, how long ago it was written. Click any row to see the full value."
+
+**Expand first entry:**
+
+Click on `pipeline/Q1-revenue-findings` row.
+
+Row expands: JSON body shows `delta: -0.073`, `confidence: 0.91`, `contributors: [...]`.
+
+Below JSON: `Updated: Apr 21, 12:34 PM` — `Edit` button — `Delete` button.
+
+**Camera:** Full expand animation. Hold on JSON body. Press Edit.
+
+Narration (0:28–0:32):
+> "One click expands the entry. JSON in view. Edit inline. Version conflict detection built in. That's the Memory Inspector — read, write, version-tracked."
+
+---
+
+## Moment 3 — Semantic search with similarity scores (0:32–0:46)
+
+**Canvas continues:** memory panel still open.
+
+Search bar focused. Type: `revenue trends`
+
+**Camera:** Cursor to search bar. Type animation (playback speed 2x). 300ms debounce, then request fires.
+
+**Terminal overlay (brief):**
+
+```bash
+# Semantic query — pgvector backend
+curl -s "https://acme.moleculesai.app/workspaces/ws-data-agent-001/memory?q=revenue%20trends" \
+  -H "Authorization: Bearer ws-token-xxx" | jq '.'
+```
+
+**Canvas updates:** entries re-sort. Similarity badges appear:
+
+- `pipeline/Q1-revenue-findings` — `v2` — `91%` — blue badge
+- `pipeline/anomalies-detected` — `v1` — `~34%` — italic dim badge
+
+Top result highlighted with blue ring for 1.5s.
+
+**Camera:** Smooth re-sort. Badge fade-in. Hold on `91%` badge. Brief highlight pulse.
+
+Narration (0:34–0:44):
+> "Type a semantic query — 'revenue trends'. The pgvector backend ranks entries by similarity. 91% match on top. Clearest result surfaces first."
+
+**Callout text (bottom-left):**
+`Vector search — find related entries without exact key matches.`
+
+**Camera:** Clear search — click × button. Entries return to default order. Similarity badges disappear.
+
+Narration (0:44–0:46):
+> "Clear the search — entries return to recency order. Every query, every ranking, visible."
+
+---
+
+## Moment 4 — Edit and version bump (0:46–0:54)
+
+**Canvas:** `pipeline/Q1-revenue-findings` entry expanded.
+
+Click `Edit`. JSON textarea appears in expanded body.
+
+Update `delta` from `-0.073` to `-0.068` — slightly revise the finding.
+
+Click `Save`.
+
+**Terminal overlay:**
+
+```bash
+# Edit with optimistic locking
+curl -s -X POST \
+  "https://acme.moleculesai.app/workspaces/ws-data-agent-001/memory" \
+  -H "Authorization: Bearer ws-token-xxx" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "key": "pipeline/Q1-revenue-findings",
+    "value": {
+      "region": "APAC",
+      "delta": -0.068,
+      "contributors": ["enterprise-churn", "demo-loss"],
+      "confidence": 0.91
+    },
+    "if_match_version": 2
+  }' | jq
+```
+
+**Terminal output:**
+
+```json
+{
+  "status": "ok",
+  "key": "pipeline/Q1-revenue-findings",
+  "version": 3
+}
+```
+
+**Canvas:** Entry version badge updates: `v3` (yellow pulse on number change).
+
+Narration (0:47–0:52):
+> "Save with `if_match_version: 2`. The entry bumps to version 3. If another agent updated it in the meantime, you'd see a conflict — not a silent overwrite. That's optimistic locking on every write."
+
+---
+
+## Close (0:54–1:00)
+
+**Canvas — full frame.** Memory panel open. Entries visible. Clean state.
+
+Narration (0:54–0:58):
+> "Every agent has memory. Every memory entry is versioned, searchable, editable. The Memory Inspector — in Canvas, built into every workspace."
+
+**End card:**
+
+```
+MemoryInspectorPanel
+canvas/src/components/MemoryInspectorPanel.tsx — molecule-core
+```
+
+**Fade to black.**
+
+---
+
+## Production Notes
+
+- **Canvas cutaways (pre-roll + moments 2–4):** Use dev canvas with one workspace in active state and at least 2 pre-populated memory entries. Pre-record before the session. When recording Moment 4, seed `pipeline/Q1-revenue-findings` with version 2 so the edit goes to version 3.
+- **Semantic search (Moment 3):** Requires pgvector backend deployed (issue #776). If pgvector is not available in the demo environment, show the empty-state search result ("No memories match your search") and narrate it as: "Without pgvector deployed, semantic search shows a clean empty state — the UI degrades gracefully without errors."
