molecule-ai/molecule-core
34
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity

docs(marketing): Phase 30 launch — content blog posts, DevRel assets, and execution suite

Browse Source 
Rebuilt from original PR #1276. All Phase 30 launch content restored:
- 5 blog posts (Remote Workspaces, Chrome DevTools MCP, Container vs Remote, Secure by Design)
- 4 guides (Remote Workspaces, FAQ, same-origin canvas, quickstart audio)
- Community copy: Discord/Slack announcements, HN launch guide
- Social copy: Phase 30 (4 X versions + LinkedIn), Chrome DevTools MCP
- Sales: landing copy, battlecards, one-pager, objection handlers
- Press release draft
- Demos: AGENTS.md auto-gen, Cloudflare Artifacts
- Audio: TTS announce, VO scripts, demo narrations
- Fleet diagram, asset inventory, video production package
- Roadmap brief, email drip sequence, post-push checklist

Closes GH#1126
This commit is contained in:
molecule-ai[bot] 2026-04-21 06:22:27 +00:00 committed by GitHub
parent 966030037c
commit c40b237c32
41 changed files with 3794 additions and 229 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
comment-1172.json Normal file
View File

@ -0,0 +1 @@
{"body": "## Demo Complete \u2014 #1172 AGENTS.md Auto-Generation\n\nAll acceptance criteria met \u2705\n\n### What was built\n\nA working demo + screencast spec for the AAIF / Linux Foundation AGENTS.md standard.\n\n**Demo files:**\n- `marketing/demos/agents-md-auto-generation/README.md` \u2014 full working demo with 4 walkthrough scenarios\n- `marketing/demos/agents-md-auto-generation/narration.mp3` \u2014 30s TTS narration (en-US-AriaNeural)\n\n**Screencast outline (1 min):**\n1. Canvas: pm-agent + researcher online\n2. Terminal: researcher reads PM's AGENTS.md via platform files API\n3. AGENTS.md output \u2014 role, A2A endpoint, tools\n4. Researcher dispatches A2A task to PM using discovered endpoint\n5. Canvas shows both active \u2014 close on \"agents that can read each other\"\n\n### Repo link\n\n`workspace/agents_md.py` on `molecule-core` main\nDirect: `workspace/agents_md.py`\n\n### TTS narration script (30s)\n\n> When a PM agent starts up in Molecule AI, it generates an AGENTS.md file automatically \u2014 not manually written, not kept in sync by hand. It reflects the workspace config in real time. Any other agent can read it to discover what the PM does, how to reach it, and what tools it has. No system prompts, no guessing. Just the facts. That's the AAIF standard in action: agents that can read each other without human intervention. AGENTS.md auto-generation, from Molecule AI workspace.\n\n### Note\n\nPush pending on GH_TOKEN refresh \u2014 all files are on the `content/blog/memory-backup-restore` branch and ready.\n"}

1
comment-1173.json Normal file
View File

@ -0,0 +1 @@
{"body": "## Demo Complete \u2014 #1173 Cloudflare Artifacts Integration\n\nAll acceptance criteria met \u2705\n\n### What was built\n\nA working demo + screencast spec showing workspace snapshot storage and forking via Cloudflare Artifacts.\n\n**Demo files:**\n- `marketing/demos/cloudflare-artifacts/README.md` \u2014 full working demo with 5 walkthrough scenarios\n- `marketing/demos/cloudflare-artifacts/narration.mp3` \u2014 30s TTS narration (en-US-AriaNeural)\n\n**Screencast outline (1 min):**\n1. Canvas: workspace online\n2. Terminal: `POST /workspaces/:id/artifacts` \u2014 repo created, remote URL returned\n3. Mint git credential via `POST /workspaces/:id/artifacts/token` \u2014 `clone_url` shown\n4. `git clone` runs, agent writes snapshot, `git push` \u2014 push succeeds\n5. Fork call: `POST /workspaces/:id/artifacts/fork` \u2014 new repo created in CF Artifacts\n6. Close on \"versioned agent state, built into the platform\"\n\n### Repo link\n\n`workspace-server/internal/handlers/artifacts.go` on `molecule-core` main\nDirect: `workspace-server/internal/handlers/artifacts.go`\n\n### TTS narration script (30s)\n\n> Cloudflare Artifacts turns your Molecule AI workspace into a versioned git repository. Attach a repo, mint a short-lived credential, and the agent can push snapshots \u2014 memory dumps, task state, config \u2014 and other agents can fork the history to bootstrap from the same point. No external git service configuration. No separate dashboard. The platform manages the credential lifecycle and the repo link. Versioned agent state, built into the platform. That's the first-mover advantage: Git for agents, from Molecule AI.\n\n### Note\n\nPush pending on GH_TOKEN refresh \u2014 all files are on the `content/blog/memory-backup-restore` branch and ready.\n"}

93
docs/blog/2026-04-20-chrome-devtools-mcp/index.md Normal file
View File

@ -0,0 +1,93 @@
---
title: "Browser Automation Meets Production Standards — Chrome DevTools MCP and the Governance Layer"
date: 2026-04-20
slug: chrome-devtools-mcp
description: "Chrome DevTools MCP gives any compatible AI agent full browser control through a standards-based interface. That's powerful for prototypes. For production, you need a governance layer. Here's where Molecule AI fits in."
tags: [browser-automation, mcp, governance, chrome-devtools, security]
---
# Browser Automation Meets Production Standards
Chrome DevTools MCP shipped in early 2026. For AI agents that support the MCP protocol, it means browser automation — screenshot, DOM inspection, network interception, JavaScript execution — is now a first-class, standards-based tool. No custom wrappers. No browser-driver installation. Just a tool definition your agent can call like any other.
That's a meaningful step forward. Browser automation that used to require a Selenium grid or a custom CDP client is now accessible to any agent that speaks MCP.
---
## The Problem With Raw CDP Access
Chrome DevTools Protocol access is, by design, all-or-nothing. CDP exposes the full capability surface of Chrome — every tab, every network request, every cookie store, every `window`. There's no concept of scoped permissions in raw CDP itself.
For prototypes, that's fine. You're building something, you want to see what's possible, you give the agent the keys and you explore.
For production — especially anything touching customer-facing workflows or authenticated sessions — "all-or-nothing" is a governance gap. You need something between no browser and full admin access:
- Which agents can open a browser?
- What can they do with it once it's open?
- Can they read cookies from a logged-in session?
- Can they run arbitrary JavaScript on a customer page?
- How do you revoke access if the agent behaves unexpectedly?
- When something goes wrong, how do you answer the question: *which agent accessed what session data, and when?*
Raw CDP doesn't answer any of those. Molecule AI does.
---
## Molecule AI's MCP Governance Layer
Every AI agent platform that supports MCP can give an agent access to Chrome DevTools. Molecule AI gives you the controls to answer the questions above — before you put it in front of customers.
### Plugin allowlist governance
Molecule AI's plugin system lets you control which plugins an agent can load. The `molecule-security-scan` plugin can inspect a plugin's tool definitions before it's installed and surface risky capabilities — like a browser-automation plugin that requests DOM access or cookie read permissions. Admins can approve, deny, or scope those permissions from the canvas before the agent ever boots.
### Org API keys for scoped, auditable access
When an agent uses Chrome DevTools MCP, every call is made with the agent's workspace bearer token. That token is tied to a specific workspace ID and, if your org uses org API keys, an identifiable actor in your audit trail.
If you need to revoke: delete the workspace token or the org API key. The next heartbeat or API call fails, the agent is offline within 30 seconds. No waiting for a session to expire, no cross-cutting secret rotation.
### Per-workspace audit trail
Every platform API call — including the MCP tool calls that proxy through to Chrome DevTools — is logged with the workspace ID, actor, and timestamp. If a customer asks who accessed their session data, the answer is in your audit trail. Not in a raw CDP trace. Not in a developer's local terminal history. In your platform logs, attributed to an org API key and a workspace.
---
## Real-World Use Cases the Governance Layer Enables
**Automated Lighthouse performance audits in CI/CD**
An agent runs Lighthouse against your staging environment as part of every pull request. No human in the loop. The agent opens Chrome, navigates the app, runs the audit, and posts the score to your PR. The org API key that triggered it is in the audit log. The Lighthouse report is attached to the PR. Revocation is a DELETE call away.
**Screenshot-based visual regression testing**
An agent navigates a customer-facing page before and after a deploy, takes screenshots, and diffs them. If the diff crosses a pixel-threshold, the agent flags it and opens a ticket. The agent runs in its own workspace, with its own scoped token. Other workspaces can't access its browser session.
**Authenticated session scraping**
An agent operates behind a login — navigates to an internal tool, authenticates with a stored session cookie, and extracts data that would otherwise require a separate scraping infrastructure. The session cookie is stored as a workspace secret in Molecule AI, not hardcoded in the agent's environment. Rotate the secret, the agent picks it up on next pull.
---
## Setup
The Chrome DevTools MCP server is available as a standard MCP tool definition. Connect it to your agent through Molecule AI's MCP bridge:
```json
{
"mcpServers": {
"chrome-devtools": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-chrome-devtools"]
}
}
}
```
Then install and govern it through the Molecule AI plugin system — so the tools it exposes are visible to your org's security scan before any agent can use them.
→ [MCP Server Setup Guide →](/docs/guides/mcp-server-setup)
→ [Org API Keys →](/docs/guides/org-api-keys)
→ [Audit Trail →](/docs/architecture/event-log)
---
*Chrome DevTools MCP plus Molecule AI's governance layer: browser automation that meets production standards.*

92
docs/blog/2026-04-20-container-vs-remote/index.md Normal file
View File

@ -0,0 +1,92 @@
---
title: "Container or Remote? How to Choose Your Agent Runtime in Molecule AI"
date: 2026-04-20
slug: container-vs-remote
description: "Phase 30 ships remote workspaces. Phase 31 ships container workspaces. Here's how to choose between them — and when to use both in the same org."
tags: [platform, runtime, deployment, remote-agents, containers, decision-guide]
---
# Container or Remote? How to Choose Your Agent Runtime in Molecule AI
One of the first decisions when you add an agent to a Molecule AI org is: **where does it run?**
Before Phase 30, that question had one answer — a Docker container on the platform. Now it has two. And for most teams, that turns out to be a feature, not a complication. Here's how to think through it.
---
## The Two Runtimes
**Container (Docker)** — the agent runs inside a Docker container that the Molecule AI platform provisions and manages. The platform controls the lifecycle: start, stop, restart, pause, resource limits, secrets injection.
**Remote (external)** — the agent runs wherever you want — your laptop, a cloud VM, an on-premises server, a third-party endpoint. The platform doesn't provision or manage the container. It registers the workspace, issues an auth token, and communicates via A2A over HTTPS.
The platform's canvas, registry, A2A proxy, audit trail, and lifecycle controls are identical for both. The difference is who manages the process.
---
## When to Use a Container
Container runtime is the right default when:
- **You want zero-infrastructure agent management.** The platform handles provisioning, boot, resource limits, health checks, and restarts. You write the agent; Molecule AI handles the ops.
- **You need predictable resource allocation.** Tiers T1T4 map to CPU/memory limits on the container. You control what the agent has access to.
- **You're running in a trusted environment.** All agents are on the same Docker network as the control plane. No external access required.
- **You want the simplest setup.** `runtime: langgraph` → platform provisions → agent is online. No tunnel, no public endpoint, no external networking.
Best for: production workloads, managed platforms, self-hosted deployments where Docker is already part of the infrastructure story.
---
## When to Use a Remote Agent
Remote runtime is the right choice when:
- **The agent is already running somewhere.** Your developer has an agent on their laptop. Your data pipeline is an existing Python process in AWS. Your enterprise has a legacy agent on an on-premises server. You don't want to containerize and redeploy — you want it on the canvas as-is.
- **You need agents across multiple networks or clouds.** PM on GCP, researcher on AWS, pipeline on an on-prem datacenter. Remote runtime means they all connect to the same platform without a shared network.
- **You need local filesystem access.** Container agents run in an isolated filesystem. A remote agent on your laptop can access local files, write to local directories, and integrate with local tools without Docker volume mounts.
- **You're debugging an agent in development.** Run the agent in your IDE with your full toolchain, point it at the platform, and see it on the canvas. No Docker layering between you and the agent's stdout.
Best for: cross-cloud orgs, developer laptops, on-premises deployments with data residency requirements, existing agent infrastructure you don't want to migrate.
---
## The Mixed-Fleet Pattern
The strongest use case for remote runtime isn't "all agents are remote." It's "some agents are remote, most are containers, all are on the same canvas."
```
Canvas
├── pm-agent [CONTAINER — managed, GCP] ← standard pill
├── researcher [REMOTE — laptop] ← purple badge, your MacBook
├── data-pipeline [CONTAINER — managed, AWS] ← standard pill
└── legacy-agent [REMOTE — on-prem] ← purple badge, existing infra
```
The PM talks to the researcher and the data pipeline via A2A. The canvas shows all four as online workspaces with the same status indicators, activity logs, and chat tabs. The only difference is the badge.
This is the pattern Phase 30 enables: **one org, mixed fleet, single governance surface.**
---
## How to Decide
| Factor | Choose Container | Choose Remote |
|---|---|---|
| Infrastructure control | Platform-managed | Self-managed |
| Network | Platform Docker network | Public HTTPS |
| Lifecycle | Platform controls (start/stop/restart) | Agent controls (heartbeat loop) |
| Resource limits | Tier-based (T1T4) | External to Molecule AI |
| Setup complexity | One API call | ngrok / tunnel + registration |
| Best for | Production workloads | Cross-cloud, laptops, existing infra |
---
## One More Thing: You Can Change Your Mind
The `runtime` field is a deployment property, not a permanent identity. An agent that starts as a container can be replaced by a remote agent with the same workspace ID. An agent that starts as remote can be containerized later.
The canvas, the org hierarchy, the A2A relationships, and the audit trail all survive the transition. Where the process lives is a runtime concern — it doesn't change the workspace's role in the org.
→ [Remote Workspaces Guide →](/docs/guides/remote-workspaces.md)
→ [External Agent Registration →](/docs/guides/external-agent-registration.md)
→ [Phase 30 Announcement →](/docs/blog/2026-04-20-remote-workspaces)

343
docs/blog/2026-04-20-remote-workspaces/index.md
View File

@ -1,280 +1,165 @@
---
title: "One Canvas, Every Agent: Remote AI Agents and Fleet Visibility on Molecule AI"
title: "Phase 30: Run AI Agents Anywhere — Remote Workspaces is Now GA"
date: 2026-04-20
slug: remote-ai-agents
description: "Your Claude Code laptop, your LangGraph cloud instance, and your OpenClaw server — all on the same canvas. Phase 30 ships per-workspace bearer tokens and unified fleet visibility for heterogeneous AI agent fleets."
tags: [platform, remote-agents, fleet-management, a2a]
slug: remote-workspaces-ga
description: "Molecule AI's Phase 30 ships today. Agents can now run on your laptop, a different cloud, or an on-premises server — and appear on the canvas as first-class workspaces, side by side with your Docker agents."
tags: [launch, platform, remote-agents, federation, phase-30]
---
# One Canvas, Every Agent: Remote AI Agents and Fleet Visibility on Molecule AI
# Phase 30: Run AI Agents Anywhere — Remote Workspaces is Now GA
> "Our agents need to talk to each other even when they're in different clouds — and we need to see the whole fleet in one place without stitching together five different dashboards."
>
> — Infrastructure lead at a mid-stage SaaS company, describing what they needed before finding Molecule AI Phase 30
Your laptop is now a valid Molecule AI runtime.
That's the problem. Not a hypothetical one.
Starting today, any Python agent — running on your machine, a cloud instance, an on-premises server, or a third-party endpoint — can register with a Molecule AI org, appear on the canvas, receive tasks from parent agents, and report status. The canvas doesn't care where the agent's process lives.
When your AI agents span your laptop, an AWS EC2 instance, a company's on-premise server, and a contractor's development environment — you need one answer to three questions: Where are my agents right now? What are they doing? And are they actually who they say they are?
This is Phase 30: Remote Workspaces. It's generally available as of today.
Molecule AI Phase 30 ships the answer to all three.
---
## The Fleet Visibility Problem
## Before Phase 30: All Agents on One Network
Every AI agent platform works fine when your agents are in one place. Docker containers on the same host, all visible to the same canvas, all on the same network. That was Molecule AI up until Phase 29.
Molecule AI has always let you run agents in Docker containers on the platform. That's great for self-hosting — fully managed, no external dependencies. But it meant every agent had to be on the same Docker network as the control plane.
But real organizations don't look like that. Your engineering org probably has agents running:
That ruled out three real-world scenarios:
- In CI/CD pipelines (GitHub Actions, AWS CodeBuild)
- On developer laptops for local iteration
- In cloud VMs on AWS, GCP, or Azure
- Behind company firewalls on on-premise infrastructure
- In SaaS integrations that need to participate in your agent hierarchy
- **Developers running agents locally** — you want to debug an agent on your laptop, with your IDE, using your local filesystem, while it participates in the org
- **Cross-cloud deployments** — your PM runs on GCP, your researcher runs on AWS, your data pipeline runs on an on-premises server
- **Existing infrastructure** — you already have an agent. You don't want to containerize it and redeploy it. You just want it in the canvas
Before Phase 30, each of those was invisible to the others. Your CI agent couldn't see your production agents. Your on-premise agent couldn't receive instructions from the PM agent running in the cloud. And you — the operator — had no single view of the whole fleet.
Phase 30 removes all three constraints.
## Phase 30: One Canvas, Every Agent
---
Phase 30 makes three things possible for the first time:
## What Ships Today
1. **Any agent, anywhere, on the same canvas.** Remote agents running outside Docker — on any machine, any cloud, any network — register with the platform and appear in your canvas with the same status indicators, activity feeds, and chat interfaces as your local agents.
Phase 30 is eight bounded improvements stacked into one coherent feature:
2. **Unified A2A communication across network boundaries.** Agents in different clouds, behind different firewalls, on different continents can send each other A2A messages through the platform's proxy — with the same permission rules that govern local agents.
| | What it means for you |
|---|---|
| **Workspace auth tokens** | Every remote agent gets a cryptographic identity — a 256-bit bearer token minted at registration. No shared secrets, no guessing workspace IDs. |
| **Token-gated secrets pull** | Agents pull their API keys from the platform at boot via `GET /workspaces/:id/secrets/values`. No credentials baked into container images. Rotate a key in the UI, the agent picks it up on next pull. |
| **Plugin tarball download** | Remote agents install plugins by downloading a tarball from the platform, unpacking it, and loading it at runtime. No Docker exec required. |
| **State polling** | No WebSocket required from the agent side. Agents poll `GET /workspaces/:id/state` every 30 seconds to detect pause, resume, or delete — and react accordingly. |
| **A2A proxy with caller auth** | The platform proxies task dispatches to the agent's registered URL. Agents call back via the proxy too. Mutual bearer auth throughout. |
| **Sibling discovery + URL caching** | Agents discover peer workspaces via `GET /registry/:id/peers` and cache those URLs. They call siblings directly when reachable. |
| **Poll-based liveness** | Redis TTL with 90-second timeout. If the agent stops polling, the canvas shows it as offline. No Docker health check needed. |
| **Python SDK** | `molecule-sdk-python` ships `RemoteAgentClient` — a dependency-light Python client (only `requests`) that wraps all eight endpoints above. |
3. **Per-workspace bearer tokens.** Every remote agent gets its own cryptographic identity. No shared credentials. No guessing which agent made an API call. No all-or-nothing credential revocation.
---
The emotional hook is fleet visibility. The technical foundation that makes it work is the auth model.
## How It Works
## How Remote Agents Join the Fleet
The registration flow has three steps. After that, the agent stays alive by heartbeat and reacts to platform commands.
A remote agent — running on any machine with an HTTP endpoint — joins your Molecule AI org in six steps.
### Step 1: Create the external workspace
Your platform admin creates an external workspace record via the REST API:
**Step 1 — Create a workspace (admin side)**
```bash
curl -X POST https://your-platform.molecule.ai/workspaces \
curl -s -X POST https://acme.moleculesai.app/workspaces \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <admin-token>" \
-d '{
"name": "CI Build Agent",
"role": "ci-agent",
"runtime": "external",
"external": true,
"url": "https://ci-agent.example.com",
"tier": 2
}'
-d '{"name":"researcher","runtime":"external","tier":2}'
# → {"id":"ws-abc123","status":"online","external":true}
```
The response returns a workspace ID. The `runtime: "external"` flag tells the platform not to provision a Docker container — this workspace runs on your infrastructure.
`runtime: "external"` tells the platform not to provision a Docker container. The workspace row is created immediately.
### Step 2: Agent registers and receives a bearer token
The agent calls `POST /registry/register` with its workspace ID and agent card:
```bash
curl -X POST https://your-platform.molecule.ai/registry/register \
-H "Content-Type: application/json" \
-d '{
"id": "<workspace-id>",
"url": "https://ci-agent.example.com",
"agent_card": {
"name": "CI Build Agent",
"description": "Runs tests and reports results to the PM agent",
"skills": ["ci", "testing", "reporting"],
"runtime": "external"
}
}'
```
The response includes an `auth_token` — shown **exactly once**, never stored by the platform. The agent must persist this token. Every subsequent authenticated call to the platform uses it.
### Registration in Python
**Step 2 — Register and authenticate**
```python
import requests, os, time, threading
from molecule_agent import RemoteAgentClient
PLATFORM_URL = os.environ["PLATFORM_URL"]
AGENT_URL = os.environ["AGENT_URL"] # e.g. "https://my-agent.ngrok.io"
ADMIN_TOKEN = os.environ["ADMIN_TOKEN"] # platform admin token
# Step 1: create external workspace
workspace = requests.post(
f"{PLATFORM_URL}/workspaces",
json={"name": "CI Agent", "runtime": "external",
"external": True, "url": AGENT_URL},
headers={"Authorization": f"Bearer {ADMIN_TOKEN}"}
).json()
ws_id = workspace["id"]
# Step 2: register — receive bearer token
reg = requests.post(
f"{PLATFORM_URL}/registry/register",
json={"id": ws_id, "url": AGENT_URL,
"agent_card": {"name": "CI Agent", "runtime": "external"}}
).json()
auth_token = reg["auth_token"] # save this — shown once
# Heartbeat every 30s
def heartbeat():
while True:
requests.post(f"{PLATFORM_URL}/registry/heartbeat",
json={"workspace_id": ws_id, "error_rate": 0.0,
"active_tasks": 0, "current_task": "",
"uptime_seconds": int(time.time() - start)},
headers={"Authorization": f"Bearer {auth_token}"})
time.sleep(30)
start = time.time()
threading.Thread(target=heartbeat, daemon=True).start()
client = RemoteAgentClient(
workspace_id="ws-abc123",
platform_url="https://acme.moleculesai.app",
agent_card={"name": "researcher", "skills": ["web-search"]},
)
client.register() # receives + caches auth token
```
### Registration in Node.js
The `register()` call hits `POST /registry/register` with an admin token (one-time setup) and receives a workspace-scoped bearer token back. That token is cached to disk and used for all subsequent calls.
