From 8ed2df7187a042788ddb8e9838f90636fbff939c Mon Sep 17 00:00:00 2001 From: Molecule AI Research Lead Date: Sat, 18 Apr 2026 01:15:44 +0000 Subject: [PATCH 1/4] =?UTF-8?q?chore(eco-watch):=20add=20MemPalace=20+=20u?= =?UTF-8?q?pdate=20Google=20ADK=20=E2=80=94=202026-04-18=20run=20a?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - MemPalace (milla-jovovich/mempalace, 47.6k★, MIT, Python): local-first agent memory using Method of Loci; 29 MCP tools; 96.6% R@5 on LongMemEval; native Claude Code .claude-plugin integration. Verdict: WATCH - Google ADK: update to v1.31.0 (Apr 17 2026) — multi-language parity (Python/TS/Java/Go), native A2A (full protocol, Linux Foundation standard). Platform gaps confirmed open (no scheduling, no cross-agent HITL). Verdict: WATCH maintained with enhanced escalation triggers. --- docs/ecosystem-watch.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/docs/ecosystem-watch.md b/docs/ecosystem-watch.md index a0c3ca5c..c5b334de 100644 --- a/docs/ecosystem-watch.md +++ b/docs/ecosystem-watch.md @@ -1805,7 +1805,9 @@ complementary: a Molecule AI workspace running ADK agents is a natural pairing. - ADK is the official successor for teams currently using LangGraph with Gemini → our langgraph adapter should note ADK as an alternative path. -**Last reviewed:** 2026-04-16 · **Stars / activity:** ~19k ⭐, v1.29.0 April 9, 2026, Google-maintained +**Last reviewed:** 2026-04-18 · **Stars / activity:** ~22k ⭐, v1.31.0 April 17 2026, Google-maintained + +**v1.31.0 update (2026-04-18):** Multi-language parity landed — Python, TypeScript, Java, Go all at 1.0. Native A2A added: full protocol (agent cards, message/send, task lifecycle, streaming, gRPC v0.3). A2A is Linux Foundation-governed, not Google-only — interops with any framework. **Platform gaps confirmed open**: no scheduling, no cron, no org-level workspace management, no cross-agent HITL (ADK `require_confirmation` explicitly broken across agent boundaries, maintainer-confirmed GitHub Discussion #3276). **Verdict: WATCH** (not elevated). Protocol layer compressed; Molecule platform layer intact. Escalation triggers: Vertex ships org-level workspace mgmt OR ADK fixes cross-agent HITL. --- @@ -2875,3 +2877,23 @@ langgraph/crewai adapters. **Signals to react to:** Claw Code ships A2A support → evaluate `molecule-ai-workspace-template-claw-code`. Anthropic legal action → monitor for project discontinuation risk. Claw Code's Python SDK becomes pip-installable → simplifies potential workspace template adapter. **Last reviewed:** 2026-04-17 · **Stars / activity:** 100k+★, Rust+Python, 72.6k forks, fastest-growing repo in GitHub history + +--- + +### MemPalace — `milla-jovovich/mempalace` + +**Pitch:** Local-first AI memory system using the "Method of Loci" — stores full conversation verbatim (not summarized) in a hierarchical palace structure (wings → rooms → drawers) with semantic search. + +**Shape:** Python 87.8%, MIT, 47.6k★, v3.3.0 April 14 2026. ChromaDB-backed vector retrieval; 96.6% R@5 on LongMemEval with zero API calls. Exposes **29 MCP tools** covering palace reads/writes, knowledge-graph operations, cross-wing navigation, drawer management, and agent diaries. Native Claude Code integration via `.claude-plugin`. Fully local — no external API required for memory ops. + +**Overlap with us:** (1) Our `agent_memories` table + `/workspaces/:id/memories` API provides platform-managed scoped memory — MemPalace provides richer, hierarchical, locally-searchable memory with knowledge-graph structure. (2) 29 MCP tools makes this trivially wrappable as a `molecule-mempalace` plugin. (3) Claude Code `.claude-plugin` integration targets the same surface as `molecule-ai-workspace-template-claude-code`. (4) 47.6k★ in weeks = high developer mindshare; teams will bring MemPalace into Molecule workspaces before we have a native integration. + +**Differentiation:** Local-first, single-agent memory layer — no multi-agent orchestration, no workspace lifecycle, no org hierarchy. Molecule provides governance and multi-agent platform; MemPalace provides the per-agent memory store. These are complementary layers, not