molecule-ai/molecule-ai-workspace-runtime

Go to file

rabbitblood 4bafea58ae fix(llm_auth): tighten base-URL hostname match + strip whitespace + no token in logs Self-review findings on #38: 1. Token substring leak: the "unknown prefix" warning included the first 12 chars of the token in the log message. Logs get shipped to Langfuse / CloudWatch / slack-firehose — 12 bytes of a secret in a log is still 12 bytes too many. Warning no longer references the token value at all. 2. Base-URL substring match was too loose: `"anthropic.com" not in base` would accept `https://proxy.anthropic.com.evil.example/` as "looks like Anthropic, keep the URL." Replaced with an allowlist of exact hostnames parsed via urllib.parse.urlparse. 3. Whitespace in pasted tokens: operators frequently paste tokens from terminals with a trailing newline. The token would flow through startswith() detection but then fail downstream auth with a confusing "malformed token" error. Strip and persist the cleaned value. 4. Malformed base URL crash guard: if someone sets ANTHROPIC_BASE_URL to something urlparse can't handle, don't crash — fall through to clearing it, which is the safe choice in OAuth mode. Added 5 new tests covering each of the above. 16/16 tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>		2026-04-23 10:46:07 -07:00
.github/workflows	fix(CI): remove conflicting bandit flags from security linter step	2026-04-21 00:58:43 +00:00
molecule_runtime	fix(llm_auth): tighten base-URL hostname match + strip whitespace + no token in logs	2026-04-23 10:46:07 -07:00
tests	fix(llm_auth): tighten base-URL hostname match + strip whitespace + no token in logs	2026-04-23 10:46:07 -07:00
.gitignore	chore: gitignore credentials for molecule-ai-workspace-runtime	2026-04-16 09:18:48 -07:00
pyproject.toml	chore: bump 0.1.8 — executor_helpers phantom-busy fix confirmed in tree	2026-04-21 07:16:47 -07:00
README.md	feat: initial release of molecule-ai-workspace-runtime 0.1.0	2026-04-16 04:26:06 -07:00

README.md

molecule-ai-workspace-runtime

Shared Python runtime infrastructure for all Molecule AI agent adapters.

This package provides the core machinery that every Molecule AI workspace container needs:

A2A server — Registers with the platform, heartbeats, serves A2A JSON-RPC
Adapter interface — BaseAdapter / AdapterConfig / SetupResult
Built-in tools — delegation, memory, approvals, sandbox, telemetry
Skill loader — loads and hot-reloads skill modules from /configs/skills/
Plugin system — per-workspace + shared plugin discovery and install
Config / preflight — YAML config loading with validation

Installation

pip install molecule-ai-workspace-runtime

Adapter Discovery

The runtime discovers adapters in two ways:

ADAPTER_MODULE env var (standalone adapter repos):
```
ADAPTER_MODULE=my_adapter molecule-runtime
```
The module must export an Adapter class extending BaseAdapter.
Built-in subdirectory scan (monorepo local dev): Scans molecule_runtime/adapters/ subdirectories for Adapter classes.

Writing an Adapter

from molecule_runtime.adapters.base import BaseAdapter, AdapterConfig
from a2a.server.agent_execution import AgentExecutor

class Adapter(BaseAdapter):
    @staticmethod
    def name() -> str:
        return "my-runtime"

    @staticmethod
    def display_name() -> str:
        return "My Runtime"

    @staticmethod
    def description() -> str:
        return "My custom agent runtime"

    async def setup(self, config: AdapterConfig) -> None:
        result = await self._common_setup(config)
        # Store result attributes for create_executor

    async def create_executor(self, config: AdapterConfig) -> AgentExecutor:
        # Return an AgentExecutor instance
        ...

Set ADAPTER_MODULE=my_package.adapter and run molecule-runtime.

License

BSL-1.1 — see LICENSE for details.