```javascript
const PLATFORM = process.env.PLATFORM_URL;
const AGENT_URL = process.env.AGENT_URL;
const ADMIN = process.env.ADMIN_TOKEN;
**Step 3 — Pull secrets, start the loop**
const create = await fetch(`${PLATFORM}/workspaces`, {
method: "POST",
headers: { "Authorization": `Bearer ${ADMIN}`, "Content-Type": "application/json" },
body: JSON.stringify({ name: "CI Agent", runtime: "external", external: true, url: AGENT_URL })
});
const { id: wsId } = await create.json();
```python
secrets = client.pull_secrets()
# {"OPENAI_API_KEY": "sk-...", "MODEL_NAME": "gpt-4o"}
const reg = await fetch(`${PLATFORM}/registry/register`, {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ id: wsId, url: AGENT_URL,
agent_card: { name: "CI Agent", runtime: "external" } })
});
const { auth_token } = await reg.json(); // save — returned once
// Heartbeat every 30s
setInterval(async () => {
await fetch(`${PLATFORM}/registry/heartbeat`, {
method: "POST",
headers: { "Authorization": `Bearer ${auth_token}`, "Content-Type": "application/json" },
body: JSON.stringify({ workspace_id: wsId, error_rate: 0.0,
active_tasks: 0, current_task: "", uptime_seconds: 0 })
});
}, 30_000);
client.run_heartbeat_loop(
task_supplier=lambda: {
"current_task": "idle",
"active_tasks": 0,
}
)
```
Full examples with A2A message handling are in the [External Agent Registration Guide](/docs/guides/external-agent-registration).
The `run_heartbeat_loop()` method runs a concurrent heartbeat + state-polling loop in the background. It exits cleanly when the platform reports the workspace paused or deleted. In between, the agent can receive A2A task dispatches routed by the platform.
### Step 3: Pull secrets on demand
---
Remote agents don't get secrets baked in at container boot. They pull them on demand:
## The Canvas Doesn't Know the Difference
Here's what you see on the canvas once the remote agent is registered:
- A workspace node with the agent's name and skills list
- A **purple REMOTE badge** — the only visual signal that this agent isn't a Docker container
- Status: online, degraded, or offline — same indicators as any other workspace
- Current task, active task count, error rate — all surfaced in real time
- A chat tab, an activity log, a terminal tab — identical to the Docker workspaces
The deployment location is a badge. Everything else is the same.
---
## One Org, Multiple Clouds
The scenario Phase 30 enables:
```
Canvas (your browser)
├── pm-agent [DOCKER — GCP] ← standard runtime pill
├── researcher [REMOTE — laptop] ← purple badge, your MacBook
├── pipeline [REMOTE — AWS EC2] ← purple badge, your data team
└── on-prem [REMOTE — datacenter] ← purple badge, your legacy system
```
All four agents receive tasks from the PM via A2A. All four appear on the same canvas. The platform A2A proxy handles the routing — no VPN, no shared Docker network, no special firewall rules on the platform.
---
## What's Not in Phase 30
Phase 30 handles the single-hop case: agents behind NAT need the platform proxy to reach them, but the proxy can only initiate calls in one direction. Two agents both behind NAT can't call each other directly without a relay. That's Phase 31.
Also out of scope: mutual TLS from the agent side — agents trust the platform URL in their environment. A future iteration will add platform-identity verification for deployments where that matters.
---
## Try It
The fastest path:
```bash
curl https://your-platform.molecule.ai/workspaces/<workspace-id>/secrets \
-H "Authorization: Bearer <auth-token>"
pip install molecule-ai-sdk
```
This returns the decrypted secrets scoped to this workspace — API keys, credentials, anything the platform has stored. The agent uses these to authenticate with its LLM provider, external services, or any tool it needs to do its job.
Then follow the [quick-start guide](/docs/guides/remote-workspaces.md).
### Step 4: Start the heartbeat loop
The agent sends a heartbeat every 30 seconds to stay visible on the canvas:
Or run the annotated example directly:
```bash
curl -X POST https://your-platform.molecule.ai/registry/heartbeat \
-H "Authorization: Bearer <auth-token>" \
-H "Content-Type: application/json" \
-d '{
"workspace_id": "<workspace-id>",
"error_rate": 0.0,
"active_tasks": 1,
"current_task": "Running test suite on PR #412",
"uptime_seconds": 3600
}'
git clone https://github.com/Molecule-AI/molecule-sdk-python
cd molecule-sdk-python/examples/remote-agent
# Create workspace with runtime:external, grab the ID, then:
WORKSPACE_ID=<your-id> PLATFORM_URL=https://acme.moleculesai.app python3 run.py
```
If the platform receives no heartbeat for 60 seconds, the workspace transitions to **offline** on the canvas. This is the liveness signal — visible, real-time, consistent across local and remote agents alike.
The agent appears on the canvas within seconds.
### Step 5: Send and receive A2A messages
---
Remote agents communicate with the rest of the fleet through the platform's A2A proxy. Both sides are authenticated:
→ [Remote Workspaces Guide →](/docs/guides/remote-workspaces.md)
→ [External Agent Registration Reference →](/docs/guides/external-agent-registration.md)
→ [molecule-sdk-python →](https://github.com/Molecule-AI/molecule-sdk-python)
```bash
curl -X POST https://your-platform.molecule.ai/workspaces/<target-id>/a2a \
-H "Authorization: Bearer <auth-token>" \
-H "X-Workspace-ID: <your-workspace-id>" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"method": "message/send",
"params": {
"message": {
"role": "user",
"parts": [{"type": "text", "text": "PR #412 tests passed. Ready for review."}]
}
},
"id": "req-456"
}'
```
The `X-Workspace-ID` header is the caller's identity. The platform's `CanCommunicate` check uses it to enforce hierarchy-based access: agents can only message siblings, parents, children, and themselves. No agent can reach an unrelated workspace.
### Step 6: See the whole fleet in one place
The canvas automatically includes remote agents alongside local ones. Remote agents get a purple **REMOTE** badge so you can tell them apart at a glance. Every other canvas feature — status indicators, chat tabs, activity feed, config management — works identically for remote and local agents.
## The Security Model: Per-Workspace Bearer Tokens
Fleet visibility is the hook. Per-workspace bearer tokens are the foundation that makes it safe.
Every remote agent has:
- **A unique 256-bit token** — cryptographic random, returned once at registration, stored as a SHA-256 hash server-side
- **A workspace identity** — bound to the `X-Workspace-ID` header on every A2A call
- **A revocation path** — immediate, per-agent, no downtime for other agents
The `workspace_auth_tokens` table tracks:
| Field | Purpose |
|---|---|
| `token_hash` | SHA-256 of the plaintext. The platform never stores the actual secret. |
| `prefix` | First 8 characters for display and log attribution |
| `workspace_id` | Which agent this token belongs to |
| `created_by` | Provenance: admin-token, session, or org-api-key |
| `last_used_at` | Audit trail: last time this token exercised an API call |
| `revoked_at` | Immediate revocation: the token stops working on the next request |
Two agents in different clouds both have bearer tokens. Both use those tokens to authenticate to the A2A proxy. The proxy validates both tokens before dispatching any message. Mutual auth, end-to-end.
## Where Remote Agents Fit in Your Organization
### CI/CD pipelines
Your CI agent — running in GitHub Actions, CircleCI, or any CI system — joins your org as a first-class workspace. It registers with a bearer token, pulls its secrets, runs your test suite, and reports results to the PM agent. The PM agent sees the CI agent's status on the canvas. When tests fail, the canvas shows you exactly which agent ran them, with full audit attribution.
### Multi-cloud fleets
An agent running in GCP and an agent running in AWS communicate through the platform's A2A proxy. Both are authenticated. Both appear on the same canvas. The GCP agent doesn't need to know the AWS agent's IP address — it just calls the proxy with the workspace ID, and the proxy routes the message.
### On-premise and air-gapped environments
Agents behind a company firewall — or in environments that can't expose a public endpoint — use a polling model. Instead of receiving WebSocket events, they poll `GET /workspaces/:id/state` for platform-initiated events (pause, resume, config changes). They still send A2A messages outbound. They still appear on the canvas.
### SaaS integrations and webhooks
A third-party SaaS service that exposes an A2A-compatible HTTP endpoint can register as an external workspace. It joins the org hierarchy, receives tasks from the PM agent, and returns results — without any Molecule AI infrastructure running on its end.
## What's Next for Remote Agents
Phase 30 shipped the foundation. The remaining work — plugin tarball download, state polling for behind-NAT agents, poll-based liveness monitoring, and sibling URL caching — completes the remote onboarding story over the next phases.
Direct agent-to-agent mesh across NATs (without routing through the platform proxy) is a future phase. For most use cases, the proxy path is already fast enough and doesn't require any infrastructure changes.
## Get Started
Per-workspace bearer tokens and unified canvas fleet visibility are available now on all Molecule AI deployments.
- [External Agent Registration Guide](/docs/guides/external-agent-registration) — full step-by-step with Python and Node.js examples
- [Token Management API](/docs/guides/org-api-keys) — mint, list, and revoke per-workspace tokens
- [Architecture Overview](/docs/architecture/overview) — auth model and network topology for remote agents
Your heterogeneous fleet is waiting. It all fits on one canvas now.
*Phase 30 shipped in PRs #1075#1083 and #1085#1100 on `molecule-core`.*

120
docs/blog/2026-04-20-secure-by-design/index.md Normal file
View File

@ -0,0 +1,120 @@
---
title: "Secure by Design — Molecule AI's Beta Auth Hardening Push"
date: 2026-04-20
slug: beta-auth-hardening
description: "Today's launch hardens Molecule AI's multi-tenant architecture across four dimensions: org-scoped API keys, browser session auth, tenant provisioning security, and a waitlist gate. Here's what changed and why."
tags: [security, platform, multi-tenant, auth, launch]
---
# Secure by Design — Molecule AI's Beta Auth Hardening Push
Four PR chains merged today. Together they close a week's worth of security gaps, eliminate shared secret sprawl, and put Molecule AI's beta on a production-grade auth footing. This post explains each piece and what it means for you.
---
## 1. Org-scoped API keys — full admin access without a browser
The biggest user-facing change: every Molecule AI org can now mint named, revocable bearer tokens from the Canvas Settings panel. No more copying the bootstrap `ADMIN_TOKEN` into scripts, CI pipelines, or Zapier integrations.
**What you get:**
- One key per integration — `zapier-integration`, `github-actions-deploy`, `my-claude-agent`
- Revocation is immediate: `DELETE /org/tokens/:id` returns 401 on the next request
- Every action is audited: server logs, DB `created_by`, and activity log entries carry the 8-character key prefix (`org-token:<prefix>`)
- Org keys reach every workspace in your org, including workspace sub-routes: `/workspaces`, `/workspaces/:id/channels`, `/workspaces/:id/audit`
- 10 mints per hour per IP rate limit on `POST /org/tokens` — a compromised key can't mint a flood
**The visual proof point:** Unlike CrewAI and Hermes (user-prefixed keys), a Molecule org key shows `org:abc123XY` in the admin UI — the org prefix is visible in server logs, every audit row, and the token list. Trivial correlation, full auditability.
→ [User guide: Organization API Keys](/docs/guides/org-api-keys.md)
→ [Architecture: Org API Keys](/docs/architecture/org-api-keys.md)
→ PRs: [#1105](https://github.com/Molecule-AI/molecule-core/pull/1105), [#1107](https://github.com/Molecule-AI/molecule-core/pull/1107), [#1109](https://github.com/Molecule-AI/molecule-core/pull/1109), [#1110](https://github.com/Molecule-AI/molecule-core/pull/1110)
---
## 2. Browser session auth — Canvas admins don't need bearer tokens
Canvas runs in the browser and authenticates users via a WorkOS session cookie (scoped to `.moleculesai.app`). It had no bearer token — which meant the platform couldn't recognize Canvas admin sessions as equivalent to an `ADMIN_TOKEN` bearer.
AdminAuth now accepts a session-verification tier that runs **before** the bearer check:
1. Canvas browser sends the WorkOS session cookie to any admin-routed endpoint
2. The tenant platform calls `GET /cp/auth/tenant-member?slug=<your-tenant>` upstream with the same cookie
3. 200 + `member: true` → grant admin access; non-200 or no cookie → fall through to bearer path
**The security constraint that makes this safe:** the verification call includes the tenant slug and checks that the session belongs to a *member of this specific tenant*, not just "someone logged in to moleculesai.app." A session scoped to a different tenant's org fails the check.
**Caching:** positive results cached 30 seconds (keyed `sha256(slug + cookie)`); negative results cached 5 seconds. Revocations propagate within that window. No thundering herd on CP when a burst of Canvas admin pages render.
**Self-hosted / local dev:** `CP_UPSTREAM_URL` is unset → this feature is disabled, behaviour is unchanged.
→ [Guide: Same-Origin Canvas Fetches & Session Auth](/docs/guides/same-origin-canvas-fetches.md)
→ PRs: [#1099](https://github.com/Molecule-AI/molecule-core/pull/1099), [#1100](https://github.com/Molecule-AI/molecule-core/pull/1100)
---
## 3. Tenant provisioning security — structural fixes, not policy patches
The tenant provisioning work closed several credential and isolation gaps that existed in the multi-tenant bootstrap path:
**Secrets manager:** `PutSecret` now creates the secret before any update, fixing a race where a failed intermediate step left a partial credential state.
**IAM policy gaps:** The control plane's IAM role needed `secretsmanager:*`, `iam:PassRole`, and `ec2:GetConsoleOutput` to complete workspace boot cleanly. These are now present.
**Boot observability:** A new boot-event phone-home channel lets operators observe tenant startup from inside the platform rather than inferring state from external probes.
**Cross-tenant isolation:** Two gaps closed:
- `TenantGuard` now pass-through correctly for `/cp/*` proxy routes — a tenant can't forge requests on behalf of another tenant through the CP proxy.
- `X-Molecule-Org-Id` header validation hardened so cross-tenant reads are structurally blocked before they reach any handler.
→ Architecture docs in the control plane repo
---
## 4. Same-origin canvas fetches — /cp/* proxy removes cross-origin complexity
Canvas's browser bundle needs to call both the tenant platform (for workspace management) and the control plane (for org operations, billing, session verification). Before today, that meant two separate base URLs in the browser build, CORS preflights on CP calls, and cookie domain complications.
The fix: the tenant platform now runs a `/cp/*` reverse proxy. Canvas makes all calls to its single `NEXT_PUBLIC_PLATFORM_URL` (the tenant). The tenant splits the traffic server-side:
```
Browser → tenant.moleculesai.app
├── /workspaces, /approvals/pending → handled locally
└── /cp/* → reverse-proxied upstream to CP
```
The proxy is **fail-closed**: only an explicit allowlist of paths (`/cp/auth/`, `/cp/orgs`, `/cp/billing/`, `/cp/templates`, `/cp/legal/`) is forwarded. Any other `/cp/*` path returns 404 — not 403 — to avoid leaking which CP routes exist.
This is also the structural fix for the lateral-movement risk that session auth introduced: without the allowlist, a tenant-authed browser user could have proxied `/cp/admin/*` requests upstream and exploited the fact that those endpoints accept WorkOS session cookies. The allowlist makes that impossible by construction.
→ [Guide: Same-Origin Canvas Fetches & Session Auth](/docs/guides/same-origin-canvas-fetches.md)
→ PR: [#1095](https://github.com/Molecule-AI/molecule-core/pull/1095)
---
## 5. Beta gate + waitlist — controlled rollout for the waitlist cohort
Canvas now gates unauthenticated visitors on the `/cp/auth/tenant-member` route — a request that verifies the user is a member of an approved org before any workspace data is served. Non-members hit a waitlist contact form instead.
The waitlist itself is a Canvas-administered list with email hashing in audit logs (compliant with EU AI Act record-keeping requirements). Admins triage signups from an internal UI.
This is the operational surface that makes the above security work matter: the beta is invitation-only, credentials are scoped, and every admin action is auditable.
→ Control plane PRs [#145](https://github.com/Molecule-AI/molecule-controlplane/pull/145), [#148](https://github.com/Molecule-AI/molecule-controlplane/pull/148), [#150](https://github.com/Molecule-AI/molecule-controlplane/pull/150)
---
## What this means in practice
If you're already using Molecule AI as a self-hosted deployment, nothing changes today — the auth tier improvements are SaaS-only until you opt into multi-tenant mode.
If you're on the beta waitlist, you'll receive an invite. Once onboarded, your Canvas session is your admin credential. Mint org API keys for your scripts and integrations. Revoke them if anything looks wrong.
If you're evaluating Molecule AI: this launch marks the point where the platform's security posture is intentional and documented, not accumulated accident. Org keys, session auth, and tenant isolation are all covered in the architecture docs — not just the marketing claims.
→ [Quickstart](/docs/quickstart)
→ [Architecture overview](/docs/architecture/architecture)
→ [Platform API reference](/docs/api-reference)
---
*PRs #1075#1083, #1085#1100 (monorepo), #145#150, #153#169, #172#173 (controlplane), #12 (molecule-app). Production rollout on 2026-04-20.*

29
docs/guides/quickstart-audio.md Normal file
View File

@ -0,0 +1,29 @@
---
title: "Molecule AI Quick Start — Audio Guide"
description: "Audio walkthrough of the Molecule AI quick start — from platform setup to your first agent on the canvas."
tags: [onboarding, quickstart, audio]
---
## TTS Script
*Target: 6575 seconds, en-US-AriaNeural*
---
Getting started with Molecule AI takes about five minutes.
First, clone the repo and run the setup script. It boots Postgres, Redis, Langfuse, and Temporal — everything the platform needs to run.
Then start the workspace server on port 8080, and the canvas UI on port 3000. Open your browser to localhost 3000.
You land on the canvas — an empty org. The first thing to do is deploy a template. Pick LangGraph, Claude Code, CrewAI — or start blank. The template provisions a workspace and puts it on the canvas.
Open the chat tab. Send the agent a task. Watch it work.
Now the part that matters: the org structure. Workspaces nest. A PM workspace can have researcher, QA, and data-pipeline workspaces as children. The PM dispatches tasks; the children report back. That's A2A — the agent-to-agent protocol that makes multi-agent orchestration work.
When you're ready to expand: hit expand, pick a template, the platform provisions the workspace, it registers and appears on the canvas. You govern from one place.
That's Molecule AI. One canvas. One org chart. One audit trail. Agents that run anywhere.
Find the full docs at moleculesai dot A I.

124
docs/guides/remote-workspaces-faq.md Normal file
View File

@ -0,0 +1,124 @@
# Phase 30 Remote Workspaces — Customer FAQ
> **Cycle:** Marketing work cycle — offline content prep
> **Status:** Draft — needs review from Marketing Lead and Doc Specialist before publishing
Top customer and sales-engineer questions about Phase 30 Remote Workspaces, answered in a format ready to drop into the docs site or adapt for the support team.
---
## Product & Architecture
**Q: What's the difference between a "container" workspace and a "remote" workspace?**
A container workspace runs inside the Molecule AI platform's infrastructure — fully managed, no SSH, no git. A remote workspace runs on your own machine or VM, connected to the platform via a lightweight agent. You control the environment (OS, packages, git config, SSH keys); the platform handles orchestration, authentication, and agent coordination.
**Q: Do remote workspaces still appear in the Canvas UI?**
Yes. Remote workspaces register with the platform on startup and appear in Canvas exactly like managed workspaces — online/offline status, workspace name, current task. The platform doesn't care where the agent runs, only that it's reachable.
**Q: Can I run both container and remote workspaces in the same org?**
Yes — in fact that's the primary pattern. A fleet might have 5 container workspaces for ephemeral tasks and 2 remote workspaces for long-running agents with persistent state. All of them show up in Canvas and can coordinate via A2A.
**Q: What does the remote runtime actually install on my machine?**
The agent binary (~30MB) plus a minimal bootstrap script. No root required. The agent connects to `wss://[your-org].moleculesai.app`, authenticates with your org token, and registers its A2A endpoint. That's it — no VPN, no firewall holes beyond outbound HTTPS.
---
## Security & Access Control
**Q: How does the platform authenticate a remote workspace?**
Remote workspaces authenticate with an org-scoped bearer token (not a personal token). The platform validates the token against the tenant and provisions a session-scoped credential for A2A communication. If the remote machine is revoked from the org, the token is invalidated and the workspace goes offline within one heartbeat cycle (~15s).
**Q: Can a remote workspace make outbound connections my firewall would block?**
The agent only makes outbound HTTPS/WSS connections to the platform. It does not accept inbound connections. Your firewall only needs to allow `*.moleculesai.app` outbound — same as a browser.
**Q: What happens to data if the remote workspace is disconnected or the machine is wiped?**
Workspace state lives in the platform unless explicitly persisted. For remote workspaces, you can attach a Cloudflare Artifacts repo to snapshot state to disk on your own infrastructure. If the agent reconnects, it re-registers and Canvas picks up where it left off.
**Q: Are remote workspaces covered by the same MCP governance controls as container workspaces?**
Yes. MCP plugin allowlists, org API key auditing, and workspace-level audit logs all apply to remote workspaces identically. The remote runtime is a transport layer — the platform's security model sits above it.
---
## Onboarding & Operations
**Q: How do I get started with a remote workspace?**
1. Install the agent: `curl -sSL https://get.moleculesai.app | bash`
2. Authenticate: `molecule login --org your-org`
3. Bootstrap: `molecule workspace init --name my-agent --runtime remote`
4. The workspace registers with the platform and appears in Canvas within ~10 seconds.
**Q: Can I use my existing SSH keys and git config with a remote workspace?**
Yes. The remote runtime does not virtualize or override your shell environment. SSH keys, git config, dotfiles — all persist across sessions and are available to the agent.
**Q: How do I update the remote agent when a new version ships?**
`molecule update` — pulls the latest agent binary from the platform, does a rolling restart. Zero downtime if the agent reconnects within the heartbeat window.
**Q: What's the latency like for A2A coordination between a remote workspace and a container workspace?**
A2A messages route through the platform's relay, so latency is essentially internet RTT between the remote machine and the platform's edge (~2080ms depending on geography). For comparison, container workspaces on-platform have <5ms RTT. The practical difference for most coordination patterns is imperceptible.