competitors. + +**Worth borrowing:** Verbatim storage + semantic retrieval as an opt-in mode for our `agent_memories` (currently free-form key-value). Wings/rooms/drawers hierarchy as a model for scoped memory namespacing (we have `scope` but no hierarchy). LongMemEval as a quality benchmark for our own memory retrieval accuracy. + +**Terminology collisions:** "memory" (same concept, different granularity — our memories are scoped key-value entries; MemPalace is a structured knowledge graph). "palace" = their namespace; our analogues are workspace + memory scope. + +**Signals to react to:** MemPalace ships cross-agent memory sharing → file BUILD issue for `molecule-mempalace` plugin immediately — directly competitive with our platform-managed memory layer. ADK or LangGraph officially recommend MemPalace → adoption velocity doubles. MemPalace reaches 100k★ → consider deep integration over shallow plugin wrapper. + +**Last reviewed:** 2026-04-18 · **Stars / activity:** 47.6k★, Python, MIT, v3.3.0 April 14 2026, viral growth (23k★ in first 2 weeks). **Verdict: WATCH** From 806ef6403c1257cec383d02d134fd18c0fe9fe2c Mon Sep 17 00:00:00 2001 From: Molecule AI Research Lead Date: Sat, 18 Apr 2026 01:47:20 +0000 Subject: [PATCH 2/4] =?UTF-8?q?chore(eco-watch):=20add=20MemPalace=20+=20u?= =?UTF-8?q?pdate=20Google=20ADK=20=E2=80=94=202026-04-18=20run=20a?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - MemPalace (milla-jovovich/mempalace, 47.6k★, MIT, Python): local-first agent memory using Method of Loci; 29 MCP tools; 96.6% R@5 on LongMemEval; native Claude Code .claude-plugin integration. Verdict: WATCH - Google ADK: update to v1.31.0 (Apr 17 2026) — multi-language parity (Python/TS/Java/Go), native A2A (full protocol, Linux Foundation standard). Platform gaps confirmed open (no scheduling, no cross-agent HITL). Verdict: WATCH maintained with enhanced escalation triggers. --- docs/ecosystem-watch.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/docs/ecosystem-watch.md b/docs/ecosystem-watch.md index 7b513246..51553e9d 100644 --- a/docs/ecosystem-watch.md +++ b/docs/ecosystem-watch.md @@ -1821,7 +1821,9 @@ complementary: a Molecule AI workspace running ADK agents is a natural pairing. - ADK is the official successor for teams currently using LangGraph with Gemini → our langgraph adapter should note ADK as an alternative path. -**Last reviewed:** 2026-04-16 · **Stars / activity:** ~19k ⭐, v1.29.0 April 9, 2026, Google-maintained +**Last reviewed:** 2026-04-18 · **Stars / activity:** ~22k ⭐, v1.31.0 April 17 2026, Google-maintained + +**v1.31.0 update (2026-04-18):** Multi-language parity landed — Python, TypeScript, Java, Go all at 1.0. Native A2A added: full protocol (agent cards, message/send, task lifecycle, streaming, gRPC v0.3). A2A is Linux Foundation-governed, not Google-only — interops with any framework. **Platform gaps confirmed open**: no scheduling, no cron, no org-level workspace management, no cross-agent HITL (ADK `require_confirmation` explicitly broken across agent boundaries, maintainer-confirmed GitHub Discussion #3276). **Verdict: WATCH** (not elevated). Protocol layer compressed; Molecule platform layer intact. Escalation triggers: Vertex ships org-level workspace mgmt OR ADK fixes cross-agent HITL. --- @@ -2913,3 +2915,23 @@ langgraph/crewai adapters. **Signals to react to:** Claw Code ships A2A support → evaluate `molecule-ai-workspace-template-claw-code`. Anthropic legal action → monitor for project discontinuation risk. Claw Code's Python SDK becomes pip-installable → simplifies potential workspace template adapter. **Last reviewed:** 2026-04-17 · **Stars / activity:** 100k+★, Rust+Python, 72.6k forks, fastest-growing repo in GitHub history + +--- + +### MemPalace — `milla-jovovich/mempalace` + +**Pitch:** Local-first AI memory system using the "Method of Loci" — stores full conversation verbatim (not summarized) in a hierarchical palace structure (wings → rooms → drawers) with semantic search. + +**Shape:** Python 87.8%, MIT, 47.6k★, v3.3.0 April 14 2026. ChromaDB-backed vector retrieval; 96.6% R@5 on LongMemEval with zero API calls. Exposes **29 MCP tools** covering