From 33c107f427884be7241ee8509e4460a10d1639e5 Mon Sep 17 00:00:00 2001 From: rabbitblood Date: Mon, 13 Apr 2026 18:10:41 -0700 Subject: [PATCH 1/4] fix(infra): attach docker-compose.infra.yml services to molecule-monorepo-net MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes partially #15 (network-split side of the same incident class). Running `docker compose -f docker-compose.infra.yml up -d` puts postgres, redis, clickhouse, langfuse (and the new temporal service) on a fresh `molecule-monorepo_default` bridge network, while the platform container lives on `molecule-monorepo-net` (created by the root docker-compose.yml). Platform then fails DNS on `postgres:5432` and crashes until the operator manually `docker network connect`s each service. Declare `molecule-monorepo-net` as the external default network for the infra compose file so new services join it automatically. Also adds temporal + temporal-ui services (closes the 'Temporal unavailable' noise that every agent logs at startup) and exposes the UI on :8233. Incident: 2026-04-13 — running `up -d temporal` recreated postgres into the wrong network and took the platform + all 12 workspace agents offline until networks were manually reconnected. --- docker-compose.infra.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/docker-compose.infra.yml b/docker-compose.infra.yml index e83c3316..ced9e3b9 100644 --- a/docker-compose.infra.yml +++ b/docker-compose.infra.yml 
@@ -65,6 +65,37 @@ services: timeout: 5s retries: 10 + temporal: + image: temporalio/auto-setup:1.25 + depends_on: + postgres: + condition: service_healthy + environment: + DB: postgres12 + DB_PORT: 5432 + POSTGRES_USER: ${POSTGRES_USER:-dev} + POSTGRES_PWD: ${POSTGRES_PASSWORD:-dev} + POSTGRES_SEEDS: postgres + DBNAME: temporal + VISIBILITY_DBNAME: temporal_visibility + ports: + - "7233:7233" + healthcheck: + test: ["CMD", "tctl", "--address", "temporal:7233", "cluster", "health"] + interval: 10s + timeout: 5s + retries: 10 + + temporal-ui: + image: temporalio/ui:2.31.2 + depends_on: + - temporal + environment: + TEMPORAL_ADDRESS: temporal:7233 + TEMPORAL_CORS_ORIGINS: http://localhost:8233 + ports: + - "8233:8080" + langfuse-web: image: langfuse/langfuse:2 depends_on: @@ -84,6 +115,11 @@ services: ports: - "3001:3000" +networks: + default: + name: molecule-monorepo-net + external: true + volumes: pgdata: redisdata: From 2b32e0b3031dac21ed1922d606621d124f717f27 Mon Sep 17 00:00:00 2001 From: Hongming Wang Date: Mon, 13 Apr 2026 21:37:03 -0700 Subject: [PATCH 2/4] fix(gate-4): create molecule-monorepo-net idempotently in setup.sh --- infra/scripts/setup.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/infra/scripts/setup.sh b/infra/scripts/setup.sh index 6a67d4fc..babcc6ee 100755 --- a/infra/scripts/setup.sh +++ b/infra/scripts/setup.sh @@ -4,6 +4,9 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" ROOT_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)" +echo "==> Ensuring shared docker network exists..." +docker network create molecule-monorepo-net 2>/dev/null || true + echo "==> Starting infrastructure..." docker compose -f "$ROOT_DIR/docker-compose.infra.yml" up -d From 870faabceddf82d40c5395f5350401900e03f243 Mon Sep 17 00:00:00 2001 
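Review bot: The `ports` entries `- "7233:7233"` (temporal) and `- "8233:8080"` (temporal-ui) publish on every host interface, while the series itself states that the auto-setup frontend runs without authentication; the comment added in PATCH 4/4 records that exposure but does not reduce it. If the platform reaches Temporal by service name over `molecule-monorepo-net`, as the commit message describes for postgres, the host mappings are only needed for local tooling and can be bound to loopback: `- "127.0.0.1:7233:7233"` and `- "127.0.0.1:8233:8080"`. That would also make the README wording in PATCH 3/4 ("no auth on localhost") match the actual binding. Separately, `temporal-ui` uses the short `depends_on: - temporal` form, so it does not wait for the healthcheck defined just above it; the `condition: service_healthy` form already used for postgres would be consistent.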
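Review bot: The new `networks.default` block is `external: true`, so Compose will not create `molecule-monorepo-net` and will refuse to start when it is missing, yet nothing in the file says who owns the network. A comment above the block would help, for example `# shared with the root docker-compose.yml; must exist before 'up' (infra/scripts/setup.sh creates it as of PATCH 2/4)`. The same comment should state that every container attached to this network can reach postgres, redis and the unauthenticated Temporal frontend by service name, so anything added to the network later inherits that access.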
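Review bot: `docker network create molecule-monorepo-net 2>/dev/null || true` silences every failure, not only "network already exists". A stopped daemon or a permission error is swallowed here and only shows up as a less direct error from the `docker compose ... up -d` that follows. Checking for the network first keeps the step idempotent and lets real errors stop the script under `set -euo pipefail`: `docker network inspect molecule-monorepo-net >/dev/null 2>&1 || docker network create molecule-monorepo-net`. The script continues past the end of this hunk.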
From: Hongming Wang Date: Mon, 13 Apr 2026 21:38:25 -0700 Subject: [PATCH 3/4] docs(gate-5): document Temporal dependency in CLAUDE.md/PLAN.md --- CLAUDE.md | 8 +++++++- PLAN.md | 10 ++++++++++ README.md | 4 ++++ README.zh-CN.md | 4 ++++ 4 files changed, 25 insertions(+), 1 deletion(-) diff --git a/CLAUDE.md b/CLAUDE.md index 70da5948..cc1565e7 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -35,10 +35,16 @@ Four main components: ### Infrastructure ```bash -./infra/scripts/setup.sh # Start Postgres, Redis, Langfuse; run migrations +./infra/scripts/setup.sh # Start Postgres, Redis, Langfuse, Temporal; run migrations ./infra/scripts/nuke.sh # Tear down everything, remove volumes ``` +Infra services (via `docker-compose.infra.yml`, all attached to the shared `molecule-monorepo-net` network — `setup.sh` creates it idempotently): +- **Postgres** `:5432` — primary datastore (also backs Langfuse + Temporal via separate DBs) +- **Redis** `:6379` — pub/sub, heartbeat TTLs +- **Langfuse** `:3001` — LLM trace viewer (backed by Clickhouse) +- **Temporal** `:7233` (gRPC) + `:8233` (Web UI) — durable workflow engine for `workspace-template/builtin_tools/temporal_workflow.py`. **Dev-only posture:** the auto-setup image runs with no auth on `0.0.0.0:7233`; production deployments must gate access via mTLS or an API key / reverse proxy. + ### Platform (Go) ```bash cd platform diff --git a/PLAN.md b/PLAN.md index 885a248a..58fe805a 100644 --- a/PLAN.md +++ b/PLAN.md 
@@ -317,3 +317,13 @@ Deferred, not blocking: leaves copied skill dirs behind. Low user impact. - **Shared org-template `system-prompt.md` via `_shared/`** — DRY molecule-dev and molecule-worker-gemini. Drift risk; revisit at 3+ orgs. + +## Infra footnote — Temporal + +`docker-compose.infra.yml` now includes Temporal (`:7233` gRPC, `:8233` Web +UI) backing `workspace-template/builtin_tools/temporal_workflow.py` for +durable long-running agent workflows. All infra services share the +`molecule-monorepo-net` Docker network, which `infra/scripts/setup.sh` +creates idempotently. Temporal currently runs with **no auth** on +`0.0.0.0:7233` — dev-only; any production deployment must front it with +mTLS, API keys, or a reverse proxy before exposing the cluster. diff --git a/README.md b/README.md index ac310614..477e04f5 100644 --- a/README.md +++ b/README.md @@ -253,6 +253,10 @@ git clone https://github.com/Molecule-AI/molecule-monorepo.git cd molecule-monorepo ./infra/scripts/setup.sh +# Boots Postgres (:5432), Redis (:6379), Langfuse (:3001), +# and Temporal (:7233 gRPC, :8233 UI) on the shared +# `molecule-monorepo-net` Docker network. Temporal runs with +# no auth on localhost — dev-only; production must gate it. cd platform go run ./cmd/server diff --git a/README.zh-CN.md b/README.zh-CN.md index 682a11a9..401896cf 100644 --- a/README.zh-CN.md +++ b/README.zh-CN.md @@ -252,6 +252,10 @@ git clone https://github.com/Molecule-AI/molecule-monorepo.git cd molecule-monorepo ./infra/scripts/setup.sh +# 启动 Postgres (:5432)、Redis (:6379)、Langfuse (:3001) +# 以及 Temporal (:7233 gRPC, :8233 UI),全部挂在共享的 +# `molecule-monorepo-net` Docker 网络上。Temporal 默认无鉴权, +# 仅用于本地开发;生产环境必须加 mTLS / API Key。 cd platform go run ./cmd/server From 9eadf74230137be1f1bbb009d7307efdd2023d1b Mon Sep 17 00:00:00 2001 
From: Hongming Wang Date: Mon, 13 Apr 2026 21:38:38 -0700 Subject: [PATCH 4/4] docs(gate-4): note Temporal dev-only no-auth posture --- docker-compose.infra.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.infra.yml b/docker-compose.infra.yml index ced9e3b9..9237ebf2 100644 --- a/docker-compose.infra.yml +++ b/docker-compose.infra.yml @@ -65,6 +65,7 @@ services: timeout: 5s retries: 10 + # dev-only: no-auth on 0.0.0.0:7233; production must gate via mTLS or API key temporal: image: temporalio/auto-setup:1.25 depends_on: