forked from molecule-ai/molecule-core
9ad803a802
Reproducing the README's quickstart on a clean clone surfaced seven independent bugs between `git clone` and seeing the Canvas in a browser. Each fix is minimal and local-dev-only — the SaaS/EC2 provisioner path (issue #1822) is untouched. Bugs fixed: 1. `infra/scripts/setup.sh` applied migrations via raw psql, bypassing the platform's `schema_migrations` tracker. The platform then re-ran every migration on first boot and crashed on non-idempotent ALTER TABLE statements (e.g. `036_org_api_tokens_org_id.up.sql`). Dropped the migration block — `workspace-server/internal/db/postgres.go:53` already tracks and skips applied files. 2. `.env.example` shipped `DATABASE_URL=postgres://USER:PASS@postgres:...` with literal `USER:PASS` placeholders and the Docker-internal hostname `postgres`. A `cp .env.example .env` followed by `go run ./cmd/server` on the host failed with `dial tcp: lookup postgres: no such host`. Replaced with working `dev:dev@localhost:5432` defaults that match `docker-compose.infra.yml`. 3. `docker-compose.infra.yml` and `docker-compose.yml` set `CLICKHOUSE_URL: clickhouse://...:9000/...`. Langfuse v2 rejects anything other than `http://` or `https://`, so the container crash-looped and returned HTTP 500. Switched to `http://...:8123` (HTTP interface) and added `CLICKHOUSE_MIGRATION_URL` for the migration-time native-protocol connection. Also removed `LANGFUSE_AUTO_CLICKHOUSE_MIGRATION_DISABLED` so migrations actually run. 4. `canvas/package.json` dev script crashed with `EADDRINUSE :::8080` when `.env` was sourced before `npm run dev` — Next.js reads `PORT` from env and the platform owns 8080. Pinned `dev` to `-p 3000` so sourced env can't hijack it. `start` left as-is because production `node server.js` (Dockerfile CMD) must respect `PORT` from the orchestrator. 5. README/CONTRIBUTING told users to clone `Molecule-AI/molecule-monorepo` — that repo 404s; the actual name is `molecule-core`. The Railway and Render deploy buttons had the same broken URL. Replaced in both English and Chinese READMEs and in CONTRIBUTING. Internal identifiers (Go module path, Docker network `molecule-monorepo-net`, Python helper `molecule-monorepo-status`) deliberately left alone — renaming those is an invasive refactor orthogonal to this fix. 6. README quickstart was missing `cp .env.example .env`. Users who went straight from `git clone` to `./infra/scripts/setup.sh` got a script that warned about an unset `ADMIN_TOKEN` (harmless) but then couldn't run the platform without figuring out the env setup on their own. Added the step in both READMEs and CONTRIBUTING. Deliberately NOT generating `ADMIN_TOKEN`/`SECRETS_ENCRYPTION_KEY` here — the e2e-api suite (`tests/e2e/test_api.sh`) assumes AdminAuth fallback mode (no server-side `ADMIN_TOKEN`), which is how CI runs it. 7. CI shellcheck only covered `tests/e2e/*.sh` — `infra/scripts/setup.sh` is in the critical path of every new-user onboarding but was never linted. Extended the `shellcheck` job and the `changes` filter to cover `infra/scripts/`. `scripts/` deliberately excluded until its pre-existing SC3040/SC3043 warnings are cleaned up separately. Verification (fresh nuke-and-rebuild following the updated README): - `docker compose -f docker-compose.infra.yml down -v` + `rm .env` - `cp .env.example .env` → defaults work as-is - `bash infra/scripts/setup.sh` — clean, no migration errors, all 6 infra containers healthy - `cd workspace-server && go run ./cmd/server` — "Applied 41 migrations (0 already applied)", platform on :8080/health 200 - `cd canvas && npm install && npm run dev` — Canvas on :3000/ 200 even with `.env` sourced (PORT=8080 in env) - `bash tests/e2e/test_api.sh` — **61 passed, 0 failed** - `cd canvas && npx vitest run` — **900 tests passed** - `cd canvas && npm run build` — production build clean - `shellcheck --severity=warning infra/scripts/*.sh` — clean - Langfuse `/api/public/health` 200 (was 500) Scope notes: - SaaS/EC2 parity (issue #1822): all files touched here are local-dev surface. Canvas container uses `node server.js` with `ENV PORT=3000` in `canvas/Dockerfile` — the `-p 3000` pin in `package.json` dev script only affects `npm run dev`, not the production CMD. - Test coverage (issue #1821): project policy is tiered coverage floors, not a blanket 100% target. Files touched here are shell scripts, YAML, Markdown, and one package.json script — not classes covered by the coverage matrix. - No overlap with open PRs — searched `setup.sh`, `quickstart`, `langfuse`, `clickhouse`, `migration`, `README`; nothing conflicts. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: molecule-ai[bot] <276602405+molecule-ai[bot]@users.noreply.github.com>