palace reads/writes, knowledge-graph operations, cross-wing navigation, drawer management, and agent diaries. Native Claude Code integration via `.claude-plugin`. Fully local — no external API required for memory ops. + +**Overlap with us:** (1) Our `agent_memories` table + `/workspaces/:id/memories` API provides platform-managed scoped memory — MemPalace provides richer, hierarchical, locally-searchable memory with knowledge-graph structure. (2) 29 MCP tools makes this trivially wrappable as a `molecule-mempalace` plugin. (3) Claude Code `.claude-plugin` integration targets the same surface as `molecule-ai-workspace-template-claude-code`. (4) 47.6k★ in weeks = high developer mindshare; teams will bring MemPalace into Molecule workspaces before we have a native integration. + +**Differentiation:** Local-first, single-agent memory layer — no multi-agent orchestration, no workspace lifecycle, no org hierarchy. Molecule provides governance and multi-agent platform; MemPalace provides the per-agent memory store. These are complementary layers, not competitors. + +**Worth borrowing:** Verbatim storage + semantic retrieval as an opt-in mode for our `agent_memories` (currently free-form key-value). Wings/rooms/drawers hierarchy as a model for scoped memory namespacing (we have `scope` but no hierarchy). LongMemEval as a quality benchmark for our own memory retrieval accuracy. + +**Terminology collisions:** "memory" (same concept, different granularity — our memories are scoped key-value entries; MemPalace is a structured knowledge graph). "palace" = their namespace; our analogues are workspace + memory scope. + +**Signals to react to:** MemPalace ships cross-agent memory sharing → file BUILD issue for `molecule-mempalace` plugin immediately — directly competitive with our platform-managed memory layer. ADK or LangGraph officially recommend MemPalace → adoption velocity doubles. MemPalace reaches 100k★ → consider deep integration over shallow plugin wrapper. + +**Last reviewed:** 2026-04-18 · **Stars / activity:** 47.6k★, Python, MIT, v3.3.0 April 14 2026, viral growth (23k★ in first 2 weeks). **Verdict: WATCH** From ab11c2073044b515a88dc72f3d026758aa2de5c3 Mon Sep 17 00:00:00 2001 From: Molecule AI Research Lead Date: Sat, 18 Apr 2026 01:48:03 +0000 Subject: [PATCH 3/4] =?UTF-8?q?chore(eco-watch):=20BLOCK=20MemPalace=20?= =?UTF-8?q?=E2=80=94=20coordinated=20fraud=20(SA=20audit=202026-04-18)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SA forensic audit found: 89% bot-farmed stars (42k of 47.6k), malware domain mempalace.tech, deleted PyPI maintainer (supply-chain risk), unpatched ChromaDB RCE (#6717), non-existent PyPI package (squattable), unsafe HuggingFace pickle loading, and crypto pump-and-dump association. Verdict changed from WATCH to BLOCKED/FRAUD. GH #912 plugin proposal is closed per audit verdict. Co-Authored-By: Claude Sonnet 4.6 --- docs/ecosystem-watch.md | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/docs/ecosystem-watch.md b/docs/ecosystem-watch.md index c5b334de..1ac55d06 100644 --- a/docs/ecosystem-watch.md +++ b/docs/ecosystem-watch.md @@ -2882,18 +2882,20 @@ langgraph/crewai adapters. ### MemPalace — `milla-jovovich/mempalace` -**Pitch:** Local-first AI memory system using the "Method of Loci" — stores full conversation verbatim (not summarized) in a hierarchical palace structure (wings → rooms → drawers) with semantic search. +> ⛔ **BLOCKED — COORDINATED FRAUD** (Security Audit 2026-04-18). Do not integrate, evaluate, or reference this project. -**Shape:** Python 87.8%, MIT, 47.6k★, v3.3.0 April 14 2026. ChromaDB-backed vector retrieval; 96.6% R@5 on LongMemEval with zero API calls. Exposes **29 MCP tools** covering palace reads/writes, knowledge-graph operations, cross-wing navigation, drawer management, and agent diaries. Native Claude Code integration via `.claude-plugin`. Fully local — no external API required for memory ops. +**Pitch (original):** Local-first AI memory system using the "Method of Loci" — stores full conversation verbatim in a hierarchical palace structure (wings → rooms → drawers) with semantic search. -**Overlap with