The 3-line wrapper at .github/workflows/secret-scan.yml referenced
`uses: molecule-ai/molecule-core/.github/workflows/secret-scan.yml@staging`.
molecule-core is private; act_runner clones cross-repo reusable
workflows anonymously, so the resolve fails at 0s with no logs.
Same root cause + same fix that molecule-controlplane already shipped
(see its secret-scan.yml comment block lines 10-22). Inlining keeps
the gate functional until Gitea is upgraded or the canonical scanner
moves to a public repo. When either lands, this file reverts to the
3-line wrapper.
Refs: internal#46 Phase 3 Class 2.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Gitea is case-sensitive on owner slugs; canonical is lowercase
`molecule-ai/...`. Mixed-case `Molecule-AI/...` refs fail-at-0s
when the runner tries to resolve the cross-repo workflow / checkout.
Same fix as molecule-controlplane#12. Mechanical case-correction;
no behavior change beyond making CI resolve again.
Refs: internal#46
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Calls the canonical workflow shipped in
Molecule-AI/molecule-monorepo#2109. Defense against the #2090-class
leak: a hosted-agent commit slipping a credential-shaped string into
a PR — caught at the PR layer, before merge.
Higher stakes here than most repos: this package publishes to PyPI,
so a leaked credential on a release tag would propagate to every
downstream tenant on next pip install.
Pattern set lives in molecule-monorepo so we don't maintain a
parallel copy here. Pairs with the runtime-side pre-commit hook
(scripts/pre-commit-checks.sh) which catches local commits before
they reach a PR.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This repo is now a publish artifact of Molecule-AI/molecule-core/workspace/.
Runtime code edits go to the monorepo; the publish-runtime workflow
regenerates this mirror + uploads to PyPI on every runtime-v* tag.
Changes:
- Delete .github/workflows/publish.yml. PyPI publishing now happens only
from the monorepo's publish-runtime workflow. Without removing this,
two different code shapes could reach PyPI depending on which workflow
fired (the drift this lockdown is preventing).
- Delete .github/workflows/auto-promote-staging.yml. The staging→main
fast-forward dance has no purpose on a mirror repo — the mirror is
rebuilt wholesale on each release.
- Replace .github/workflows/ci.yml with a 'mirror-guard' job that fails
on any pull_request event with a clear redirect message. Push events
are still allowed (so existing in-flight branches don't all turn red
while the migration finishes); that allowance becomes a follow-up
removal once the auto-sync from monorepo is wired up.
- Rewrite README.md with a prominent ⚠ banner pointing at the monorepo.
- Add CONTRIBUTING.md with the explicit redirect table.
What this does NOT do:
- Wire up the auto-sync from monorepo → this repo. The
publish-runtime workflow currently uploads to PyPI but doesn't push
the rewritten tree back here. As a follow-up, extend that workflow
with a step that commits the build dir to this repo's main. Until
then this repo's contents will go stale relative to PyPI — but
that's fine because no one should be reading code from here anyway.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
PR #31 added `-ll --severity-level=high` but these flags conflict:
- `-ll` is a shorthand for `--level low` (only show low+ issues)
- `--severity-level=high` suppresses everything but high-severity issues
The combination causes bandit to exit 2 because `--severity-level` is
not allowed alongside `-l/--level`. Use `--severity-level=high` alone.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PR #29 introduced WORKSPACE_ID validation at module import time
(platform_auth.py). The CI environment did not set WORKSPACE_ID,
causing 8 failures + 13 errors on every main push. Add a dummy
CI-only value so imports succeed without affecting real workspaces.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Bandit runs on every PR against molecule_runtime/ at high severity.
Addresses audit recommendation from issue #9.
Co-authored-by: Molecule AI Infra-Runtime-BE <infra-runtime-be@agents.moleculesai.app>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Every modular workspace template repo (claude-code, hermes, langgraph,
…) was crashing on boot with:
KeyError: "Unknown runtime '<runtime>'. Available: "
Root cause: `molecule_runtime/main.py` and four other modules used
top-level imports like `from adapters import get_adapter` — a monorepo
legacy that resolved when something on sys.path had an `adapters/`
package. Standalone template repos COPY only `adapter.py` (singular) to
/app and don't ship an `adapters/` package, so this import path went
through some side-resolution that left `get_adapter` unable to see the
user's adapter. The ADAPTER_MODULE → import → getattr → issubclass
chain then silently fell through to the discovery branch and reported
"Unknown runtime".
Fix is one-line per file: `from adapters` → `from molecule_runtime.adapters`
in:
- molecule_runtime/main.py:27
- molecule_runtime/a2a_executor.py:44
- molecule_runtime/coordinator.py:20
- molecule_runtime/prompt.py:6
- molecule_runtime/builtin_tools/temporal_workflow.py:417
Tests + CI added so this regression class is caught at PR time, not at
runtime in self-hosters' clusters:
- tests/test_imports.py: parametrised import smoke for every previously
affected module + a grep guard that fails if any future change
reintroduces a top-level `from adapters` / `import adapters` line
- .github/workflows/ci.yml: runs the smoke on every PR (no CI existed
before — the publish workflow only fires on tag push)
Closes #1.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
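The grep guard described in the message above, as an added example of how such a regression check can be written; it is not the project's own tests/test_imports.py, and the sample package tree it scans is constructed inline so it runs offline.

```python
"""Regression guard for the bare-import bug class described above: fail if
any .py file under the package reintroduces `from adapters ...` or
`import adapters` instead of the qualified `molecule_runtime.adapters`.
Added example, not the project's tests/test_imports.py; the sample tree
below is constructed."""
import re
import tempfile
from pathlib import Path

# Matches only the bare forms; `from molecule_runtime.adapters import ...`
# starts with a different module name and is left alone.
BARE_ADAPTERS_IMPORT = re.compile(
    r"^\s*(?:from\s+adapters(?:\.\w+)*\s+import\b|import\s+adapters\b)"
)


def find_bare_adapters_imports(root: Path) -> list[tuple[str, int, str]]:
    """Return (path relative to root, 1-based line number, stripped line)
    for every offending line, in path order."""
    hits = []
    for path in sorted(root.rglob("*.py")):
        lines = path.read_text(encoding="utf-8").splitlines()
        for lineno, line in enumerate(lines, start=1):
            if BARE_ADAPTERS_IMPORT.match(line):
                hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return hits


def build_sample_tree() -> Path:
    """Constructed sample package: one correct module and two regressions."""
    root = Path(tempfile.mkdtemp())
    files = {
        "molecule_runtime/main.py":
            "import os\nfrom molecule_runtime.adapters import get_adapter\n",
        "molecule_runtime/coordinator.py":
            "import os\n\nfrom adapters import get_adapter  # regression\n",
        "molecule_runtime/prompt.py": "import adapters\n",
    }
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")
    return root


if __name__ == "__main__":
    # Non-zero exit on any hit, so CI fails the PR that reintroduced the line.
    offenders = find_bare_adapters_imports(build_sample_tree())
    for rel, lineno, text in offenders:
        print(f"{rel}:{lineno}: {text}")
    raise SystemExit(1 if offenders else 0)
```

Pointing `find_bare_adapters_imports` at the real package directory instead of the constructed tree turns it into the CI guard; the import smoke for the listed modules is a separate, parametrised `importlib.import_module` check.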
Extracts shared workspace runtime from molecule-monorepo/workspace-template
into a publishable PyPI package.
- molecule_runtime/ package with all shared infrastructure modules
- Adapter discovery via ADAPTER_MODULE env var (standalone repos) + built-in scan
- molecule-runtime console script entry point (main_sync)
- CI workflow to publish on version tags
- Published to PyPI as molecule-ai-workspace-runtime==0.1.0
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>