[deploy] Cloudflare Worker for go.moleculesai.app/* (closes internal#71 phase 1) #1

Open
opened 2026-05-08 00:32:34 +00:00 by claude-ceo-assistant · 1 comment

Summary

Deploy the worker.js + wrangler.toml in this repo to a Cloudflare Worker bound to go.moleculesai.app/*. Phase 1 of molecule-ai/internal#71's staged rollout — the migration PRs (plugin-gh-identity#3, molecule-cli#2, molecule-controlplane#32, molecule-core#82) build self-referentially today, but external go install go.moleculesai.app/<area>@latest resolves only after this responder is live.

Acceptance criteria

```bash
# 1. go-import meta tag returns the right SCM mapping
curl -s 'https://go.moleculesai.app/core/platform?go-get=1' | grep go-import
# expected:
# <meta name="go-import" content="go.moleculesai.app/core git https://git.moleculesai.app/molecule-ai/molecule-core">

# 2. End-to-end go install resolves via the responder
go install go.moleculesai.app/cli/cmd/molecule@latest
which molecule    # should land in $GOPATH/bin

# 3. Bare host returns the human index, not 404
curl -s 'https://go.moleculesai.app/' | grep -q "Vanity import host"

# 4. Unknown vanity prefix returns 404 with the documented message
curl -s -o /dev/null -w '%{http_code}\n' 'https://go.moleculesai.app/unknown/path'
# expected: 404

# 5. Path-injection attempts get 400, not 200
# (--path-as-is keeps curl from collapsing /../ before the request is sent)
curl -s --path-as-is -o /dev/null -w '%{http_code}\n' 'https://go.moleculesai.app/../etc/passwd'
# expected: 400
```

Prerequisites

  1. Cloudflare API token with the following scopes, placed in /etc/molecule-bootstrap/all-credentials.env on operator (5.78.80.188) as CLOUDFLARE_API_TOKEN=<token>:
    • Account → Workers Scripts → Edit
    • Zone → DNS → Edit (on moleculesai.app)
    • Zone → Workers Routes → Edit (on moleculesai.app)
  2. wrangler installed on operator host (or wherever the deploy runs from). One-time: npm install -g wrangler.

Deploy command

```bash
cd /path/to/molecule-ai-vanity-import-responder
export CLOUDFLARE_API_TOKEN=$(grep ^CLOUDFLARE_API_TOKEN= /etc/molecule-bootstrap/all-credentials.env | cut -d= -f2-)
wrangler deploy
```

wrangler.toml already declares the route: { pattern = "go.moleculesai.app/*", zone_name = "moleculesai.app" } — so binding happens automatically. DNS for go.moleculesai.app needs to point at Cloudflare's edge (typically a CNAME flattened to the moleculesai.app root or a separate proxied A record); Cloudflare's "Workers + Pages" UI will surface the binding once the worker is published.

Smoke tests after deploy

The five curl commands above. All five must pass.

Rollback

```bash
wrangler delete
```

The migrated PRs still build internally without the responder. Rolling back a botched deploy returns the system to the current pre-deploy state (external go install <vanity> fails; internal builds unaffected). Zero state to migrate.

Out of scope

  • Vanity for container images (registry.go.moleculesai.app/...) — separate RFC.
  • Vanity for npm scope — separate RFC.
  • HA / multi-region failover — Cloudflare Workers run on every edge by default; nothing to configure for HA.

Reporter

Hongming directed staged repo creation to track responder deploy as Gitea issue (post-internal#71 sweep). 2026-05-07.

Related

  • Parent RFC: molecule-ai/internal#71
  • Migration PRs (need this responder for external installs to work):
    • molecule-ai/molecule-ai-plugin-gh-identity#3
    • molecule-ai/molecule-cli#2
    • molecule-ai/molecule-controlplane#32
    • molecule-ai/molecule-core#82
  • Source: this repo (worker.js, wrangler.toml, README.md already pushed to main as commit 56306dd).
Author
Owner

Deploy progress — 2/3 done

| Step | Status |
|---|---|
| ① Worker script uploaded | ✅ `id=go-import-responder` (ES module, 7059 bytes, multipart upload via REST API) |
| ② Worker route bound | ✅ `pattern=go.moleculesai.app/*` → `script=go-import-responder` (route id `6fc72368860a4df3bc934a62c68a8a6d`) |
| ③ DNS record for `go.moleculesai.app` | ❌ Token lacks `Zone:DNS:Edit` scope. Needs manual step OR token-scope widening. |

Smoke test

```
$ curl -s 'https://go.moleculesai.app/core/platform?go-get=1'
network: <urlopen error [Errno -2] Name or service not known>
```

go.moleculesai.app doesn't resolve yet — DNS record below would unblock.

What's needed for step ③

Add a DNS record on the moleculesai.app zone in Cloudflare (5 fields, ~20 seconds):

| Field | Value |
|---|---|
| Type | AAAA |
| Name | `go` |
| IPv6 address | `100::` |
| Proxy status | Proxied (orange cloud) |
| TTL | Auto |

The 100:: placeholder is the standard CF Workers pattern: it's a non-routable address that signals "this is a Worker-served hostname." Cloudflare's edge intercepts the request at the route binding (already wired) and serves it via the Worker. No actual origin server is needed.

(Alternative: CNAME go → moleculesai.app proxied=true also works. AAAA 100:: is preferred because it skips the upstream-origin lookup entirely.)

Alternatively — widen the token

If you'd rather have me complete this without a manual step, the existing CLOUDFLARE_API_TOKEN (id 12ab594f85ddd…) needs Zone.DNS.Edit added to its scope on the moleculesai.app zone. With that, I can re-run the deploy and add the DNS record via API.

Verification once DNS lands

```bash
# 1. Resolution
dig +short go.moleculesai.app    # expect a Cloudflare-anycast address

# 2. Worker behavior
curl -s 'https://go.moleculesai.app/' | grep -o "Vanity import host"
# expected: Vanity import host

curl -s 'https://go.moleculesai.app/core/platform?go-get=1' | grep go-import
# expected:
#   <meta name="go-import" content="go.moleculesai.app/core git https://git.moleculesai.app/molecule-ai/molecule-core">

# 3. End-to-end go install
go install go.moleculesai.app/cli/cmd/molecule@latest
which molecule    # in $GOPATH/bin

# 4. Path validation
# (--path-as-is keeps curl from collapsing /../ before the request is sent)
curl -s --path-as-is -o /dev/null -w '%{http_code}\n' 'https://go.moleculesai.app/../etc/passwd'
# expected: 400
```

Worker code update

The initial commit (56306dd) had both Service-Worker (addEventListener('fetch', …)) and ES-module (export default { fetch }) syntax for vendor-portability. CF Workers rejects mixed syntax during upload (Uncaught SyntaxError: Unexpected token 'export' at line 165). Pushed a follow-up commit replacing the file with ES-module-only — same external behavior, runs unchanged on CF Workers + Vercel Edge + Deno Deploy. The deployed Worker reflects the corrected file.

Tracking

  • Tracked task in this repo: this issue (#1)
  • Adjacent task tracked elsewhere: #213 (the orchestration-side hand-off note Hongming relayed)
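
The routing and path validation that the acceptance criteria exercise (index on the bare host, go-import meta for a known prefix, 404 for an unknown one, 400 for traversal), as an added example that is not part of the issue or the repository's worker.js. It validates the raw request target because WHATWG URL parsing collapses dot segments, so a check on the parsed pathname never sees `..`. `MODULES`, `parseRawPath`, `respond` and `normalizedPath` are hypothetical names, and the 400/404 message bodies are placeholders.

```javascript
// Added example, not the repository's worker.js. MODULES, parseRawPath and
// respond are hypothetical names; the 400/404 message bodies are placeholders.
const HOST = "go.moleculesai.app";
const MODULES = {
  // The one prefix -> repo mapping shown in the issue's expected output.
  core: "https://git.moleculesai.app/molecule-ai/molecule-core",
};
const SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]*$/; // rejects ".", "..", ".git"

// Parse the raw request path (no query) into segments, or return null if any
// segment is unsafe. Must run before URL normalization.
function parseRawPath(rawPath) {
  if (!rawPath.startsWith("/")) return null;
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath); // expose %2e%2e and %2f
  } catch {
    return null; // malformed percent-encoding
  }
  const segments = decoded.split("/").slice(1);
  if (segments[segments.length - 1] === "") segments.pop(); // trailing slash
  return segments.every((s) => SEGMENT.test(s)) ? segments : null;
}

function respond(rawTarget) {
  const rawPath = rawTarget.split("?", 1)[0];
  const segments = parseRawPath(rawPath);
  if (segments === null) return { status: 400, body: "invalid path" };
  if (segments.length === 0) return { status: 200, body: "Vanity import host" };
  const area = segments[0];
  // hasOwnProperty keeps inherited keys such as "constructor" out of the lookup.
  if (!Object.prototype.hasOwnProperty.call(MODULES, area)) {
    return { status: 404, body: "unknown import path" };
  }
  const meta = `<meta name="go-import" content="${HOST}/${area} git ${MODULES[area]}">`;
  return { status: 200, body: meta };
}

// What a check on the parsed URL would see: dot segments are already gone.
function normalizedPath(rawTarget) {
  return new URL(`https://${HOST}${rawTarget}`).pathname;
}
```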
Reference: molecule-ai/molecule-ai-vanity-import-responder#1