us:** (1) Our `agent_memories` table + `/workspaces/:id/memories` API provides platform-managed scoped memory — MemPalace provides richer, hierarchical, locally-searchable memory with knowledge-graph structure. (2) 29 MCP tools makes this trivially wrappable as a `molecule-mempalace` plugin. (3) Claude Code `.claude-plugin` integration targets the same surface as `molecule-ai-workspace-template-claude-code`. (4) 47.6k★ in weeks = high developer mindshare; teams will bring MemPalace into Molecule workspaces before we have a native integration. +**Fraud findings (SA forensic audit — 2026-04-18):** -**Differentiation:** Local-first, single-agent memory layer — no multi-agent orchestration, no workspace lifecycle, no org hierarchy. Molecule provides governance and multi-agent platform; MemPalace provides the per-agent memory store. These are complementary layers, not competitors. +- **F1 CRITICAL — Star fraud (89%):** 42,497 of 47,600 stars are bot-farmed. Bot activity ran April 6–13 at metronomic 30-second intervals; confirmed via stargazer timestamp forensics. Authentic star count ≈ 5,000. +- **F2 CRITICAL — Malware domain:** `mempalace.tech` (cited in the project's own `HISTORY.md`) is a confirmed malware impostor domain. Any traffic to this domain must be treated as hostile. +- **F3 CRITICAL — Deleted PyPI maintainer:** GitHub account `aya-thekeeper` (sole PyPI maintainer) was deleted after publishing — live supply-chain attack surface. Any version published under that account is unverifiable. +- **F4 HIGH — Unpatched ChromaDB RCE:** Depends on ChromaDB with an open server-side + client-side RCE via `trust_remote_code` (GitHub issue #6717). Maintainer has not patched. +- **F5 HIGH — Non-existent PyPI package:** `uvx mempalace-mcp` does not exist on PyPI — squattable typosquat attack surface. +- **F6 HIGH — Unsafe model loading:** HuggingFace model download with pickle deserialization (no hash pinning). +- **F7 MEDIUM — Crypto fraud:** Associated with `MEMPALACE` Solana token pump-and-dump scheme. -**Worth borrowing:** Verbatim storage + semantic retrieval as an opt-in mode for our `agent_memories` (currently free-form key-value). Wings/rooms/drawers hierarchy as a model for scoped memory namespacing (we have `scope` but no hierarchy). LongMemEval as a quality benchmark for our own memory retrieval accuracy. +**GH #912** (molecule-mempalace plugin proposal) closed — BLOCKED by this audit. Do not reopen without a full independent security re-audit. -**Terminology collisions:** "memory" (same concept, different granularity — our memories are scoped key-value entries; MemPalace is a structured knowledge graph). "palace" = their namespace; our analogues are workspace + memory scope. - -**Signals to react to:** MemPalace ships cross-agent memory sharing → file BUILD issue for `molecule-mempalace` plugin immediately — directly competitive with our platform-managed memory layer. ADK or LangGraph officially recommend MemPalace → adoption velocity doubles. MemPalace reaches 100k★ → consider deep integration over shallow plugin wrapper. - -**Last reviewed:** 2026-04-18 · **Stars / activity:** 47.6k★, Python, MIT, v3.3.0 April 14 2026, viral growth (23k★ in first 2 weeks). **Verdict: WATCH** +**Last reviewed:** 2026-04-18 · **Stars / activity:** 47.6k★ claimed (89% bot-farmed; ~5k authentic), Python, MIT, v3.3.0 April 14 2026. **Verdict: BLOCKED/FRAUD** From f0a1bff27f7c5ed130fdabb5eb449ba5f3714fc2 Mon Sep 17 00:00:00 2001 From: Molecule AI Research Lead Date: Sat, 18 Apr 2026 03:12:59 +0000 Subject: [PATCH 4/4] =?UTF-8?q?chore(eco-watch):=20add=20chrome-devtools-m?= =?UTF-8?q?cp=20+=20craft-agents-oss=20=E2=80=94=202026-04-18=20run=20b?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two new entries from daily sweep (TR GitHub trending + CI social feeds): - chrome-devtools-mcp (ChromeDevTools/chrome-devtools-mcp, 35.9k★): Official Google Chrome DevTools MCP server — 29 tools for browser control, network inspection, Lighthouse audits. Strong MCP adoption signal from Google. GH #926 filed: add as bundled MCP server option in workspace templates. - craft-agents-oss (lukilabs/craft-agents-oss, 4.3k★): Electron desktop app on Claude Agent SDK — multi-session inbox, 3-tier permissions, MCP support. Single-user desktop vs. Molecule's multi-tenant org-graph. UX reference for approval queue / permission tier UI. CI sweep clean (no additional findings). RevoClaw near-miss logged (outside 24h window, no public repo yet). Co-Authored-By: Claude Sonnet 4.6 --- docs/ecosystem-watch.