171 lines
12 KiB
Plaintext
171 lines
12 KiB
Plaintext
# Postgres
|
|
# These defaults match docker-compose.infra.yml, which is the stack
|
|
# launched by `./infra/scripts/setup.sh`. Override for production.
|
|
POSTGRES_USER=dev
|
|
POSTGRES_PASSWORD=dev
|
|
POSTGRES_DB=molecule
|
|
# DATABASE_URL points at the host-published Postgres port so that
|
|
# `go run ./cmd/server` on the host (the README quickstart path) can
|
|
# connect. When running the platform *inside* docker-compose.yml, the
|
|
# compose file builds a DATABASE_URL with host `postgres` automatically
|
|
# from POSTGRES_USER/PASSWORD/DB above — that path ignores this value.
|
|
DATABASE_URL=postgres://dev:dev@localhost:5432/molecule?sslmode=disable
|
|
|
|
# Redis — same host-vs-container story as DATABASE_URL above.
|
|
REDIS_URL=redis://localhost:6379
|
|
|
|
# Platform
|
|
# PORT only applies to the Go platform (workspace-server). The Canvas pins
|
|
# itself to 3000 in canvas/package.json, so sourcing this file before
|
|
# `npm run dev` won't accidentally make Next.js try to bind 8080.
|
|
PORT=8080
|
|
# ---- Admin credential — REQUIRED to close issue #684 (AdminAuth bearer bypass) ----
|
|
# When ADMIN_TOKEN is set, only this value is accepted on /admin/* and /approvals/* routes.
|
|
# Without it, any valid workspace bearer token can call admin endpoints (backward compat
|
|
# fallback, still vulnerable). Set this in every environment, rotate when compromised.
|
|
# Generate: openssl rand -base64 32
|
|
# Store in fly secrets / deployment env — NEVER commit the actual value here.
|
|
ADMIN_TOKEN=
|
|
SECRETS_ENCRYPTION_KEY= # 32-byte key (raw or base64). Leave empty for plaintext (dev only).
|
|
CONFIGS_DIR= # Path to workspace-configs-templates/ (auto-discovered if empty)
|
|
PLUGINS_DIR= # Path to plugins/ directory (default: /plugins in container)
|
|
# PLATFORM_URL=http://host.docker.internal:8080 # URL agent containers use to reach the platform; injected into workspace env. Default derives from PORT.
|
|
# MOLECULE_URL=http://localhost:8080 # Canonical MCP-client URL (mirrors PLATFORM_URL inside containers). Read by the MCP server (mcp-server/) and Molecule MCP tooling.
|
|
# MOLECULE_MCP_ALLOW_SEND_MESSAGE= # Set to "true" to include send_message_to_user in the MCP bridge tool list (issue #810). Excluded by default to prevent unintended WebSocket pushes from CLI sessions.
|
|
# MOLECULE_MCP_URL=http://localhost:8080 # Platform URL for opencode MCP config (opencode.json). Same as PLATFORM_URL; separate var so opencode configs can reference it without ambiguity.
