From df632aeab5d671dab2c9e9a87b7f3ac1f53058a7 Mon Sep 17 00:00:00 2001 From: Hongming Wang Date: Sat, 18 Apr 2026 12:04:49 -0700 Subject: [PATCH] =?UTF-8?q?docs(opencode):=20RFC=202119=20=E2=80=94=20'sho?= =?UTF-8?q?uld=20not'=20=E2=86=92=20'must=20not'=20for=20SAFE-T1201=20warn?= =?UTF-8?q?ing=20(closes=20#861)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.6 (1M context) --- docs/integrations/opencode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/opencode.md b/docs/integrations/opencode.md index 741be90c..4d69ef72 100644 --- a/docs/integrations/opencode.md +++ b/docs/integrations/opencode.md @@ -77,7 +77,7 @@ opencode sends this tool call to the Molecule MCP endpoint. The platform routes `list_peers` returns the full set of workspace names and roles visible to your workspace. This is intentional: provisioned agents need to know their peers to delegate effectively. Be aware that any opencode agent with a valid `MOLECULE_MCP_TOKEN` can enumerate your org topology. ### SAFE-T1201 — tool surface audit pending -The full `@molecule-ai/mcp-server` npm package exposes additional tools beyond those listed above. These are pending a SAFE-T1201 security audit (tracked in #747 follow-on) and **should not be exposed to external agents in production** until that audit completes. +The full `@molecule-ai/mcp-server` npm package exposes additional tools beyond those listed above. These are pending a SAFE-T1201 security audit (tracked in #747 follow-on) and **must not be exposed to external agents in production** until that audit completes. ### Token scoping Issue tokens with the minimum required scopes (`mcp:read`, `mcp:delegate`). Rotate tokens regularly. Revoke via `DELETE /workspaces/:id/tokens/:token_id`.
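Review bot: In the `+` line of the SAFE-T1201 paragraph the keyword is still lowercase (`**must not be exposed to external agents in production**`), while the subject cites RFC 2119. Under RFC 8174 these keywords carry their defined normative meaning only when written in uppercase, so if this is meant as a requirement, write `MUST NOT` (the bold can stay) and say once in the document that the keywords are used in the RFC 2119 sense. The sentence also gives an operator nothing to act on: it refers to "additional tools beyond those listed above" without saying how to keep them unexposed. Consider stating that the tools listed above are the only ones permitted for external agents until the audit completes, and pointing the tracking reference at a concrete issue rather than "#747 follow-on".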