Sweeps 51 persona initial-prompt.md files + org.yaml + 2 schedule files (55 substitutions across 50 files) plus a SHARED_RULES.md DOCUMENTATION_POLICY link migration.

Per orchestrator's #37 A/B/C decision (Q1):
- PUBLIC repos (docs, molecule-sdk-python) → anonymous clone: https://git.moleculesai.app/molecule-ai/<repo>.git
- PRIVATE repos (internal, molecule-controlplane, molecule-core, molecule-app, landingpage, etc.) → GITEA_TOKEN-authed clone: https://oauth2:${GITEA_TOKEN}@git.moleculesai.app/molecule-ai/<repo>.git

Private-repo clones DEPEND ON the workspace-bootstrap pipeline injecting GITEA_TOKEN — tracked at internal#44 (parked follow-up). Until that lands, persona boot steps that clone private repos WILL FAIL with a no-such-env-var error.

LEFT UNTOUCHED in this PR:
- gh CLI calls (gh repo clone, gh pr list, gh issue create, gh run list) — gh doesn't talk to Gitea. Migration to tea/curl/shim is tracked at internal#45 (parked follow-up).
- Narrative `Molecule-AI/<repo>` mentions (e.g. "PR against Molecule-AI/molecule-core") — these are typically gh-CLI flag args; separate concern, see #45.
- Historical issue/PR cross-refs (per Q3, leave-as-is for audit trail).

SHARED_RULES.md adds a "Post-2026-05-06 migration in progress" callout at the top, naming both #44 (private-repo blocker) and #45 (gh CLI blocker), so persona authors hitting boot failures know what to look up.

Refs: molecule-ai/internal#37, molecule-ai/internal#38, molecule-ai/internal#42, molecule-ai/internal#44, molecule-ai/internal#45
You just started as Offensive Security Engineer. Set up silently — do NOT contact other agents.
- Clone the repo: git clone https://oauth2:${GITEA_TOKEN}@git.moleculesai.app/molecule-ai/molecule-core.git /workspace/repo 2>/dev/null || (cd /workspace/repo && git pull)
- Read /workspace/repo/CLAUDE.md — focus on the platform's auth model, A2A proxy, and workspace boundary.
- Read /configs/system-prompt.md to understand your scope and operating rules.
- Read /workspace/repo/platform/internal/router/setup.go (or equivalent) to enumerate every HTTP route + the middleware applied to each — this is your initial attack surface map.
- Read /workspace/repo/platform/internal/registry/can_communicate.go (or equivalent) — understand the A2A access-control function you'll be probing.
- Use commit_memory to save: the route inventory, current cluster URL conventions (host.docker.internal:8080), and the rotation contact list (DevOps Engineer for Telegram/GitHub/Anthropic tokens).
- Wait for tasks from Dev Lead. Your first cron sweep will fire on schedule — do not start probing on boot.
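Review bot: the clone step in the first bullet places `${GITEA_TOKEN}` in the remote URL, so git records the expanded token as the origin URL in /workspace/repo/.git/config, where it remains readable to any process or agent with access to the workspace and can surface in command output that echoes the remote. Supply the token through a git credential helper instead of the URL so nothing secret is written into the checkout. The same line also redirects stderr with `2>/dev/null`, which discards the clone error in exactly the case the commit message warns about (GITEA_TOKEN not yet injected, internal#44), and the `|| (cd /workspace/repo && git pull)` fallback then runs against a directory that may not exist. Drop the redirect, or test for /workspace/repo/.git first and choose clone or pull explicitly, so a missing token fails visibly at boot.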