Merge pull request 'ci: rename .github/workflows -> .gitea/workflows (post-suspension sweep)' (#8 ) from ci-rename-github-to-gitea into main

ci: rename .github/workflows -> .gitea/workflows (post-suspension sweep)
GitHub org Molecule-AI was suspended 2026-05-06; SCM moved to Gitea (git.moleculesai.app). The wholesale `git push --mirror` migration left workflow files under .github/workflows/, which Gitea Actions does NOT read - it reads .gitea/workflows/ exclusively. This rename + the cross-repo `uses:` path rewrite are the minimum edits to make CI fire on this repo again. The workflow content itself is not modified (other than the path rewrites and lowercasing of the old `Molecule-AI` org reference to the post-suspension `molecule-ai`). Refs: feedback_post_suspension_migration_must_sweep_dormant_repos
2026-05-10 21:18:18 +00:00 · 2026-05-10 14:13:22 -07:00 · 2026-05-10 19:51:56 +00:00 · 2026-05-10 19:51:18 +00:00 · 2026-05-10 16:23:14 +00:00 · 2026-05-10 16:19:58 +00:00
6 changed files with 50 additions and 6 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@ -0,0 +1,5 @@
+name: CI
+on: [push, pull_request]
+jobs:
+  validate:
+    uses: molecule-ai/molecule-ci/.gitea/workflows/validate-plugin.yml@main
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -1,5 +0,0 @@
-name: CI
-on: [push, pull_request]
-jobs:
-  validate:
-    uses: molecule-ai/molecule-ci/.github/workflows/validate-plugin.yml@main
--- a/.gitignore
+++ b/.gitignore
@ -19,3 +19,20 @@
 # Workspace auth tokens
 .auth-token
 .auth_token
+
+# Python bytecode (append only — do not remove entries above)
+__pycache__/
+*.pyc
+.pytest_cache/
+# Python bytecode (append only — do not remove entries above)
+__pycache__/
+*.pyc
+*.py[cod]
+*$py.class
+.Python
+*.egg-info/
+*.egg
+.pytest_cache/
+build/
+dist/
+.eggs/
--- a/plugin.yaml
+++ b/plugin.yaml
@ -1,5 +1,5 @@
 name: molecule-careful-bash
-version: 1.0.0
+version: 1.0.1
 description: Refuse destructive bash commands (git push --force to main, rm -rf at root, DROP TABLE prod). PreToolUse:Bash hook.
 author: Molecule AI
 tags: [molecule, guardrails]
--- a/tests/README.md
+++ b/tests/README.md
@ -0,0 +1,27 @@
+# Test Coverage — molecule-careful-bash
+
+## What We Test
+
+This plugin has **executable hooks** (Python), so it warrants real unit tests.
+
+| File | Tests | Coverage |
+|------|-------|---------|
+| `hooks/pre-bash-careful.py` | 35 pytest tests | Destructive command blocking, token exfiltration prevention |
+
+## Test Categories
+
+| Class | Count | What |
+|-------|-------|------|
+| `TestRefuseForcePush` | 5 | `git push --force` to main/master blocked; feature branches allowed |
+| `TestRefuseGitResetHard` | 3 | `git reset --hard` on main blocked; feature branches allowed |
+| `TestRefuseSQLDestructive` | 4 | `DROP TABLE/DATABASE prod` blocked; test/sandbox allowed |
+| `TestRefuseRmRf` | 5 | `rm -rf /`, home, `.git` blocked; safe paths allowed |
+| `TestTokenExfiltrationBlocking` | 13 | Token file reads, `env \| grep` secrets, credential path exfil blocked |
+| `TestWarnList` | 2 | Warning-only patterns: `--force-with-lease`, `close` PR |
+| Safe-prompt passthrough | 3 | Legitimate commands (normal push, grep for non-secret, non-token files) pass through |
+
+## Running Tests
+
+```bash
+python -m pytest tests/ -v
+```
--- a/tests/pycache/test_pre_bash_careful.cpython-311-pytest-9.0.3.pyc
+++ b/tests/pycache/test_pre_bash_careful.cpython-311-pytest-9.0.3.pyc
Author	SHA1	Message	Date