+- **Terminal theme:** Same as AGENTS.md + CF Artifacts storyboards — dark zinc, JetBrains Mono 14pt.
+- **Camera:** Screenflow / Camtasia. 1440×900 record → 1080p export.
+- **Callout text:** Amber ring `#E8A000`, 1s fade-in/out, bottom-left at 90% opacity.
+- **Version badge highlight:** On Moment 4 version bump, briefly pulse `v3` badge with blue ring `#3B82F6` — 1s hold.
+- **Similarity badges:** Blue `#3B82F6` for ≥80%, gray for 50–79%, italic gray for <50%. 1px rounded pill shape.
+- **VO recording:** Consistent pacing with other Phase 30 screencasts. Match voice talent.
+- **Music:** No music. Consider a subtle single-tone click at 0:04 (first memory write) and 0:54 (end card).

marketing/devrel/campaigns/chrome-devtools-mcp-seo/queue-ready-to-post.md

@@ -0,0 +1,202 @@
+# Chrome DevTools MCP — Day 1 Campaign Queue
+**Created by:** Content Marketer (2026-04-21, 15:15 UTC)
+**Status:** READY TO POST — no social API credentials found in codebase
+**Platforms:** X (Twitter) + LinkedIn
+**CTA link:** https://docs.molecule.ai/blog/chrome-devtools-mcp
+**Assets:** `/workspace/repo/marketing/devrel/campaigns/chrome-devtools-mcp-seo/assets/`
+
+---
+
+## X — 5-Post Thread (Primary, PMM-approved)
+
+### Post 1 of 5 — Hook
+```
+Your AI agent just made a purchase on your behalf.
+
+What did it buy? From where? With which account?
+
+Most agents operate in a black box. Browser DevTools MCP makes the browser a first-class
+tool — with org-level audit attribution on every action.
+
+→ docs.molecule.ai/blog/chrome-devtools-mcp
+
+#MCP #AIAgents #AgenticAI #MoleculeAI
+```
+
+### Post 2 of 5 — Problem framing
+```
+Browser automation for AI agents usually means: give the agent your credentials, hope it
+doesn't go somewhere unexpected, and check the logs after.
+
+That's not a governance model. That's a trust fall.
+
+Molecule AI's MCP governance layer for Chrome DevTools MCP gives you:
+→ Which agent accessed which session
+→ What it did (navigate, fill, screenshot, submit)
+→ Audit trail with org API key attribution
+
+One org API key prefix per integration. Instant revocation.
+
+→ docs.molecule.ai/blog/chrome-devtools-mcp
+
+#MCP #AIAgents #AgenticAI #MoleculeAI
+```
+
+### Post 3 of 5 — Use case, concrete
+```
+Real things teams use Chrome DevTools MCP for in production:
+
+• Automated Lighthouse audits on every PR — agent runs the audit, reports the score, flags regressions
+• Visual regression detection — agent screenshots key pages, diffs against baseline, opens tickets on drift
+• Auth scraping — agent reads the authenticated state from an existing browser session
+
+The governance layer means your security team can see all three in the audit trail.
+
+→ docs.molecule.ai/blog/chrome-devtools-mcp
+
+#MCP #AIAgents #AgenticAI #MoleculeAI
+```
+
+### Post 4 of 5 — Competitive / positioning
+```
+The MCP protocol lets you connect any compatible tool to any compatible agent.
+
+What's been missing: visibility into what the agent actually *did* with that access.
+
+Molecule AI's MCP governance layer adds:
+• Per-action audit logging with org API key attribution
+• Token-scoped Chrome sessions — no credential sharing across agents
+• Instant revocation without redeployment
+
+→ docs.molecule.ai/blog/chrome-devtools-mcp
+
+#MCP #AIAgents #AgenticAI #MoleculeAI
+```
+
+### Post 5 of 5 — CTA
+```
+Chrome DevTools MCP ships today with Molecule AI Phase 30.
+
+If you're running AI agents that interact with web UIs — there's a governance story
+you need to have ready before your security team asks.
+
+→ docs.molecule.ai/blog/chrome-devtools-mcp
+
+#MCP #AIAgents #AgenticAI #MoleculeAI
+```
+
+---
+
+## LinkedIn — Single post
+
+**Title:** Why your AI agent's browser access needs a governance layer
+
+**Body:**
+```
+Your AI agent can use a browser. That's useful. But "useful" isn't a security posture.
