molecule-ai/molecule-core
41
0
Fork 2
Code Issues 103 Pull Requests 147 Actions 91 Packages Projects Releases Wiki Activity

Merge pull request #973 from Molecule-AI/docs/rfc2119-opencode-must-not

Browse Source 
docs(opencode): 'should not' → 'must not' for SAFE-T1201 (closes #861)
This commit is contained in:
Hongming Wang 2026-04-19 00:26:05 -07:00 committed by GitHub
commit 0519327179
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/integrations/opencode.md
View File

@ -77,7 +77,7 @@ opencode sends this tool call to the Molecule MCP endpoint. The platform routes
`list_peers` returns the full set of workspace names and roles visible to your workspace. This is intentional: provisioned agents need to know their peers to delegate effectively. Be aware that any opencode agent with a valid `MOLECULE_MCP_TOKEN` can enumerate your org topology.
### SAFE-T1201 — tool surface audit pending
The full `@molecule-ai/mcp-server` npm package exposes additional tools beyond those listed above. These are pending a SAFE-T1201 security audit (tracked in #747 follow-on) and **should not be exposed to external agents in production** until that audit completes.
The full `@molecule-ai/mcp-server` npm package exposes additional tools beyond those listed above. These are pending a SAFE-T1201 security audit (tracked in #747 follow-on) and **must not be exposed to external agents in production** until that audit completes.
### Token scoping
Issue tokens with the minimum required scopes (`mcp:read`, `mcp:delegate`). Rotate tokens regularly. Revoke via `DELETE /workspaces/:id/tokens/:token_id`.