The INCIDENT_LOG.md F1088 entry documented three production credentials
that leaked via molecule-core PR #1098 (commit d513a0c) and were then
INCLUDED IN PLAINTEXT in the documentation itself — the incident report
became a secondary leak surface.
Status of the three tokens (per the report's own Blast Radius table):
- MiniMax (sk-cp-...KVw): revoked / endpoint inactive
- GitHub PAT (github_pat_...hsIJLIL): revoked, confirmed 401
- Admin token (HlgeMb8...ShARE=): treated as active, rotation pending
Even revoked tokens add noise to security audits and are findable via
GitHub Code Search on the public docs repo. This PR replaces the full
values with the short-suffix convention already in use in the same
file's Blast Radius table, preserving the audit trail without the
public-search surface.
Side note: caught by Molecule-AI/molecule-core#2109's secret-scan
workflow on PR #96 (the org-wide rollout that reused this same regex
set caught its own first real find before the rollout PR even merged).
The full values remain in molecule-core git history per F1088's
explicit closure decision (no BFG scrub required); this PR doesn't
change that.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ubuntu-latest jobs die in ~2s for private repos — org's GitHub-hosted
minute budget is exhausted. The ci.yml already uses self-hosted (Mac mini).
Align the auto-promote workflow to use the same runner.
workflow_dispatch manual runs at 15:06, 15:08, 15:10, 15:22, 15:23 all
failed with the same 2s timeout pattern.
CEO directive 2026-04-24: staging must not be behind main. Some hotfixes
landed directly on main and were never backported. Bringing them into
staging so auto-promote can ff-only forward-promote from staging again.
docs is a private repo and the org's GitHub-hosted Actions minute budget
is exhausted. Every ubuntu-latest run on this repo has been dying in ~2s
with zero step output (runner allocated then killed before checkout).
Per the 2026-04-22 runner policy: private repos use the self-hosted Mac
mini; public repos stay on ubuntu-latest (which remains free for public
repos regardless of minute budget).
Switches `runs-on: ubuntu-latest` → `runs-on: self-hosted`. No other
changes. The existing steps (checkout, node 20 setup, npm ci, npm run
build) all work on macOS without modification.
If the Mac mini has more specific labels assigned (e.g. macOS, ARM64),
tighten this to a matrix later — for now `self-hosted` matches any
registered runner, which should route correctly as long as there's only
one in the org.
* docs(guides): add Tool Trace and Platform Instructions
feature docs for Phase 34 features (PR #1686):
- Tool Trace: explains what it captures, how to query activity logs,
security/privacy properties, and use cases (compliance, debugging, verification)
- Platform Instructions: explains global/workspace scopes, API endpoints
for CRUD and resolve, content limits, security properties, and how
it relates to Tool Trace as a complete governance loop
Co-Authored-By: Technical Writer <technical-writer@molecule.ai>
* chore(docs): add trailing newline to tool-trace.md
* chore(docs): add trailing newline to platform-instructions.md
* docs(guides): add run_id to Tool Trace schema + split outer/inner field tables
---------
Co-authored-by: Molecule AI Technical Writer <technical-writer@agents.moleculesai.app>
Co-authored-by: Technical Writer <technical-writer@molecule.ai>
Co-authored-by: molecule-ai[bot] <276602405+molecule-ai[bot]@users.noreply.github.com>
Pair PR: molecule-cli#5
- Adds new guides/molecli-shell-completion.md with bash/zsh/fish/PowerShell
install instructions for molecli tab completion (Cobra-generated)
- Adds entry to guides/index.md under new "CLI Tooling" section
- Links to molecule-cli#5 for implementation details
Co-authored-by: Molecule AI Documentation Specialist <documentation-specialist@agents.moleculesai.app>
[Molecule-Platform-Evolvement-Manager]
PR #59 (commit dae42e2) was merged ~2 weeks ago with a bad diff that
deleted all Next.js/Fumadocs build files (package.json, app/, lib/,
source.config.ts, tsconfig.json, etc.) and most MDX content pages.
This broke the Vercel build, taking doc.moleculesai.app offline.
Root cause: the PR branch was likely rebased or reset to a state that
only contained the marketing/ subtree, so the merge diff showed
deletions for every other file.
This commit:
1. Restores all build infrastructure from the last good commit (86fa0e9)
2. Restores 25 deleted MDX content pages (concepts, quickstart, etc.)
3. Adds frontmatter (title) to 55 .md files added post-bad-merge that
were missing the required YAML frontmatter for Fumadocs
4. Removes duplicate quickstart.mdx (superseded by quickstart.md)
5. Adds CI workflow (.github/workflows/ci.yml) to catch build failures
on PRs before merge — this would have prevented the outage
Build verified: 99 static pages generated successfully.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The CWE-78 Scope Refinement and F1085 entries were added at the
wrong nested path:
BAD: content/docs/security/content/docs/security/changelog.md
GOOD: content/docs/security/changelog.md
This revert removes the bad file from main. The correct-path file
(content/docs/security/changelog.md) has the original 5 entries
and will be the build source going forward.
A follow-up PR will add the two missing entries at the correct path.
Closes: docs site ECONNREFUSED (Vercel build failure)
* docs(guides): add browser-testing skill — Playwright from molecule-ai-plugin-browser-automation
Added browser-testing (Playwright headless Chromium) as a new Browser skill
alongside browser-automation in the skill-catalog.md table. Includes install
examples for both CLI and config.yaml, and a note about Playwright system
dependencies.
Ref: molecule-ai-plugin-browser-automation#4
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs(guides): fix browser-testing install docs — remove fabricated --from plugin: syntax
- Change source: plugin:molecule-ai-plugin-browser-automation → source: plugin
- Remove --from plugin: CLI example (flag does not exist in molecule-core CLI)
- Replace install section with auto-discovery note: browser-testing is
auto-discovered when the plugin is installed, no extra flags needed
Co-Authored-By: Technical Writer Agent <technical-writer@agents.moleculesai.app>
---------
Co-authored-by: Molecule AI Technical Writer <technical-writer@agents.moleculesai.app>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
The secrets endpoint is GET /workspaces/:id/secrets, not
GET /workspaces/:id/secrets/values. Fix three occurrences in:
- workspace-runtime.md: comparison table and curl example
- remote-workspaces.md: ASCII diagram and Phase 30.2 table
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Port three docs from molecule-core PR #1419 into public docs:
- docs/guides/skill-catalog.md: new skill catalog CLI guide
- docs/api/workspace-files.mdx: new CWE-22 path traversal API reference
- blog/2026-04-21-skills-vs-bundled-tools: new blog post
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
