molecule-ai/molecule-ai-workspace-runtime
35
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
24 Commits 4 Branches 13 Tags 377 KiB
Python 96.6%
Shell 3.4%
83f87702ea
Go to file
Molecule AI Infra-Runtime-BE 83f87702ea fix(cli_executor + sandbox): CWE-78 auth helper + subprocess warning 
Issue #21 (CWE-78): _create_auth_helper() wrote a shell script using
shlex.quote() which does NOT protect against $(...) command substitution
inside the token value. Replaced with a mode-0600 token file passed via
AGENT_AUTH_TOKEN_FILE env var — token is never interpreted by a shell.

Issue #22 (CWE-266): sandbox subprocess backend warns once at module
load time when active, alerting operators that SANDBOX_BACKEND=docker or
e2b should be used for production isolation.

Co-Authored-By: Infra-Runtime-BE <infra-runtime-be@molecule.ai>
2026-04-20 23:05:57 +00:00
.github/workflows fix: switch top-level from adapters import to absolute imports (#1) 2026-04-16 07:53:03 -07:00
molecule_runtime fix(cli_executor + sandbox): CWE-78 auth helper + subprocess warning 2026-04-20 23:05:57 +00:00
tests Merge pull request #26 from Molecule-AI/fix/plugin-setup-env-scrub 2026-04-20 23:04:33 +00:00
.gitignore chore: gitignore credentials for molecule-ai-workspace-runtime 2026-04-16 09:18:48 -07:00
pyproject.toml fix: pin a2a-sdk<1.0 to keep a2a.server.apps import working 2026-04-20 15:34:27 -07:00
README.md feat: initial release of molecule-ai-workspace-runtime 0.1.0 2026-04-16 04:26:06 -07:00

README.md

molecule-ai-workspace-runtime

Shared Python runtime infrastructure for all Molecule AI agent adapters.

This package provides the core machinery that every Molecule AI workspace container needs:

  • A2A server — Registers with the platform, heartbeats, serves A2A JSON-RPC
  • Adapter interfaceBaseAdapter / AdapterConfig / SetupResult
  • Built-in tools — delegation, memory, approvals, sandbox, telemetry
  • Skill loader — loads and hot-reloads skill modules from /configs/skills/
  • Plugin system — per-workspace + shared plugin discovery and install
  • Config / preflight — YAML config loading with validation

Installation

pip install molecule-ai-workspace-runtime

Adapter Discovery

The runtime discovers adapters in two ways:

  1. ADAPTER_MODULE env var (standalone adapter repos):

    ADAPTER_MODULE=my_adapter molecule-runtime

    The module must export an Adapter class extending BaseAdapter.

  2. Built-in subdirectory scan (monorepo local dev): Scans molecule_runtime/adapters/ subdirectories for Adapter classes.

Writing an Adapter

from molecule_runtime.adapters.base import BaseAdapter, AdapterConfig
from a2a.server.agent_execution import AgentExecutor

class Adapter(BaseAdapter):
    @staticmethod
    def name() -> str:
        return "my-runtime"

    @staticmethod
    def display_name() -> str:
        return "My Runtime"

    @staticmethod
    def description() -> str:
        return "My custom agent runtime"

    async def setup(self, config: AdapterConfig) -> None:
        result = await self._common_setup(config)
        # Store result attributes for create_executor

    async def create_executor(self, config: AdapterConfig) -> AgentExecutor:
        # Return an AgentExecutor instance
        ...

Set ADAPTER_MODULE=my_package.adapter and run molecule-runtime.

License

BSL-1.1 — see LICENSE for details.