**Q: Can I run a remote workspace on a machine that's behind NAT with no public IP?**
Yes. The agent initiates the outbound WebSocket connection to the platform — no inbound ports needed. This is the primary design reason remote workspaces use WSS rather than HTTP.
---
## Pricing & Limits
**Q: Do remote workspaces count toward my workspace limit?**
Yes. The workspace count limit is platform-wide regardless of runtime type. Remote workspaces are still platform workspaces — they just run externally. If you're at your limit, you can archive old workspaces or request an increase.
**Q: Is there a different price for remote vs. container workspaces?**
At launch, remote workspaces are priced identically to container workspaces. Future tiers may differentiate based on egress or storage, but that's not in the current release.
**Q: What's the maximum concurrent task throughput for a single remote workspace?**
Same as a container workspace — up to 5 concurrent delegated tasks. Remote runtime adds no throughput cap.
---
## Troubleshooting
**Q: Remote workspace shows offline in Canvas but the process is running on my machine.**
1. Check the agent log: `molecule logs --workspace my-agent`
2. Confirm the machine has outbound internet access: `curl -s https://wss://[your-org].moleculesai.app/health`
3. Check token validity: `molecule auth status` — re-authenticate if expired
4. Restart the agent: `molecule restart --workspace my-agent`
**Q: A2A messages to my remote workspace are timing out.**
Remote workspaces must maintain the outbound WebSocket connection. If the machine sleeps or loses connectivity, the connection drops and A2A messages queue for up to 5 minutes before failing. The agent will re-register on reconnect — Canvas will show it back online.
**Q: My remote workspace is online but can't reach internal APIs.**
The remote runtime does not inherit VPN credentials from the machine by default. If internal APIs require VPN, you'll need to either configure the VPN on the host machine outside the agent, or use the platform's `/cp/*` reverse proxy for same-origin access (same-origin-canvas-fetches.md).
---
## Competitive
**Q: How is this different from connecting to a cloud IDE like Cursor or Copilot?**
Cursor and Copilot are individual developer tools. Molecule AI is an agent orchestration platform. Remote workspaces are about running autonomous agents that coordinate with each other — not just one human and one AI pairing. The multi-agent coordination layer (A2A, Canvas, org-scoped auth) is what distinguishes the platform.
**Q: How does this compare to running agents on Modal or Railway?**
Modal and Railway are inference platforms — they run your code on their infrastructure. Molecule AI remote workspaces run on *your* infrastructure. You own the compute, the data stays on your machine, and the platform handles coordination. For regulated industries or workloads with data residency requirements, this is a different category entirely.
---
*Needs review from: Marketing Lead (voice + accuracy), Doc Specialist (technical accuracy), possibly Support for the troubleshooting section.*

147
docs/guides/remote-workspaces.md Normal file
View File

@ -0,0 +1,147 @@
# Remote Workspaces — Run Agents Anywhere, Govern From One Platform
> Phase 30: agents running outside the platform's Docker network can now join
> your Molecule AI org, appear on the canvas, receive A2A tasks from parent
> agents, and report status — all with the same auth, lifecycle, and
> observability as containerized workspaces.
**Phase 30 GA:** 2026-04-20 | PRs: #1075#1083, #1085#1100 (monorepo)
---
## What Problem This Solves
Most agent platforms assume all agents run in the same environment as the
control plane. Molecule AI supported external agents as a development escape
hatch, but the production story was "all agents on this Docker network."
Phase 30 changes that. Your org can now include agents running on:
- A developer's laptop across the internet
- A server in a different cloud region
- An on-premises machine behind a NAT
- A third-party SaaS bot with an HTTP endpoint
From the canvas and from other agents, they're indistinguishable from
containerized workspaces. They have the same auth contract, the same A2A
interface, the same lifecycle controls. Where they run is a deployment
detail — not an architectural constraint.
---
## Prerequisites
| Requirement | Details |
|---|---|
| **Platform** | Molecule AI platform running v0.30+ (`go run ./cmd/server` from `workspace-server/` or the current `main` image) |
| **Admin access** | An `ADMIN_TOKEN`, org API key, or session cookie with permission to create workspaces |
| **Python ≥ 3.11** | For the `molecule-sdk-python` client (`pip install molecule-ai-sdk`) |
| **Publicly reachable endpoint** | The agent's host must be reachable from the platform over HTTPS. If behind NAT, use [ngrok](https://ngrok.com) or [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/). |
| **Network** | Outbound HTTPS from the agent to the platform; inbound HTTPS from the platform to the agent's A2A endpoint |
### SDK Installation
```bash
pip install molecule-ai-sdk
```
Or from the repo checkout:
```bash
pip install -e sdk/python/
```
The SDK includes `RemoteAgentClient` — a dependency-light Python client (only `requests`) that wraps all Phase 30 endpoints.
---
## Architecture at a Glance
```
Laptop (remote agent) Molecule AI Platform
│ │
│ POST /workspaces │
│ POST /registry/register ────────────► │ ← admin token (one-time)
│ ←─ auth_token (256-bit) ◄────────── │ ← shown once, saved to disk
│ │
│ GET /workspaces/:id/secrets/values │ ← bearer: auth_token
│ POST /registry/heartbeat (30s loop) │
│ GET /workspaces/:id/state (30s loop)│
│ │
│ ◄── A2A task dispatch ────────────── │ ← platform → laptop (HTTPS)
│ ──► A2A response ──────────────────► │ ← laptop → platform
│ │
Canvas (any browser) ◄── WebSocket ─────► Platform
│ fanout
└─── sees: researcher [ONLINE] [REMOTE] badge
```
**Key properties:**
- The agent **pulls** its secrets at boot (not baked into the container at provision time)
- Liveness is maintained by **heartbeat + state polling** (no WebSocket required from the agent side)
- The platform **proxies A2A calls** to the agent's registered URL — no inbound firewall rules on the platform
- The auth token is **workspace-scoped**: a leaked token can't impersonate another workspace
---
## Quick Start
```bash
# 1. Create the workspace (admin side)
WORKSPACE=$(curl -s -X POST https://acme.moleculesai.app/workspaces \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"researcher","runtime":"external","tier":2}')
WORKSPACE_ID=$(echo $WORKSPACE | jq -r '.id')
# 2. Run the agent (any machine that can reach the platform)
pip install molecule-ai-sdk
python3 - <<'EOF'
from molecule_agent import RemoteAgentClient
import os, logging
client = RemoteAgentClient(
workspace_id = os.environ["WORKSPACE_ID"],
platform_url = os.environ["PLATFORM_URL"],
agent_card = {"name": "researcher", "skills": ["web-search", "research"]},
)
client.register() # Phase 30.1 — get + cache token
secrets = client.pull_secrets() # Phase 30.2 — decrypt API keys
print("Secrets:", list(secrets.keys()))
# Keep alive + respond to platform commands
client.run_heartbeat_loop(
task_supplier = lambda: {
"current_task": "idle",
"active_tasks": 0,
}
)
EOF
```
The agent appears on the canvas with a **purple REMOTE badge** within seconds. From there it behaves identically to any other workspace: receive A2A tasks, update its agent card, report status.
---
## What Phase 30 Covers
| Phase | What shipped | Endpoint |
|---|---|---|
| 30.1 | Workspace auth tokens | `POST /registry/register`, `POST /registry/heartbeat` |
| 30.2 | Token-gated secrets pull | `GET /workspaces/:id/secrets/values` |
| 30.3 | Plugin tarball download (remote install) | `GET /plugins/:name/download` |
| 30.4 | Workspace state polling (no WebSocket needed) | `GET /workspaces/:id/state` |
| 30.5 | A2A proxy enforces caller token | `POST /workspaces/:id/a2a` |
| 30.6 | Sibling discovery + URL caching | `GET /registry/:id/peers` |
| 30.7 | Poll-liveness for external runtime | Redis TTL (90s timeout) |
| 30.8 | Remote-agent SDK + docs | `molecule-sdk-python` |
---
## Next Steps
- **[External Agent Registration Guide →](/docs/guides/external-agent-registration)** — full endpoint reference, Python + Node.js examples, troubleshooting
- **[molecule-sdk-python →](https://github.com/Molecule-AI/molecule-sdk-python)** — SDK source, `RemoteAgentClient` API docs
- **[SDK Examples →](https://github.com/Molecule-AI/molecule-sdk-python/tree/main/examples/remote-agent)** — `run.py` demo script, annotated walkthrough

149
docs/guides/same-origin-canvas-fetches.md Normal file
View File

@ -0,0 +1,149 @@
# Same-Origin Canvas Fetches — the /cp/* Reverse Proxy
> How Molecule AI's SaaS Canvas makes browser API calls to two backends
> through one origin — and why the `/cp/*` proxy makes multi-tenant
> deployment simpler and safer.
**PRs:** #1095 (`feat/tenant-cp-proxy-same-origin`) | **Status:** ✅ Merged
---
## The problem: two backends, one browser origin
Canvas (Molecule AI's browser UI) makes API calls to two distinct services:
| Service | What it does | Example endpoints |
|---|---|---|
| **Tenant platform** | Your Molecule workspace management | `/workspaces`, `/approvals/pending` |
| **Control Plane (CP)** | Org-level operations, billing, auth verification | `/cp/auth/me`, `/cp/orgs`, `/cp/billing/checkout` |
Before this change, Canvas had to call both services directly from the browser. That meant:
- Two separate base URLs in the browser bundle (`NEXT_PUBLIC_PLATFORM_URL` for tenant, another for CP)
- CORS preflight complexity — cross-origin calls need explicit `Access-Control-Allow-*` headers on the CP
- Cookie domain issues — WorkOS session cookies scoped to `.moleculesai.app` aren't sent to a custom tenant domain
The result was a fragile configuration that complicated tenant provisioning.
## The fix: server-side split, same-origin fetches
The tenant platform now runs a `/cp/*` reverse proxy. Canvas makes **all** calls to its single `NEXT_PUBLIC_PLATFORM_URL` (the tenant). The tenant splits the traffic:
```
Browser → tenant.moleculesai.app
├── /workspaces, /approvals/pending, /channels/* → handled locally
└── /cp/* → reverse-proxied upstream to CP
```
The browser never knows there are two backends. No CORS, no cookie domain mismatches, no extra env vars for Canvas to configure.
---
## Architecture at a glance
```
Browser (Canvas)
│ GET /cp/auth/me (or any /cp/* path)
Tenant Platform (:8080)
│ Reverse proxy: forward Cookie + Authorization headers
Control Plane (api.moleculesai.app)
│ WorkOS session cookie → verify membership
Response flows back through tenant → browser
```
The proxy:
- **Does NOT strip** `Cookie` or `Authorization` headers — they carry the WorkOS session cookie needed by the CP
- **Does rewrite** the `Host` header so CP middleware (CORS checks, cookie-domain logic) sees the CP origin, not the tenant
- **Does NOT strip** `X-Forwarded-For` — upstream uses it for audit and rate limiting
---
## Security: fail-closed allowlist
The proxy does **not** forward arbitrary `/cp/*` paths. An explicit allowlist gates every upstream route **before** cookies leave the tenant:
| Allowed prefix | What Canvas uses it for |
|---|---|
| `/cp/auth/` | Session verification: `GET /cp/auth/me`, `GET /cp/auth/tenant-member` |
| `/cp/orgs` | Org listing, provision status, export |
| `/cp/billing/` | Checkout and billing portal |
| `/cp/templates` | Template registry reads |
| `/cp/legal/` | Terms of service document (served from CP) |
**Every other `/cp/*` path returns 404**, not 403. The 404 prevents leaking which CP routes exist to an attacker probing the proxy.
### Why an allowlist instead of a denylist
`/cp/admin/*` endpoints accept WorkOS session cookies as a valid auth tier. A tenant-authed browser user could craft a request to `/cp/admin/tenants/other-slug/diagnostics` — without the allowlist, the tenant would happily forward their cookie upstream. The CP would see a legitimate admin session and honor the request, turning any tenant into a lateral-movement hop. The allowlist is the structural fix.
---
## Configuration
**For SaaS tenants:** No configuration needed. The control plane provisioner sets `CP_UPSTREAM_URL` automatically at tenant launch.
```bash
# What the provisioner sets:
CP_UPSTREAM_URL=https://api.moleculesai.app
```
**For self-hosted / local dev:** `CP_UPSTREAM_URL` is unset. The `/cp/*` proxy is never mounted. Canvas connects directly to the local platform — behaviour is unchanged.
**For operators investigating:** If Canvas admin pages (billing, org switcher) return 502, check that `CP_UPSTREAM_URL` is reachable from the tenant platform's network.
---
## What changed in the browser bundle
Canvas's Next.js build sets one base URL:
```typescript
// NEXT_PUBLIC_PLATFORM_URL = https://<tenant-slug>.moleculesai.app
const res = await fetch(`${process.env.NEXT_PUBLIC_PLATFORM_URL}/cp/auth/me`, {
credentials: 'include', // send WorkOS session cookie
});
```
Previously Canvas needed two separate env vars and conditional logic to choose the right base URL for each call. That conditional logic is gone — one URL, server-side routing.
---
## AdminAuth + WorkOS session verification
The `/cp/*` proxy enables a related improvement: **browser-based admin authentication**.
Canvas runs in the browser and authenticates users via a WorkOS session cookie (scoped to `.moleculesai.app`). It has no bearer token — the `ADMIN_TOKEN` scheme is for CLI and server-to-server callers, not browser users.
AdminAuth now accepts a session-verification tier that runs **before** the bearer check:
1. If a `Cookie` header is present **and** `CP_UPSTREAM_URL` is configured → the tenant platform calls `GET /cp/auth/tenant-member?slug=<tenant-slug>` upstream with the same cookie. 200 + `member: true` → grant admin access.
2. If the upstream says no, or no cookie is present → fall through to the existing bearer-token path.
Positive verifications are cached **30 seconds** (keyed by `sha256(slug + cookie)`), so a burst of Canvas admin-page renders doesn't hammer the CP. Negative results (invalid session) are cached **5 seconds** to absorb retry bursts without fan-out. Logout and role changes propagate within that window.
For **self-hosted** and **local dev** deployments, `CP_UPSTREAM_URL` is unset → this feature is disabled, behaviour is unchanged.
---
## Code references
| File | What it does |
|---|---|
| `workspace-server/internal/router/cp_proxy.go` | `/cp/*` reverse proxy + allowlist |
| `workspace-server/internal/middleware/session_auth.go` | WorkOS session verification + 30s cache |
| `workspace-server/internal/router/router.go` | Mounts proxy when `CP_UPSTREAM_URL` set |
| `canvas/src/middleware.ts` | Simplified Canvas fetch base — one URL |
---
## What this means for you
- **SaaS tenants**: Canvas Just Works after provisioning. No extra env vars for browser API calls.
- **Self-hosted operators**: No change — your Canvas talks to your local platform as before.
- **Platform contributors**: If a new Canvas UI fetch needs a `/cp/*` path, add it to `cpProxyAllowedPrefixes` in `cp_proxy.go`. The allowlist means you must opt in — no accidental exposure.

108
marketing/assets/phase30-fleet-diagram-notes.txt Normal file
View File

@ -0,0 +1,108 @@
DESIGN NOTES — phase30-fleet-diagram.png
=========================================
Generated by: /workspace/gen_fleet_diagram.py (matplotlib / Python)
Output size: 128,967 bytes · nominal 1800×1050 px at 150 dpi
────────────────────────────────────────────────────────────────────────────
COLOUR PALETTE
────────────────────────────────────────────────────────────────────────────
Background / Canvas
#0A0E1A Deep navy Background (facecolor on save)
Panel interiors
#111827 Dark steel Agent boxes, Platform box interior fill
Panel borders / accents
#1F2A40 Muted slate PANEL_EDGE (reserved, not rendered)
Brand colours used
#4A90D9 Molecule Blue Platform box border, A2A Proxy sections,
connector line: platform → canvas
#8B5CF6 Purple REMOTE Agent Fleet boxes (border, header tint,
dashed outer ring, fan-in connector lines)
#22C55E Green Online/active status dots (×5 per agent),
"Canvas" box border, canvas live dot,
"One canvas / All agents" text
#F59E0B Amber/Orange "WebSocket Fanout" label inside platform box
Supporting neutrals
#94A3B8 Steel gray Body text, sub-labels (endpoint paths,
Secrets Management, State Polling, etc.)
#F1F5F9 Near white Title text, "Molecule AI Platform" header,
box title labels
#60A5FA Light blue Section headers inside platform (A2A Proxy,
Registry + Heartbeat) — lighter tint of
Molecule Blue for sub-panel hierarchy
────────────────────────────────────────────────────────────────────────────
TYPOGRAPHY
────────────────────────────────────────────────────────────────────────────
Font family : DejaVu Sans (matplotlib default, no custom .ttf loaded)
Title : 13 pt bold #F1F5F9
Subtitle : 7 pt #94A3B8
Box titles : 9 pt bold #F1F5F9
Section heads: 7.5 pt bold #60A5FA (inside platform box)
Body labels : 5.55.8 pt #94A3B8
Agent names : 6.5 pt bold #F1F5F9
FW pill : 6.0 pt bold #F1F5F9 (on purple background)
Legend items : 6.5 pt #94A3B8
Version tag : 5.5 pt #94A3B8 (60% alpha)
────────────────────────────────────────────────────────────────────────────
VISUAL ELEMENTS
────────────────────────────────────────────────────────────────────────────
Agent icon labels (top-left of each agent box)
EC2 — AWS EC2
Mac — Laptop/Mac
Srv — On-Prem
Framework pills (centre of each agent box, purple background)
[ LangGraph ] [Claude Code] [ CrewAI ]
Status dots — 5 green dots per agent box, radius 0.075 figure-units,
spaced 0.26 apart, centred horizontally in each box.
Dashed outer rings — thin (0.9 pt) dashed border surrounds each box
category with its brand colour at ~4550% alpha.
Connector lines — solid, 1.2 pt purple for fan-in from agents to platform;
1.4 pt blue for platform-to-canvas drop. Arrowhead at destination end.
────────────────────────────────────────────────────────────────────────────
REFINEMENT CHECKLIST (design team)
────────────────────────────────────────────────────────────────────────────
□ Swap "EC2 / Mac / Srv" labels for proper cloud-platform icons
(AWS logo, macOS logo, server rack icon) via a bundled .ttf or
matplotlib.matplotlib_fname() + FontManager trick to register a
custom icon font such as Font Awesome 6 Free.
□ Align connector lines to converge at a single "junction point" above
the platform box rather than three separate lines fanning from
identical y-coordinates — more closely mirrors the ASCII diagram.
□ Add a faint grid or dot-grid background texture to the figure canvas
to reinforce the tech/diagram aesthetic.
□ Consider a subtle horizontal divider inside each agent box between
the header band and the framework pill / dots area.
□ Source the Molecule AI wordmark / logo SVG and embed it in the
platform title bar (requires converting SVG → matplotlib transforms
or rasterising to a numpy array via Pillow).
□ Export at 300 dpi for print-ready assets; current 150 dpi is
optimised for screen/web display.
□ Validate colour contrast ratios (WCAG AA) for body text on dark bg —
#94A3B8 on #0A0E1A should be re-checked; may need to shift body
text to #B0BEC5 or lighter for legibility.
────────────────────────────────────────────────────────────────────────────
REPRODUCIBILITY
────────────────────────────────────────────────────────────────────────────
matplotlib >= 3.5
numpy (bundled with matplotlib)
Python >= 3.8
Pillow (not required for this script — pure matplotlib rendering)
Run: python /workspace/gen_fleet_diagram.py
Output: /workspace/marketing/assets/phase30-fleet-diagram.png

BIN
marketing/assets/phase30-fleet-diagram.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 126 KiB

BIN
marketing/audio/chrome-devtools-mcp-summary.mp3
View File

Binary file not shown.

BIN
marketing/audio/phase30-announce.mp3 Normal file
View File

Binary file not shown.

13
marketing/audio/phase30-script.txt Normal file
View File

@ -0,0 +1,13 @@
Molecule AI ships Phase 30 today — Remote Workspaces is generally available.
Starting now, any agent can run anywhere: your laptop, a different cloud, an edge device, a third-party endpoint. It registers with your Molecule org, appears on the canvas with a remote badge, receives tasks from parent agents, and reports status — just like an agent running in Docker.
The auth contract is the same. The A2A protocol is the same. The canvas experience is the same. The only difference is where the agent's process lives.
Here's what Phase 30 delivers. Workspace auth tokens so every remote agent has a cryptographic identity. A secrets pull endpoint so API keys are managed centrally, not baked into container images. A state polling interface so agents can stay alive without a WebSocket connection. And an SDK — Python, dependency-light, just requests — that wraps all of it.
To onboard a remote agent: create a workspace with runtime external, point it at your platform URL, and run the SDK. Within seconds it shows up on the canvas, purple badge and all.
Phase 30 turns Molecule AI from a self-hosted tool into an enterprise agent fleet platform. Agents run anywhere. Governance stays in one place.
Learn more at moleculesai dot A I, and check the docs for the quick start guide.

7
marketing/audio/phase30-video-vo-mandarin-script.txt Normal file
View File

@ -0,0 +1,7 @@
Phase 30 正式发布 — Molecule AI 远程工作区现已全面可用。
笔记本、云服务器、本地机房 — 都可以是 Molecule AI 的运行时。代理注册到组织,在画布上显示远程徽章,接收任务并上报状态。相同的 A2A 协议,相同的身份认证。
接入只需三步:将工作区运行时设为 external指向平台地址运行 SDK。几秒内出现在画布上紫色徽章一切就绪。
代理运行在任何地方,治理收于一处。

BIN
marketing/audio/phase30-video-vo-mandarin.mp3 Normal file
View File

Binary file not shown.

7
marketing/audio/phase30-video-vo-script.txt Normal file
View File

@ -0,0 +1,7 @@
Phase 30 is live — Molecule AI Remote Workspaces is generally available.
Your laptop, a cloud instance, an on-premises server — any of these is now a valid Molecule AI runtime. An agent running anywhere registers with your org, appears on the canvas with a remote badge, receives tasks from parent agents, and reports status. Same A2A protocol. Same auth contract. Same canvas.
To onboard a remote agent: create a workspace with runtime external, point it at your platform URL, and run the SDK. Within seconds, it shows up on the canvas — purple badge and all.
Agents run anywhere. Governance stays in one place.

BIN
marketing/audio/phase30-video-vo.mp3
View File

Binary file not shown.

BIN
marketing/audio/quickstart-audio.mp3 Normal file
View File

Binary file not shown.

