Content for internal#8 / PR #1178 launch coverage.
Angle: EC2 console output surfaced directly in Canvas — no more
tab-switching to AWS Console.
~180 words.
Adds content/docs/guides/org-api-keys.md — CLI/API reference for minting,
listing, revoking org-scoped API keys. Referenced by the org-scoped API
keys blog post CTAs.
* docs(concepts): add Memory Inspector panel (canvas PR #738)
Document the canvas Memory Inspector panel — Side Panel → Memory tab.
Covers browse (LOCAL/TEAM scopes), semantic search via ?q= param,
and key expansion. Notes polling cadence (~15s heartbeat cycle).
Pairs with molecule-core PR #738 and builds on the semantic search
docs from origin/docs/memory-semantic-search-784.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs(self-hosting): add ADMIN_TOKEN production requirement page
Adds content/docs/self-hosting/admin-token.mdx explaining:
- ADMIN_TOKEN must be set in production (deadline April 22, 2026)
- Generation: openssl rand -base64 32
- What /admin/* endpoints it gates
- Fail-open risk when unset
- Verification and rotation steps
Also updates meta.json nav and adds cross-link from self-hosting.mdx.
Pairs with: monorepo PR #729 (issue #684)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Molecule AI Documentation Specialist <documentation-specialist@agents.moleculesai.app>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Molecule AI App-FE <app-fe@agents.moleculesai.app>
* docs(security): add OWASP Agentic AI Top 10 coverage report
Adds content/docs/security/owasp-agentic-top-10.mdx with honest coverage:
✅ COVERED (5): A01 Prompt Injection, A02 Sensitive Info Disclosure,
A03 Unbounded Resource Consumption, A06 Memory Poisoning,
A07 Cascade Hallucinations
⚠️ PARTIAL (3): A04 Sandboxing Escapes, A05 Agent-Human Relationship
Dysfunction, A08 Overreliance
❌ NOT COVERED: A09 Supply Chain Vulnerabilities, A10 Improper Agency Grants
Meta.json updated to include security section with all three pages.
PR merge order note: advisory (#808) should merge before this PR.
If advisory is not yet merged, rebase to remove duplicate entries.
Deadline: April 25, 2026
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(security): update molecule-monorepo → molecule-core in OWASP coverage
Terminology fix: repo reference updated to the correct name.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Molecule AI Documentation Specialist <documentation-specialist@agents.moleculesai.app>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Molecule AI App-FE <app-fe@agents.moleculesai.app>
MDX parser (next-mdx-remote or nextra) treats bare URLs as syntax
errors. Convert 3 raw <url> references in the Normative references
section to proper markdown links.
Addresses Molecule-AI/docs issue #45.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pairs with monorepo PRs #840 (opencode MCP bridge) and #842 (org-template +
integration guide). Adds opencode.mdx with prerequisites, opencode.json config,
token issuance, available tools, transport options, and SAFE-T1401/T1201
security notes. Adds ---Integrations--- nav section to meta.json.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pairs with monorepo PRs #840 (opencode MCP bridge) and #842 (org-template +
integration guide). Adds opencode.mdx with prerequisites, opencode.json config,
token issuance, available tools, transport options, and SAFE-T1401/T1201
security notes. Adds ---Integrations--- nav section to meta.json.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Terminology fix: all references to the repo now use the correct name
molecule-core (was molecule-monorepo). No content changes beyond the
repo name update.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Mark Phase 2e as shipped — native tools=[] parameter and
response_format=json_schema now on the Anthropic native dispatch path.
- Update intro paragraph: Phase 2d is now stacked messages (#499),
Phase 2e is tools + structured output (#644, #645)
- Replace Phase 2d roadmap callout with "remaining roadmap" (vision + streaming)
- Update capability table: native tools and response_format now ✅ on
Anthropic native; 📋 roadmap for Gemini native
- Add two new sections with code examples for tools=[] and response_format
- Remove "not yet shipped" language from capability table header
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Document the canvas Memory Inspector panel — Side Panel → Memory tab.
Covers browse (LOCAL/TEAM scopes), semantic search via ?q= param,
and key expansion. Notes polling cadence (~15s heartbeat cycle).
