core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
9aed7595c9
molecule-core/docs
History
Hongming Wang 3d7244ab94 feat(auth): org tokens reach /workspaces/:id/* subroutes + docs 
Extends WorkspaceAuth to accept org API tokens as a valid
credential for any workspace sub-route in the org. Previously a
user minting an org token could hit admin-surface endpoints
(/workspaces, /org/import, etc.) but couldn't reach per-workspace
routes like /workspaces/:id/channels — those were gated by
WorkspaceAuth which only knew about workspace-scoped tokens.

Scope matches the explicit product spec: one org API key can
manipulate every workspace in the org. AI agents given a key can
read/write channels, tokens, schedules, secrets, tasks across all
workspaces.

## WorkspaceAuth tier order

  1. ADMIN_TOKEN exact match (break-glass / bootstrap)
  2. Org API token (Validate against org_api_tokens)           NEW
  3. Workspace-scoped token (ValidateToken with :id binding)
  4. Same-origin canvas referer

Org token tier sits above the per-workspace check so a presenter
of an org key doesn't hit the narrower ValidateToken failure path
first. Checked with isSameOriginCanvas path unchanged.

## End-to-end verified

Minted test token via ADMIN_TOKEN, then with that org token:
  - GET /workspaces             → 200 (list all)
  - GET /workspaces/<id>        → 200 (detail, admin-only route)
  - GET /workspaces/<id>/channels → 200 (workspace sub-route)
  - GET /workspaces/<id>/tokens   → 200 (workspace tokens list)
  - GET /workspaces/<bad-uuid>    → 404 workspace not found
                                    (routing still scoped correctly)

## Documentation

  - docs/architecture/org-api-keys.md — design, data model, threat
    model, security properties
  - docs/architecture/org-api-keys-followups.md — 10 tracked
    follow-ups prioritized (role scoping P1, per-workspace binding
    P1, expiry P2, usage metrics P2, WorkOS user_id capture P2,
    rotation webhooks P3, mint-rate limit P3, audit log P2, CLI
    P3, migrate ADMIN_TOKEN to the same table P4)
  - docs/guides/org-api-keys.md — end-user guide (mint via UI,
    use in curl/Python/TS/AI agents, session-vs-key comparison)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 14:11:45 -07:00
..
adapters chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
adr chore: move platform/docs/adr/ to root docs/adr/ — single docs location 2026-04-18 00:12:47 -07:00
agent-runtime chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
api-protocol chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
architecture feat(auth): org tokens reach /workspaces/:id/* subroutes + docs 2026-04-20 14:11:45 -07:00
assets/branding chore: replace brand icon and add HANDOFF.md 2026-04-13 13:03:40 -07:00
blog/2026-04-17-deploy-anywhere docs(blog): deploy anywhere — Fly Machines + control plane provisioners 2026-04-17 00:38:06 +00:00
development fix(docs): update cd commands for workspace-server/ and workspace/ renames 2026-04-18 01:24:09 -07:00
frontend initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
guides feat(auth): org tokens reach /workspaces/:id/* subroutes + docs 2026-04-20 14:11:45 -07:00
integrations docs(opencode): RFC 2119 — 'should not' → 'must not' for SAFE-T1201 warning (closes #861) 2026-04-18 12:04:49 -07:00
plugins chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
tutorials Merge pull request #578 from Molecule-AI/docs/devrel-feat-525 2026-04-16 18:47:17 -07:00
.gitignore initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
api-reference.md fix(docs): update architecture + API reference paths for workspace-server rename 2026-04-18 01:25:21 -07:00
glossary.md docs(glossary): add GitHub Awesome Copilot disambiguation section 2026-04-17 16:27:41 +00:00
index.md initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
quickstart.md fix(docs): update cd commands for workspace-server/ and workspace/ renames 2026-04-18 01:24:09 -07:00
README.md chore: structural cleanup — dead dirs, moves, gitignore 2026-04-13 14:06:52 -07:00
workspace-runtime-package.md chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00

README.md

docs/

This directory serves two purposes:

  1. Markdown content — everything under architecture/, agent-runtime/, api-protocol/, development/, frontend/, plugins/, product/, etc. This is what agents and humans read.
  2. VitePress site.vitepress/config.ts, package.json, package-lock.json. These drive the rendered documentation site.

Local preview

cd docs
npm install
npm run dev      # preview on http://localhost:5173
npm run build    # static build to docs/.vitepress/dist/

Conventions

  • New top-level docs must be linked from PLAN.md, README.md, and CLAUDE.md — otherwise agents can't find them (see .claude/ memory feedback_cross_reference_docs.md).
  • edit-history/YYYY-MM-DD.md is append-only log of significant changes; don't rewrite history.
  • archive/ holds one-shot analyses and retired docs — kept for context but not maintained.

Why site tooling lives here (not in docs-site/)

VitePress expects its config at <root>/.vitepress/config.ts where <root> is also the content directory. Splitting tooling into a sibling docs-site/ would require a non-trivial srcDir shim and break relative links in .vitepress/config.ts. Keeping both together is the pragmatic choice; this README is the tradeoff ledger.