Molecule AI · sdk-lead	a2ba1e38f1	Merge pull request 'ci: rename .github/workflows -> .gitea/workflows (post-suspension sweep)' (#8 ) from ci-rename-github-to-gitea into main All checks were successful CI / validate (push) Successful in 1m16s Details	2026-05-10 21:18:18 +00:00
infra-sre	a6caa3b944	ci: rename .github/workflows -> .gitea/workflows (post-suspension sweep) All checks were successful CI / validate (push) Successful in 58s Details CI / validate (pull_request) Successful in 58s Details GitHub org Molecule-AI was suspended 2026-05-06; SCM moved to Gitea (git.moleculesai.app). The wholesale `git push --mirror` migration left workflow files under .github/workflows/, which Gitea Actions does NOT read - it reads .gitea/workflows/ exclusively. This rename + the cross-repo `uses:` path rewrite are the minimum edits to make CI fire on this repo again. The workflow content itself is not modified (other than the path rewrites and lowercasing of the old `Molecule-AI` org reference to the post-suspension `molecule-ai`). Refs: feedback_post_suspension_migration_must_sweep_dormant_repos	2026-05-10 14:13:22 -07:00
claude-ceo-assistant	bf8f649996	chore(ci): remove recovery marker (rerun delivered, see internal#233) Some checks failed CI / validate (push) Failing after 1s Details	2026-05-10 19:51:56 +00:00
claude-ceo-assistant	31ce9b05e2	chore(ci): re-fire after incident recovery 2026-05-10 (see internal#233; revert me) Some checks failed CI / validate (push) Failing after 2s Details	2026-05-10 19:51:18 +00:00
Molecule AI · sdk-lead	3b400bb757	Merge pull request 'chore: plugin hygiene — .gitignore Python ignores + __pycache__ cleanup' (#7 ) from plugin/hygiene into main Some checks failed CI / validate (push) Failing after 1s Details	2026-05-10 16:23:14 +00:00
Molecule AI · plugin-dev	e9b2b0b61c	chore: append Python ignores to .gitignore Some checks failed CI / validate (push) Failing after 1s Details CI / validate (pull_request) Failing after 2s Details	2026-05-10 16:19:58 +00:00
Molecule AI · plugin-dev	d13e827ed8	chore: remove committed __pycache__/test_pre_bash_careful.cpython-311-pytest-9.0.3.pyc Some checks failed CI / validate (push) Failing after 1s Details	2026-05-10 16:18:36 +00:00
Molecule AI · sdk-lead	4cbe3ddf23	Merge pull request 'docs+ci(molecule-careful-bash): add tests/README.md + append Python ignores to .gitignore' (#6 ) from plugin/test-coverage into main Some checks failed CI / validate (push) Failing after 1s Details	2026-05-10 14:12:25 +00:00
Molecule AI Plugin-Dev	f7b98959fa	docs+ci(molecule-careful-bash): add tests/README.md + append Python ignores to .gitignore Some checks failed CI / validate (pull_request) Failing after 2s Details CI / validate (push) Failing after 3s Details - Document 35-test coverage across 6 test categories (destructive command blocking, token exfiltration prevention, safe-prompt passthrough) - Add __pycache__/, *.pyc, .pytest_cache/ to .gitignore (append only — all security entries preserved) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-10 14:11:19 +00:00
Molecule AI Infra-SRE	b874be18c5	chore: bump version to 1.0.1 — OFFSEC-002 resolved (#4 ) All checks were successful CI / validate (push) Successful in 1m7s Details [sdk-lead-agent] Version bump tracking the OFFSEC-002 token-exfil fix that landed in #3. CI green. Approved + merged. Co-authored-by: Molecule AI Infra-SRE <infra-sre@agents.moleculesai.app> Co-committed-by: Molecule AI Infra-SRE <infra-sre@agents.moleculesai.app>	2026-05-10 11:36:19 +00:00