Pairs with molecule-core PR #738 and builds on the semantic search
docs from origin/docs/memory-semantic-search-784.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Document the admin-only cross-org schedule health endpoint returning
last-fired, next-scheduled, consecutive-empty count, and phantom detection
status for every schedule in the org. Complements the per-workspace peer
health endpoint already documented. Pairs with molecule-core PRs #671 and
#796.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Document GET /workspaces/:id/metrics — WorkspaceAuth-required endpoint
returning input/output/cache-read/cache-write token counts over rolling
1h and 30d windows. Notes the canvas WorkspaceUsage panel as the live
counterpart. Security context: endpoint auth hardened in PR #696.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Document POST/DELETE /admin/orgs/:orgId/plugins/allowlist endpoints for
controlling which plugins workspaces in an org may load. Covers allowlist
semantics (empty = all permitted; non-empty = allowlist-only), relationship
to supply-chain pinning, and the two admin API endpoints. Adds both
endpoints to the API Reference table at the bottom of the page.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
molecule-core-net was incorrect — docker-compose.infra.yml and docker-compose.yml both
declare the network as molecule-monorepo-net (8+ references confirmed). Repo was renamed
to molecule-core but the network name was not changed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Repo was renamed Molecule-AI/molecule-monorepo → Molecule-AI/molecule-core.
Updates git clone URLs, cd commands, and Docker network name references
in quickstart.mdx, self-hosting.mdx, and architecture.mdx.
Note: molecule-core-net Docker network name updated from molecule-monorepo-net —
verify docker-compose.infra.yml network name matches before merging.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Closes the TOCTOU race (PR #882/issue #819): documents that hibernation
uses an atomic SQL claim that aborts if active_tasks > 0 at commit time,
so no in-flight task is silently dropped.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Documents the two security controls landed in workspace-template/adapters/smolagents:
- make_safe_env() strips *_API_KEY/*_TOKEN + SMOLAGENTS_ENV_DENYLIST from child process env
- safe_send_message() prefixes [smolagents], truncates at 2000 chars, HTML-escapes output
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- google-adk.mdx: update comparison table LangGraph example from
anthropic:claude-sonnet-4-6 → anthropic:claude-opus-4-7
- quickstart.mdx: add callout noting claude-opus-4-7 as the new
default for workspaces that don't pin a model explicitly
Pairs with molecule-core PR #743 / closes#727.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Documents GET /workspaces/:id/events/stream — WorkspaceAuth-guarded
Server-Sent Events endpoint compatible with the AG-UI protocol.
Covers envelope format, event types, curl and JS examples.
Pairs with molecule-core PR #601 (closes#590).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Quick start install example: add @1.0.0 version pin
- .mcp.json Configure example: pin to @1.0.0, remove -y auto-accept flag
- Add Callout warning explaining why pinning is required (unpinned + -y =
arbitrary code execution on package compromise) with link to npm page
- Troubleshooting: update standalone run example to use pinned version
Addresses SAFE-MCP finding NEW-003 (HIGH) from SAFE-MCP audit (PR #808).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Two-Axis Model sources table: replace mutable `github://owner/repo` row with
pinned-tag and pinned-SHA rows; clarify these are now the only valid forms
- Installing a Plugin: update GitHub example to use `#v1.0.0`; add Callout
warning that bare refs return HTTP 422 with link to Supply Chain Security section
- Install Safeguards: add `PLUGIN_ALLOW_UNPINNED` env var row (dev escape hatch)
- New "Supply Chain Security" section: explains pinned-ref enforcement (SAFE-T1102),
shows valid vs invalid ref forms, SHA-256 content integrity option with hash
computation recipe, and PLUGIN_ALLOW_UNPINNED escape hatch
Pairs with monorepo PR #775 (fix(security): plugin supply chain hardening).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- api-reference.mdx: add POST /workspaces/:id/hibernate to Lifecycle table;
callout explaining hibernated vs paused, 503+Retry-After auto-wake pattern,
and hibernation_idle_minutes config option
- concepts.mdx: add workspace status lifecycle table (all 7 statuses);
document hibernation as opt-in automatic cost-saving mode with link to API ref
Pairs with monorepo PR #724 (feat(registry): workspace hibernation).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PR #760 extracted medo.py from builtin_tools (where it was dead code) into
a proper agentskills.io plugin at plugins/molecule-medo/. It is now an
explicit opt-in via local://molecule-medo rather than being silently shipped
in every workspace image.
- Add Platform Opt-in Plugins table with molecule-medo
- Document the three exposed tools: create/update/publish_medo_app
- Show install flow: set MEDO_API_KEY secret, then POST to /plugins
- Show org.yaml example for declarative deployment
Pairs with monorepo PR #760 / closes#741.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PR #784 added pgvector-backed semantic search to GET /workspaces/:id/memories.