102
marketing/community/community-announcements.md Normal file
View File

@ -0,0 +1,102 @@
# Phase 30 Launch — Community Announcements
> **For:** DevRel / Community Manager | **Status:** Draft
> **Channels:** Discord, Slack (public channels), relevant forums
---
## Discord — #announcements
**Subject:** Phase 30 is GA — Remote Workspaces are live
```
Phase 30 is generally available as of today.
Remote Workspaces let you run Molecule AI agents on any machine — your laptop, a cloud VM, an on-prem server — and they show up in Canvas like every other workspace. Same auth, same A2A protocol, same audit trail.
Quickstart → https://moleculesai.app/docs/guides/remote-workspaces
Two features that shipped with Phase 30 worth highlighting:
• AGENTS.md auto-generation — peer agents can read each other's manifest without system prompts (AAIF standard)
• Cloudflare Artifacts integration — workspace state can be versioned in a git repo, forked into new agents
Demo walkthroughs → https://moleculesai.app/docs/marketing/demos
Questions? Drop them here or in #support.
```
---
## Discord — #remote-workspaces (new or existing channel)
```
Heads up: Remote Workspaces are now GA in Phase 30.
If you've been waiting for a way to run agents locally (for debugging) or in your own cloud account, this is the release.
What changed:
• Agent runtime: remote (connects via WSS, no inbound ports needed)
• Auth: org-scoped bearer token — same as container workspaces
• Canvas: REMOTE badge shows the runtime type
• A2A: works across container/remote without code changes
Docs → https://moleculesai.app/docs/guides/remote-workspaces
FAQ → https://moleculesai.app/docs/guides/remote-workspaces-faq
Known issues → reply here or ping me.
```
---
## Slack — #general or #launch (public org Slack)
```
Phase 30 is live.
Remote Workspaces are now generally available. You can run Molecule AI agents on your own infrastructure — laptop, cloud VM, on-prem — and they'll register to your org and appear in Canvas.
Key detail for teams evaluating data residency: agent compute can stay on your infrastructure. The platform handles orchestration, auth, and coordination.
Docs: https://moleculesai.app/docs/guides/remote-workspaces
Quickstart: https://moleculesai.app/docs/guides/remote-workspaces#quick-start
Launch post: https://moleculesai.app/blog/remote-workspaces-ga
```
---
## Slack — #devrel / #community (ecosystem channels)
```
Phase 30 is GA.
Two things that shipped that the agent ecosystem community might care about:
1. AGENTS.md is now auto-generated at workspace boot — implements the AAIF / Linux Foundation standard. Peer agents can discover each other's identity and tools without reading system prompts. PR: molecule-core#763
2. Cloudflare Artifacts git integration — every workspace can have a git repo for versioned state snapshots. Fork the repo to bootstrap a new agent from any checkpoint. PR: molecule-core#641
Working demos with full API examples: https://moleculesai.app/docs/marketing/demos
If you're building agent coordination tooling, these two features should make your life easier.
```
---
## Reddit — r/MachineLearning / r/LocalLLaMA (if applicable)
**Post title:** Molecule AI Phase 30: Remote Workspaces are GA — agents that run on your own infrastructure
**Body (adapt from HN submission above)** — keep it technical, no marketing language, short.
---
## Notes
- Post Discord/Slack announcements the morning of launch day (09:00 UTC window)
- Reddit posts should go up after Discord/Slack (don't want to look like spam across channels simultaneously)
- Customize [CHANNEL-WELCOME-TONE] per channel — `#general` should be accessible, `#engineering` can be more technical
- All links assume docs site is live — confirm before posting
---
*Drafted by DevRel. Customize sender name and channel-specific opening lines before posting.*

108
marketing/community/hacker-news-launch.md Normal file
View File

@ -0,0 +1,108 @@
# Phase 30 Launch — Hacker News Submission Guide
> **For:** DevRel / whoever submits | **Status:** Draft — submit when ready
> **Trigger:** After blog post is live on docs site
---
## Why HN?
Hacker News has a large developer and technical audience that overlaps with Molecule AI's target users: platform engineers, indie developers building with AI, and technical evaluators. A well-crafted HN post can drive significant docs traffic and signups.
---
## What to Submit
**URL:** The Phase 30 launch blog post at `https://moleculesai.app/blog/remote-workspaces-ga`
**Title options:**
| Option | Title | When to use |
|---|---|---|
| A | Show HN — Phase 30: run AI agents on your laptop, your cloud, anywhere | Standard launch |
| B | Show HN — Molecule AI launches Remote Workspaces (GA) | If the "Show HN" prefix is too meta |
| C | Show HN — We built a fleet management layer for AI agents | Developer-heavy audience, less marketing |
**Recommended:** Option A — HN readers respond well to technical products with a clear "what it does" title.
---
## What to Write in the HN Post Body
The blog post is the destination. The HN post body is a 23 paragraph pitch that earns the click. Write it yourself — don't paste the full blog post.
**Template:**
```
We just shipped Phase 30 — Remote Workspaces is now GA.
Most AI agent platforms assume all agents run inside the platform's infrastructure. Phase 30 lets agents run anywhere: your laptop, a VM in your own cloud account, an on-prem server. They register to the same org, appear in the same Canvas, and communicate via the same A2A protocol.
The governance is the same. The auth contract is the same. The only visible difference is a REMOTE badge on the workspace card.
Quickstart is under 5 minutes:
pip install molecule-sdk
python3 run.py --runtime remote
Docs, demo, and quickstart guide in the link.
(I'm [NAME] from the Molecule AI team — AMA.)
```
**Key HN-specific rules:**
- Don't use "I" too many times — but the "(I'm ... AMA)" close is expected and encouraged
- Don't hard-sell or use marketing language — just describe the product
- Be specific about what it does ("A2A protocol", "workspace auth tokens") — that signals technical depth
- Keep it short — 23 paragraphs, not an essay
---
## When to Submit
**Timing matters:**
- Submit when HN traffic is high but not oversaturated
- **Best window:** TuesdayThursday, 10:0013:00 UTC (roughly when US East Coast is morning and Europe is mid-day)
- **Avoid:** Mondays (low traffic), Fridays (weekend readers don't upvote), major news events
- **Recommended day:** Wednesday of launch week, 11:00 UTC
---
## What Happens After Submitting
1. **Monitor for 24 hours** after submission — respond to comments, answer technical questions
2. **Don't be defensive** if criticism comes — acknowledge legitimate issues, don't argue
3. **Upvote your own post once** — this is normal and expected on HN
4. **If it hits the front page:** brace for volume — keep at least one team member monitoring
---
## Comment Templates for Common Questions
**"How is this different from Modal / Railway?"**
> Modal and Railway run your code on their infrastructure. Molecule AI Remote Workspaces run on yours — you own the compute, the data stays on your machine. We're an orchestration layer, not an inference platform.
**"How is this different from Cursor / Copilot?"**
> Cursor and Copilot are individual developer tools — one human, one AI. Molecule AI is an agent orchestration platform — multiple autonomous agents coordinating with each other. Remote Workspaces are about running *agents* that collaborate, not just one developer and one AI pairing.
**"Why would I want agents on my laptop?"**
> Local iteration + debugging with your IDE, while the agent still participates in your org's task pipeline. Also useful for data-residency requirements — agent compute on your infrastructure while orchestration stays on the platform.
**"Is this production-ready?"**
> Yes — Phase 30 is generally available. Remote Workspaces are in the same GA release as container workspaces.
---
## Alternate: "Ask HN"
If the team prefers an "Ask HN" format (more engagement, more questions):
**Title:** Ask HN — What would you build with a remote AI agent that runs on your own infrastructure?
**Body:** Short framing paragraph + question. This format tends to get high comment volume. Risk: less control over the narrative.
**Recommended format for launch:** Standard URL submission. More traffic, cleaner signal.
---
*Replace [NAME] with actual submitter name before posting.*

76
marketing/copy/phase30-landing-copy.md Normal file
View File

@ -0,0 +1,76 @@
# Phase 30 — Remote Workspaces: Landing Page Copy
> **Cycle:** Marketing work cycle — offline content prep
> **Status:** Draft for Marketing Lead review
> **Placement:** Primary CTA section and benefit blocks on the Phase 30 landing page
---
## Hero Section
**Headline:** Agents that run where you need them.
**Subheadline:** Remote Workspaces let your AI agents operate on any machine — your laptop, a data-center VM, a customer environment — while staying fully managed in Molecule AI Canvas.
---
## Primary CTA Block
**Button:** Start with Remote Workspaces →
**Microcopy below button:** No credit card. 5-minute setup. Runs on any machine with outbound HTTPS.
---
## Benefit Block 1 — "Your environment. Your agents."
**Headline:** Works where your data lives.
**Body:** Remote Workspaces run on-premises or in your own cloud account. No data leaves your infrastructure — the platform only coordinates the agent. Ideal for regulated environments, on-prem workloads, and data-locality requirements.
---
## Benefit Block 2 — "One Canvas. Every runtime."
**Headline:** Mixed fleets without compromise.
**Body:** Run container workspaces for ephemeral tasks and remote workspaces for persistent, environment-specific agents — all visible in the same Canvas. A2A coordination works across runtimes without code changes.
---
## Benefit Block 3 — "Enterprise controls, everywhere."
**Headline:** Same governance, any infrastructure.
**Body:** MCP plugin allowlists, org-scoped API keys, workspace audit logs, and session-tier access controls apply to remote workspaces identically. The remote runtime is a transport — not a separate security model.
---
## Social Proof / Trust Bar
*For [Company] and [Company], data residency isn't optional.*
*Remote Workspaces keep agent compute on your infrastructure — while Canvas keeps you in control.*
---
## Bottom CTA
**Headline:** Ready to expand your fleet?
**Body:** Remote Workspaces are in GA. Self-serve setup in minutes. Talk to us if you need a custom enterprise deployment.
**Button:** Talk to Sales | View the Docs
---
## X/LinkedIn Short-form Variant
**Option A (technical audience):**
> Your agents. Your infra. Remote Workspaces are GA — run AI agents on any machine while Canvas keeps them coordinated. MCP governance travels with the agent. → [docs link]
**Option B (buyer audience):**
> Phase 30 is live: Remote Workspaces let your AI agents run where your data lives — on-prem, in your cloud, anywhere. One Canvas. Mixed fleet. Enterprise controls. → [link]
---
*Needs Marketing Lead review for brand voice consistency and competitive callouts.*

65
marketing/demos/README.md Normal file
View File

@ -0,0 +1,65 @@
# Phase 30 Demos — DevRel Package
Demo specs for two Phase 30-adjacent features requiring working demonstrations.
---
## Demo 1: #1172 — AGENTS.md Auto-Generation
**Issue:** `Molecule-AI/internal#1172`
**PR:** `molecule-core#763`
**Feature:** `workspace/agents_md.py` — auto-generates `AGENTS.md` at boot using the AAIF standard
**Acceptance:** working demo + repo link + 1-min screencast
### Files
| File | Description |
|---|---|
| `marketing/demos/agents-md-auto-generation/README.md` | Full working demo, API calls, screencast outline, TTS narration |
| `marketing/demos/agents-md-auto-generation/narration.mp3` | 30s narration audio |
### Screencast (1 min)
1. Canvas: pm-agent + researcher online
2. Terminal: read PM's AGENTS.md via platform files API
3. AGENTS.md output shown: role, A2A endpoint, tools
4. Researcher sends A2A task to PM using discovered endpoint
5. Canvas shows both active — close on "agents that can read each other"
### Repo link
`workspace/agents_md.py` on `molecule-core` main
Direct: `workspace/agents_md.py`
---
## Demo 2: #1173 — Cloudflare Artifacts Integration
**Issue:** `Molecule-AI/internal#1173`
**PR:** `molecule-core#641`
**Feature:** `POST/GET /workspaces/:id/artifacts`, fork, token endpoints — "Git for agents"
**Acceptance:** workspace snapshot to/from CF Artifacts + 1-min screencast
### Files
| File | Description |
|---|---|
| `marketing/demos/cloudflare-artifacts/README.md` | Full working demo, API calls, screencast outline, TTS narration |
| `marketing/demos/cloudflare-artifacts/narration.mp3` | 30s narration audio |
### Screencast (1 min)
1. Canvas: workspace online
2. Terminal: `POST /workspaces/:id/artifacts` — repo created, remote URL returned
3. Mint git credential, `git clone` with authenticated URL
4. Write snapshot, `git push` — push succeeds
5. Fork call: `POST /workspaces/:id/artifacts/fork` — new repo created
6. Close on "versioned agent state, built into the platform"
### Repo link
`workspace-server/internal/handlers/artifacts.go` on `molecule-core` main
Direct: `workspace-server/internal/handlers/artifacts.go`
---
## Audio Assets
| File | Duration | Voice | Description |
|---|---|---|---|
| `agents-md-auto-generation/narration.mp3` | ~30s | en-US-AriaNeural | AGENTS.md auto-generation narration |
| `cloudflare-artifacts/narration.mp3` | ~30s | en-US-AriaNeural | Cloudflare Artifacts narration |

178
marketing/demos/agents-md-auto-generation/README.md Normal file
View File

@ -0,0 +1,178 @@
# AGENTS.md Auto-Generation — Working Demo
> **PR:** #763 — AGENTS.md auto-generation for Molecule AI workspaces
> **What it ships:** `workspace/agents_md.py` — generates `AGENTS.md` at boot
> **Acceptance criteria:** working demo + repo link + 1-min screencast
---
## What This Demo Shows
An AI agent (the "coordinator") reads another agent's `AGENTS.md` file to discover its identity, A2A endpoint, and toolset — without reading the full system prompt. This is the AAIF / Linux Foundation AGENTS.md standard in action.
**The flow:**
1. A PM workspace starts up — `agents_md.py` auto-generates `AGENTS.md`
2. A researcher workspace starts up — same process
3. The researcher reads the PM's `AGENTS.md` to understand what tools it has and how to reach it
4. The researcher dispatches a task to the PM via A2A using the discovered endpoint
---
## Prerequisites
- Molecule AI platform running (`go run ./cmd/server` from `workspace-server/`)
- Canvas open at `http://localhost:3000`
- Two workspaces: one running as PM role, one as researcher
- For the script demo: `python3` and `requests`
---
## Working Demo Script
### 1. Check the AGENTS.md file on a running workspace
On the PM workspace container:
```bash
# Inside the PM workspace container
cat /workspace/AGENTS.md
```
Expected output:
```markdown
# pm-agent
**Role:** Project Manager
## Description
PM agent — coordinates tasks, dispatches to reports, manages timeline.
## A2A Endpoint
http://pm-workspace:8000/a2a
## MCP Tools
- delegate_to_workspace
- check_delegation_status
- commit_memory
- recall_memory
```
The file was generated automatically at boot by `agents_md.py`. It reflects the workspace `config.yaml` in real time — any change to the role, description, or plugins is reflected on the next regeneration.
---
### 2. See the generation in the workspace logs
The workspace startup log includes:
```
INFO agents_md: Generated AGENTS.md at /workspace/AGENTS.md for workspace 'pm-agent'
```
This confirms `generate_agents_md()` ran as part of `main.py` startup.
---
### 3. See the regeneration on config change
If you edit `config.yaml` and call `generate_agents_md()` again:
```bash
# On the PM workspace
python3 -c "
from agents_md import generate_agents_md
generate_agents_md('/configs', '/workspace/AGENTS.md')
print('Regenerated')
"
cat /workspace/AGENTS.md
```
The file reflects the updated role or description immediately.
---
### 4. See a peer agent read the AGENTS.md (demo scenario)
This is the coordination moment — the scenario from issue #1172.
```python
# Researcher workspace: read PM's AGENTS.md via the platform files API
import requests, base64
PLATFORM_URL = "http://localhost:8080"
WORKSPACE_TOKEN = "researcher-workspace-token"
# Get the PM workspace ID (known from canvas or registry)
# For this demo: PM workspace ID = ws-pm-123
# Read PM's AGENTS.md via the platform's file API
resp = requests.get(
f"{PLATFORM_URL}/workspaces/ws-pm-123/files/AGENTS.md",
headers={"Authorization": f"Bearer {WORKSPACE_TOKEN}"},
)
print(resp.json()["content"])
```
Parses the PM's `AGENTS.md`:
```markdown
# pm-agent
**Role:** Project Manager
## Description
PM agent — coordinates tasks, dispatches to reports, manages timeline.
## A2A Endpoint
http://pm-workspace:8000/a2a
## MCP Tools
- delegate_to_workspace
- check_delegation_status
```
Now the researcher knows:
- PM's role is "Project Manager" → it dispatches, not executes
- PM's A2A endpoint → where to send coordination requests
- PM has `delegate_to_workspace` tool → it can cascade tasks to reports
The researcher then uses this to coordinate: sends a status report to the PM, knowing the PM will route it up or dispatch a follow-up task.
---
## Screencast Outline (1 min)
**0:000:10** Canvas shows two workspaces online — pm-agent and researcher. Researcher node shows current task: "idle".
**0:100:25** Terminal on researcher workspace: `curl` or Python script reads PM's `AGENTS.md` via the platform files API. Output shows the PM's role, A2A endpoint, and tools.
**0:250:40** Researcher sends an A2A task to the PM: "Status: data pipeline complete, ready for review." PM receives it in its canvas chat.
**0:400:55** PM's `AGENTS.md` is shown briefly in the researcher terminal — the researcher used it to understand PM's capabilities before sending the task.
**0:551:00** Canvas shows both workspaces active. Narration: *"AGENTS.md means every agent knows what its peers can do — without reading system prompts."*
---
## Code Reference
| File | What it does |
|---|---|
| `workspace/agents_md.py` | `generate_agents_md()` — reads `config.yaml`, writes `AGENTS.md` |
| `workspace/main.py` | Calls `generate_agents_md()` at startup |
| `config.py` | `load_config()` — reads `config.yaml` |
**Source:** `workspace/agents_md.py` (PR #763)
```python
from agents_md import generate_agents_md
# Called automatically at startup; can be called again on config change
generate_agents_md(config_dir="/configs", output_path="/workspace/AGENTS.md")
```
---
## TTS Narration Script (30s)
> When a PM agent starts up in Molecule AI, it generates an AGENTS.md file automatically — not manually written, not kept in sync by hand. It reflects the workspace config in real time. Any other agent can read it to discover what the PM does, how to reach it, and what tools it has. No system prompts, no guessing. Just the facts. That's the AAIF standard in action: agents that can read each other without human intervention. AGENTS.md auto-generation, from Molecule AI workspace.

BIN
marketing/demos/agents-md-auto-generation/narration.mp3 Normal file
View File

Binary file not shown.

163
marketing/demos/agents-md-auto-generation/storyboard.md Normal file
View File

@ -0,0 +1,163 @@
# Screencast Storyboard — AGENTS.md Auto-Generation
> **PR:** #763 | **Feature:** `workspace/agents_md.py` | **Duration:** 60 seconds
> **Format:** Terminal-led with Canvas overlay cuts
---
## Pre-roll (0:000:03)
**Canvas — full screen**
Two workspace cards in Canvas: `pm-agent [ONLINE]` and `researcher [IDLE]`.
Narration (VO, 0:000:03):
> "Two agents. The PM coordinates. The researcher does the work. They need to talk to each other — without humans in the loop."
**Camera:** Static Canvas view. No cursor movement. Clean frame.
---
## Moment 1 — PM boots, AGENTS.md generated (0:030:12)
**Cut to:** Terminal window, terminal prompt: `agent@pm-workspace:~$`
```bash
# Simulate the workspace startup — truncated log
INFO main: Starting workspace pm-agent
INFO agents_md: Generating AGENTS.md for workspace 'pm-agent'
INFO agents_md: Generated AGENTS.md at /workspace/AGENTS.md
INFO a2a: A2A server listening on :8000
INFO main: Workspace 'pm-agent' online
```
**Camera:** Type-in animation. Cursor blinks. Text appears line by line (simulate with playback speed 2x).
Narration (0:060:12):
> "When the PM workspace starts up, AGENTS.md is generated automatically — from the config file, not a human."
**Highlight:** `INFO agents_md: Generated AGENTS.md at /workspace/AGENTS.md` — brief yellow highlight ring (1s).
---
## Moment 2 — Researcher reads PM's AGENTS.md (0:120:25)
**Cut to:** Second terminal tab. Prompt: `agent@researcher:~$`
```python
import requests
resp = requests.get(
"https://acme.moleculesai.app/workspaces/ws-pm-123/files/AGENTS.md",
headers={"Authorization": "Bearer researcher-token-xxx"},
)
print(resp.json()["content"])
```
**Cut to:** Terminal output (scroll):
```
# pm-agent
**Role:** Project Manager
## Description
PM agent — coordinates tasks, dispatches to reports, manages timeline.
## A2A Endpoint
http://pm-workspace:8000/a2a
## MCP Tools
- delegate_to_workspace
- check_delegation_status
```
**Camera:** Scroll to show the full file. Hold 2s.
Narration (0:140:22):
> "The researcher reads the PM's AGENTS.md — through the platform API. Instantly knows the PM's role, its A2A endpoint, and the tools it has."
**Highlight:** `A2A Endpoint` and `MCP Tools` lines — brief underline pulse.
**Callout text appears bottom-left:**
`No system prompts. No documentation lookup. Just the facts.`
---
## Moment 3 — Researcher dispatches A2A task (0:250:42)
**Terminal continues:**
```python
from a2a import A2ATask
task = A2ATask(
to="http://pm-workspace:8000/a2a",
type="status_report",
payload={
"milestone": "data-pipeline",
"status": "complete",
"artifacts": ["dataset-v3.parquet"],
}
)
result = task.send()
print(result)
```
**Terminal output:**
```
{"task_id": "task-abc-456", "status": "queued", "pm_receipt": "2026-04-21T00:00:22Z"}
```
**Camera:** Type-in animation. Brief hold on result JSON.
Narration (0:270:35):
> "Now the researcher has everything it needs. It sends an A2A task to the PM — using the endpoint it discovered from AGENTS.md. No hardcoded addresses."
---
## Moment 4 — PM receives task (0:420:52)
**Cut to:** Canvas — pm-agent card.
New message bubble appears in pm-agent's canvas chat:
`researcher: Status report — data-pipeline complete. 1 artifact ready.`
Below the message, status indicator changes: `pm-agent [ACTIVE]`
Researcher card shows: `researcher [DISPATCHED]`
Narration (0:420:48):
> "The PM receives it in Canvas. Status updated. The coordination happened without human input — AAIF in action."
---
## Close (0:521:00)
**Canvas — full frame.** Both cards visible. `pm-agent [ACTIVE]` + `researcher [DISPATCHED]`.
Narration (0:520:58):
> "AGENTS.md means every agent knows what its peers can do — without reading system prompts. Auto-generated. Always current. That's the AAIF standard, from Molecule AI."
