Lazy import inside async def execute() used the v0 a2a-sdk symbol +
import path. Module-load doesn't evaluate it so the boot-smoke gate
in molecule-ci's publish-template-image workflow didn't catch it,
but the image ships broken — first A2A message hits ImportError:
from a2a.utils import new_agent_text_message
ImportError: cannot import name 'new_agent_text_message' from 'a2a.utils'
Verified against the running image (a2a-sdk==1.0.2):
a2a.utils.new_agent_text_message: False
a2a.helpers.new_agent_text_message: False
a2a.utils.new_text_message: False
a2a.helpers.new_text_message: True
Surfaced via cross-template audit while verifying v0.1.36 cascade
health. crewai/openclaw/autogen all share the same lazy-import bug.
Fix: rename symbol + switch import path.
Refs: molecule-core memory `reference_a2a_sdk_v0_to_v1_migration`,
task #131 (smoke gate doesn't catch lazy imports).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previous commit's regex substitution dropped `COPY requirements.txt .`
and the initial `RUN pip install --no-cache-dir -r requirements.txt`
because of a bash-heredoc escape interaction (the \1 backref was
consumed before the python regex saw it, leaving a SOH char). This
restores both lines with the conditional version-pin upgrade after.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the cache trap structurally for this template — same fix
already shipped in claude-code + hermes. publish-image.yml caller
forwards client_payload.runtime_version (set by cascade) to the
molecule-ci reusable workflow as runtime_version input. Reusable
workflow forwards it to docker build as a --build-arg. Dockerfile
declares ARG RUNTIME_VERSION before the pip install layer so cache
key is sensitive to the version. The pip install RUN does an extra
targeted upgrade to guarantee the exact version when ARG is set.
Pairs with molecule-ci PR #12 + molecule-core PR #2181.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`molecule_runtime.adapters.get_adapter()` reads
`getattr(mod, "Adapter")` after importing ADAPTER_MODULE.
Without the alias the workspace startup fails preflight with
"no \`Adapter\` class is exported".
Same fix already shipped in claude-code, hermes, gemini-cli,
langgraph, deepagents today. Surfaced by today's wire-real E2E
sweep against fresh template images. The new bare-imports lint
in molecule-ci PR #8 catches related issues automatically.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds 'repository_dispatch' trigger (event-type: runtime-published) so
molecule-core's publish-runtime.yml cascade job can fire this template's
image rebuild after a new molecule-ai-workspace-runtime PyPI release.
Without this, every runtime release waited for the next push: main /
manual workflow_dispatch to propagate to the published image. With it,
runtime fixes flow monorepo → PyPI → all 8 template images
automatically.
Part of the runtime CD chain. See molecule-core docs/workspace-runtime-package.md.
Co-authored-by: Hongming Wang <hongmingwangalt@gmail.com>
Pin LF on shell, Python, YAML, and Dockerfile so Windows Docker Desktop
checkouts don't introduce CRLF that breaks #!/bin/sh shebangs in the
container — that exact failure mode took down 14 workspaces during
#1933 fix v1 (exec /entrypoint.sh: no such file or directory cascade).
Same pattern as the .gitattributes already in
molecule-ai-workspace-template-claude-code, applied to the other 7
template repos.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a one-line caller for the publish-template-image.yml reusable
workflow in molecule-ci. On every push to main, this repo's
Dockerfile is now built and pushed to
ghcr.io/molecule-ai/workspace-template-openclaw:latest (plus a per-commit
sha tag). Closes the gap where template changes required a manual
tenant-side rebuild.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds standard credential gitignore (.env / *.pem / .secrets/ / .auth_token).
Per-CEO directive 2026-04-16: every plugin and template repo should
gitignore credentials so self-hosters can't accidentally commit real
tokens to public repos.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