When ?q= is supplied and an embedding function is configured, results are
ordered by cosine similarity and include a similarity_score field.
Documents the query parameter, response shape, and graceful FTS fallback
so callers know the endpoint is backwards-compatible.
Pairs with monorepo PR #784 (feat: pgvector semantic search, closes#776).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Workspace config.yaml now supports a `role` field which drives
AGENTS.md generation at startup (PR #763). Every workspace publishes
an AAIF-standard /workspace/AGENTS.md so peers can discover name,
role, description, A2A endpoint, and MCP tools.
- Expand Workspaces section with AGENTS.md auto-generation details
- Add table of AGENTS.md sections and their config.yaml sources
- Add role field to all workspaces in the org definition example
- Document fallback (role → description) and non-fatal startup behaviour
Pairs with monorepo PRs #763 and #794.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds content/docs/workspace-config.mdx covering:
- Config tab overview (how to open, form vs raw YAML mode)
- Claude Settings panel: gating condition, where to find it in the UI
- Effort levels table: low / medium / high / xhigh (extended thinking) / max
with descriptions, use-case guidance, cost/latency/quality tradeoffs
- Task budget: token ceiling, 20k minimum, when it applies, sizing guidance
- config.yaml reference with three annotated examples
- Beta header note: task-budgets-2026-03-13 added automatically by executor
- Executor wiring callout: config stored today, executor wiring ships next release
Updates meta.json: adds workspace-config after concepts in the nav.
Closes#608 (docs portion)
Source PRs: molecule-monorepo#639 (effort + task_budget UI), #654 (max level)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Inserts a hands-on ## Quickstart section between Secrets and Basic usage
in content/docs/google-adk.mdx. Covers workspace creation via REST API,
ready-state polling, first A2A task, multi-turn session state demo, and
Vertex AI alternative. Explains context_id → InMemorySessionService mapping
and google: model prefix stripping — gaps not covered by the reference docs.
Pairs with: Molecule-AI/molecule-monorepo#569 (docs/devrel-feat-550)
Existing docs: Docs PR #4 (google-adk.mdx reference page, already merged)
Source PR: Molecule-AI/molecule-core#550
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pre-draft docs for the google-adk workspace adapter (issue #542, PR #550).
Covers installation, secrets, config reference, A2A compatibility, plugin
support, and troubleshooting. Also adds google-adk to the runtimes table
in architecture.mdx and the runtime list in concepts.mdx.
Closes#542
Co-authored-by: Molecule AI Documentation Specialist <documentation-specialist@agents.moleculesai.app>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Customer-facing documentation site for Molecule AI. Built with Fumadocs
(open-source MIT, Next.js 15 App Router native, Tailwind v4, MDX) so we
own the deployment and aesthetic and can grow into custom doc components
for our agent-canvas flows.
## Why Fumadocs (over Mintlify, Nextra, Docusaurus)
- Open source, no vendor lock-in (vs Mintlify SaaS subscription)
- Built on Next.js 15 App Router — matches our existing canvas stack
- Less opinionated than Nextra; can grow into custom doc components
- React/Tailwind first; team already on this stack
- Ships search, dark mode, Shiki highlighting, MDX out of the box
## Initial structure
- app/ — Next.js App Router (home + docs + search route)
- content/docs/ — MDX source (3 hand-written + 9 stub pages)
- lib/source.ts — Fumadocs loader bound to the MDX content
- mdx-components.tsx — default + future custom MDX renderers
- source.config.ts — MDX compile config
## Hand-written launch content
- index.mdx — landing / what you can build / how it works
- quickstart.mdx — clone repo → docker compose → import template → talk to PM
- concepts.mdx — the five primitives: workspaces / plugins / channels / schedules / canvas
## Stub pages (Documentation Specialist agent fills these in on cron)
- org-template, plugins, channels, schedules
- architecture, api-reference, self-hosting
- observability, troubleshooting
## Ownership
The Documentation Specialist agent in the molecule-dev org template will
own this repo end-to-end:
- Watches PRs landing in the platform monorepo
- Auto-opens docs PRs when public APIs / templates / plugins / channels change
- Runs daily cron to backfill stubs and refresh stale pages
Manual edits welcome. Agent picks up on next cron tick.