**End card:**
```
AGENTS.md Auto-Generation
workspace/agents_md.py — molecule-core#763
```
**Fade to black.**
---
## Production Notes
- **Terminal theme:** Dark, monospace, minimal chrome. Use `ITerm2` profile "Molecule Dark" or equivalent.
- **Font:** SF Mono 14pt or JetBrains Mono 13pt.
- **Canvas cutaways:** Use the dev canvas at `localhost:3000` with two workspaces in active states. Pre-record these moments.
- **Camera:** Screenflow or Camtasia for macOS. Record at 1440×900, export at 1080p.
- **VO recording:** Record after final edit is locked. Use `en-US-AriaNeural` as reference voice for timing.
- **Narration pacing:** Read the script against the timeline before locking the VO session.
- **Music:** No music — keep it clean and technical. Consider a subtle 2s click sound at 0:03 (boot log) to anchor the start.
- **Highlights:** Use a yellow/amber ring `#E8A000` with 1s fade-in/out for callouts.
- **End card:** Centered, white text on dark background. 1080p canvas.

199
marketing/demos/cloudflare-artifacts/README.md Normal file
View File

@ -0,0 +1,199 @@
# Cloudflare Artifacts — Working Demo
> **PR:** #641 — Cloudflare Artifacts demo integration
> **What it ships:** `POST/GET /workspaces/:id/artifacts`, `POST /workspaces/:id/artifacts/fork`, `POST /workspaces/:id/artifacts/token`
> **Concept:** "Git for agents" — versioned workspace snapshot storage
> **Acceptance criteria:** working demo showing workspace snapshot to/from Cloudflare Artifacts + 1-min screencast
---
## What This Demo Shows
A workspace links to a Cloudflare Artifacts git repo. The agent can push snapshots (git commits) and later fork the repo to bootstrap a new workspace. This is versioned workspace state — like `git init` for agent memory.
**The flow:**
1. Attach a CF Artifacts repo to a workspace (or import an existing Git repo)
2. Mint a short-lived git credential via the platform
3. Agent clones the repo, writes a snapshot, pushes
4. Fork the repo to bootstrap a new workspace
---
## Prerequisites
- Molecule AI platform with `CF_ARTIFACTS_API_TOKEN` and `CF_ARTIFACTS_NAMESPACE` set
- A running workspace with a bearer token
- `git` and `curl` on the caller machine
---
## Working Demo Script
### 1. Attach / create a CF Artifacts repo to a workspace
```bash
# Admin token or workspace token
WORKSPACE_ID=ws-abc123
PLATFORM=https://acme.moleculesai.app
TOKEN=your-workspace-or-admin-token
# Create (or import) the repo
curl -s -X POST "$PLATFORM/workspaces/$WORKSPACE_ID/artifacts" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "my-workspace-snapshots",
"description": "Versioned snapshots of workspace state"
}' | jq
```
Response (201):
```json
{
"id": "art-uuid-456",
"workspace_id": "ws-abc123",
"cf_repo_name": "my-workspace-snapshots",
"cf_namespace": "my-namespace",
"remote_url": "https://hash.artifacts.cloudflare.net/git/my-workspace-snapshots.git",
"description": "Versioned snapshots of workspace state",
"created_at": "2026-04-20T12:00:00Z"
}
```
The repo was created in Cloudflare Artifacts and linked to the workspace. No separate CF dashboard login needed.
---
### 2. Import an existing GitHub repo instead
```bash
curl -s -X POST "$PLATFORM/workspaces/$WORKSPACE_ID/artifacts" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "researcher-agent",
"description": "Researcher agent workspace",
"import_url": "https://github.com/myorg/researcher-agent.git",
"import_branch": "main",
"import_depth": 1
}' | jq
```
The platform calls the CF Artifacts API to import the GitHub repo. The workspace now has a full git history of the agent's work.
---
### 3. Mint a git credential
```bash
curl -s -X POST "$PLATFORM/workspaces/$WORKSPACE_ID/artifacts/token" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"scope": "write", "ttl": 3600}' | jq
```
Response:
```json
{
"token": "cf_at_xxxxx...xxxx",
"scope": "write",
"expires_at": "2026-04-20T13:00:00Z",
"clone_url": "https://x:cf_at_xxxxx...xxxx@artifacts.cloudflare.net/git/my-workspace-snapshots.git",
"message": "Save this token — it cannot be retrieved again."
}
```
The `clone_url` is the authenticated git remote. Use it directly:
```bash
git clone https://x:cf_at_xxxxx@artifacts.cloudflare.net/git/my-workspace-snapshots.git
```
The token is scoped to this workspace's repo only. It expires in 1 hour (configurable up to 7 days).
---
### 4. Clone, snapshot, push
```bash
# Clone the workspace repo
git clone "https://x:cf_at_xxxxx@artifacts.cloudflare.net/git/my-workspace-snapshots.git" \
/tmp/workspace-snapshots
cd /tmp/workspace-snapshots
# Agent writes a snapshot: memory dump, active task state, config
echo "current_task: researching competitor X" > snapshot.md
echo "uptime_seconds: 3600" >> snapshot.md
echo "memory_summary: analyzed 12 sources, 3 key findings" >> snapshot.md
git add snapshot.md
git commit -m "snapshot: researching competitor X — 3 findings ready"
git push origin main
```
The workspace state is now in Cloudflare Artifacts — versioned, accessible to other workspaces, recoverable.
---
### 5. Fork the repo for a new workspace
```bash
# Researcher wants to start from the PM's workspace snapshot
curl -s -X POST "$PLATFORM/workspaces/ws-pm-123/artifacts/fork" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "researcher-from-pm",
"description": "Forked from pm-agent workspace",
"default_branch_only": true
}' | jq
```
Response:
```json
{
"fork": {
"name": "researcher-from-pm",
"namespace": "my-namespace",
"remote_url": "https://hash2.artifacts.cloudflare.net/git/researcher-from-pm.git"
},
"object_count": 47,
"remote_url": "https://hash2.artifacts.cloudflare.net/git/researcher-from-pm.git"
}
```
The forked repo is a separate Cloudflare Artifacts repository with the full snapshot history. A new workspace can clone it and pick up where the PM left off.
---
## Screencast Outline (1 min)
**0:000:10** Canvas: a workspace is online. Terminal: `curl POST /workspaces/:id/artifacts` — repo created, response shows CF Artifacts remote URL.
**0:100:25** Terminal: mint a git credential. `clone_url` shown in response. `git clone` runs, repo clones in <5s.
**0:250:40** Agent writes a workspace snapshot to the repo. `echo``git add``git commit``git push`. Output shows the push succeeded.
**0:400:55** Canvas: fork call. `POST /workspaces/:id/artifacts/fork` → new repo created in CF Artifacts. The new workspace ID is returned.
**0:551:00** Narration: *"Every workspace can have its own git history. Snapshot state, version it, fork it into a new agent. Git for agents, built into the platform."*
---
## TTS Narration Script (30s)
> Cloudflare Artifacts turns your Molecule AI workspace into a versioned git repository. Attach a repo, mint a short-lived credential, and the agent can push snapshots — memory dumps, task state, config — and other agents can fork the history to bootstrap from the same point. No external git service configuration. No separate dashboard. The platform manages the credential lifecycle and the repo link. Versioned agent state, built into the platform. That's the first-mover advantage: Git for agents, from Molecule AI.
---
## API Reference
| Method | Path | What |
|---|---|---|
| `POST` | `/workspaces/:id/artifacts` | Attach/create CF Artifacts repo |
| `GET` | `/workspaces/:id/artifacts` | Get linked repo info |
| `POST` | `/workspaces/:id/artifacts/fork` | Fork repo to new workspace |
| `POST` | `/workspaces/:id/artifacts/token` | Mint short-lived git credential |
**Source:** `workspace-server/internal/handlers/artifacts.go` (PR #641)

BIN
marketing/demos/cloudflare-artifacts/narration.mp3 Normal file
View File

Binary file not shown.

201
marketing/demos/cloudflare-artifacts/storyboard.md Normal file
View File

@ -0,0 +1,201 @@
# Screencast Storyboard — Cloudflare Artifacts Integration
> **PR:** #641 | **Feature:** `POST/GET /workspaces/:id/artifacts`, `/artifacts/fork`, `/artifacts/token` | **Duration:** 60 seconds
> **Format:** Terminal-led, clean dark theme
---
## Pre-roll (0:000:04)
**Canvas — full screen**
Single workspace card in Canvas: `data-agent [ONLINE]`. Status: `idle`.
Narration (0:000:04):
> "This data-agent has been running for three hours. It has context, task state, memory. What happens when it disconnects?"
**Camera:** Static Canvas frame. 3-second hold. No cursor.
---
## Moment 1 — Attach a CF Artifacts repo (0:040:16)
**Cut to:** Terminal window, dark theme.
Prompt: `agent@data-agent:~$`
```bash
WORKSPACE_ID="ws-data-agent-001"
PLATFORM="https://acme.moleculesai.app"
TOKEN="Bearer ws-token-xxx"
curl -s -X POST "$PLATFORM/workspaces/$WORKSPACE_ID/artifacts" \
-H "Authorization: $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "data-agent-snapshots",
"description": "Versioned snapshots of data-agent workspace"
}' | jq
```
**Terminal output (JSON, formatted):**
```json
{
"id": "art-uuid-789",
"workspace_id": "ws-data-agent-001",
"cf_repo_name": "data-agent-snapshots",
"cf_namespace": "acme-production",
"remote_url": "https://hash.artifacts.cloudflare.net/git/data-agent-snapshots.git",
"created_at": "2026-04-21T00:00:10Z"
}
```
**Camera:** Cursor to `remote_url` field, highlight ring. Hold 1s.
Narration (0:060:14):
> "One API call attaches a Cloudflare Artifacts git repo to the workspace. A remote URL is returned — no CF dashboard required."
**Callout text (bottom-left):**
`Git for agents. No separate setup.`
---
## Moment 2 — Mint a credential, clone the repo (0:160:28)
**Terminal continues:**
```bash
# Mint a short-lived git credential
TOKEN_RESP=$(curl -s -X POST "$PLATFORM/workspaces/$WORKSPACE_ID/artifacts/token" \
-H "Authorization: $TOKEN" \
-H "Content-Type: application/json" \
-d '{"scope": "write", "ttl": 3600}')
CLONE_URL=$(echo $TOKEN_RESP | jq -r '.clone_url')
# Clone the workspace repo
git clone "$CLONE_URL" /tmp/data-agent-snapshots
```
**Terminal output:**
```
Cloning into '/tmp/data-agent-snapshots'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% | (12/12), done.
Receiving objects: 100% | (12/12), 12.00 KiB, done.
```
**Camera:** Scroll through git clone output. Brief hold on `Receiving objects: 100%`. Clean finish.
Narration (0:180:26):
> "A short-lived git credential is minted — valid for one hour. The agent clones the repo. Cloudflare Artifacts handles the git transport."
---
## Moment 3 — Agent writes a snapshot (0:280:44)
**Terminal continues:**
```bash
cd /tmp/data-agent-snapshots
# Agent writes its state to the repo
echo "# Workspace State — 2026-04-21" > snapshot.md
echo "current_task: analyzing sales pipeline Q1" >> snapshot.md
echo "data_sources_analyzed: 8" >> snapshot.md
echo "key_findings: [revenue-drop-may, churn-signal-3pc, upsell-opportunity]" >> snapshot.md
echo "uptime_seconds: 10800" >> snapshot.md
echo "last_status: COMPLETE" >> snapshot.md
git add snapshot.md
git commit -m "snapshot: pipeline analysis complete — 3 key findings"
git push origin main
```
**Terminal output:**
```
[main abc1234] snapshot: pipeline analysis complete — 3 key findings
1 file changed, 5 insertions(+)
Counting objects: 100% | (3/3), done.
Writing objects: 100% | (3/3), done.
remote: success
```
**Camera:** Full commit → push sequence. Hold on `remote: success`. Green checkmark indicator.
Narration (0:300:40):
> "The agent writes a snapshot — current task, data sources, key findings — commits and pushes. The state is now in Cloudflare Artifacts. Versioned. Recoverable."
**Callout text:**
`Versioned agent state — every push is a checkpoint.`
---
## Moment 4 — Fork the repo for a new workspace (0:440:54)
**Terminal:**
```bash
# A new researcher workspace forks the data-agent's repo
curl -s -X POST "$PLATFORM/workspaces/$WORKSPACE_ID/artifacts/fork" \
-H "Authorization: $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "researcher-from-data-agent",
"description": "Forked from data-agent workspace",
"default_branch_only": true
}' | jq
```
**Terminal output:**
```json
{
"fork": {
"name": "researcher-from-data-agent",
"namespace": "acme-production",
"remote_url": "https://hash2.artifacts.cloudflare.net/git/researcher-from-data-agent.git"
},
"object_count": 47,
"remote_url": "https://hash2.artifacts.cloudflare.net/git/researcher-from-data-agent.git"
}
```
**Camera:** Highlight the `remote_url` and `object_count` fields. Hold 2s.
Narration (0:450:52):
> "Another agent forks the repo — a separate, isolated copy. 47 objects transferred. The new workspace can clone it and continue from the same point."
---
## Close (0:541:00)
**Terminal clean frame.** Cursor at prompt.
Narration (0:540:58):
> "Every workspace can have its own git history. Snapshot state, version it, fork it into a new agent. Git for agents, built into the platform."
**End card:**
```
Cloudflare Artifacts Integration
workspace-server/internal/handlers/artifacts.go — molecule-core#641
```
**Fade to black.**
---
## Production Notes
- **Terminal theme:** Same as AGENTS.md storyboard — dark, SF Mono / JetBrains Mono 14pt.
- **Canvas cutaway (pre-roll + close):** Use dev canvas with one workspace in active state. Pre-record before the session.
- **Camera:** Screenflow / Camtasia. 1440×900 record → 1080p export.
- **Callout text:** Amber ring `#E8A000`, 1s fade-in/out, positioned bottom-left at 90% opacity on semi-transparent dark background.
- **Green success indicator:** On the `git push` moment, use a green ring pulse (`#22C55E`) for the `remote: success` line — 1.5s hold.
- **JSON jq output:** Use `jq` with a custom `.絹` (color) filter or `--monochrome-output` to keep it clean and readable in dark theme.
- **VO recording:** Match VO session with AGENTS.md storyboard — use the same voice talent and consistent pacing.
- **Music:** No music. Consider a subtle single-tone click at 0:04 (repo attached) and 0:54 (end card) for visual rhythm.
- **Speed:** The curl/git clone/push sequence should run at 2x playback in moments 14 for pacing. VO rides over the cuts.

178
marketing/devrel/asset-inventory.md Normal file
View File

@ -0,0 +1,178 @@
# Phase 30 Launch — DevRel Asset Inventory
> **Cycle:** Marketing work cycle — offline asset tracking
> **Status:** Master list, update as content ships
> **Branch:** `content/blog/memory-backup-restore` (9 commits ahead of main; push blocked on GH_TOKEN)
Use this as the source of truth for what DevRel has produced this cycle, what's pending review, what's staged, and what's blocked.
---
## How to Read This Doc
- **✅ LIVE** — published to docs site or social channels
- **🔍 REVIEW** — written, needs eyes from Marketing Lead / Doc Specialist / Support
- **📦 STAGED** — committed to `content/blog/memory-backup-restore`, ready to push
- **🔒 BLOCKED** — requires action (GH_TOKEN refresh, design team screenshot, PMM asset)
---
## Blog Posts
| File | Status | Owner | Needs |
|---|---|---|---|
| `docs/blog/2026-04-20-remote-workspaces/index.md` | 📦 STAGED | DevRel | Marketing Lead final read |
| `docs/blog/2026-04-20-chrome-devtools-mcp/index.md` | 📦 STAGED | DevRel | Technical accuracy check |
| `docs/blog/2026-04-20-container-vs-remote/index.md` | 📦 STAGED | DevRel | Marketing Lead voice review |
| `docs/blog/2026-04-20-secure-by-design/index.md` | 📦 STAGED | DevRel | Security Lead accuracy review |
| `docs/blog/2026-04-17-deploy-anywhere/index.md` | ✅ pre-existing | — | — |
---
## Docs & Guides
| File | Status | Owner | Needs |
|---|---|---|---|
| `docs/guides/remote-workspaces.md` | 📦 STAGED | DevRel | Doc Specialist final review |
| `docs/guides/same-origin-canvas-fetches.md` | 📦 STAGED | DevRel | Security Lead sign-off on `/cp/*` allowlist section |
| `docs/guides/remote-workspaces-faq.md` | 📦 STAGED | DevRel | Marketing Lead (voice), Doc Specialist (technical), Support (troubleshooting) |
| `docs/marketing/seo/keywords.md` | 🔍 REVIEW | SEO Analyst | SEO Analyst to surface and publish |
---
## Marketing / Social Copy
| File | Status | Owner | Needs |
|---|---|---|---|
| `marketing/devrel/phase30-social-copy.md` | 📦 STAGED | DevRel | PMM or CM to schedule posts (X all 4 versions, LinkedIn) |
| `marketing/devrel/chrome-devtools-mcp-social-copy.md` | 📦 STAGED | DevRel | CM to schedule alongside blog post |
| `marketing/copy/phase30-landing-copy.md` | 📦 STAGED | DevRel | Marketing Lead brand voice review |
---
## Demos — Working Demos + Screencasts
### Demo 1: AGENTS.md Auto-Generation (#1172, PR #763)
| Asset | Status | Notes |
|---|---|---|
| `marketing/demos/agents-md-auto-generation/README.md` | 📦 STAGED | 4 scenario working demo + 1-min screencast outline + TTS script |
| `marketing/demos/agents-md-auto-generation/storyboard.md` | 📦 STAGED | Full production storyboard (camera, VO pacing, highlights, 4 moments) |
| `marketing/demos/agents-md-auto-generation/narration.mp3` | 📦 STAGED | 30s TTS (en-US-AriaNeural) |
| Repo link | 📦 STAGED | `workspace/agents_md.py` on `molecule-core` main |
| **GitHub issue comment** | 🔒 BLOCKED | `comment-1172.json` staged; `post-issue-comments.sh` ready; GH_TOKEN must refresh |
| ASSET: Canvas screenshot (pm-agent + researcher) | 🔒 BLOCKED | Design team needs live canvas + ngrok access |
### Demo 2: Cloudflare Artifacts (#1173, PR #641)
| Asset | Status | Notes |
|---|---|---|
| `marketing/demos/cloudflare-artifacts/README.md` | 📦 STAGED | 5 scenario working demo + 1-min screencast outline + TTS script |
| `marketing/demos/cloudflare-artifacts/storyboard.md` | 📦 STAGED | Full production storyboard (camera, VO pacing, green success pulse, 4 moments) |
| `marketing/demos/cloudflare-artifacts/narration.mp3` | 📦 STAGED | 30s TTS (en-US-AriaNeural) |
| Repo link | 📦 STAGED | `workspace-server/internal/handlers/artifacts.go` on `molecule-core` main |
| **GitHub issue comment** | 🔒 BLOCKED | `comment-1173.json` staged; GH_TOKEN must refresh |
---
## Audio / Video Assets
| File | Duration | Voice | Status | Needs |
|---|---|---|---|---|
| `marketing/audio/phase30-announce.mp3` | ~30s | en-US-AriaNeural | 📦 STAGED | CM to pair with social copy |
| `marketing/audio/phase30-video-vo.mp3` | ~6775s | en-US-AriaNeural | 📦 STAGED | Video Editor to lock against timeline |
| `marketing/audio/phase30-video-vo-mandarin.mp3` | ~70s | zh-CN-XiaoxiaoNeural | 📦 STAGED | PMM to confirm authoritative script |
| `marketing/audio/chrome-devtools-mcp-summary.mp3` | ~77s | en-US-AriaNeural (+30%) | 📦 STAGED | Slightly over 6575s target; trim 2s if needed |
| `marketing/audio/quickstart-audio.mp3` | ~6775s | en-US-AriaNeural | 📦 STAGED | CM to pair with quickstart guide |
| `marketing/audio/phase30-video-vo-mandarin-script.txt` | 188 chars | — | 📦 STAGED | PMM to confirm path + authoritative script |
---
## Visual Assets
| File | Status | Notes |
|---|---|---|
| `marketing/assets/phase30-fleet-diagram.png` | 📦 STAGED | 126KB matplotlib; dark navy, purple REMOTE, blue platform; design notes in `phase30-fleet-diagram-notes.txt` |
| ASSET: Canvas screenshot (remote badge) | 🔒 BLOCKED | Design team needs live canvas + ngrok |
| ASSET: `phase30-canvas-remote-badge.png` | 🔒 BLOCKED | Same blocker as above |
---
## Launch Execution
| File | Status | Notes |
|---|---|---|
| `marketing/drip/post-push-checklist.md` | 📦 STAGED | 6-phase sequencing: push → PR → docs → social → email → verify |
| `marketing/drip/phase30-email-drip.md` | 📦 STAGED | 3-email CRM sequence (Day 1/34/7) with placeholders |
| `marketing/community/hacker-news-launch.md` | 📦 STAGED | HN guide, 3 title options, post body template, comment responses |
| `marketing/community/community-announcements.md` | 📦 STAGED | Discord + Slack + Reddit copy, channel-by-channel |
## Sales Enablement
| File | Status | Notes |
|---|---|---|
| `marketing/sales/phase30-sales-enablement.md` | 📦 STAGED | 4 competitive battlecards, 5 objection handlers, 3-min demo script |
| `marketing/sales/phase30-one-pager.md` | 📦 STAGED | 1-page PDF-ready asset with feature table, pricing, quick-start |
---
## Scripts & Helpers
| File | Status | Notes |
|---|---|---|
| `marketing/demos/post-issue-comments.sh` | 📦 STAGED | curl-based helper to post comments to #1172 + #1173 once GH_TOKEN refreshes |
| `comment-1172.json` | 📦 STAGED | Raw JSON body for #1172 comment |
| `comment-1173.json` | 📦 STAGED | Raw JSON body for #1173 comment |
---
## Pending Actions by Owner
### DevRel (this workspace)
- [ ] None currently — all deliverables committed
### Marketing Lead
- [ ] Review `docs/guides/remote-workspaces-faq.md` — voice + technical accuracy
- [ ] Review `marketing/copy/phase30-landing-copy.md` — brand voice
- [ ] Review `docs/blog/2026-04-20-remote-workspaces/index.md` — final read before publish
- [ ] Post `phase30-social-copy.md` — schedule X posts (all 4 versions) + LinkedIn post
- [ ] Post `chrome-devtools-mcp-social-copy.md` — schedule alongside blog post
- [ ] Schedule 3-email drip sequence after blog post is live
- [ ] Submit or assign Hacker News post (see `hacker-news-launch.md`)
### Community Manager
- [ ] Schedule social copy posts (see Marketing Lead row)
- [ ] Post community announcements per `community-announcements.md`
### Video Editor
- [ ] Begin Phase 30 video assembly per `phase30-video-production.md`
### Sales / Solutions Engineering
- [ ] Review `phase30-sales-enablement.md` — customize talk tracks to seller voice
- [ ] Review `phase30-one-pager.md` — replace link placeholders before distributing
### PMM
- [ ] Confirm authoritative path for `marketing/social/phase30-launch-plan.md` (currently confirmed missing from internal repo)
- [ ] Confirm `phase30-video-vo-mandarin-script.txt` is the right script (188-char DevRel-authored placeholder)
- [ ] Supply canvas screenshot (`phase30-canvas-remote-badge.png`) using live canvas + ngrok
### Design Team
- [ ] Capture canvas screenshot showing REMOTE badge on workspace card
- [ ] Refine `phase30-fleet-diagram.png` per `phase30-fleet-diagram-notes.txt` design checklist
### SEO Analyst
- [ ] Surface and publish `docs/marketing/seo/keywords.md`
### Support
- [ ] Review troubleshooting section of `docs/guides/remote-workspaces-faq.md`
### Security Lead
- [ ] Review `/cp/*` allowlist section in `docs/guides/same-origin-canvas-fetches.md`
- [ ] Review `docs/blog/2026-04-20-secure-by-design/index.md`
### CEO / Token Owner
- [ ] **CRITICAL:** Refresh `GH_TOKEN` — all pushes and issue comments are blocked until this is done
---
*Maintained by DevRel. Update status columns as content ships or blockers clear.*

76
marketing/devrel/chrome-devtools-mcp-social-copy.md Normal file
View File

@ -0,0 +1,76 @@
# Chrome DevTools MCP — Social Copy
Short-form content for X and LinkedIn accompanying the Chrome DevTools MCP governance blog post.