|
|
# WORKSPACE_DIR= # Optional global host path bind-mounted to /workspace in every container. Per-workspace workspace_dir column overrides this; if neither is set each workspace gets an isolated Docker named volume.
|
|
# MOLECULE_ENV=development # Environment label (development/staging/production). Used for log tagging and conditional behaviour.
|
|
# MOLECULE_ENABLE_TEST_TOKENS= # Set to 1 to expose GET /admin/workspaces/:id/test-token (mints a fresh bearer token for E2E scripts). The route is auto-enabled when MOLECULE_ENV != production; this flag is the explicit override. Leave unset/0 in prod — the route 404s unless enabled.
|
|
# MOLECULE_ORG_ID= # SaaS only: org UUID set by control plane on tenant machines. When set, workspace provisioning auto-routes through the control plane API instead of Docker.
|
|
# CP_PROVISION_URL= # Override control plane URL for workspace provisioning (default: https://api.moleculesai.app). Only needed for testing against a non-production control plane.
|
|
|
|
# CORS / rate limiting
|
|
# CORS_ORIGINS=http://localhost:3000,http://localhost:3001 # Comma-separated allowed origins for the HTTP API.
|
|
# RATE_LIMIT=600 # Requests/minute per client (default 600).
|
|
|
|
# Activity retention
|
|
# ACTIVITY_RETENTION_DAYS=7 # Days to keep rows in activity_logs before pruning.
|
|
# ACTIVITY_CLEANUP_INTERVAL_HOURS=6 # How often the background pruner runs.
|
|
|
|
# Container/runtime detection
|
|
# MOLECULE_IN_DOCKER= # Set when running the platform inside Docker (accepts 1/0, true/false). Triggers A2A proxy to rewrite 127.0.0.1:<port> agent URLs to Docker bridge hostnames. Auto-detected via /.dockerenv; only set if detection fails or to force off.
|
|
|
|
# Observability (Awareness)
|
|
# AWARENESS_URL= # If set, injected into workspace containers along with a deterministic AWARENESS_NAMESPACE derived from workspace ID. Enables the cross-session memory MCP server.
|
|
|
|
# GitHub
|
|
# GITHUB_REPO=owner/repo # Target repo for agent initial_prompt clone (e.g. Molecule-AI/molecule-monorepo). Read inside workspace containers.
|
|
# GITHUB_TOKEN= # Personal access token / installation token used by agents that clone private repos. Register as a global secret via POST /admin/secrets for propagation to workspace env. Token is used in-URL during clone and then scrubbed from .git/config via `git remote set-url`.
|
|
|
|
# Webhooks
|
|
# GITHUB_WEBHOOK_SECRET= # HMAC secret used to verify incoming GitHub webhook payloads at /webhooks/github.
|
|
|
|
# CLI clients
|
|
# MOLECLI_URL=http://localhost:8080 # URL the molecli TUI uses to reach the platform.
|
|
|
|
# Plugin install safeguards (POST /workspaces/:id/plugins)
|
|
# All three bound the cost of a single install so a slow/malicious
|
|
# source can't tie up a handler. Defaults are sane for typical use.
|
|
PLUGIN_INSTALL_BODY_MAX_BYTES=65536 # max request body size (default: 64 KiB)
|
|
PLUGIN_INSTALL_FETCH_TIMEOUT=5m # duration string; whole fetch+copy deadline
|
|
PLUGIN_INSTALL_MAX_DIR_BYTES=104857600 # max staged-tree size (default: 100 MiB)