+
+When an agent operates inside a browser — filling forms, reading session state, navigating
+authenticated flows — most platforms give you two options: trust it completely, or don't
+let it near the browser at all.
+
+Molecule AI's Chrome DevTools MCP integration adds a third option: visibility with control.
+
+Here's what "governance layer" actually means in this context:
+
+→ Every browser action is logged with the org API key prefix that made the call. You know
+which agent touched what session, every time.
+
+→ Chrome sessions are token-scoped. Agent A's session is not Agent B's session. No credential
+cross-contamination.
+
+→ Revocation is instant. One API call, the key stops working, the session closes. No redeploy.
+
+→ Audit trails are exportable. Your security team can review them without a custom logging pipeline.
+
+This is the difference between "the agent can use a browser" and "the agent's browser access
+is auditable, attributable, and revocable."
+
+Chrome DevTools MCP is available now on all Molecule AI deployments.
+
+→ docs.molecule.ai/blog/chrome-devtools-mcp
+
+#MCP #AIAgents #AgenticAI #MoleculeAI
+```
+
+---
+
+## A/B/C Secondary X Copy Variants
+
+*(Source: `/workspace/repo/marketing/devrel/chrome-devtools-mcp-social-copy.md` — file not found in repo.
+If variants A/B/C exist elsewhere, use these as thread fillers or Day 2 repeats)*
+
+### Variant A (Technical / developer)
+```
+Chrome DevTools MCP gives your AI agents a 23-tool browser surface.
+23 actions. Every one logged. Every one attributable to an org API key.
+
+This is what "MCP governance layer" means in practice.
+
+→ docs.molecule.ai/blog/chrome-devtools-mcp
+
+#MCP #AIAgents #AgenticAI #MoleculeAI
+```
+
+### Variant B (Audit / compliance)
+```
+Your security team just asked: "Which agent accessed which browser session, and when?"
+
+With Molecule AI's Chrome DevTools MCP governance layer, you have the answer.
+Not a custom pipeline. Not a custom log. Just the audit trail.
+
+→ docs.molecule.ai/blog/chrome-devtools-mcp
+
+#MCP #AIAgents #AgenticAI #MoleculeAI
+```
+
+### Variant C (Hook variant)
+```
+"AI agent, go buy me something."
+
+Before you run that — do you know which session it'll use? Which credentials?
+What it'll do if the checkout flow changes?
+
+Chrome DevTools MCP + Molecule AI: the browser is a first-class, auditable tool.
+
+→ docs.molecule.ai/blog/chrome-devtools-mcp
+
+#MCP #AIAgents #AgenticAI #MoleculeAI
+```
+
+---
+
+## Assets on Disk
+
+```
+/workspace/repo/marketing/devrel/campaigns/chrome-devtools-mcp-seo/assets/chrome-devtools-mcp-hero.png
+/workspace/repo/marketing/devrel/campaigns/chrome-devtools-mcp-seo/assets/chrome-devtools-mcp-social-card.png
+/workspace/repo/marketing/devrel/campaigns/chrome-devtools-mcp-seo/assets/chrome-devtools-mcp-tts.mp3
+```
+
+Social card image: `chrome-devtools-mcp-social-card.png`
+Hero image: `chrome-devtools-mcp-hero.png`
+
+---
+
+## Campaign Notes (from PMM brief)
+
+- **X audience:** Developer / DevOps — lead with Lighthouse / visual regression use case
+- **LinkedIn audience:** Enterprise platform engineers — lead with governance / compliance
+- **Differentiation claim:** Org API key audit attribution — competitors can't match
+- **Spacing:** Do NOT post same day as fly-deploy-anywhere (suggested: Day 3-5 for Fly)
+- **Campaign source doc:** `/workspace/repo/docs/marketing/campaigns/chrome-devtools-mcp-seo/social-copy.md`
+
+---
+
+## Posting Instructions
+
+1. Post X thread in sequence (Posts 1–5), ~15–30 min apart
+2. Post LinkedIn as standalone after thread
+3. Attach `chrome-devtools-mcp-social-card.png` to Posts 1 and LinkedIn
+4. A/B/C variants: use as thread additions (post 1.5, 2.5 etc.) or Day 2 reposts
+5. Tag nothing extra — hashtags already in copy

marketing/devrel/campaigns/org-api-keys-launch/social-copy.md

@@ -0,0 +1,115 @@
+# Org-Scoped API Keys — Social Copy
+Campaign: org-api-keys | Blog PR: docs#51 | Issue: molecule-ai/internal#6
+Publish day: TBD — post Phase 30 blog launch (do not same-day as chrome-devtools-mcp-seo)
+Status: Ready for scheduling — post Chrome DevTools MCP launch (Day 2 slot)
+
+---
+
+## X (Twitter) — Primary thread (5 posts)
+
+### Post 1 — Hook
+
+Your CI pipeline calls your agent API.
