Fixes molecule-core#1957: agent identity collapse where all agents share
one GitHub PAT and their writes attribute to the CEO.
This plugin takes the pragmatic "wrap, don't multiply identities" path:
- Injects MOLECULE_AGENT_ROLE / OWNER / ATTRIBUTION_BADGE per workspace
- Ships a shell wrapper for `gh` that:
* prepends an attribution badge to issue/PR bodies on publish
* rewrites --assignee @me to the role's designated human owner
* emits an NDJSON audit log to /var/log/molecule-gh.ndjson
- Wrapper is shipped as base64 env var; each workspace template's
install.sh decodes and writes it to /usr/local/bin/gh
Scales where GitHub Apps / machine users don't: adding a new agent role
is one entry in config.yaml, not a GitHub UI roundtrip per role.
See README + known-issues.md for the v2-architecture migration plan.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
4fd5ac7be3