|
|
|
|
# ---- Plugin supply chain hardening (issue #768, PR #775) ----
|
|
# Set to 'true' to allow unpinned plugin refs (no #tag/#sha). Local dev only.
|
|
# When unset or 'false' (default), installing a plugin from a source without
|
|
# an explicit ref is rejected — prevents supply chain attacks via floating HEAD.
|
|
# NEVER set in production. Pending: PR #775 must merge before this takes effect.
|
|
PLUGIN_ALLOW_UNPINNED=
|
|
|
|
# Phase 30.7 — remote-agent liveness threshold. Workspaces with
|
|
# runtime='external' are marked offline if their last_heartbeat_at is
|
|
# older than this many seconds. Slightly larger than the 60s Redis TTL
|
|
# so transient WAN hiccups don't flap online/offline. Set to 0 to use
|
|
# the built-in default (90s).
|
|
REMOTE_LIVENESS_STALE_AFTER=90
|
|
|
|
# ---- Workspace hibernation (issue #724, PR #724) ----
|
|
# Workspaces with no active tasks hibernate after this many minutes.
|
|
# Leave empty to disable. Per-workspace override via the hibernation_idle_minutes
|
|
# column (set via PATCH /workspaces/:id or org.yaml). This env var sets the
|
|
# platform-wide default applied to workspaces that have no per-workspace setting.
|
|
# Note: the global-default behaviour (reading this env var) is pending — currently
|
|
# only the per-workspace DB column is active. Setting this has no effect until that
|
|
# code lands.
|
|
HIBERNATION_IDLE_MINUTES=60
|
|
|
|
# Canvas
|
|
NEXT_PUBLIC_PLATFORM_URL=http://localhost:8080
|
|
NEXT_PUBLIC_WS_URL=ws://localhost:8080/ws
|
|
|
|
# Workspace Runtime
|
|
ANTHROPIC_API_KEY= # Anthropic API key (console.anthropic.com). Required for MODEL_PROVIDER=anthropic (default). Also used by workspaces that call the Anthropic SDK directly (e.g. molecule-hitl, hermes runtime). Register as a global secret via POST /settings/secrets so it is auto-propagated to all workspace containers — do NOT set only as a workspace-level secret or SDK-direct workspaces will silently fail with 401. See docs/runbooks/saas-secrets.md#anthropic_api_key.
|
|
OPENROUTER_API_KEY= # OpenRouter API key (openrouter.ai). Use with model: openrouter:anthropic/claude-3.5-haiku. Also acts as the fallback key for the hermes runtime when HERMES_API_KEY is unset.
|
|
HERMES_API_KEY= # Nous Research Portal API key (inference-prod.nousresearch.com). Used by the hermes runtime; falls back to OPENROUTER_API_KEY if unset.
|
|
GROQ_API_KEY= # Groq API key (console.groq.com). Use with model: groq:llama-3.3-70b-versatile
|
|
CEREBRAS_API_KEY= # Cerebras API key (cloud.cerebras.ai). Use with model: cerebras:llama3.1-8b
|
|
GOOGLE_API_KEY= # Google AI API key (aistudio.google.com). Use with model: google_genai:gemini-2.5-flash
|
|
MAX_TOKENS=2048 # Max output tokens for OpenRouter requests (default: 2048)
|
|
LANGGRAPH_RECURSION_LIMIT=500 # LangGraph/DeepAgents max ReAct steps per turn (lib default: 25; raised to 500 — PM fan-out to 6+ reports + synthesis routinely exceeds 100)
|
|
MODEL_PROVIDER=anthropic:claude-opus-4-7 # Format: provider:model. Providers: anthropic, openai, openrouter, groq, cerebras, google_genai, ollama
|
|
|
|
# ---- Workspace tier resource limits (issue #14) ----
|
|
# Per-tier memory/CPU caps applied to each workspace Docker container.
|
|
# CPU_SHARES follows the Docker convention: 1024 shares == 1 CPU.
|
|
# Any value <=0 or malformed falls back to the compiled default shown.
|
|
# Tier 1 is sandboxed (tmpfs, readonly) and is not resource-capped here.
|
|
TIER2_MEMORY_MB=512 # Standard tier memory cap (default 512 MiB)
|
|
TIER2_CPU_SHARES=1024 # Standard tier CPU (default 1024 = 1 CPU)
|
|
TIER3_MEMORY_MB=2048 # Privileged tier memory cap (default 2048 MiB; previously uncapped)
|
|
TIER3_CPU_SHARES=2048 # Privileged tier CPU (default 2048 = 2 CPU; previously uncapped)
|
|
TIER4_MEMORY_MB=4096 # Full-host tier memory cap (default 4096 MiB; previously uncapped)
|
|
TIER4_CPU_SHARES=4096 # Full-host tier CPU (default 4096 = 4 CPU; previously uncapped)
|
|
|
|
# Social Channels (optional — configure per-workspace via API or Canvas)
|
|
TELEGRAM_BOT_TOKEN= # Telegram Bot API token (talk to @BotFather). Used as default for new Telegram channels.