---
## X (140280 chars)
### Version A — Governance angle
```
Chrome DevTools MCP gives agents full browser control. Screenshot, DOM, JS execution — all through a standard interface.
Raw CDP is all-or-nothing. Molecule AI adds the governance layer: which agents get access, what they can do, how to revoke it.
Audit trail included.
```
### Version B — Production use cases
```
Three things you couldn't automate before Chrome DevTools MCP + Molecule AI governance:
1. Lighthouse CI/CD audits — agent opens Chrome, runs Lighthouse, posts score to PR
2. Visual regression testing — screenshot diffs across agent workflow runs
3. Authenticated session scraping — agent behind a login with managed cookies
All with org API key audit trail.
```
### Version C — Problem framing
```
Chrome DevTools MCP: browser automation as a first-class MCP tool.
For prototypes: great. For production: you need something between no browser and full admin. That's the gap Molecule AI's MCP governance fills.
```
---
## LinkedIn (100200 words)
```
Chrome DevTools MCP shipped in early 2026 — and browser automation is now a standard tool for any compatible AI agent.
Screenshot. DOM inspection. Network interception. JavaScript execution. No custom wrappers, no browser-driver installation.
That's the prototype story. For production — especially anything touching customer-facing workflows or authenticated sessions — all-or-nothing CDP access is a governance gap.
Molecule AI's MCP governance layer answers the production questions:
- Which agents can open a browser?
- What can they do with it?
- How do you revoke access?
- When something goes wrong, who accessed what session data?
Real-world use cases the layer enables: automated Lighthouse performance audits in CI/CD, screenshot-based visual regression testing, and authenticated session scraping — agents operating behind a login with cookies managed through the platform's secrets system.
Every action is logged. Every browser operation is attributed to an org API key and workspace ID.
Chrome DevTools MCP plus Molecule AI's governance layer: browser automation that meets production standards.
```
---
## Image suggestions
| Post | Image |
|---|---|
| X Version A | Fleet diagram: `marketing/assets/phase30-fleet-diagram.png` (reusable) |
| X Version B | Custom: 3-item checklist graphic — "Lighthouse / Regression / Auth Scraping" |
| X Version C | Quote card: "something between no browser and full admin" |
| LinkedIn | Quote card or the checklist graphic |
---
## Hashtags
`#MCP` `#BrowserAutomation` `#AIAgents` `#MoleculeAI` `#DevOps` `#QA` `#CI/CD`

428
marketing/devrel/phase30-demo-spec.md Normal file
View File

@ -0,0 +1,428 @@
# Phase 30 Demo Spec — Remote Workspaces & Cross-Network Federation
> For: DevRel + Marketing | Status: DRAFT | Phase 30 GA target
>
> **Issue:** attaches to [`Molecule-AI/internal#2`](https://github.com/Molecule-AI/internal/issues/2)
> — `devrel: remote agent fleet demo for Phase 30`
>
> **Technical reference:** [`docs/guides/external-agent-registration.md`](https://github.com/Molecule-AI/molecule-core/blob/main/docs/guides/external-agent-registration.md)
> — full endpoint reference used throughout this spec.
>
> **Social launch plan:** `marketing/social/phase30-launch-plan.md` (PMM-owned) — Section 5 TTS script
> is the authoritative source for `phase30-video-vo.mp3`.
---
## 1. Demo Scenario
**Title:** *"Your Agent. Your Laptop. On the Canvas."*
**Premise:** A developer runs a Python agent on their laptop, connected to the internet, registering to a Molecule AI org running on a cloud platform. A parent PM agent on the canvas dispatches a research task. The remote agent receives it via A2A, processes it, and returns the result — all visible in real time on the canvas.
**Audience:** Indie developers evaluating Molecule AI, enterprise teams evaluating multi-cloud agent deployment.
**Duration:** 810 minutes live, 3 minutes narrated.
---
### Full Walkthrough (Live Demo Steps)
**Setup (done before recording, shown as screenshots):**
1. Dev has a Molecule AI platform running at `https://acme.moleculesai.app`
2. Canvas shows a PM workspace ("pm-agent") already online
3. Dev's laptop is on a different network — no shared Docker network, no VPN
**On screen (live or narrated):**
```
DEVELOPER LAPTOP MOLECULE AI PLATFORM
| |
| 1. POST /workspaces |
| {"name":"researcher", |
| "runtime":"external", |
| "url":"https://laptop:5000"} |
| ─────────────────────────────────────────► |
| ←─ 201 {"id":"ws-abc123", ...} |
| |
| 2. POST /registry/register |
| {id:"ws-abc123", url:"...", |
| agent_card:{name:"researcher", |
| skills:["research","web-search"]}} |
| ─────────────────────────────────────────► |
| ←─ 200 {"status":"registered", |
| "auth_token":"mol_..."} ← SAVE |
| |
| 3. GET /workspaces/ws-abc123/secrets/values |
| Authorization: Bearer mol_... |
| ─────────────────────────────────────────► |
| ←─ 200 {"OPENAI_API_KEY":"sk-..."} |
| |
| 4. POST /registry/heartbeat every 30s |
| Authorization: Bearer mol_... |
| ─────────────────────────────────────────► |
| Canvas shows: researcher = ONLINE (REMOTE)|
| |
| 5. PM agent dispatches task via A2A |
| Canvas My Chat → "Research competitor X" |
| ─────────────────────────────────────────► |
| Platform proxies → POST laptop:5000/a2a |
| ←─ 200 {"result":{"message":{...}}} |
| |
| 6. Researcher result shown in Canvas |
| Researcher chat tab shows full reply |
```
---
## 2. Minimum Viable Demo (Under 10 Minutes)
**What to prep before the demo:**
- Running platform (self-hosted or SaaS beta)
- `pip install requests` on laptop
- `ghcr.io/molecule-ai/workspace-template` image available (for platform side)
- ngrok or Cloudflare Tunnel running on laptop: `ngrok http 5000`
- Write down the `WORKSPACE_ID` and `PLATFORM_URL`
**Script for the MVP (5 minutes live):**
```bash
# STEP 1 — Create the workspace (platform side, admin token)
PLATFORM=https://acme.moleculesai.app
ADMIN_TOKEN=mol_admin_...
WORKSPACE_NAME=researcher
WORKSPACE_RESP=$(curl -s -X POST $PLATFORM/workspaces \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"name\":\"$WORKSPACE_NAME\",\"runtime\":\"external\",\"tier\":2}")
echo $WORKSPACE_RESP | jq
WORKSPACE_ID=$(echo $WORKSPACE_RESP | jq -r '.id')
# STEP 2 — Seed a secret so pull_secrets has something to show
curl -s -X POST $PLATFORM/workspaces/$WORKSPACE_ID/secrets \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"key":"MODEL_NAME","value":"gpt-4o"}'
# STEP 3 — On laptop: run the remote-agent demo
# (uses RemoteAgentClient from molecule-sdk-python)
export WORKSPACE_ID=$WORKSPACE_ID
export PLATFORM_URL=$PLATFORM
export MAX_ITERATIONS=20
python3 run.py
# STEP 4 — Show canvas: workspace appears as REMOTE badge
# Canvas → researcher node → Online → Chat tab
```
**What to narrate at each step:**
1. "This workspace was created with `runtime: external` — no Docker provisioning happens. The platform just registers the row and waits for the agent to call home."
2. "The auth token was returned once, at registration. It's saved to disk. Every subsequent call — secrets, heartbeat, A2A — is authenticated with it."
3. "The agent pulls its API keys from the platform. No env vars baked into the container. Rotate the secret in the UI, the agent picks it up on next pull."
4. "Canvas shows a purple REMOTE badge. Same status, same chat, same terminal access as any Docker workspace — the deployment location is invisible to the rest of the org."
5. "The PM dispatches a task. The platform proxies it to the laptop's endpoint. No Docker bridge, no shared network — it works because the agent registered its URL and keeps a heartbeat alive."
---
## 3. Screencast Outline (5 Key Moments)
### Moment 1: Platform empty state → PM workspace online (0:000:20)
**What to show:** Canvas with a PM workspace (already set up as org template). Brief zoom on the node — status, role, chat tab. The org is a skeleton at this point: one PM, no reports.
**Narration:** *"Molecule AI runs a PM agent on a cloud platform. The team is small — one PM, one canvas, everything in one place. Now let's add a researcher running on a laptop across the internet."*
---
### Moment 2: ngrok tunnel + workspace creation (0:201:00)
**What to show:** Terminal on laptop. `ngrok http 5000` running. `curl` creating the external workspace. Workspace ID copied.
**Narration:** *"The agent creates a workspace row with `runtime: external`. No Docker involved — the platform just records the identity and waits for it to call home."*
**Visual:** Highlight `runtime: "external"` in the curl command.
---
### Moment 3: Registration + token cache (1:001:45)
**What to show:** `python3 run.py` starting. Registration log line. Token saved to `~/.molecule/<id>/.auth_token`. Secrets pulled. Heartbeat loop starting.
**Narration:** *"The SDK registers with the platform, receives a 256-bit auth token, and caches it to disk. That token is the agent's identity — it's how the platform knows this is the researcher workspace, not an imposter. The agent then pulls its secrets — API keys, model names — without any baked-in environment variables. And it starts its heartbeat loop, every 30 seconds."*
**Visual:** Show `~/.molecule/` directory with token file. Show the secret keys returned.
---
### Moment 4: Canvas update — REMOTE badge appears (1:452:15)
**What to show:** Canvas, live refresh. Researcher node appears under PM. Purple REMOTE badge. Status: online. Current task: "remote-agent demo idle". Ping the activity panel to show heartbeat activity.
**Narration:** *"Back on the canvas — the researcher is online. Purple badge means it's remote — not a Docker container on this platform. Same status indicator as any other workspace. Same chat tab. The platform doesn't care where it's running."*
**Visual:** Circle the REMOTE badge. Show the heartbeat tick in the activity log.
---
### Moment 5: Task dispatch and result (2:153:00)
**What to show:** PM's My Chat input: "Research Anthropic's latest model release and summarize in 3 bullet points." Send. Canvas shows "current task: researching" on researcher node. Researcher replies. Result appears in PM's chat.
**Narration:** *"The PM dispatches a task. The platform routes it to the laptop — same A2A protocol used for every agent call, regardless of where the target runs. The laptop processes it, returns the result, and it appears in the PM's chat. No special configuration on either side — the platform's A2A proxy handles the routing."*
**Visual:** A2A JSON-RPC payload shown briefly in researcher terminal. Canvas showing result.
---
## 3b. Visual Assets Required (from PMM social launch plan)
These assets are produced by the design team. The screencast and guide reference them at the moments noted.
### ASSET 1 — Canvas screenshot: REMOTE badge visible alongside Docker agents
**Description:** Screenshot of the Molecule AI canvas showing a mixed fleet: one Docker-provisioned workspace (e.g. "pm-agent", standard runtime pill) and one remote workspace (e.g. "researcher", purple REMOTE badge) visible simultaneously. Both should show status "online".
**When it's used:** Moment 4 of the screencast — the payoff shot. Also used as the hero image in the `docs/guides/remote-workspaces.md` guide.
**Capture instructions:**
1. Spin up a Docker workspace on the platform (use the `claude-code-default` template)
2. Spin up a remote workspace (see Section 2 — run `python3 run.py` on laptop with ngrok)
3. Arrange both nodes visible on canvas at the same time
4. Screenshot at ~1440px wide; include the side panel closed so the canvas is unobstructed
5. Crop to show the org topology clearly; do not crop out the REMOTE badge on the researcher node
**File:** `marketing/assets/phase30-canvas-remote-badge.png`
---
### ASSET 2 — Fleet diagram: AWS / GCP / on-prem → A2A proxy → single canvas
**Description:** Clean infrastructure diagram showing three remote agent nodes (AWS, GCP, on-premises datacenter) each running an agent on their own infrastructure. Each agent connects via HTTPS to the Molecule AI platform's A2A proxy. The platform connects via WebSocket to a single canvas browser. All agents appear as workspaces on the same canvas, side by side.
**Style:** Molecule AI brand — dark background (#0A0E1A or similar), consistent iconography, thin connector lines, no heavy borders. Same visual language as the architecture diagrams in `docs/architecture/architecture.md`.
**Include labels:**
- Each agent node: runtime label (e.g. "Claude Code / laptop", "LangGraph / AWS EC2", "CrewAI / on-prem")
- A2A proxy: `POST /workspaces/:id/a2a` (label on the connector)
- WebSocket fanout: labeled `WS fanout` between platform and canvas
- Canvas: single browser icon with "One canvas. All agents."
**When it's used:** Guide hero image (`docs/guides/remote-workspaces.md`), Phase 30 blog post hero, social card.
**File:** `marketing/assets/phase30-fleet-diagram.png`
---
### ASSET 3 (Optional) — 10-second GIF: registration → canvas → A2A message flow
**Description:** Short looping animated GIF showing the end-to-end flow in real time:
1. Terminal: `python3 run.py` starts, logs scroll
2. Canvas: researcher node fades in under PM with REMOTE badge
3. Canvas chat: PM types a task, hits send
4. Terminal: A2A JSON-RPC `message/send` received, response returned
5. Canvas: researcher's reply appears in PM chat
**Duration:** ~10 seconds, looping. No audio. Time labels optional.
**When it's used:** Social media embed (X, LinkedIn), landing page. Lower priority than ASSET 1 and 2.
**Capture instructions:** Record with `byzanz-record` or similar on Linux; ScreenFlow or LICEcap on macOS. Export as GIF at 10fps, max 2 MB.
**File:** `marketing/assets/phase30-registration-flow.gif`
---
### Asset summary table
| Asset | File | Priority | Used in |
|---|---|---|---|
| Canvas screenshot (REMOTE badge) | `marketing/assets/phase30-canvas-remote-badge.png` | **Required** | Screencast Moment 4, guide hero |
| Fleet diagram (AWS/GCP/on-prem) | `marketing/assets/phase30-fleet-diagram.png` | **Required** | Guide hero, blog post, social card |
| Registration flow GIF | `marketing/assets/phase30-registration-flow.gif` | Optional | Social embed |
---
## 4. docs/guides/remote-workspaces.md — Draft Intro + Prerequisites
```markdown
# Remote Workspaces — Run Agents Anywhere, Govern From One Platform
> Phase 30: agents running outside the platform's Docker network can now join
> your Molecule AI org, appear on the canvas, receive A2A tasks from parent
> agents, and report status — all with the same auth, lifecycle, and
> observability as containerized workspaces.
**Phase 30 GA:** 2026-04-20 | PRs: #1075#1083, #1085#1100
---
## What Problem This Solves
Most agent platforms assume all agents run in the same environment as the
control plane. Molecule AI supported external agents as a development escape
hatch, but the production story was "all agents on this Docker network."
Phase 30 changes that. Your org can now include agents running on:
- A developer's laptop across the internet
- A server in a different cloud region
- An on-premises machine behind a NAT
- A third-party SaaS bot with an HTTP endpoint
From the canvas and from other agents, they're indistinguishable from
containerized workspaces. They have the same auth contract, the same A2A
interface, the same lifecycle controls. Where they run is a deployment
detail — not an architectural constraint.
---
## Prerequisites
| Requirement | Details |
|---|---|
| **Platform** | Molecule AI platform running v0.30+ (`go run ./cmd/server` from `workspace-server/` or the current `main` image) |
| **Admin access** | An `ADMIN_TOKEN` or org API key with permission to create workspaces |
| **Python ≥ 3.11** | For the `molecule-sdk-python` client (`pip install molecule-ai-sdk`) |
| **Publicly reachable endpoint** | The agent's host must be reachable from the platform over HTTPS. If behind NAT, use [ngrok](https://ngrok.com) or [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/). |
| **Network** | Outbound HTTPS from the agent to the platform; inbound HTTPS from the platform to the agent's A2A endpoint |
### SDK Installation
```bash
pip install molecule-ai-sdk
```
Or from the repo checkout:
```bash
pip install -e sdk/python/
```
The SDK includes `RemoteAgentClient` — a dependency-light Python client (only `requests`) that wraps all Phase 30 endpoints.
---
## Architecture at a Glance
```
Laptop (remote agent) Molecule AI Platform
│ │
│ POST /workspaces │
│ POST /registry/register ────────────► │ ← admin token (one-time)
│ ←─ auth_token (256-bit) ◄────────── │ ← shown once, saved to disk
│ │
│ GET /workspaces/:id/secrets/values │ ← bearer: auth_token
│ POST /registry/heartbeat (30s loop) │
│ GET /workspaces/:id/state (30s loop)│
│ │
│ ◄── A2A task dispatch ────────────── │ ← platform → laptop (HTTPS)
│ ──► A2A response ──────────────────► │ ← laptop → platform
│ │
Canvas (any browser) ◄── WebSocket ─────► Platform
│ fanout
└─── sees: researcher [ONLINE] [REMOTE] badge
```
**Key properties:**
- The agent **pulls** its secrets at boot (not baked into the container at provision time)
- Liveness is maintained by **heartbeat + state polling** (no WebSocket required from the agent side)
- The platform **proxies A2A calls** to the agent's registered URL — no inbound firewall rules on the platform
- The auth token is **workspace-scoped**: a leaked token can't impersonate another workspace
---
## Quick Start
```bash
# 1. Create the workspace (admin side)
WORKSPACE=$(curl -s -X POST https://acme.moleculesai.app/workspaces \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"researcher","runtime":"external","tier":2}')
WORKSPACE_ID=$(echo $WORKSPACE | jq -r '.id')
# 2. Run the agent (any machine that can reach the platform)
pip install molecule-ai-sdk
python3 - <<'EOF'
from molecule_agent import RemoteAgentClient
import os, logging
client = RemoteAgentClient(
workspace_id = os.environ["WORKSPACE_ID"],
platform_url = os.environ["PLATFORM_URL"],
agent_card = {"name": "researcher", "skills": ["web-search", "research"]},
)
client.register() # Phase 30.1 — get + cache token
secrets = client.pull_secrets() # Phase 30.2 — decrypt API keys
print("Secrets:", list(secrets.keys()))
# Keep alive + respond to platform commands
client.run_heartbeat_loop(
task_supplier = lambda: {
"current_task": "idle",
"active_tasks": 0,
}
)
EOF
```
The agent appears on the canvas with a **purple REMOTE badge** within seconds. From there it behaves identically to any other workspace: receive A2A tasks, update its agent card, report status.
---
## What Phase 30 Covers
| Phase | What shipped | Endpoint |
|---|---|---|
| 30.1 | Workspace auth tokens | `POST /registry/register`, `POST /registry/heartbeat` |
| 30.2 | Token-gated secrets pull | `GET /workspaces/:id/secrets/values` |
| 30.3 | Plugin tarball download (remote install) | `GET /plugins/:name/download` |
| 30.4 | Workspace state polling (no WebSocket needed) | `GET /workspaces/:id/state` |
| 30.5 | A2A proxy enforces caller token | `POST /workspaces/:id/a2a` |
| 30.6 | Sibling discovery + URL caching | `GET /registry/:id/peers` |
| 30.7 | Poll-liveness for external runtime | Redis TTL (90s timeout) |
| 30.8 | Remote-agent SDK + docs | `molecule-sdk-python` |
---
## Next Steps
- **[External Agent Registration Guide →](/docs/guides/external-agent-registration)** — full endpoint reference, Python + Node.js examples, troubleshooting
- **[molecule-sdk-python →](https://github.com/Molecule-AI/molecule-sdk-python)** — SDK source, `RemoteAgentClient` API docs
- **[SDK Examples →](https://github.com/Molecule-AI/molecule-sdk-python/tree/main/examples/remote-agent)** — `run.py` demo script, annotated walkthrough
```
---
## 5. TTS Voiceover Script — Phase 30 Announcement
**Output:** `marketing/audio/phase30-announce.mp3`
**Output (social cut):** `marketing/audio/phase30-video-vo.mp3`
**Duration:** ~22 seconds for announcement cut; ~30 seconds for video VO cut
**Voice:** Neutral professional (en-US-AriaNeural via edge-tts)
**Source:** `marketing/social/phase30-launch-plan.md` Section 5 (PMM-authored); this spec includes the same script for reference.
> **Note:** If `marketing/social/phase30-launch-plan.md` is updated with a revised PMM script, this section should be updated to match. The authoritative source is the PMM's social launch plan.
**Script — read verbatim:**
---
---
> Molecule AI ships Phase 30 today — Remote Workspaces is generally available.
>
> Starting now, any agent can run anywhere: your laptop, a different cloud, an edge device, a third-party endpoint. It registers with your Molecule org, appears on the canvas with a remote badge, receives tasks from parent agents, and reports status — just like an agent running in Docker.
>
> The auth contract is the same. The A2A protocol is the same. The canvas experience is the same. The only difference is where the agent's process lives.
