Merge branch 'main' into docs/contributing-md-2026-05-06

2026-05-07 11:21:41 +00:00 · 2026-05-07 11:21:41 +00:00 · a7a11ed6c8
commit a7a11ed6c8
parent 4b532ac0a6 1cb18db901
5 changed files with 194 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -1,3 +1,27 @@
-# .github
+# `Molecule-AI/.github`

-Org profile (README rendered on org page) + shared workflow templates
+Org-level community files + the org-profile README rendered on the org page.
+
+## Layout
+
+```
+.github/
+├── README.md            # this file (repo entry point, not user-visible on the org page)
+└── profile/
+    ├── README.md        # rendered on github.com/Molecule-AI when GitHub access is restored
+    └── assets/
+        ├── molecule-icon.svg
+        └── molecule-logo.svg
+```
+
+## Convention
+
+GitHub renders `<org>/.github/profile/README.md` as the org's public landing page. We mirror the same path on Gitea so once GitHub access is restored and repo-sync starts pushing, the file lands in the right place automatically.
+
+## Adding more cross-org defaults
+
+GitHub also picks up `<org>/.github/CONTRIBUTING.md`, `SECURITY.md`, `SUPPORT.md`, issue / PR templates under `.github/`, and workflow templates under `.github/workflow-templates/`. Add as needed — keep them generic; per-repo overrides win.
+
+## Editing
+
+PR against `main`; org-profile content is user-visible, so pair-review even trivial edits.
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,53 @@
+# Security Policy
+
+Thanks for taking the time to disclose responsibly. This file is the org-wide default for any repo under [`Molecule-AI`](https://git.moleculesai.app/molecule-ai) that doesn't ship its own `SECURITY.md`.
+
+## Reporting a vulnerability
+
+**Email**: `security@moleculesai.app`
+
+> Reviewer note: this address is a placeholder. Confirm the live mailbox / forwarding rule is in place before merging this file.
+
+Please include, where possible:
+
+- the affected repo + commit SHA (or the deployed surface)
+- a minimal reproduction
+- the impact you're worried about (data exposure, RCE, auth bypass, …)
+- whether you've shared the report with anyone else
+
+Do **not** file public issues for security reports — the issue tracker is publicly readable. If email isn't an option, ask via a non-public channel and we'll set one up.
+
+## What to expect
+
+- **Acknowledgement within 48 hours** of your initial email (business days; weekends and US holidays may add 1–2 days).
+- A first triage with severity assessment within **5 business days**.
+- A coordinated-disclosure window of **up to 90 days** from initial report — we aim to ship a fix sooner, and will keep you in the loop on the timeline.
+- A credit in the fix's release notes if you'd like one (and a no-credit option if you don't).
+
+## Scope
+
+**In scope:**
+
+- The platform repos: [`molecule-core`](https://git.moleculesai.app/molecule-ai/molecule-core), [`molecule-controlplane`](https://git.moleculesai.app/molecule-ai/molecule-controlplane).
+- The hosted product at [`moleculesai.app`](https://moleculesai.app), including any `*.moleculesai.app` tenant subdomain.
+- The official adapter packages: [`molecule-mcp-claude-channel`](https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel), [`molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime), and the `molecule-ai-workspace-template-*` repos.
+
+**Out of scope:**
+
+- Vulnerabilities in third-party dependencies that have already been disclosed upstream — file with the upstream project; we'll consume the fix.
+- Self-XSS, CSRF on unauthenticated read-only endpoints, missing security headers without a demonstrated impact, automated-scanner output without a working PoC.
+- Issues that require physical access to a user's device, social engineering of our team, or a fully-compromised browser/OS.
+- Denial of service via volume / rate (we have load-shedding; report something exploitable, not "I sent a million requests").
+
+## What we do NOT offer
+
+- **No bug bounty program.** Reports are still very welcome — we'll credit and (when warranted) send swag, but there's no monetary reward.
+- **No safe-harbour legal language beyond what this file states.** Good-faith research conducted in line with this policy will not be the basis of action by us; we cannot speak for third-party infrastructure.
