molecule-core

History

rabbitblood 3609b7ab8c feat(platform): wire github-app-auth plugin for per-installation tokens Integrates github.com/Molecule-AI/molecule-ai-plugin-github-app-auth. When GITHUB_APP_ID is set, the platform constructs a plugin Authenticator at boot and registers it as an EnvMutator on the WorkspaceHandler. Every workspace provision then gets a fresh GITHUB_TOKEN / GH_TOKEN injected from the App's installation token (rotates ~hourly, refresh 5 min before expiry). Verified live this turn: - Platform boot log: `github-app-auth: registered, 1 mutator(s) in chain` - `docker exec ws-<id> gh auth status` → `Logged in as molecule-ai[bot] (GH_TOKEN)` - `gh issue list --repo Molecule-AI/molecule-core` returns real data (Hermes #498/#499/#500 visible from inside a workspace container) ## Changes - platform/go.mod + go.sum: new dep on the plugin - platform/cmd/server/main.go: import + conditional registration (soft-skip when GITHUB_APP_ID is unset for self-hosted/dev) - docker-compose.yml: pass GITHUB_APP_* env + bind-mount private key ## Drive-by .gitignore: exclude /org-templates /plugins /workspace-configs-templates — these dirs are populated locally by clone-manifest.sh from the standalone repos, should never be committed to core. Without this rule my previous git add -A staged 33 embedded git dirs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 12:52:20 -07:00
..
main.go	feat(platform): wire github-app-auth plugin for per-installation tokens	2026-04-16 12:52:20 -07:00

rabbitblood 3609b7ab8c feat(platform): wire github-app-auth plugin for per-installation tokens

Integrates github.com/Molecule-AI/molecule-ai-plugin-github-app-auth.
When GITHUB_APP_ID is set, the platform constructs a plugin
Authenticator at boot and registers it as an EnvMutator on the
WorkspaceHandler. Every workspace provision then gets a fresh
GITHUB_TOKEN / GH_TOKEN injected from the App's installation token
(rotates ~hourly, refresh 5 min before expiry).

Verified live this turn:
- Platform boot log: `github-app-auth: registered, 1 mutator(s) in chain`
- `docker exec ws-<id> gh auth status` → `Logged in as molecule-ai[bot] (GH_TOKEN)`
- `gh issue list --repo Molecule-AI/molecule-core` returns real data
  (Hermes #498/#499/#500 visible from inside a workspace container)

## Changes
- platform/go.mod + go.sum: new dep on the plugin
- platform/cmd/server/main.go: import + conditional registration
  (soft-skip when GITHUB_APP_ID is unset for self-hosted/dev)
- docker-compose.yml: pass GITHUB_APP_* env + bind-mount private key

## Drive-by
.gitignore: exclude /org-templates /plugins /workspace-configs-templates
— these dirs are populated locally by clone-manifest.sh from the
standalone repos, should never be committed to core. Without this rule
my previous git add -A staged 33 embedded git dirs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-16 12:52:20 -07:00

main.go

feat(platform): wire github-app-auth plugin for per-installation tokens

2026-04-16 12:52:20 -07:00