core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
84de543378
molecule-core/workspace-template
History
Hongming Wang 84de543378 fix(a2a): add missing Authorization header to delegation and message calls (#401) 
* fix(a2a): add missing Authorization header to delegation and message calls

Three A2A client functions were missing the Bearer token on their HTTP calls
after the Phase 30.1 workspace-auth enforcement rollout:

1. send_a2a_message (a2a_client.py): POST to target workspace's /message/send
   used WorkspaceAuth middleware that fails-closed on missing auth header.
   Fix: headers=auth_headers() — auth_headers() already imported.

2. tool_delegate_task_async (a2a_tools.py): POST to platform /delegate endpoint
   requires the caller's workspace bearer token since Phase 30.1.
   Fix: headers=_auth_headers_for_heartbeat()

3. tool_check_task_status (a2a_tools.py): GET /delegations endpoint, same issue.
   Fix: headers=_auth_headers_for_heartbeat()

tool_list_peers already uses _auth_headers_for_heartbeat() correctly —
that's why list_peers works while delegation returns 401/[A2A_ERROR].

Root cause of the multi-session A2A outage. PR #386 (TTL fix) addressed
the workspace-restart cascade; this fixes the underlying 401 on each call.

Closes #391
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(a2a): add missing auth headers to /activity and /notify endpoints

Two more Phase 30.1 regressions in a2a_tools.py found during send_message_to_user
debugging (it was returning 401):

- tool_report_activity: POST /workspaces/:id/activity missing headers
- tool_send_message_to_user: POST /workspaces/:id/notify missing headers

Both now use headers=_auth_headers_for_heartbeat() matching the pattern used
by commit_memory, recall_memory, and the heartbeat POST in the same file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: PM (Molecule AI) <pm@molecule-ai.internal>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 00:53:18 -07:00
..
adapters feat(adapters): add gemini-cli runtime adapter (closes #332) (#379) 2026-04-15 23:30:00 -07:00
builtin_tools fix(security): hitl task-id ownership + wire fail_open_if_no_scanner in loader (closes #265, #268) 2026-04-15 21:18:52 -07:00
plugins_registry feat(plugins): split guardrails into 12 modular plugins 2026-04-14 12:20:04 -07:00
policies initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
skill_loader fix(security): hitl task-id ownership + wire fail_open_if_no_scanner in loader (closes #265, #268) 2026-04-15 21:18:52 -07:00
tests feat(adapters): add gemini-cli runtime adapter (closes #332) (#379) 2026-04-15 23:30:00 -07:00
a2a_cli.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
a2a_client.py fix(a2a): add missing Authorization header to delegation and message calls (#401) 2026-04-16 00:53:18 -07:00
a2a_executor.py fix(a2a): cancel() event, stateTransitionHistory capability, wire push store (#173 #174 #175) 2026-04-15 17:58:10 +00:00
a2a_mcp_server.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
a2a_tools.py fix(a2a): add missing Authorization header to delegation and message calls (#401) 2026-04-16 00:53:18 -07:00
agent.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
build-all.sh initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
claude_sdk_executor.py fix(claude-sdk): #160 — probe CLI directly when SDK swallowed the real stderr 2026-04-15 11:50:55 -07:00
cli_executor.py feat(adapters): add gemini-cli runtime adapter (closes #332) (#379) 2026-04-15 23:30:00 -07:00
config.py fix(security): hitl task-id ownership + wire fail_open_if_no_scanner in loader (closes #265, #268) 2026-04-15 21:18:52 -07:00
consolidation.py fix(security): N1 — add auth headers to all platform calls in Python callers 2026-04-14 08:37:50 +00:00
coordinator.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
Dockerfile initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
entrypoint.sh fix(workspace): recursive chown when /workspace bind mount is root-owned (#13) 2026-04-14 07:29:30 -07:00
events.py fix(security): Cycle 5 — auth middleware, injection hardening, skill sandbox 2026-04-14 04:44:42 +00:00
executor_helpers.py fix(security): Cycle 5 — auth middleware, injection hardening, skill sandbox 2026-04-14 04:44:42 +00:00
heartbeat.py fix(security): N1 — add auth headers to all platform calls in Python callers 2026-04-14 08:37:50 +00:00
initial_prompt.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
main.py fix(security): /transcript endpoint fails closed when auth token missing (#328) 2026-04-15 21:17:37 -07:00
molecule_ai_status.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
platform_auth.py fix(security): H3 github_pat_ redaction + M4 atomic token write (audit cycle 10) 2026-04-14 09:34:27 +00:00
plugins.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
preflight.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
prompt.py initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
pytest.ini initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
requirements.txt initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
transcript_auth.py fix(security): /transcript endpoint fails closed when auth token missing (#328) 2026-04-15 21:17:37 -07:00
watcher.py fix(security): H1 — replace MD5 with SHA-256 in config/skill watchers 2026-04-14 07:52:07 +00:00