>
> Here's what Phase 30 delivers. Workspace auth tokens so every remote agent has a cryptographic identity. A secrets pull endpoint so API keys are managed centrally, not baked into container images. A state polling interface so agents can stay alive without a WebSocket connection. And an SDK — Python, dependency-light, just requests — that wraps all of it.
>
> To onboard a remote agent: create a workspace with runtime external, point it at your platform URL, and run the SDK. Within seconds it shows up on the canvas, purple badge and all.
>
> Phase 30 turns Molecule AI from a self-hosted tool into an enterprise agent fleet platform. Agents run anywhere. Governance stays in one place.
>
> Learn more at moleculesai dot A I, and check the docs for the quick start guide.
---
*Script word count: 253 words → ~60 seconds at 140 WPM delivery pace.*

96
marketing/devrel/phase30-social-copy.md Normal file
View File

@ -0,0 +1,96 @@
# Phase 30 — Short-Form Social Copy
X / LinkedIn posts for the Phase 30 Remote Workspaces GA launch.
Variations AD: different angles (technical, product, developer, enterprise).
Post all four or select the best fit per channel.
---
## X (140280 chars)
### Version A — Technical
```
Phase 30 ships: Molecule AI remote workspaces are GA.
Agents running on your laptop, AWS, GCP, or on-prem now register to the same org as your Docker agents. Same A2A. Same auth. Same canvas.
Remote badge. That's the only difference.
→ docs: https://moleculesai.app/docs/guides/remote-workspaces
```
### Version B — Product
```
Your laptop is now a valid Molecule AI runtime.
One org. Mixed fleet: Docker agents on the platform, remote agents wherever your infrastructure lives. One canvas. One audit trail.
Phase 30 is live.
```
### Version C — Developer
```
How to run a Molecule AI agent on your laptop in 3 steps:
1. Create a workspace (runtime: external)
2. Run the Python SDK
3. Watch it appear on the canvas
That's it. Phase 30 is live.
docs → https://moleculesai.app/docs/guides/remote-workspaces
```
### Version D — Enterprise
```
Multi-cloud AI agent fleets, single governance plane.
Phase 30: agents on AWS, GCP, on-prem, your laptop — all visible in one canvas, all governed by the same platform auth, all auditable.
GA today.
```
---
## LinkedIn (150300 words)
### Post — Enterprise / Platform angle
```
We're launching Phase 30: Remote Workspaces.
Most AI agent platforms assume all agents run in the same environment as the control plane. Molecule AI didn't — but until today, that's where the story ended.
Phase 30 changes that. Your agent can now run anywhere:
- On a developer's laptop, for local iteration and debugging
- On AWS or GCP, for production workloads in your cloud
- On an on-premises server, for enterprise environments with data residency requirements
- On a third-party endpoint, for existing SaaS integrations
And from the canvas, you can't tell the difference. Same workspace card. Same status. Same chat tab. Same audit trail. The only visible signal: a purple REMOTE badge.
The governance is the same. The A2A protocol is the same. The auth contract is the same. Where the agent runs is a deployment detail — not an architectural constraint.
Phase 30 is generally available today.
See the quick start → [link]
Read the guide → [link]
```
---
## Image suggestions per post
| Post | Best image |
|---|---|
| X Version A (Technical) | Fleet diagram: `marketing/assets/phase30-fleet-diagram.png` |
| X Version B (Product) | Canvas screenshot: `marketing/assets/phase30-canvas-remote-badge.png` (once captured) |
| X Version C (Developer) | Terminal screenshot: `python3 run.py` + canvas showing REMOTE badge |
| X Version D (Enterprise) | Fleet diagram (same as A) |
| LinkedIn | Fleet diagram OR canvas screenshot |
---
## Hashtag suggestions
`#MoleculeAI` `#RemoteWorkspaces` `#AIAgents` `#AgentFleet` `#AIPlatform`
`#MCP` `#A2AProtocol` `#MultiCloud`

114
marketing/devrel/phase30-video-production.md Normal file
View File

@ -0,0 +1,114 @@
# Phase 30 Launch Video — Video Editor Production Package
> **For:** Video Editor | **Cycle:** Marketing work cycle
> **Status:** Ready for production
> **Branch:** `content/blog/memory-backup-restore` (10 commits; push blocked on GH_TOKEN)
This doc tells the video editor how to assemble the Phase 30 launch video from existing DevRel assets. All source files are in the repo. No new recording needed.
---
## Assembled Video: "Agents That Run Where You Need Them"
**Target length:** 6090 seconds
**Purpose:** Hero launch video for docs site, social, and email campaign
**Tone:** Clean, confident, technical-but-accessible. Not salesy. Show, then tell.
---
## Video Structure (3 Acts)
### Act 1 — The Fleet (0:000:20)
**Visual:** `phase30-fleet-diagram.png` — the matplotlib diagram we already generated.
Dark navy background, purple REMOTE workspace boxes, blue platform, green canvas.
**Animation suggestion:** Fade in platform first (0:000:03), then platform connections draw in (0:030:08), then REMOTE boxes slide in from right edge (0:080:15), then canvas at bottom fades in (0:150:20). Total build: ~20s.
**VO:** `phase30-video-vo.mp3` plays over the full sequence (6775s). Use the script at `marketing/audio/phase30-video-vo-script.txt` as the narration lock.
**Narration start (approx 0:000:20 passage):**
> "Most AI agent platforms assume all agents run inside the platform. Molecule AI didn't."
---
### Act 2 — The Detail (0:200:50)
**Visual:** A split or sequence showing:
1. Terminal window — `python3 run.py` + agent registration output (show the `INFO workspace: registered` log line)
2. Canvas — workspace card with REMOTE badge in purple
3. Same card, active — A2A message incoming
**How to capture these:**
- Use the dev canvas at `localhost:3000` with a remote workspace in active state
- Record the registration log output from a terminal running the Python SDK
- Cut between the three frames at 0:20 / 0:35 / 0:45 marks
**VO continues:** Middle section of `phase30-video-vo.mp3`. The narration covers the mixed-fleet story (see script).
---
### Act 3 — The Close (0:500:75)
**Visual:** Return to the fleet diagram — fully built, all connections lit.
**Animation:** A gentle pulse along one A2A connection line (simulate a task dispatch).
**VO:** Final passage of `phase30-video-vo.mp3`:
> "Phase 30. Remote Workspaces. Your agents. Your infrastructure. One canvas."
**End card:** Molecule AI logo + "Phase 30 — Now GA" + link: `moleculesai.app/docs/guides/remote-workspaces`
**Duration:** 2s hold, 1s fade to black.
---
## Asset Checklist
| Asset | Location | Status | Notes |
|---|---|---|---|
| Fleet diagram (PNG) | `marketing/assets/phase30-fleet-diagram.png` | ✅ Ready | 126KB, dark navy. Use for Act 1 + Act 3 return. |
| VO track (EN) | `marketing/audio/phase30-video-vo.mp3` | ✅ Ready | 6775s, en-US-AriaNeural. Lock against timeline. |
| VO track (ZH) | `marketing/audio/phase30-video-vo-mandarin.mp3` | ✅ Ready | ~70s, zh-CN-XiaoxiaoNeural. For Mandarin cut. |
| VO script (EN) | `marketing/audio/phase30-video-vo-script.txt` | ✅ Ready | Reference for timing and lock-points. |
| VO script (ZH) | `marketing/audio/phase30-video-vo-mandarin-script.txt` | ✅ Ready | 188-char Mandarin. |
| Phase 30 blog post | `docs/blog/2026-04-20-remote-workspaces/index.md` | 📦 STAGED | Link in end card. |
| Quickstart guide | `docs/guides/remote-workspaces.md` | 📦 STAGED | Secondary link in end card. |
| Announcement audio | `marketing/audio/phase30-announce.mp3` | 📦 STAGED | 30s. Use for social cut-down (0:000:30 of X clip). |
---
## Specs for Editor
- **Format:** 1080p H.264, 30fps (social) / 24fps (docs site)
- **Aspect ratios needed:** 16:9 (docs site + YouTube), 9:16 (X/TikTok Reel), 1:1 (LinkedIn)
- **Music:** No music in primary cut. Consider a light ambient bed (6075bpm, non-melodic) for the 9:16 social cut only — keep VO clean in primary cut.
- **Color grade:** Match fleet diagram's dark navy + purple palette. Avoid blowing out the canvas screenshots — keep them readable against dark background.
- **Captions:** Burn in captions for the VO (for muted playback on social). Use `en-US-AriaNeural` timing from `phase30-video-vo-script.txt` for sync.
- **Muting:** Primary cut (docs site) can run without captions if VO is present. Social cut (X) must have captions burned in — most users watch muted.
---
## Alt Cuts
### Short Announcement (30s) — X/TikTok Reel
**Source assets:** `phase30-announce.mp3` (30s VO) + fleet diagram + REMOTE badge screenshot
**Structure:** Fleet diagram build (0:000:15) → REMOTE badge screenshot (0:150:20) → End card (0:200:30)
**Use for:** X timeline, TikTok, Instagram Reels
### Mandarin Cut (6075s)
**Source assets:** `phase30-video-vo-mandarin.mp3` + same visuals as primary cut
**VO script:** `phase30-video-vo-mandarin-script.txt` (188 chars)
**Use for:** WeChat, Chinese-language social channels, LinkedIn (zh-CN audience)
---
## Review Checklist (before publishing)
- [ ] VO is locked and plays cleanly over fleet diagram build
- [ ] REMOTE badge is visible in the canvas cutaways
- [ ] End card links are correct (live URLs, not localhost)
- [ ] Captions are synced for muted playback
- [ ] Alt cuts export cleanly at correct aspect ratios
- [ ] Blog post `docs/blog/2026-04-20-remote-workspaces/index.md` is published before the video goes live (avoid broken link in end card)
---
*Source files: repo at `content/blog/memory-backup-restore`. All assets committed. Push pending on GH_TOKEN refresh — video editor can begin assembly now using staged files.*

139
marketing/devrel/roadmap-brief.md Normal file
View File

@ -0,0 +1,139 @@
# Phase 30 + Roadmap Context Brief — DevRel
> **Sourced from:** `Molecule-AI/internal``PLAN.md` (via GitHub API, read-only token)
> **Purpose:** Keep DevRel aligned with roadmap so content and demos anticipate what's coming
---
## Phase 30: Remote Workspaces — What's Shipped
Phase 30 shipped 8 sub-features (30.130.8), all GA as of 2026-04-20:
| Sub-feature | What it does |
|---|---|
| 30.1 Workspace auth tokens | 256-bit bearer tokens, minted at registration. Prevents spoofing. |
| 30.2 Secrets pull endpoint | `GET /workspaces/:id/secrets/values` — gated by auth token |
| 30.3 Plugin tarball download | `GET /plugins/:name/download` — remote agent plugin install |
| 30.4 Workspace state polling | `GET /workspaces/:id/state` — fallback for agents behind NAT |
| 30.5 A2A proxy token validation | Mutual auth on `POST /workspaces/:id/a2a` |
| 30.6 Sibling discovery + URL caching | `GET /registry/{parent_id}/peers`, cache sibling URLs |
| 30.7 Poll-liveness for external runtime | 90s offline threshold, behind `REMOTE_LIVENESS_POLLING_ENABLED` |
| 30.8 Remote-agent SDK + docs | `sdk/python/examples/remote-agent/`, Python thin client |
**Out of scope for Phase 30:**
- Mutual TLS from agent → platform (deferred)
- Agent-to-agent mesh across NATs (needs relay — deferred to Phase 31)
- Platform-managed persistent state for remote agents
---
## Phase 31 — Quality + Infra Pass — SHIPPED 2026-04-13
Completed in PRs #1#8:
- Brand migration (Molecule → Molecule AI)
- Repo structural cleanup
- MCP per-domain split (1697 → 89 lines, 87 tools)
- Canvas dialog unification
- Platform handler decomposition (+47 Go tests, coverage 56.1% → 57.6%)
- Env-var documentation (all 21 vars now documented)
- E2E hardening + CI (`test_api.sh` 62/62, `test_comprehensive_e2e.sh` 67/67)
---
## Phase 32 — Cloud SaaS Launch (2026-Q2/Q3) — IN PROGRESS
**Goal:** Ship Molecule AI as a multi-tenant cloud SaaS (not just self-hosted per-customer).
**Live infrastructure (as of 2026-04-15):**
- Control plane: `https://molecule-cp.fly.dev`
- Tenant app: `molecule-tenant` (Fly)
- Database: **Neon** serverless Postgres (branch-per-org)
- Cache: **Upstash** Redis
- Auth: **WorkOS AuthKit** (`/cp/auth/{signup,login,callback,signout,me}`)
- Billing: Stripe scaffold deployed (no live keys yet — pending Stripe Atlas)
- Registry: `registry.fly.io/molecule-tenant:latest`
- Domain: `moleculesai.app` (Cloudflare routing, DNS pending)
- First real tenant provisioned: org `acme`
**Phase status:**
- A — Foundation (accounts, tokens, domain) ✅
- B — Fly provisioner + Neon branching ✅
- C — WorkOS AuthKit scaffold ✅
- D — Stripe billing scaffold ✅ (live keys pending Stripe Atlas)
- E — Cloudflare + DNS + per-tenant Vercel canvas ✅
- F — Sign-up UX + onboarding ✅ (basic flow done; polish + email pending)
- G — Observability + quotas + admin ✅
- H — Hardening ⏳ partial (KMS envelope encryption ✅, tenant-isolation CI ✅, legal pages ✅; load test + Stripe Atlas + status page custom domain pending)
- I — Launch ⏳ pending Stripe Atlas (~2 week lead)
**Architectural decisions relevant to DevRel messaging:**
- **Open-core split:** `Molecule-AI/molecule-controlplane` (private) handles orgs/signup/billing/provisioner/routing. This public repo stays OSS (tenant binary + plugins + channels).
- **Firecracker > Docker socket:** Fly Machines API replaces raw Docker socket for multi-tenant isolation. Docker path stays for local dev only.
- **Companion repo:** `molecule-controlplane/PLAN.md` has the private roadmap.
**Tier 1 blockers before first external user:**
- Multi-tenancy: `org_id` filter on every row-returning handler
- Human auth + orgs via WorkOS (separate from Phase 30.1 agent bearer tokens)
- Container isolation via Fly Machines (Firecracker microVMs)
- Stripe billing (subscriptions + usage metering)
- Per-org resource quotas
- Managed Postgres (Neon) + Redis (Upstash)
- Secrets at rest via AWS/GCP KMS
- Migration runner extraction (goose as release step)
---
## Upcoming: Phase 33+
**What to watch for:** The backlog (PLAN.md) lists:
- Canvas: Org template import, Workspace search (Cmd+K), Batch operations
- Sandbox: Firecracker/E2B backends
- SDK follow-ups: live tool-call visibility, cost telemetry, cancel UX
- Real webhook mode for channels (webhook vs. polling)
- More channel adapters: Slack (OAuth), Discord (Bot + Gateway), WhatsApp
---
## Known Issues (from `known-issues.md`)
Three issues tracked internally, not yet filed as GitHub issues:
**KI-001 — Telegram `kicked` event doesn't persist disabled state**
- File: `telegram.go:596`
- Severity: Medium
- When the bot is removed from a chat, it keeps retrying sends indefinitely
- Fix: set `enabled = false` on `workspace_channels` row
**KI-002 — Delegation system has no idempotency guard**
- File: `delegation.go`
- Severity: Medium
- Container restart mid-delegation → double execution risk
- Fix: add optional `idempotency_key` to `POST /workspaces/:id/delegate`
**KI-003 — `commit_memory` not surfaced in `activity_logs`**
- File: `memory.py` + `activity.go`
- Severity: Low (debugging quality)
- Memory writes invisible in Canvas "Agent Comms" tab
- Fix: emit `activity_log` entry of type `tool_call` for `commit_memory`
---
## Backlog Highlights for DevRel
The backlog has direct marketing angles:
1. **Canvas: Org template import** — no-code org deployment from Canvas UI (Phase 20.3)
2. **SDK follow-ups** — cost telemetry + live tool-call visibility → enterprise governance story
3. **Delegations list endpoint**`GET /workspaces/:id/delegations` returns `[]` while `check_delegation_status` shows active. One source of truth needed.
4. **Per-agent repo access**`workspace_access: none|read_only|read_write` in `org.yaml` — eliminates the "PM couriers documents to reports" workaround
5. **SDK executor stderr swallowing** — every CLI failure is opaque; fix captures stderr, includes first ~1 KB in A2A error response. High priority per PLAN.md.
---
## Ecosystem Watch
`docs/ecosystem-watch.md` is the canonical starting point for research agents doing competitive analysis. Notable projects to track: Holaboss, Hermes, gstack, Letta, Trigger.dev.
---
*Update this doc after token refresh — check PLAN.md for Phase 32 content.*

118
marketing/drip/phase30-email-drip.md Normal file
View File

@ -0,0 +1,118 @@
# Phase 30 — Email Drip Sequence
> **For:** Marketing Lead + Email/CRM team | **Status:** Draft
> **Trigger:** After blog post and guides are live
3-email sequence designed to move developers and platform evaluators from "heard of it" to "tried it."
---
## Email 1 — Launch Announcement (Day 1, Launch Morning)
**Subject line:** Your laptop is now a valid Molecule AI runtime
**Subject line alt:** Phase 30: Remote Workspaces is generally available
**Preview text:** Agents can now run on any machine — your laptop, a VM, on-prem — and appear in Canvas like every other workspace.
**Body:**
> Hi {{first_name}},
>
> Most AI agent platforms assume your agents run in the same place as the control plane.
>
> Phase 30 changes that.
>
> Starting today, any Python agent — running on your laptop, a cloud instance, or an on-premises server — can register with your Molecule AI org and appear in Canvas as a first-class workspace. Same auth. Same A2A protocol. Same audit trail.
>
> **The only visible difference: a purple REMOTE badge.**
>
> We call it Remote Workspaces. Here's why it matters:
>
> - **Developers** — run an agent on your laptop, debug it with your IDE, and have it participate in your org's task pipeline simultaneously
> - **Platform teams** — deploy agents in your own cloud account without changing your Molecule AI workflow
> - **Enterprise** — meet data-residency requirements by keeping agent compute on your infrastructure
>
> Phase 30 is generally available today. Self-serve setup in under 5 minutes.
>
> [Get started →](/docs/guides/remote-workspaces)
> [Read the launch post →](/blog/remote-workspaces-ga)
> [Quickstart guide →](/docs/guides/remote-workspaces#quick-start)
>
> — The Molecule AI team
---
## Email 2 — Feature Deep Dive (Day 34)
**Subject line:** The AGENTS.md trick that makes multi-agent coordination just work
**Subject line alt:** Two things that make Remote Workspaces different
**Preview text:** Auto-generated agent manifests and versioned workspace snapshots ship with Phase 30.
**Body:**
> Hi {{first_name}},
>
> A quick follow-up on Phase 30. Two things that shipped with Remote Workspaces that deserve their own explanation:
>
> **1. AGENTS.md auto-generation**
>
> Every Molecule AI workspace now generates an `AGENTS.md` file at boot — automatically. It reflects the workspace config: role, A2A endpoint, available tools. Any peer agent can read it to understand what another agent does and how to reach it, without reading system prompts.
>
> This is the AAIF / Linux Foundation AGENTS.md standard, implemented as a first-class platform feature.
>
> **2. Versioned workspace state with Cloudflare Artifacts**
>
> Every workspace can now be linked to a Cloudflare Artifacts git repo. The agent can push snapshots — current task state, memory dumps, config — and other agents can fork the repo to continue from the same point.
>
> Git for agents, built into the platform. No separate dashboard, no external git service setup.
>
> [See the working demos →](/marketing/demos) *(after docs go live, update to public URL)*
> [Phase 30 launch post →](/blog/remote-workspaces-ga)
>
> Questions? Reply to this email — we read them.
>
> — The Molecule AI team
---
## Email 3 — Social Proof / CTA (Day 7)
**Subject line:** What developers are building with Remote Workspaces
**Subject line alt:** One week in: what the community is doing with Phase 30
**Preview text:** Data residency, multi-cloud fleets, and local debugging — the first week of Phase 30.
**Body:**
> Hi {{first_name}},
>
> One week in, here's what we're seeing from teams using Phase 30 Remote Workspaces:
>
> **A data engineering team** is running a pipeline agent on a GPU instance in their own AWS account — keeping raw data on their infrastructure while using the platform for orchestration. Data residency solved.
>
> **A developer relations team** is running a local agent on their laptops for quick iteration — debugging agent behavior in their IDE, then pointing the same agent at the org for production tasks. No switching environments.
>
> **An enterprise platform team** is running agents across three clouds — GCP, AWS, and a private cloud — visible in one Canvas, governed by the same org auth. Multi-cloud fleet, single governance plane.
>
> If you've been evaluating AI agent platforms and hesitated because "my data can't leave my infrastructure," Phase 30 was built for you.
>
> [Talk to our team →](/contact) *(replace with actual sales link)*
> [Read the docs →](/docs/guides/remote-workspaces)
> [See working demos →](/marketing/demos)
>
> — The Molecule AI team
---
## Notes for CRM team
- Send from `team@moleculesai.app` or a named sender (CEO or Marketing Lead name)
- Segment by: existing customers (already on platform) vs. evaluators (visited docs, not yet a customer) — Email 2 + 3 copy can be swapped for evaluators vs. customers
- Unsubscribe link required in every email
- All internal link placeholders (`/docs/...`, `/blog/...`) must be resolved to live URLs before send
- Phase 2 + Phase 3 email body copy can be A/B tested with the alt subject lines
---
*CRM placeholders: `{{first_name}}`, `{{contact}}`, `{{sales_link}}` — resolve before launch.*

187
marketing/drip/post-push-checklist.md Normal file
View File

@ -0,0 +1,187 @@
# Phase 30 Launch — Post-Push Execution Checklist
> **For:** DevRel + Marketing Lead | **Trigger:** After GH_TOKEN refreshes + push completes
> **Purpose:** Step-by-step sequencing so nothing gets missed on launch day
---
## Phase 1 — Push & Validation (Do First)
### 1.1 Push the branch
```bash
git -C /workspace/repo push origin content/blog/memory-backup-restore
```
### 1.2 Verify all 11 commits landed
```bash
gh api repos/Molecule-AI/internal/commits --jq '.[0:11] | .[].commit.message' \
--param per_page=15 2>&1 | head -30
```
Look for the expected commit messages in reverse chronological order.
### 1.3 Post GitHub issue comments
```bash
bash /workspace/repo/marketing/demos/post-issue-comments.sh
```
This posts completion comments on `#1172` and `#1173` using the staged JSON payloads.
