f1bede31a8
Adds a secret-scan gate alongside the existing internal-paths block in the runtime's bundled pre-commit hook. Runs on every commit in every repo (not scoped to Molecule-AI public repos like the internal-paths block) — refuses any staged addition matching a high-value credential shape and prints a recovery message that does NOT echo the secret value. Pattern set covers GitHub family (ghp_, ghs_, gho_, ghu_, ghr_, github_pat_), Anthropic / OpenAI / Slack / AWS — same shape as the tenant-proxy CI scanner; keep aligned when either side adds a pattern. Single hook file dispatches both checks (renamed pre-commit-block-internal-paths.sh → pre-commit-checks.sh) so each agent commit pays one git-config + one hook-install surface, not two. Both checks share the existing fast-paths (skip if GIT_AUTHOR_NAME unset; skip during rebase / cherry-pick / merge / revert). End-to-end test exercises a real bash subprocess against a real temp git repo with real staged content. Three cases: - ghs_-prefixed token in package.json (the actual #2090 vector) → refuse - clean README → pass through - sk-ant- key in a non-Molecule-AI repo → refuse (secret scan is universal, internal-paths block is not) Skipped when bash is not on PATH so Windows test environments without WSL stay green. Bumps version 0.1.15 → 0.1.16. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .github/workflows | ||
| molecule_runtime | ||
| tests | ||
| .gitignore | ||
| pyproject.toml | ||
| README.md | ||
molecule-ai-workspace-runtime
Shared Python runtime infrastructure for all Molecule AI agent adapters.
This package provides the core machinery that every Molecule AI workspace container needs:
- A2A server — Registers with the platform, heartbeats, serves A2A JSON-RPC
- Adapter interface —
BaseAdapter/AdapterConfig/SetupResult - Built-in tools — delegation, memory, approvals, sandbox, telemetry
- Skill loader — loads and hot-reloads skill modules from
/configs/skills/ - Plugin system — per-workspace + shared plugin discovery and install
- Config / preflight — YAML config loading with validation
Installation
pip install molecule-ai-workspace-runtime
Adapter Discovery
The runtime discovers adapters in two ways:
-
ADAPTER_MODULEenv var (standalone adapter repos):ADAPTER_MODULE=my_adapter molecule-runtimeThe module must export an
Adapterclass extendingBaseAdapter. -
Built-in subdirectory scan (monorepo local dev): Scans
molecule_runtime/adapters/subdirectories forAdapterclasses.
Writing an Adapter
from molecule_runtime.adapters.base import BaseAdapter, AdapterConfig
from a2a.server.agent_execution import AgentExecutor
class Adapter(BaseAdapter):
@staticmethod
def name() -> str:
return "my-runtime"
@staticmethod
def display_name() -> str:
return "My Runtime"
@staticmethod
def description() -> str:
return "My custom agent runtime"
async def setup(self, config: AdapterConfig) -> None:
result = await self._common_setup(config)
# Store result attributes for create_executor
async def create_executor(self, config: AdapterConfig) -> AgentExecutor:
# Return an AgentExecutor instance
...
Set ADAPTER_MODULE=my_package.adapter and run molecule-runtime.
License
BSL-1.1 — see LICENSE for details.