Mirrors molecule-ai-workspace-template-claude-code's PR #13: move the
adapter-specific executor file out of molecule-runtime into the template
that consumes it (molecule-core task #87 / #122).
Adds:
- cli_executor.py (465 LOC) — copied verbatim from
molecule-core/workspace/cli_executor.py @ commit 66b9c040.
- Dockerfile: COPY cli_executor.py . alongside adapter.py.
The adapter at adapter.py:118 already does
`from cli_executor import CLIAgentExecutor` — once this file lands at
/app/, Python's import order picks the local copy over the same-named
module that older molecule-runtime versions ship under site-packages.
Pure additive at this stage — molecule-runtime still ships the file too,
so any image built from this template just has two copies on disk
(local /app shadows the site-packages one). No behavior change.
Note on the file's RUNTIME_PRESETS dict: it contains entries for
codex / ollama / gemini-cli, but neither codex nor ollama has a
template repo today (verified 2026-04-27 against the
Molecule-AI/molecule-ai-workspace-template-* repo list). They're
unreachable in production. The presets travel with the file here only
because trimming them would diverge from the molecule-core source —
when the molecule-core deletion lands they'll vanish naturally.
Sequencing (the molecule-core PR follows AFTER this image rebuilds):
1. THIS PR — template gets local copy, image rebuilds with it
(current PR; safe because no removal yet)
2. molecule-core PR — drop workspace/cli_executor.py, bump runtime
PyPI version. Templates that haven't pulled the new runtime
version still work because their local copy is unchanged.
Reverse order (drop from runtime first) would break any template
image build pulling the latest runtime mid-sequence.
Source: molecule-core/workspace/cli_executor.py @ 66b9c040 (commit
hash pinned for traceability of any future divergence).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds 'repository_dispatch' trigger (event-type: runtime-published) so
molecule-core's publish-runtime.yml cascade job can fire this template's
image rebuild after a new molecule-ai-workspace-runtime PyPI release.
Without this, every runtime release waited for the next push: main /
manual workflow_dispatch to propagate to the published image. With it,
runtime fixes flow monorepo → PyPI → all 8 template images
automatically.
Part of the runtime CD chain. See molecule-core docs/workspace-runtime-package.md.
Co-authored-by: Hongming Wang <hongmingwangalt@gmail.com>
Pin LF on shell, Python, YAML, and Dockerfile so Windows Docker Desktop
checkouts don't introduce CRLF that breaks #!/bin/sh shebangs in the
container — that exact failure mode took down 14 workspaces during
#1933 fix v1 (exec /entrypoint.sh: no such file or directory cascade).
Same pattern as the .gitattributes already in
molecule-ai-workspace-template-claude-code, applied to the other 7
template repos.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a one-line caller for the publish-template-image.yml reusable
workflow in molecule-ci. On every push to main, this repo's
Dockerfile is now built and pushed to
ghcr.io/molecule-ai/workspace-template-gemini-cli:latest (plus a per-commit
sha tag). Closes the gap where template changes required a manual
tenant-side rebuild.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds standard credential gitignore (.env / *.pem / .secrets/ / .auth_token).
Per-CEO directive 2026-04-16: every plugin and template repo should
gitignore credentials so self-hosters can't accidentally commit real
tokens to public repos.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