|
|
DISCORD_WEBHOOK_URL= # Discord Incoming Webhook URL (Server → Channel → Integrations → Webhooks). Used by Community Manager workspace.
|
|
|
|
# CI/CD Slack notifications (issue #624)
|
|
# Add SLACK_CI_WEBHOOK_URL as a GitHub Actions secret (repo Settings → Secrets → Actions).
|
|
# When set, CI failures in platform-build, canvas-build, python-lint, shellcheck,
|
|
# and e2e-api workflows post an alert to the configured #ci-alerts Slack channel.
|
|
# Obtain: Slack App → Incoming Webhooks → Add to channel → copy URL.
|
|
# Leave unset to disable (jobs skip silently — no build failure).
|
|
SLACK_CI_WEBHOOK_URL= # https://hooks.slack.com/services/...
|
|
|
|
# Langfuse (optional observability)
|
|
LANGFUSE_HOST=http://langfuse-web:3000
|
|
LANGFUSE_PUBLIC_KEY=
|
|
LANGFUSE_SECRET_KEY=
|
|
|
|
# ---- EU AI Act Annex III compliance — molecule-audit-ledger (#594) ----
|
|
# Secret salt for PBKDF2 key derivation (HMAC-SHA256 chain verification).
|
|
# When set, GET /workspaces/:id/audit derives the HMAC key and verifies the
|
|
# chain inline, returning "chain_valid": true/false in the response.
|
|
# When unset, "chain_valid": null — use the CLI to verify:
|
|
# python -m molecule_audit.verify --agent-id <id>
|
|
# Must match AUDIT_LEDGER_SALT set in each workspace container.
|
|
# AUDIT_LEDGER_SALT= # 32+ random bytes (base64 or arbitrary string)
|
|
|
|
# ---- Operator identity (for org-templates/reno-stars/, see OPERATOR_NOTES.md) ----
|
|
# These are NOT consumed by the platform itself — they're documented here so
|
|
# operators of the reno-stars template (and any future operator-personalised
|
|
# template) know what to set as global_secrets. The platform injects every
|
|
# global_secret into every workspace container as an env var; the agent
|
|
# system-prompts reference them via ${VAR_NAME}.
|
|
OPERATOR_EMAIL= # e.g. you@example.com
|
|
OPERATOR_PHONE= # e.g. 555-123-4567 (display only, not used for SMS)
|
|
OPERATOR_TELEGRAM_ID= # numeric Telegram user ID (for bot DMs)
|
|
GADS_MCC_ID= # Google Ads MCC (manager) account ID, format 123-456-7890
|
|
GADS_CUSTOMER_ID= # Google Ads child customer ID, format 987-654-3210
|
|
GCP_PROJECT_ID= # Google Cloud project ID (e.g. my-website-123456)
|
|
GSC_SERVICE_ACCOUNT= # Search Console reporter service account email
|
|
|
|
# ---- opencode / remote MCP client auth (see docs/integrations/opencode.md) ----
|
|
# MOLECULE_MCP_URL is the base URL of the Molecule platform's /mcp endpoint.
|
|
# MOLECULE_MCP_TOKEN is a workspace-scoped bearer token issued via
|
|
# POST /workspaces/:id/tokens (scopes: mcp:read, mcp:delegate).
|
|
# Token goes in Authorization: Bearer header — never embed in the URL.
|
|
MOLECULE_MCP_URL= # e.g. https://api.molecule.ai or http://localhost:8080
|
|
MOLECULE_MCP_TOKEN= # workspace-scoped bearer token — NEVER COMMIT
|