+
+## Non-security issues
+
+For bugs, feature requests, and general questions, file at [`git.moleculesai.app/molecule-ai/internal/issues`](https://git.moleculesai.app/molecule-ai/internal/issues) (or on the specific repo if it's repo-scoped). The GitHub mirror at [`github.com/Molecule-AI`](https://github.com/Molecule-AI) is read-only for the open-source surface as of 2026-05-06.
+
+---
+
+Last updated: 2026-05-06.
--- a/profile/README.md
+++ b/profile/README.md
@ -0,0 +1,70 @@
+<div align="center">
+
+<p>
+  <img src="./assets/molecule-icon.svg" alt="Molecule AI" width="160" />
+</p>
+
+<h1>Molecule AI</h1>
+
+<h3>The Org-Native Control Plane for Heterogeneous AI Agent Teams</h3>
+
+<p>
+  Molecule AI is the operating system for AI agent organizations. One control plane, eight runtimes, organization-aware memory, real ops surfaces — built for teams that want to move past the demo.
+</p>
+
+<p>
+  <a href="https://moleculesai.app"><strong>moleculesai.app</strong></a> ·
+  <a href="https://github.com/Molecule-AI/molecule-core"><strong>molecule-core</strong></a> ·
+  <a href="https://github.com/Molecule-AI/molecule-mcp-claude-channel"><strong>Claude Code plugin</strong></a> ·
+  <a href="https://github.com/Molecule-AI/molecule-core/blob/main/docs/index.md"><strong>Docs</strong></a>
+</p>
+
+</div>
+
+---
+
+## What we ship
+
+- **Org-native workspace abstraction** — every node is a role with persistent identity, memory boundary, hierarchy position, and A2A interface. Workspaces grow into teams without breaking external integrations.
+- **Eight production agent runtimes** behind one workspace contract — Claude Code, Hermes 4, Gemini CLI, LangGraph, DeepAgents, CrewAI, AutoGen, OpenClaw. Mix them across teams without giving up shared governance.
+- **Memory v2** with pgvector semantic recall, scoped to organizational boundaries (`LOCAL` / `TEAM` / `GLOBAL`). Memories promote into hot-loadable skills as workflows mature.
+- **A real operational plane** — Canvas v4 (warm-paper themed), live activity streams, restart/pause/resume, terminal + files into running workspaces, Langfuse traces, the whole picture.
+
+## Where to start
+
+| If you want to … | Go to |
+|---|---|
+| Read the pitch + run it locally | [`molecule-core`](https://github.com/Molecule-AI/molecule-core) — Apache 2.0-converting BSL 1.1, Quick Start in 5 commands |
+| Try the hosted SaaS | [moleculesai.app](https://moleculesai.app) — multi-tenant, EC2 + Cloudflare Tunnels, WorkOS auth, Stripe billing |
+| Bridge a Claude Code session into a Molecule workspace | [`molecule-mcp-claude-channel`](https://github.com/Molecule-AI/molecule-mcp-claude-channel) — `/plugin marketplace add Molecule-AI/molecule-mcp-claude-channel` |
+| Browse the architecture | [docs/architecture/architecture.md](https://github.com/Molecule-AI/molecule-core/blob/main/docs/architecture/architecture.md) |
+| See the memory model | [docs/architecture/memory.md](https://github.com/Molecule-AI/molecule-core/blob/main/docs/architecture/memory.md) |
+| Add a new runtime / template | [`molecule-ai-workspace-runtime`](https://github.com/Molecule-AI/molecule-ai-workspace-runtime) (mirror of `workspace/`) + the `molecule-ai-workspace-template-*` repos |
+
+## Repos in this org
+
+### Product
+
+- **[`molecule-core`](https://github.com/Molecule-AI/molecule-core)** — the platform. Go control plane + Next.js Canvas + Python workspace runtime. Open source under BSL 1.1 (converts to Apache 2.0 on 2029-01-01).
+- **`molecule-controlplane`** — SaaS multi-tenant orchestration on top of `molecule-core`. Private; backs [moleculesai.app](https://moleculesai.app).
