Two refs to migrate:
- CLAUDE.md:147 (Setup section)
- runbooks/local-dev-setup.md:19 (Step 1)
Note: this repo is PRIVATE on Gitea. The clone URL uses the canonical
Gitea path; the runbook reader handles auth via SSH key, git
credential helper, or a personal token. Same convention as the rest
of the workspace-template + plugin-* PRs in the #37 series.
Refs: molecule-ai/internal#37, molecule-ai/internal#38
Previous commit's regex substitution dropped `COPY requirements.txt .`
and the initial `RUN pip install --no-cache-dir -r requirements.txt`
because of a bash-heredoc escape interaction (the \1 backref was
consumed before the python regex saw it, leaving a SOH char). This
restores both lines with the conditional version-pin upgrade after.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the cache trap structurally for this template — same fix
already shipped in claude-code + hermes. publish-image.yml caller
forwards client_payload.runtime_version (set by cascade) to the
molecule-ci reusable workflow as runtime_version input. Reusable
workflow forwards it to docker build as a --build-arg. Dockerfile
declares ARG RUNTIME_VERSION before the pip install layer so cache
key is sensitive to the version. The pip install RUN does an extra
targeted upgrade to guarantee the exact version when ARG is set.
Pairs with molecule-ci PR #12 + molecule-core PR #2181.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two compounding bugs from the post-#87 extraction:
1. adapter.py never aliased GeminiCLIAdapter to the contract name
`Adapter`, which `molecule_runtime.adapters.get_adapter()` reads
via `getattr(mod, "Adapter")`. Without it, every gemini-cli
workspace startup fails preflight with "no `Adapter` class is
exported".
2. Four bare imports of runtime modules
(`from config`, `from executor_helpers` in adapter.py + cli_executor.py)
never got qualified to `from molecule_runtime.X import Y`. They
worked when the runtime was bundled into workspace/ where bare
imports resolved against sibling files; in the standalone template
repo they explode with ModuleNotFoundError.
Same migration debt as fixed in claude-code template
(commits 280e89c and e7dea39). The pattern across templates was
sniffed out by tonight's wire-real E2E sweep; the OTHER 5 templates
(langgraph, crewai, autogen, deepagents, openclaw) also need the
Adapter alias added — file separately. langgraph + deepagents also
have bare `from a2a_executor import LangGraphA2AExecutor` — same fix.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirrors molecule-ai-workspace-template-claude-code's PR #13: move the
adapter-specific executor file out of molecule-runtime into the template
that consumes it (molecule-core task #87 / #122).
Adds:
- cli_executor.py (465 LOC) — copied verbatim from
molecule-core/workspace/cli_executor.py @ commit 66b9c040.
- Dockerfile: COPY cli_executor.py . alongside adapter.py.
The adapter at adapter.py:118 already does
`from cli_executor import CLIAgentExecutor` — once this file lands at
/app/, Python's import order picks the local copy over the same-named
module that older molecule-runtime versions ship under site-packages.
Pure additive at this stage — molecule-runtime still ships the file too,
so any image built from this template just has two copies on disk
(local /app shadows the site-packages one). No behavior change.
Note on the file's RUNTIME_PRESETS dict: it contains entries for
codex / ollama / gemini-cli, but neither codex nor ollama has a
template repo today (verified 2026-04-27 against the
Molecule-AI/molecule-ai-workspace-template-* repo list). They're
unreachable in production. The presets travel with the file here only
because trimming them would diverge from the molecule-core source —
when the molecule-core deletion lands they'll vanish naturally.
Sequencing (the molecule-core PR follows AFTER this image rebuilds):
1. THIS PR — template gets local copy, image rebuilds with it
(current PR; safe because no removal yet)
2. molecule-core PR — drop workspace/cli_executor.py, bump runtime
PyPI version. Templates that haven't pulled the new runtime
version still work because their local copy is unchanged.
Reverse order (drop from runtime first) would break any template
image build pulling the latest runtime mid-sequence.
Source: molecule-core/workspace/cli_executor.py @ 66b9c040 (commit
hash pinned for traceability of any future divergence).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds 'repository_dispatch' trigger (event-type: runtime-published) so
molecule-core's publish-runtime.yml cascade job can fire this template's
image rebuild after a new molecule-ai-workspace-runtime PyPI release.
Without this, every runtime release waited for the next push: main /
manual workflow_dispatch to propagate to the published image. With it,
runtime fixes flow monorepo → PyPI → all 8 template images
automatically.
Part of the runtime CD chain. See molecule-core docs/workspace-runtime-package.md.
Co-authored-by: Hongming Wang <hongmingwangalt@gmail.com>
Pin LF on shell, Python, YAML, and Dockerfile so Windows Docker Desktop
checkouts don't introduce CRLF that breaks #!/bin/sh shebangs in the
container — that exact failure mode took down 14 workspaces during
#1933 fix v1 (exec /entrypoint.sh: no such file or directory cascade).
Same pattern as the .gitattributes already in
molecule-ai-workspace-template-claude-code, applied to the other 7
template repos.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a one-line caller for the publish-template-image.yml reusable
workflow in molecule-ci. On every push to main, this repo's
Dockerfile is now built and pushed to
ghcr.io/molecule-ai/workspace-template-gemini-cli:latest (plus a per-commit
sha tag). Closes the gap where template changes required a manual
tenant-side rebuild.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds standard credential gitignore (.env / *.pem / .secrets/ / .auth_token).
Per-CEO directive 2026-04-16: every plugin and template repo should
gitignore credentials so self-hosters can't accidentally commit real
tokens to public repos.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
