The GitHub org Molecule-AI was suspended on 2026-05-06; canonical SCM
is now Gitea at https://git.moleculesai.app/molecule-ai/. Stale
github.com/Molecule-AI/... URLs return 404 and break tooling that
clones / pip-installs / curls them.
This bundles all non-Go-module URL fixes for this repo into a single PR.
Go module path references (in *.go, go.mod, go.sum) are out of scope
here -- tracked separately under Task #140.
Token-auth clone URLs also flip ${GITHUB_TOKEN} -> ${GITEA_TOKEN} since
the GitHub token does not auth against Gitea.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
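One way to apply the URL rewrite this commit describes, as an added example and not code from this repo: it rewrites github.com/Molecule-AI references to the Gitea path, leaves Go module files (*.go, go.mod, go.sum) untouched because they are tracked separately, and swaps ${GITHUB_TOKEN} for ${GITEA_TOKEN} in token-auth clone URLs so the GitHub token is never sent to the Gitea host. The file paths and sample lines are constructed.

```python
import re
from pathlib import PurePosixPath

# Old and new org locations, as stated in the commit message.
OLD_HOST_PATH = "github.com/Molecule-AI/"
NEW_HOST_PATH = "git.moleculesai.app/molecule-ai/"

# Go module references are out of scope for this rewrite (tracked separately).
GO_MODULE_FILES = {"go.mod", "go.sum"}

# Matches a github.com/Molecule-AI/... reference with an optional scheme and an
# optional token-auth userinfo part (e.g. ${GITHUB_TOKEN}@). The trailing path
# stops at whitespace, quotes, angle brackets or a closing parenthesis.
_URL_RE = re.compile(
    r"""(?P<scheme>https?://)?(?:(?P<auth>[^\s/@'"]+)@)?"""
    + re.escape(OLD_HOST_PATH)
    + r"""(?P<rest>[^\s'"<>)]*)"""
)


def is_go_module_path(path: str) -> bool:
    """True for *.go, go.mod and go.sum, which this pass must not touch."""
    p = PurePosixPath(path)
    return p.suffix == ".go" or p.name in GO_MODULE_FILES


def _rewrite_match(m: re.Match) -> str:
    scheme = m.group("scheme") or ""
    auth = m.group("auth")
    if auth:
        # The GitHub token does not authenticate against Gitea, and sending it
        # to a different host would leak it. Swap it for the Gitea token variable.
        auth = auth.replace("${GITHUB_TOKEN}", "${GITEA_TOKEN}") + "@"
    else:
        auth = ""
    return f"{scheme}{auth}{NEW_HOST_PATH}{m.group('rest')}"


def rewrite_text(text: str) -> str:
    """Rewrite every stale GitHub org URL in a block of text."""
    return _URL_RE.sub(_rewrite_match, text)


def rewrite_file(path: str, text: str) -> str:
    """Apply the rewrite unless the file carries Go module references."""
    return text if is_go_module_path(path) else rewrite_text(text)


if __name__ == "__main__":
    # Constructed sample lines of the kind the commit message describes.
    sample = {
        "scripts/install.sh": "curl -sL https://github.com/Molecule-AI/core/raw/main/install.sh | sh",
        "Dockerfile": "RUN git clone https://${GITHUB_TOKEN}@github.com/Molecule-AI/internal.git",
        "go.mod": "require github.com/Molecule-AI/core v1.2.0",
    }
    for path, line in sample.items():
        print(path, "->", rewrite_file(path, line))
```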
First org-wide `SECURITY.md`. GitHub renders `<org>/.github/SECURITY.md`
as the default security policy for any repo in the org that doesn't
ship its own; mirroring the path on Gitea now.
## In-scope
- **Reporting** — security@moleculesai.app (placeholder, FLAG FOR
HONGMING to confirm the live mailbox/forwarding is set before
merging).
- **Response SLAs** — 48h ack on initial email, 5 business days for
first triage with severity, up to 90 days coordinated disclosure.
- **Scope in/out** — explicit. Platform repos + hosted SaaS in;
upstream-already-disclosed deps out, self-XSS out, scanner-output
out, volume-DoS out.
- **Non-security issues route** — git.moleculesai.app/molecule-ai/internal,
not GitHub (post-suspension reality, parallel to CONTRIBUTING.md).
## NOT-claimed (explicit)
- No bug bounty program — reports welcome but no monetary reward.
- No legal safe-harbour beyond what the file states; good-faith
research consistent with this policy will not be the basis of
action.
## Length
39 lines (orchestrator target was ~40). Stayed at the target because
SLA + scope + email are the load-bearing pieces and the rest is
conventional.
## Independent of
PR-A (`CONTRIBUTING.md` #2) — opened separately as instructed; not
stacked on the same branch.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
First content for `Molecule-AI/.github/CONTRIBUTING.md`. GitHub
renders `<org>/.github/CONTRIBUTING.md` as the default contributor
guide for any repo in the org that doesn't ship its own.
## What's in scope
- **Where the code lives**: Gitea is canonical (post-2026-05-06 GitHub
org suspension); GitHub mirror is read-only OSS face. Non-security
issues at git.moleculesai.app/molecule-ai/internal.
- **How we ship**: branch off main (or staging on platform repos),
conventional branch names, imperative commit messages, merge by
merge commit (NOT squash), no force-push to main/staging.
- **Tests + CI + review**: run locally first; fix root cause not
--no-verify; one-business-day review SLA on non-trivial PRs.
- **What we do NOT require**: no CLA, no bug bounty, no GPG
enforcement, no mandatory issue templates. Explicit so
contributors don't waste time on absent features.
- **Boundaries**: no committed secrets, no shared-env cleanup, no
long-running background jobs in tests.
- **Repo-specific overrides win** when they disagree.
## Length
56 lines (orchestrator target was ~80; landed leaner because the
post-suspension reality + merge-commit shape are the load-bearing
bits and the rest is conventional wisdom that doesn't need depth).
## Out of scope (parked, file when needed)
- Per-repo CONTRIBUTING overrides — tracked individually.
- Issue + PR templates — would live in profile/.github/ or per-repo;
current per-repo guidance is fine.
- GPG / CLA / bounty — explicitly called out as NOT required so
contributors don't infer absence as oversight.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
GitHub renders `<org>/.github/profile/README.md` as the org's public
landing page. Mirroring the same path here on Gitea so once GitHub
access is restored and repo-sync pushes this content over, it lands
in the right place automatically — no path translation step.
## Adds
- `profile/README.md` — comprehensive org-level intro (different from
molecule-core's product-deep README): pitch in 1 paragraph, "what we
ship" in 4 bullets, "where to start" routing table, repos-in-this-org
index split by purpose (product / adapters / marketing), license +
community footer.
- `profile/assets/molecule-icon.svg` — same SVG that landed on
molecule-core's README in PR #5; light/dark adaptive via
prefers-color-scheme styles.
- `profile/assets/molecule-logo.svg` — wordmark variant.
## Updates
- `README.md` (repo root, not user-visible on the org page) — documents
the layout convention + lists the other cross-org defaults GitHub
picks up from `<org>/.github/` (CONTRIBUTING.md, SECURITY.md,
SUPPORT.md, issue/PR templates, workflow templates) so a future
contributor knows where to add things.
## Why this content shape
GitHub org-profile READMEs are user-visible on the org's public page.
Standard wisdom for that surface:
- short — 1-2 screens, not the deep product pitch (which lives at
molecule-core)
- routes the reader to the right repo for what they actually want
(product / SaaS / Claude integration / docs / new runtime)
- lists the major repos with one-line descriptions so a visitor can
navigate without 30 tabs
- names the license model (BSL 1.1 → Apache 2.0 on 2029-01-01)
The "Where to start" table is the load-bearing piece — the rest is
context. If a visitor only reads the table, they still know where to
go.
## Out of scope (parked)
- CONTRIBUTING.md, SECURITY.md, SUPPORT.md — would normally live here
too. Skipping for now; current per-repo guidance is fine. File when
the org has enough cross-cutting policy to warrant it.
- GitHub Actions workflow templates — not relevant while we're on
Gitea + operator-host deploys.
🤖 Generated with [Claude Code](https://claude.com/claude-code)