Molecule AI Infra-Runtime-BE
ac8108a1a7
peer-supplied `summary` and `response_preview` fields written to DELEGATION_RESULTS_FILE by the heartbeat loop were injected into the agent prompt without sanitization — a direct OFFSEC-003 injection path. New `_detect_injection_safe()` helper wraps `builtin_tools.compliance.detect_prompt_injection()` with lazy import and fail-open behaviour. When injection patterns are detected in either `summary` or `response_preview`, the field is replaced with "" before formatting. The delegation metadata (status, task line) is preserved so the agent still knows a delegation completed; only the malicious content is stripped. Fail-open: if builtin_tools.compliance is unavailable (e.g. minimal test environment), the function logs a warning and passes text through. This is acceptable because builtin_tools is always present in production containers; the fail-open only affects degenerate test environments. 6 new tests covering: clean pass-through, injection in summary, injection in preview, truncation of clean preview, no-file path, fail-open when compliance unavailable. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|---|---|---|
| .gitea/workflows | ||
| molecule_runtime | ||
| tests | ||
| .gitignore | ||
| CONTRIBUTING.md | ||
| pyproject.toml | ||
| README.md | ||
molecule-ai-workspace-runtime
⚠️ This repo is a publish artifact, not the source of truth.
Runtime code lives in
Molecule-AI/molecule-core→workspace/. This repo is regenerated and republished from there by thepublish-runtimeworkflow on everyruntime-v*tag.Don't edit files here directly. PRs against this repo will not be merged. Open them against
molecule-coreinstead.
Shared Python runtime infrastructure for all Molecule AI agent adapters.
This package provides the core machinery every Molecule AI workspace container needs:
- A2A server — registers with the platform, heartbeats, serves A2A JSON-RPC
- Adapter interface —
BaseAdapter/AdapterConfig/SetupResult - Built-in tools — delegation, memory, approvals, sandbox, telemetry
- Skill loader — loads and hot-reloads skill modules from
/configs/skills/ - Plugin system — per-workspace + shared plugin discovery and install
- Config / preflight — YAML config loading with validation
Installation
pip install molecule-ai-workspace-runtime
Adapter discovery
The runtime discovers adapters in two ways:
-
ADAPTER_MODULEenv var (standalone adapter repos):ADAPTER_MODULE=adapter molecule-runtimeThe runtime imports
adapterand callsadapter.Adapter. -
Subdirectory scan (monorepo local dev): falls back to scanning
molecule_runtime/adapters/<runtime>/and importing the matching subdir'sAdapterclass.
Contributing
Don't open PRs here. Send your change to
Molecule-AI/molecule-core
under the workspace/ directory. After your PR merges to main and a
runtime-v* tag is pushed, the publish-runtime
workflow rebuilds this mirror + uploads the new wheel to PyPI.
See docs/workspace-runtime-package.md
for the full publishing flow.
Why this split
The runtime needs to ship as a PyPI artifact (so the 8 workspace template
images can pip install it), but it also needs to evolve in lock-step
with the platform's wire protocol (queue shape, A2A metadata, event
payloads). A monorepo edit + auto-publish pipeline gives both: atomic
cross-cutting changes, plus a clean PyPI release on every tag.
For the back-history of why this repo previously was the source of truth
and the drift that caused: see issue Molecule-AI/molecule-core#2103.