+
+### Adapters & integrations
+
+- **[`molecule-mcp-claude-channel`](https://github.com/Molecule-AI/molecule-mcp-claude-channel)** — Claude Code MCP plugin: bridges Molecule A2A traffic into a local Claude Code session.
+- **[`molecule-ai-workspace-runtime`](https://github.com/Molecule-AI/molecule-ai-workspace-runtime)** — Python adapter runtime, mirrored from `molecule-core/workspace/`. Published as a PyPI wheel.
+- **`molecule-ai-workspace-template-*`** — one repo per supported runtime template (claude-code, hermes, langgraph, …).
+
+### Marketing & community
+
+- **[`landingpage`](https://github.com/Molecule-AI/landingpage)** — [moleculesai.app](https://moleculesai.app) source.
+- **[`molecule-ai-status`](https://github.com/Molecule-AI/molecule-ai-status)** — public status page.
+
+## License & community
+
+Most user-facing code is open source under the Business Source License 1.1 (converts to Apache 2.0 on 2029-01-01). Personal, internal, and non-commercial use is permitted without restriction; commercial use that competes with the hosted product is what the BSL gates.
+
+Issues, PRs, and design discussions land on the individual repos above. The platform repo's [Docs Home](https://github.com/Molecule-AI/molecule-core/blob/main/docs/index.md) is the canonical entry point for engineering depth.
+
+---
+
+<sub>Org profile last refreshed 2026-05-06.</sub>
--- a/profile/assets/molecule-icon.svg
+++ b/profile/assets/molecule-icon.svg
@ -0,0 +1,28 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">
+  <style>
+    .bg { fill: #0a1120; }
+    .accent { fill: #7fe8d6; }
+    .accent-stroke { stroke: #7fe8d6; }
+    @media (prefers-color-scheme: light) {
+      .bg { fill: #f5f7fa; }
+      .accent { fill: #1a8a72; }
+      .accent-stroke { stroke: #1a8a72; }
+    }
+  </style>
+  <rect class="bg" width="64" height="64" rx="14"/>
+  <g class="accent-stroke" stroke-width="2.4" stroke-linecap="round" fill="none">
+    <line x1="32" y1="32" x2="12" y2="14"/>
+    <line x1="32" y1="32" x2="52" y2="18"/>
+    <line x1="32" y1="32" x2="10" y2="40"/>
+    <line x1="32" y1="32" x2="54" y2="44"/>
+    <line x1="32" y1="32" x2="32" y2="56"/>
+  </g>
+  <g class="accent">
+    <circle cx="32" cy="32" r="6.5"/>
+    <circle cx="12" cy="14" r="3.5"/>
+    <circle cx="52" cy="18" r="3.5"/>
+    <circle cx="10" cy="40" r="3.5"/>
+    <circle cx="54" cy="44" r="3.5"/>
+    <circle cx="32" cy="56" r="3.5"/>
+  </g>
+</svg>
--- a/profile/assets/molecule-logo.svg
+++ b/profile/assets/molecule-logo.svg
@ -0,0 +1,17 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" role="img" aria-label="Molecule AI">
+  <g stroke="#7fe8d6" stroke-width="2.6" stroke-linecap="round" fill="none">
+    <line x1="32" y1="32" x2="12" y2="14"/>
+    <line x1="32" y1="32" x2="52" y2="18"/>
+    <line x1="32" y1="32" x2="10" y2="40"/>
+    <line x1="32" y1="32" x2="54" y2="44"/>
+    <line x1="32" y1="32" x2="32" y2="56"/>
+  </g>
+  <g fill="#7fe8d6">
+    <circle cx="32" cy="32" r="7"/>
+    <circle cx="12" cy="14" r="3.6"/>
+    <circle cx="52" cy="18" r="3.6"/>
+    <circle cx="10" cy="40" r="3.6"/>
+    <circle cx="54" cy="44" r="3.6"/>
+    <circle cx="32" cy="56" r="3.6"/>
+  </g>
+</svg>