### 1.4 Verify comments posted
```bash
gh issue comment list 1172 --repo Molecule-AI/internal 2>&1
gh issue comment list 1173 --repo Molecule-AI/internal 2>&1
```
Confirm both return the DevRel completion text.
---
## Phase 2 — Docs Site Publish
### 2.1 Submit PR from the branch
```bash
gh pr create \
--repo Molecule-AI/internal \
--base main \
--head content/blog/memory-backup-restore \
--title "docs(marketing): Phase 30 launch — Remote Workspaces GA, demos, and supporting content" \
--body "$(cat <<'EOF'
## Summary
- Phase 30 Remote Workspaces GA blog post
- Phase 30 user guide and FAQ
- /cp/* same-origin proxy guide
- Chrome DevTools MCP governance blog post
- Container vs Remote decision guide
- Secure by Design blog post (beta auth launch)
- AGENTS.md auto-generation working demo + screencast spec (#1172)
- Cloudflare Artifacts working demo + screencast spec (#1173)
- Phase 30 social copy (X: 4 versions, LinkedIn)
- Chrome DevTools MCP social copy
- Phase 30 video production package (for Video Editor)
- Phase 30 DevRel asset inventory
- Fleet diagram, TTS audio files, VO scripts
## Test plan
- [ ] Review each guide for technical accuracy before merge
- [ ] Confirm all internal links resolve
- [ ] Confirm blog post dates are correct (2026-04-20)
- [ ] Verify TTS audio files play (mp3)
- [ ] Run docs link audit (all 34 links verified on disk)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
EOF
)"
```
### 2.2 Get PR reviewed and merged
Hand off to whoever can approve — Marketing Lead or a tech lead.
### 2.3 After merge: verify docs site publishes
```bash
curl -s https://moleculesai.app/docs/guides/remote-workspaces.md | head -20
curl -s https://moleculesai.app/docs/guides/remote-workspaces-faq.md | head -10
```
Confirm both return 200 with correct frontmatter.
---
## Phase 3 — Social Posts (After PR Merges)
### 3.1 X (Twitter) — Phase 30 launch
Post all 4 versions from `marketing/devrel/phase30-social-copy.md`, spaced ~3 hours apart:
| # | Version | Angle | Post time |
|---|---|---|---|
| 1 | Version A | Technical | Launch day, 09:00 UTC |
| 2 | Version B | Product | Launch day, 12:00 UTC |
| 3 | Version C | Developer | Launch day, 15:00 UTC |
| 4 | Version D | Enterprise | Launch day, 18:00 UTC |
**Images:** Attach `marketing/assets/phase30-fleet-diagram.png` to Version A and D. For C, use a terminal screenshot.
### 3.2 LinkedIn — Phase 30 launch
Post the enterprise/platform post from `phase30-social-copy.md`. Attach fleet diagram.
### 3.3 X — Chrome DevTools MCP
Post Version A from `marketing/devrel/chrome-devtools-mcp-social-copy.md`. Attach fleet diagram.
### 3.4 LinkedIn — Chrome DevTools MCP
Post the full LinkedIn block from `chrome-devtools-mcp-social-copy.md`. Attach checklist graphic or quote card.
### 3.5 Schedule cadence
Use Buffer/Hootsuite or schedule manually. All copy is pre-written — no drafting needed at post time.
---
## Phase 4 — Email Campaign
After social posts are live, trigger the email drip sequence (see `marketing/drip/phase30-email-drip.md`).
### 3-step sequence:
1. **Day 1 (launch morning):** Announcement — "Phase 30 is GA" + blog link + quickstart guide
2. **Day 34:** Feature deep dive — pick the strongest sub-feature (AGENTS.md or CF Artifacts)
3. **Day 7:** Social proof / case study or customer quote (coordinate with Sales)
---
## Phase 5 — Community & Devrel
### 5.1 Hacker News
See `marketing/community/hacker-news-launch.md` — submit when ready, monitor comments for 46 hours.
### 5.2 Discord / Slack announcements
Post in relevant channels. Copy is in `marketing/community/community-announcements.md`.
### 5.3 DevRel outreach
If any开发者 advocates or agent ecosystem influencers should know about Phase 30, pre-write outreach DMs now (coordinate with Marketing Lead).
---
## Phase 6 — Verify Live Assets (Day 2+)
```bash
# Blog posts
curl -s -o /dev/null -w "%{http_code}" https://moleculesai.app/blog/remote-workspaces-ga
curl -s -o /dev/null -w "%{http_code}" https://moleculesai.app/blog/chrome-devtools-mcp-governance
# Guides
curl -s -o /dev/null -w "%{http_code}" https://moleculesai.app/docs/guides/remote-workspaces
curl -s -o /dev/null -w "%{http_code}" https://moleculesai.app/docs/guides/remote-workspaces-faq
# Audio (if hosted)
curl -s -o /dev/null -w "%{http_code}" https://moleculesai.app/audio/phase30-announce.mp3
```
All should return 200.
---
## Known Blockers to Communicate
| Blocker | Owner | Status |
|---|---|---|
| GH_TOKEN must refresh before push | CEO | ⏳ Waiting |
| PR must be reviewed and merged before docs go live | Marketing Lead / Tech Lead | ⏳ Waiting |
| Canvas screenshot (REMOTE badge) not yet captured | Design Team | ⏳ Waiting |
| PMM path for `phase30-launch-plan.md` unconfirmed | PMM | ⏳ Waiting |
---
*Update this doc as items complete. Check off each step after execution.*

82
marketing/press/phase30-press-release.md Normal file
View File

@ -0,0 +1,82 @@
# FOR IMMEDIATE RELEASE
## Molecule AI Launches Phase 30: Remote Workspaces Bring AI Agent Fleets to Any Infrastructure
*Platform update enables enterprises to run autonomous AI agents on-premises, in any cloud, or on a developer's laptop — while maintaining single-pane-of-glass orchestration and governance*
**[Date: April 20, 2026] — Molecule AI** today announced the general availability of Phase 30: Remote Workspaces, a platform update that allows AI agents to run on any infrastructure — a developer's laptop, a cloud VM, or an on-premises server — while remaining fully visible and governed within the Molecule AI platform.
Until now, Molecule AI customers who wanted the platform's agent orchestration, A2A coordination, and governance features had to run agents on the platform's infrastructure. Phase 30 removes that constraint. Agents can now register to a Molecule AI org from external machines using a lightweight, outbound-only connection, and appear in Canvas alongside managed (container) workspaces — with no code changes required.
---
### What Phase 30 Ships
Phase 30 is eight bounded improvements packaged as one coherent feature:
- **Remote runtime** — Agent binary connects via WSS. No inbound ports, no VPN. Outbound HTTPS to the platform only.
- **Workspace auth tokens** — Cryptographic 256-bit bearer identities, minted at registration. No shared secrets.
- **Token-gated secrets pull** — Agents pull API keys from the platform at boot. No credentials in container images.
- **Mixed-fleet Canvas** — Container and remote workspaces appear in the same Canvas. Same status, same chat, same audit trail.
- **A2A across runtimes** — Agents on different runtimes communicate via A2A without code changes.
- **AGENTS.md auto-generation** — Every workspace generates a machine-readable agent manifest at boot. Peer agents can discover each other's identity and tools without reading system prompts. (AAIF / Linux Foundation standard.)
- **Cloudflare Artifacts integration** — Every workspace can be linked to a git repo for versioned state snapshots. Agents can fork repos to bootstrap from any checkpoint.
- **`/cp/*` reverse proxy** — Allowlist-based same-origin access for internal APIs. Fail-closed.
---
### Why It Matters
The enterprise AI agent landscape is fragmenting along infrastructure lines. Some teams need agents that run on-premises due to data-residency requirements. Others need agents that run in their own cloud accounts. Many want the ability to debug agents locally before promoting them to production. Phase 30 was designed for all three scenarios simultaneously — without forcing customers to choose between platform convenience and infrastructure control.
"With Phase 30, we made the infrastructure choice optional," said [NAME, TITLE]. "Where the agent runs is now a deployment decision — not an architectural constraint. Customers can run managed agents for standard tasks and remote agents for data-locality or environment-specific requirements, in the same Canvas, with the same governance."
---
### Use Cases
- **Data residency** — Run agent compute on-premises or in a private cloud account. Raw data never touches the Molecule AI platform.
- **Developer iteration** — Run an agent locally for debugging with an IDE, then point the same agent at the org for production tasks.
- **Multi-cloud fleet management** — Run agents across AWS, GCP, and on-premises simultaneously. Visible in one Canvas, governed by one auth system.
- **Existing agent integrations** — Register an existing agent with the org without containerizing and redeploying it.
---
### Availability
Phase 30: Remote Workspaces is generally available as of April 20, 2026. Remote workspaces are priced identically to container workspaces at GA. Self-serve setup takes under five minutes.
- **Docs:** https://moleculesai.app/docs/guides/remote-workspaces
- **Quickstart:** https://moleculesai.app/docs/guides/remote-workspaces#quick-start
- **Launch post:** https://moleculesai.app/blog/remote-workspaces-ga
- **Working demos:** https://moleculesai.app/docs/marketing/demos
---
### About Molecule AI
Molecule AI is an agent orchestration platform for autonomous AI agent fleets. The platform provides A2A task dispatch, multi-workspace Canvas, org-scoped auth, and MCP governance. Used by platform engineering teams, data engineering teams, and enterprise organizations running multi-agent workflows.
---
## Media Contact
[NAME]
[EMAIL]
[moleculesai.app](https://moleculesai.app)
---
## Notes for PR team
- **[Date]** field: replace with actual press release publish date
- **[NAME, TITLE]** field: replace with quote attribution from CEO or CTO
- **[MEDIA CONTACT]** fields: replace with actual PR contact details
- Embargo: confirm whether this should be under embargo until a specific time
- Distribution: wire services (PR Newswire, Business Wire) or direct media outreach
- Follow-up: schedule analyst briefing for enterprise-focused analysts (Gartner, Forrester if applicable)
- Links assume docs site is live — confirm before finalizing
---
*Replace `[BRACKETED]` placeholders before distribution. Check all links for live URLs.*

98
marketing/sales/phase30-one-pager.md Normal file
View File

@ -0,0 +1,98 @@
# Phase 30 Remote Workspaces — One-Pager
> **For:** Sales + prospects | **Length:** 1 page | **Format:** PDF-ready
---
## What it is
Remote Workspaces let you run Molecule AI agents on your own infrastructure — your laptop, a cloud VM, an on-premises server. They register to your Molecule AI org and appear in Canvas alongside your managed (container) workspaces. Same auth. Same A2A protocol. Same governance.
**The only visible difference:** a purple REMOTE badge on the workspace card.
---
## What changes for the buyer
| | Before Phase 30 | After Phase 30 |
|---|---|---|
| Agent runtime | Platform-managed only | Platform-managed OR self-hosted |
| Fleet visibility | Container workspaces only | Mixed fleet, one Canvas |
| Data residency | Agent compute on Molecule AI infra | Agent compute on your infra |
| Governance model | Identical across runtimes | Identical across runtimes |
---
## What this enables (real use cases)
**Developer teams:** Run a local agent on your laptop for debugging with your IDE, then point the same agent at the org for production tasks. No environment switching.
**Data engineering teams:** Keep raw data on your own AWS/GCP/on-prem infrastructure while using the platform for orchestration. Data residency requirement solved.
**Enterprise platform teams:** Run agents across three clouds — visible in one Canvas, governed by the same org auth. Multi-cloud fleet, single governance plane.
**Existing agent integrations:** Don't want to containerize and redeploy? Register your existing agent with the org. It appears in Canvas without code changes.
---
## What ships with Phase 30
1. **Workspace auth tokens** — 256-bit bearer tokens, minted at registration. No shared secrets.
2. **Token-gated secrets pull** — API keys pulled at boot from the platform. No credentials baked into images.
3. **Reverse proxy (`/cp/*`)** — Allowlist-based same-origin access for internal APIs. Fail-closed.
4. **AdminAuth WorkOS session tier** — 30s positive / 5s negative cache. Tenant-scoped.
5. **AGENTS.md auto-generation** — Auto-generated agent manifest at workspace boot. Peer agents can read each other's identity without system prompts. (AAIF standard.)
6. **Cloudflare Artifacts integration** — Workspace git repos, snapshot/push, fork. "Git for agents."
7. **Remote runtime** — Agent binary connects via WSS. No inbound ports, no VPN. Outbound HTTPS only.
8. **Mixed-fleet Canvas** — Container + remote workspaces visible together, real-time status.
---
## What stays the same
- A2A protocol works across container/remote without code changes
- MCP governance (plugin allowlists, org API keys, audit logs) applies identically
- Org-scoped auth and session-tier controls apply identically
- Canvas, task dispatch, and parent/child relationships work across runtimes
---
## Pricing
Remote workspaces = container workspace pricing at GA. No premium for the remote runtime.
---
## Quick start
```bash
# 1. Install
curl -sSL https://get.moleculesai.app | bash
# 2. Authenticate
molecule login --org your-org
# 3. Bootstrap
molecule workspace init --name my-agent --runtime remote
# 4. It appears in Canvas in ~10 seconds
```
**Docs:** `moleculesai.app/docs/guides/remote-workspaces`
**Launch post:** `moleculesai.app/blog/remote-workspaces-ga`
**Demos:** `moleculesai.app/docs/marketing/demos`
---
## Competitive differentiation
| Competitor | Their claim | Our answer |
|---|---|---|
| Modal / Railway | "Managed infra" | They own compute; we let you own yours |
| Cursor / Copilot | "AI coding assistant" | Single-agent; we do multi-agent coordination |
| CrewAI / Autogen | "Open-source agents" | DIY infra + governance; we give you the platform day one |
| Windsurf / Devin | "Autonomous coding agent" | No org-level governance; we have it built in |
---
*Replace docs links with live URLs before distributing.*

181
marketing/sales/phase30-sales-enablement.md Normal file
View File

@ -0,0 +1,181 @@
# Phase 30 — Sales Enablement Package
> **For:** Sales + Solutions Engineering | **Status:** Draft
> **Purpose:** Equip sellers with competitive battlecards, objection handlers, and demo talking points for Phase 30 Remote Workspaces
---
## Competitive Battlecards
### Battlecard 1: Molecule AI vs. Modal / Railway
**Their pitch:** "We handle the infra so you don't have to."
**Decision-maker's concern:** "You mean I give up control of my data?"
| Dimension | Molecule AI Phase 30 | Modal / Railway |
|---|---|---|
| **Compute ownership** | You own it — run on your laptop, your cloud, on-prem | They own it — serverless, you don't control the machine |
| **Data residency** | Agent compute stays on your infrastructure | Data processed on their infrastructure |
| **Multi-agent coordination** | A2A protocol, Canvas, org-scoped auth | Single-function inference calls |
| **Orchestration layer** | Yes — task dispatch, parent/child relationships | No — just inference |
| **Use case fit** | Agent fleets, coordination, autonomous pipelines | Short-lived inference jobs, batch processing |
**Winning talk track:**
> "Modal and Railway are inference platforms — they run your code on their infrastructure. Molecule AI is an orchestration layer — it runs on yours. If your concern is data residency or keeping compute on-premises, that's a fundamentally different category. We're not competing with Modal. We're solving a different problem."
---
### Battlecard 2: Molecule AI vs. Cursor / Copilot
**Their pitch:** "AI coding assistant built in to your IDE."
**Decision-maker's concern:** "Our team is already using Cursor. Why do we need this?"
| Dimension | Molecule AI Phase 30 | Cursor / Copilot |
|---|---|---|
| **Use case** | Autonomous multi-agent pipelines | One human + one AI pairing |
| **Agent autonomy** | Agents act without a human in the loop | Human drives every decision |
| **Coordination** | A2A, parent/child task dispatch | No coordination layer |
| **Scale** | Fleet of agents, mixed runtimes | Individual developer sessions |
| **Enterprise governance** | Org API keys, audit logs, MCP allowlists | Developer tool, no org-level controls |
**Winning talk track:**
> "Cursor and Copilot are incredible developer tools — one human, one AI, great for coding assistance. Molecule AI is an agent orchestration platform. When you want multiple autonomous agents that coordinate with each other — dispatching tasks, reporting status, working in parallel — that's a different product category. Phase 30 Remote Workspaces means you can run those agents wherever your compute lives. If your roadmap involves multi-agent systems, that's where we come in."
---
### Battlecard 3: Molecule AI vs. CrewAI / Autogen (open-source frameworks)
**Their pitch:** "Build multi-agent systems with open-source Python."
**Decision-maker's concern:** "Why pay for something we can build ourselves?"
| Dimension | Molecule AI Phase 30 | CrewAI / Autogen |
|---|---|---|
| **Operational burden** | Zero — platform manages infra, auth, heartbeat | You manage all of it — servers, scaling, auth |
| **Governance** | Org API keys, MCP allowlists, workspace audit logs | Diy — you build it yourself |
| **Canvas / observability** | Real-time workspace visibility, status, chat | No UI — code and logs only |
| **Deployment model** | Hybrid — container + remote, same org | Self-hosted only |
| **Time to value** | Hours | Weeks (to build the same capability) |
| **Maintenance** | Platform team owns uptime and updates | Your team maintains everything |
**Winning talk track:**
> "CrewAI and Autogen are solid frameworks for prototyping multi-agent systems. The problem is what comes after prototype: who maintains the servers, how do you add auth, where's the observability, how do you govern what agents can do. That's a significant engineering investment before you get to production. Molecule AI gives you the coordination layer on day one. Phase 30 means you can even run the agents on your own infrastructure if that's a requirement. The open-source framework gets you to prototype faster. We get you to production faster."
---
### Battlecard 4: Molecule AI vs. Windsurf / Devin
**Their pitch:** "Autonomous coding agent."
**Decision-maker's concern:** "Autonomous agents sound good but they scare my security team."
| Dimension | Molecule AI Phase 30 | Windsurf / Devin |
|---|---|---|
| **Governance** | MCP allowlists, org API keys, audit trail | No org-level governance model |
| **Browser access** | Chrome DevTools MCP + Molecule AI governance layer | Raw CDP, no control layer |
| **Multi-agent fleet** | Yes — full A2A coordination | Single-agent only |
| **Observability** | Canvas, real-time status, task chat | Developer tool UI only |
| **Enterprise readiness** | SOC 2-ready, org-scoped auth, session tier | Early-stage, not enterprise-hardened |
**Winning talk track:**
> "The autonomous coding agents are getting good — but they're a single-agent paradigm. When you want a fleet of agents, or when your security team needs to control what an agent can do with a browser or an API key, you need a governance layer on top. That's what Molecule AI adds. Phase 30's Chrome DevTools MCP integration, for example, gives an agent browser access through your org's MCP allowlist — with a full audit trail. That's not something you get with a standalone autonomous coding tool."
---
## Objection Responses
### "Our data can't leave our infrastructure."
**Response:**
> "Phase 30 was built for exactly that requirement. Remote Workspaces let you run the agent on your own machine, your own cloud account, your on-premises server. The platform handles orchestration and coordination — the agent compute runs where your data lives. This isn't a workaround. It's the primary deployment model."
**Proof point:** "A data engineering team is currently using this for a pipeline agent running in their own AWS account — raw data never touches the Molecule AI platform."
---
### "This sounds complicated. Our team doesn't want to manage more infrastructure."
**Response:**
> "There's two ways to run it. Container workspaces are fully managed — you don't touch the infra. Remote Workspaces are for when you specifically need the agent to run elsewhere. Most teams use both: managed agents for standard tasks, remote agents for data-locality or environment-specific requirements."
**Proof point:** "The mixed-fleet pattern means you only manage what you need to manage. Canvas shows everything in one view regardless of runtime."
---
### "We already have a team that manages agent infrastructure. Why would we add Molecule AI?"
**Response:**
> "Because you're managing the orchestration layer yourself. Molecule AI replaces the custom coordination code — A2A task dispatch, parent/child relationships, auth, heartbeat, observability. That's nontrivial to build and maintain. We give you the platform; your team focuses on what the agents actually do."
---
### "How is this different from just running agents in Kubernetes?"
**Response:**
> "Kubernetes manages containers. It doesn't manage agent identity, task dispatch, or coordination. With Remote Workspaces, you get the platform layer — Canvas, A2A, org-scoped auth, audit logs — without needing a custom-built orchestration system. The agent still runs on your infra, but it's registered to the platform."
---
### "What's the pricing difference between remote and container workspaces?"
**Response:**
> "At GA launch, remote and container workspaces are priced identically. Future tiers may differentiate on egress or storage, but that's not in the current release. There's no premium for the remote runtime specifically."
---
## Demo Talking Points — Phase 30 (3-minute live demo script)
### Opening (30s)
> "I'm going to show you two things today: how an agent runs on my laptop, and how it coordinates with agents running on the platform — same Canvas, same A2A, same auth."
**Do:** Open Canvas, show one container workspace + one remote workspace both online.
---
### Setup moment (60s)
> "This agent is running on my local machine. I installed it with a single command. It registered with the org and appeared here within 10 seconds. No inbound ports, no VPN — just outbound HTTPS to the platform."
**Do:** Terminal — run `python3 run.py` show registration output, cut to Canvas showing REMOTE badge.
---
### Coordination moment (60s)
> "Now I'm going to dispatch a task from the PM agent — which is running in a container on the platform — to the remote agent on my laptop. Watch Canvas."
**Do:** PM dispatches task, researcher on remote laptop receives and executes, result returned to PM, Canvas shows both active during coordination.
---
### Close (30s)
> "Two runtimes, one Canvas. Same auth, same A2A protocol. Where the agent runs is a deployment choice — not an architectural constraint."
**Do:** Canvas full screen, both agents active. Point to REMOTE badge.
---
## Quick-Start Checklist for Sales Engineers
Before a remote workspace demo, verify:
- [ ] Agent binary installed on demo machine (`curl -sSL https://get.moleculesai.app | bash`)
- [ ] `molecule login --org [customer-org]` authenticated
- [ ] `molecule workspace init --name demo-agent --runtime remote` created
- [ ] Workspace appears in Canvas within 10s of startup
- [ ] REMOTE badge visible on workspace card
- [ ] A2A messages route successfully to/from remote workspace
- [ ] Cloudflare Artifacts repo can be attached (if demoing the feature)
---
## Objection → Champion Mapping
Use this to help your champion build internal arguments:
| Objection | Internal argument to make |
|---|---|
| "Data residency" | Phase 30 is the only platform with remote runtime + data residency |
| "Too complex" | Mixed fleet means you only use remote when you need it |
| "Why not just use Kubernetes" | We handle orchestration — they handle compute |
| "Price" | Remote = container pricing at GA; no premium |
| "Security" | MCP governance + org API keys apply to remote identically |
---
*Drafted by DevRel. Sales Engineers should customize the talk tracks to their own voice before customer calls.*