+Your Zapier integration calls your agent API.
+Your monitoring tool calls your agent API.
+
+They all use the same token.
+That's a problem — before you even ship.
+
+Molecule AI org-scoped API keys: one credential per integration. Named, revocable, audit-attributable.
+
+---
+
+### Post 2 — Problem framing
+
+ADMIN_TOKEN works great — until it doesn't.
+
+→ Can't rotate without downtime (10 agents use it simultaneously)
+→ Can't attribute which integration made a call (no prefix in logs)
+→ Can't revoke just one (one compromised token compromises everything)
+
+Org-scoped API keys fix all three.
+
+---
+
+### Post 3 — How it works (the product)
+
+Molecule AI org API keys:
+
+→ Mint via Canvas UI or POST /org/tokens
+→ sha256 hash stored server-side, plaintext shown once
+→ 8-character prefix visible in every audit log line
+→ Immediate revocation — next request, key is dead
+→ Works across all workspaces AND workspace sub-routes
+
+Rotate without downtime. Attribute every call. Revoke instantly.
+
+---
+
+### Post 4 — Compliance angle
+
+"We need to know which integration called that API endpoint."
+
+Org-scoped API keys: every call tagged with the key's 8-char prefix in the audit log.
+Full provenance in `created_by` — which admin minted the key, when, what it's been calling.
+
+That's the answer your compliance team needs.
+
+---
+
+### Post 5 — CTA
+
+Org-scoped API keys ship today on all Molecule AI deployments.
+
+If you're running multi-agent infrastructure and you have a single ADMIN_TOKEN —
+today is a good day to fix that.
+
+→ https://docs.moleculeai.ai/blog/org-scoped-api-keys
+→ https://canvas.moleculeai.ai (Settings → Org API Keys)
+
+---
+
+## LinkedIn — Single post
+
+**Title:** One ADMIN_TOKEN across your whole agent fleet is a compliance risk, not a convenience
+
+**Body:**
+
+At two agents, one ADMIN_TOKEN feels fine.
+
+At twenty agents, it's a single point of failure that you can't rotate, can't audit,
+and can't compartmentalize.
+
+Molecule AI's org-scoped API keys change the model:
+
+→ One credential per integration — "ci-deploy-bot", "devops-rev-proxy", not "the ADMIN_TOKEN"
+→ Every API call tagged with the key's prefix in your audit logs
+→ Instant revocation — one key compromised, one key revoked, zero downtime for other integrations
+→ `created_by` provenance on every key — which admin created it, when, and what it can reach
+
+The keys work across every workspace in your org — including workspace sub-routes,
+not just admin endpoints.
+
+This is the credential model that makes multi-agent infrastructure defensible at scale.
+
+Org-scoped API keys are available now on all Molecule AI deployments.
+
+→ https://docs.moleculeai.ai/blog/org-scoped-api-keys
+
+---
+
+## Campaign notes
+
+**Audience:** Platform engineers / DevOps (X), Security / compliance / engineering leadership (LinkedIn)
+**Tone:** Direct problem-solution. No fluff. Platform engineers respond to specificity.
+**Differentiation:** The rotation-without-downtime story is the primary hook — it's the most visceral ADMIN_TOKEN pain.
+**Use case pairings:** X → rotation + attribution (DevOps pain), LinkedIn → compliance + provenance (security team concern)
+**Hashtags:** #AgenticAI #MoleculeAI #DevOps #PlatformEngineering #Security
+**Coordination:** Do NOT post on same day as chrome-devtools-mcp-seo. Suggested spacing: Chrome DevTools MCP Day 1, Org API Keys Day 2, Fly Day 3–5.
+**CTA links (confirmed 2026-04-21):**
+- Docs: https://docs.moleculeai.ai/blog/org-scoped-api-keys
+- Canvas → Org API Keys: https://canvas.moleculeai.ai (Settings → Org API Keys)
+**Visual assets (✅ generated 2026-04-21):**
+- `org-api-keys-canvas-ui.png` — Canvas Org API Keys UI mockup
+- `org-api-keys-before-after.png` — Before/after credential model
+- `org-api-keys-audit-log.png` — Audit log terminal output