core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
2a39061635
molecule-core/CONTRIBUTING.md
Hongming Wang 6589929f87 docs: document the two PR auto-merge safety guards 
Adds a section to CONTRIBUTING.md → "Pull Requests" explaining the two
system-level guards that protect against the "I enabled auto-merge then
pushed more commits" race:

1. Repo-wide setting: "Automatically delete head branches" (catches
   pushes to a merged-and-deleted branch — the post-merge orphan case).
2. CI workflow `pr-guards` calling molecule-ci's
   disable-auto-merge-on-push (catches pushes during queue
   processing — disables auto-merge, posts a comment, requires
   explicit re-engage).

Why doc-not-just-memory: my agent-side memory is local. Other
contributors on other machines need this in the repo where they
read it. Cites the 2026-04-27 PR #2174 incident with the
specific commit SHAs that got orphaned.

Companion: molecule-ci README updated separately to document the
reusable workflow under "What each workflow validates" so devs
who land in the molecule-ci repo first can find the contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 06:45:55 -07:00

5.8 KiB
Raw Blame History

Contributing to Molecule AI

Thanks for your interest in contributing to Molecule AI! This guide covers the development workflow, conventions, and how to get your changes merged.

Getting Started

Prerequisites

  • Go 1.25+ — platform backend
  • Node.js 20+ — canvas frontend
  • Python 3.11+ — workspace runtime
  • Docker — infrastructure services (Postgres, Redis)
  • Git — with hooks path set to .githooks
  • jq — parses manifest.json during setup.sh to clone the template/plugin registry. Install via brew install jq (macOS) or apt install jq (Debian). Without it, setup.sh prints a note and leaves the registry dirs empty (recoverable by installing jq and re-running).

Setup

# Clone the repo
git clone https://github.com/Molecule-AI/molecule-core.git
cd molecule-core

# Install git hooks
git config core.hooksPath .githooks

# Copy and edit .env (generate ADMIN_TOKEN + SECRETS_ENCRYPTION_KEY)
cp .env.example .env

# Start infrastructure (Postgres, Redis, Langfuse, Temporal)
./infra/scripts/setup.sh

# Build and run the platform — applies pending migrations on first boot
cd workspace-server
go run ./cmd/server

# In a separate terminal, run the canvas
cd canvas
npm install
npm run dev

Environment Variables

Copy .env.example to .env and fill in your values:

cp .env.example .env

See CLAUDE.md for a full list of environment variables and their purposes.

Development Workflow

Branch Naming

Use prefixed branches:

  • feat/ — new features
  • fix/ — bug fixes
  • chore/ — maintenance, deps, CI
  • docs/ — documentation only

Never push directly to main. All changes go through pull requests.

Commits

Write concise commit messages that focus on the "why":

fix(canvas): prevent infinite re-render on WebSocket reconnect

The useEffect dependency array included the entire nodes object,
causing a render loop when any node position changed.

Pull Requests

  • Keep PRs focused — one concern per PR
  • Include a test plan in the PR description
  • PRs are merged with merge commits (not squash or rebase)

Auto-merge & the "extra commit" trap

Two system guards protect against pushing commits after auto-merge has been enabled. Don't try to work around them — they exist because we shipped a half-merged PR on 2026-04-27 (#2174 merged with only its first commit; the second was orphaned on a branch GitHub had already deleted).

  1. Repo-wide: "Automatically delete head branches" is on. Once a PR merges, the branch is deleted server-side. Any subsequent git push to that branch fails with remote rejected — no such branch.

  2. CI: the pr-guards workflow (calling molecule-ci disable-auto-merge-on-push) fires on every push to an open PR. If auto-merge was already enabled, it's disabled and a comment is posted. You must explicitly re-enable after verifying the new commit.

Workflow rules that follow from the guards:

  • Push all commits before running gh pr merge --auto.
  • If you realize you need another commit after enabling auto-merge: push it, then re-run gh pr merge --auto — the guard will already have disabled it. The disable + re-enable is the verification step.
  • For changes that depend on each other across PRs (e.g. a build-script change + a workflow that consumes it), prefer a stack of PRs (PR-B branched off PR-A's branch, opened only after PR-A is in queue) over amending one in-flight PR.

Running Tests

# Go (platform)
cd workspace-server && go test -race ./...

# Canvas (Next.js)
cd canvas && npm test

# Workspace runtime (Python)
cd workspace && python -m pytest -v

# E2E API tests (requires running platform)
bash tests/e2e/test_api.sh

Pre-commit Hooks

The .githooks/pre-commit hook enforces:

  • 'use client' directive on React hook files
  • Dark theme only (no white/light CSS classes)
  • No SQL injection patterns (fmt.Sprintf with SQL)
  • No leaked secrets (sk-ant-, ghp_, AKIA)

Fix violations before committing — the hook will reject the commit.

CI Pipeline

CI runs on GitHub Actions with a self-hosted runner. External contributors: PRs from forks will not trigger CI automatically. A maintainer will review and run CI manually.

Job What it checks
platform-build Go build + vet + go test -race
canvas-build npm build + vitest
python-lint pytest with coverage
e2e-api Full API test suite (62 tests)
shellcheck Shell script linting

Code Style

Go (Platform)

  • Standard gofmt formatting
  • go vet must pass
  • No fmt.Sprintf in SQL queries (use parameterized queries)
  • Prefer function injection over import cycles

TypeScript (Canvas)

  • Strict mode enabled
  • No any types (use unknown or proper types)
  • Use ConfirmDialog component, never native confirm/alert/prompt
  • Dark theme only — no white/light CSS classes

Python (Workspace Runtime)

  • Type hints on public functions
  • pytest for all tests

Architecture Overview

See CLAUDE.md for detailed architecture documentation, including:

  • Component diagram (Platform, Canvas, Workspace Runtime)
  • Key architectural patterns
  • Database schema and migrations
  • API route reference

Reporting Issues

Use GitHub Issues with a clear title and reproduction steps. Include:

  • What you expected
  • What actually happened
  • Platform/OS version
  • Relevant logs or screenshots

Security

If you discover a security vulnerability, please report it privately via GitHub Security Advisories rather than opening a public issue.

License

By contributing, you agree that your contributions will be licensed under the same Business Source License 1.1 that covers this project.