Hongming Wang 78ae139609 feat(adapter,entrypoint): boot env audit + crash-loop diagnosis logging
Adds two operator-visible boot diagnostics that close the diagnosis gap
exposed by the 2026-05-02 MiniMax E2E crash-loop. The universal
canvas-picked-model fix (Bug B) and per-model required_env (Bug D) live
in molecule-core PR #2538 — this PR adds the per-template visibility
that complements them so operators can answer "is the key missing or is
routing wrong?" from `docker logs` alone.

Changes
-------
adapter.py:
- _AUTH_ENV_AUDIT tuple of 8 vendor env names (CLAUDE_CODE_OAUTH_TOKEN,
  ANTHROPIC_API_KEY/AUTH_TOKEN/BASE_URL, MINIMAX/GLM/KIMI/DEEPSEEK_API_KEY).
- _audit_auth_env_presence() helper — single INFO line of NAME=set/unset
  pairs. NEVER logs values; the test pins this with a "fake-secret-MUST-
  NOT-LEAK" sentinel that must never appear in the log message.
- One call site at the end of setup()'s boot banner so every workspace
  start emits both "which provider got picked" and "which envs are present"
  in adjacent log lines.

entrypoint.sh:
- log_boot_context() function fired once before the gosu drop (as root)
  and once after (as agent) so an operator can spot env values lost
  across the privilege drop. Emits uid/gid/user/hostname/workspace_id/
  platform_url/configs_dir/workspace_dir + the same 8 env names as
  NAME=set/unset. Mirror of _AUTH_ENV_AUDIT — list pinned in sync by a
  new AST-style test (test_audit_env_list_matches_entrypoint_sh) that
  parses entrypoint.sh and asserts set-equality with adapter.py's tuple.

tests/test_adapter_logging.py (new):
- 4 tests covering the audit contract: every name appears, all-unset
  scenario, empty-string treated as unset (matches routing semantics),
  and the cross-file sync gate against entrypoint.sh's for-loop.
- Stubs molecule_runtime + a2a so the helpers can be imported without
  the real wheel installed in CI (mirrors test_adapter_prevalidate.py's
  scaffolding pattern).

Why this complements molecule-core PR #2538
-------------------------------------------
- PR #2538 makes Bug B (canvas-picked model silently dropped) impossible
  by resolving model centrally in workspace/config.py:load_config —
  every adapter (claude-code, hermes, codex, future ones) gets the
  passthrough for free.
- PR #2538 makes Bug D (preflight rejects valid auth for non-default
  models) impossible by REPLACE-not-union per-entry required_env.
- This template PR is the per-template observability layer: when one
  of those universal fixes regresses (or when an operator misconfigs a
  vendor key), the boot logs say exactly which env was present at each
  tier. Validated end-to-end on workspace
  be27badd-00a7-4cef-91e8-af428175c76f (clean boot, MINIMAX_API_KEY=set
  audited, no crash-loop).

Closes part of molecule-monorepo task #248. Sibling of #2538 for
molecule-core.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 21:41:05 -07:00
.claude feat: initial template content (extracted from molecule-monorepo) 2026-04-16 03:05:40 -07:00
.github/workflows ci: install pyyaml so the YAML-loading test path is exercised 2026-04-30 23:40:47 -07:00
.molecule-ci/scripts docs: add CI validation scripts (#4) 2026-04-21 03:17:30 +00:00
runbooks docs: add known-issues.md and runbooks/local-dev-setup.md 2026-04-22 08:36:22 +00:00
scripts fix: wire up GitHub App token refresh — fixes #1933 2026-04-23 17:57:30 -07:00
tests feat(adapter,entrypoint): boot env audit + crash-loop diagnosis logging 2026-05-02 21:41:05 -07:00
__init__.py feat: add adapter code + Dockerfile for standalone deployment 2026-04-16 04:27:22 -07:00
.gitattributes chore: enforce LF line endings + fix entrypoint.sh CRLF 2026-04-23 17:57:57 -07:00
.gitignore chore: gitignore credentials for molecule-ai-workspace-template-claude-code 2026-04-16 09:15:36 -07:00
adapter.py feat(adapter,entrypoint): boot env audit + crash-loop diagnosis logging 2026-05-02 21:41:05 -07:00
claude_sdk_executor.py chore(executor): runtime_wedge mirror follow-ups from PR #29 review 2026-05-01 18:04:24 -07:00
CLAUDE.md docs(claude): document runtime_wedge integration + dev-channels server tag 2026-05-01 20:04:11 -07:00
config.yaml feat(config): add MiniMax-M2.7-highspeed model entry 2026-04-30 23:30:24 -07:00
Dockerfile Merge branch 'main' into fix/wire-up-gh-token-refresh 2026-04-29 00:56:02 -07:00
entrypoint.sh feat(adapter,entrypoint): boot env audit + crash-loop diagnosis logging 2026-05-02 21:41:05 -07:00
known-issues.md fix(adapter): warn at startup if CLAUDE_CODE_OAUTH_TOKEN is absent (KI-001) 2026-04-29 01:57:16 -07:00
README.md fix: document Token Plan URL support and multi-endpoint routing 2026-04-29 16:56:43 -07:00
requirements.txt chore: bump pin to >=0.1.22 (state_transition_history fix) 2026-04-27 07:39:20 -07:00

template-claude-code-default

Molecule AI workspace template for the claude-code-default runtime.

Usage

In Molecule AI canvas

Select this template when creating a new workspace — it appears in the template picker automatically.

From a URL (community install)

Paste this URL when creating a workspace:

github://Molecule-AI/template-claude-code-default

Files

  • config.yaml — workspace configuration (runtime, model, skills, etc.)
  • system-prompt.md — agent system prompt (if present)

Auth paths

| Path | Env var(s) | Where to get the key |
| --- | --- | --- |
| OAuth (Claude Code subscription) | CLAUDE_CODE_OAUTH_TOKEN | claude login |
| Anthropic API (direct) | ANTHROPIC_API_KEY | console.anthropic.com |
| Third-party Anthropic-compat (e.g. Xiaomi MiMo pay-as-you-go) | ANTHROPIC_API_KEY (provider's key) | provider console |
| Xiaomi MiMo Token Plan | ANTHROPIC_API_KEY (Token Plan key), ANTHROPIC_BASE_URL (Token Plan endpoint) | token-plan dashboard |

For third-party providers, entrypoint.sh rewrites ANTHROPIC_BASE_URL based on the selected MODEL so the claude CLI routes there. Currently auto-routes mimo-* models to https://api.xiaomimimo.com/anthropic (pay-as-you-go). Token Plan users should set ANTHROPIC_BASE_URL=https://token-plan-sgp.xiaomimimo.com/anthropic as a workspace or org-level secret — the shell mapping is the fallback and operator-set values always win. Other Token Plan endpoints (e.g. token-plan-hk.xiaomimimo.com) can be used by setting the secret explicitly.
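
The two behaviours this page describes, as an added shell example that is not the project's entrypoint.sh: the presence-only audit from the commit message above (NAME=set/unset, empty string counted as unset, values never printed) and the precedence rule for ANTHROPIC_BASE_URL. The function names, the constructed model names and the treatment of an empty ANTHROPIC_BASE_URL as unset are assumptions.

```shell
#!/bin/sh
# Added illustration, not the project's entrypoint.sh.
# Function names below are hypothetical.

# The eight env names listed in the commit message (a fixed list, never input).
AUDIT_ENV_NAMES="CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY ANTHROPIC_AUTH_TOKEN \
ANTHROPIC_BASE_URL MINIMAX_API_KEY GLM_API_KEY KIMI_API_KEY DEEPSEEK_API_KEY"

# Emit one line of NAME=set/unset pairs. The value is only tested for
# emptiness and is never written to the output.
audit_auth_env() {
    out=""
    for name in $AUDIT_ENV_NAMES; do
        # eval is safe here only because $name comes from the fixed list above.
        eval "val=\${$name:-}"
        if [ -n "$val" ]; then state=set; else state=unset; fi
        out="${out:+$out }$name=$state"
    done
    unset val
    printf '%s\n' "$out"
}

# Pick the endpoint the API key will be sent to. An operator-set
# ANTHROPIC_BASE_URL always wins; the model-prefix mapping is the fallback.
# Assumption: an empty ANTHROPIC_BASE_URL counts as not set.
resolve_base_url() {
    model="$1"
    if [ -n "${ANTHROPIC_BASE_URL:-}" ]; then
        printf '%s\n' "$ANTHROPIC_BASE_URL"
        return 0
    fi
    case "$model" in
        mimo-*) printf '%s\n' "https://api.xiaomimimo.com/anthropic" ;;
        *)      printf '\n' ;;  # empty: keep the claude CLI's default endpoint
    esac
}

# Demo with constructed values, run in a subshell so nothing leaks out.
(
    ANTHROPIC_API_KEY="constructed-demo-value"
    ANTHROPIC_BASE_URL=""
    echo "boot audit: $(audit_auth_env)"
    echo "base url:   $(resolve_base_url mimo-constructed-model)"
)
```

Logging the resolved URL next to the audit line shows which endpoint receives ANTHROPIC_API_KEY, which is the question to answer when a key appears to be rejected.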

Schema version

template_schema_version: 1 — compatible with Molecule AI platform v1.x.

License

Business Source License 1.1 — © Molecule AI.