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/docs/ecosystem-watch.md b/docs/ecosystem-watch.md index 1ac55d06..fdf39c01 100644 --- a/docs/ecosystem-watch.md +++ b/docs/ecosystem-watch.md @@ -2899,3 +2899,43 @@ langgraph/crewai adapters. **GH #912** (molecule-mempalace plugin proposal) closed — BLOCKED by this audit. Do not reopen without a full independent security re-audit. **Last reviewed:** 2026-04-18 · **Stars / activity:** 47.6k★ claimed (89% bot-farmed; ~5k authentic), Python, MIT, v3.3.0 April 14 2026. **Verdict: BLOCKED/FRAUD** + +--- + +### chrome-devtools-mcp — `ChromeDevTools/chrome-devtools-mcp` + +**Pitch:** "Chrome DevTools for coding agents" — 29 MCP tools exposing browser navigation, input automation, network inspection, Lighthouse auditing, and performance tracing directly to AI agents. + +**Shape:** Official MCP server from Google's Chrome DevTools team (not a third-party wrapper). TypeScript, Apache-2.0, 35.9k★. 29 tools across 6 categories: input (click, type, fill_form), navigation, emulation, performance traces, network inspection, script execution + screenshots. + +**Overlap with us:** Molecule's MCP client already wires up to `opencode.json` and workspace config — this drops in as a bundled MCP server for any workspace agent. Complements existing `browser-automation` plugin (Puppeteer/CDP scraper) with DevTools-level depth: network HAR exports, JS console, Lighthouse audits, memory snapshots. + +**Differentiation:** Pure MCP server — no orchestration, no agent runtime. Molecule is the governance layer that decides *which* workspaces get browser access. + +**Worth borrowing:** Add as a recommended/bundled MCP server option in workspace templates. Instant browser-equipped agents with no build effort. + +**Terminology collisions:** None. + +**Signals to react to:** Google's own DevTools team shipping an MCP server is the strongest possible MCP adoption signal. If it becomes the canonical browser integration, Molecule's MCP client tier-1 support becomes a harder differentiator. + +**Last reviewed:** 2026-04-18 · **Stars / activity:** 35.9k★, TypeScript, Apache-2.0, official Google Chrome DevTools + +--- + +### craft-agents-oss — `lukilabs/craft-agents-oss` + +**Pitch:** Open-source desktop agent app built on Anthropic's Claude Agent SDK — multi-session inbox, 3-tier permissions, MCP + REST API connections, event-driven automations. + +**Shape:** Electron desktop app (+ headless server + CLI), TypeScript, Apache-2.0, 4.3k★, v0.8.9 released April 16 2026. Single-user; 4 LLM providers (Anthropic, Google, OpenAI, GitHub Copilot); drag-drop file attachments; automations triggered by labels, schedules, or tool usage. + +**Overlap with us:** UI-layer overlap — multi-session management, permission tiers, MCP connections, multi-LLM support all map onto Molecule's workspace lifecycle and canvas. Built on the same Claude Agent SDK stack. + +**Differentiation:** craft-agents-oss is single-user desktop; Molecule is multi-tenant org-graph with A2A inter-agent coordination. No agent-to-agent delegation, no org hierarchy, no Docker workspace isolation. + +**Worth borrowing:** 3-tier permission UI (Explore / Ask to Edit / Auto) and multi-session inbox labeling workflow are clean UX references for Molecule's workspace approval queue. + +**Terminology collisions:** "sessions" = Molecule's "workspaces"; "sources" = Molecule's "tools/plugins." Watch for user confusion. + +**Signals to react to:** 4.3k stars on launch day signals strong demand for a GUI wrapper around Claude Agent SDK. Molecule's org-chart canvas is the richer multi-tenant answer — worth differentiating loudly in positioning. + +**Last reviewed:** 2026-04-18 · **Stars / activity:** 4.3k★, TypeScript, Apache-2.0, v0.8.9 April 16 2026