molecule-core

molecule-ai/molecule-core

Fork 2

Commit Graph

Author	SHA1	Message	Date
documentation-specialist	26afbbfdf4	docs(internal): bulk-sed molecule-core .md docs → Gitea (#37 final molecule-core sweep) Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s Details CI / Detect changes (pull_request) Successful in 5s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 6s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 6s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 5s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s Details CI / Platform (Go) (pull_request) Successful in 3s Details CI / Canvas (Next.js) (pull_request) Successful in 5s Details CI / Python Lint & Test (pull_request) Successful in 3s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 4s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 8s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s Details Ops Scripts Tests / Ops scripts (unittest) (pull_request) Failing after 12s Details CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Failing after 51s Details CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Failing after 1m20s Details CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Failing after 1m20s Details Mass-sed across 17 files / 38 active refs in molecule-core .md docs (README + CONTRIBUTING + docs/architecture/ + docs/blog/ + docs/guides/ + docs/integrations/ + docs/quickstart.md + scripts/README.md). Driver: /tmp/sweep_core.py — same pattern set as the internal-marketing bulk-sed (PR #50). 4 url-substitution patterns + SKIP_PATTERN preserves /pull/<n> /issues/<n> /commit/<sha> /releases/... historical refs. Files NOT touched in this PR: - docs/workspace-runtime-package.md — owned by molecule-core#15 (workspace-runtime source-edit per #41). Reverted my bulk-sed of that file to avoid merge conflict. - 2 Go-import-path refs in docs/memory-plugins/testing-your-plugin.md (github.com/Molecule-AI/molecule-monorepo/platform/internal/...) — Q5 cross-repo Go-module migration territory. - 1 GitHub Gist link in docs/guides/external-workspace-quickstart.md (gist.github.com/molecule-ai/...) — no Gitea equivalent; consistent with the same handling in docs#1. Manual fixes (2): - docs/blog/2026-04-20-chrome-devtools-mcp-seo/index.md:306 — GitHub Discussions (no Gitea equivalent) → issue tracker link - docs/guides/external-workspace-quickstart.md:218 — tracking-issue ?q= query-string url (regex didn't catch) → reformulated text + Gitea search-by-query approach Pattern matches my docs#1 (public docs site) PR + internal#50 (internal/marketing bulk-sed). Standard substitutions: - https://github.com/Molecule-AI/<repo> → https://git.moleculesai.app/molecule-ai/<repo> - /blob/<branch>/ + /tree/<branch>/ → /src/branch/<branch>/ Refs: molecule-ai/internal#37, molecule-ai/internal#38	2026-05-07 01:27:50 -07:00
rabbitblood	262a52a32c	docs(security): document the KMS-rooted custody chain for SECRETS_ENCRYPTION_KEY External architecture review flagged the SECRETS_ENCRYPTION_KEY env var on the platform as encryption-at-rest theater. The reviewer read only the platform repo and missed that the master key actually lives in AWS KMS at the control plane layer, with envelope encryption wrapping each tenant secret blob. Adds docs/architecture/secrets-key-custody.md as the canonical source of truth for the full chain: - Two-mode envelope (KMS_KEY_ARN vs static-key fallback) - Per-blob AES-256-GCM with KMS-wrapped DEKs - Where each key actually lives (KMS, CP env, tenant env) - Threat model per attacker capability - Rotation story (annual KMS CMK rotation, manual DEK rotation on incident) - Audit posture (SOC2 / ISO 27001 questionnaire bullets) Patches three downstream docs that previously stopped at the env-var level and link them to the new custody doc: - development/constraints-and-rules.md (Rule 11) - architecture/database-schema.md (workspace_secrets paragraph) - architecture/molecule-technical-doc.md (env-vars table) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-26 11:29:16 -07:00

Author

SHA1

Message

Date

documentation-specialist

26afbbfdf4

docs(internal): bulk-sed molecule-core .md docs → Gitea (#37 final molecule-core sweep)

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s

Details

CI / Detect changes (pull_request) Successful in 5s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 6s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 6s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s

Details

Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 5s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s

Details

CI / Platform (Go) (pull_request) Successful in 3s

Details

CI / Canvas (Next.js) (pull_request) Successful in 5s

Details

CI / Python Lint & Test (pull_request) Successful in 3s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 4s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 8s

Details

CI / Canvas Deploy Reminder (pull_request) Has been skipped

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4s

Details

Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s

Details

Ops Scripts Tests / Ops scripts (unittest) (pull_request) Failing after 12s

Details

CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Failing after 51s

Details

CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Failing after 1m20s

Details

CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Failing after 1m20s

Details

Mass-sed across 17 files / 38 active refs in molecule-core .md docs
(README + CONTRIBUTING + docs/architecture/ + docs/blog/ + docs/guides/
+ docs/integrations/ + docs/quickstart.md + scripts/README.md).

Driver: /tmp/sweep_core.py — same pattern set as the
internal-marketing bulk-sed (PR #50). 4 url-substitution patterns +
SKIP_PATTERN preserves /pull/<n> /issues/<n> /commit/<sha>
/releases/... historical refs.

Files NOT touched in this PR:
- docs/workspace-runtime-package.md — owned by molecule-core#15
  (workspace-runtime source-edit per #41). Reverted my bulk-sed of
  that file to avoid merge conflict.
- 2 Go-import-path refs in docs/memory-plugins/testing-your-plugin.md
  (github.com/Molecule-AI/molecule-monorepo/platform/internal/...) —
  Q5 cross-repo Go-module migration territory.
- 1 GitHub Gist link in docs/guides/external-workspace-quickstart.md
  (gist.github.com/molecule-ai/...) — no Gitea equivalent;
  consistent with the same handling in docs#1.

Manual fixes (2):
- docs/blog/2026-04-20-chrome-devtools-mcp-seo/index.md:306 —
  GitHub Discussions (no Gitea equivalent) → issue tracker link
- docs/guides/external-workspace-quickstart.md:218 — tracking-issue
  ?q= query-string url (regex didn't catch) → reformulated text +
  Gitea search-by-query approach

Pattern matches my docs#1 (public docs site) PR + internal#50
(internal/marketing bulk-sed). Standard substitutions:
- https://github.com/Molecule-AI/<repo> → https://git.moleculesai.app/molecule-ai/<repo>
- /blob/<branch>/ + /tree/<branch>/ → /src/branch/<branch>/

Refs: molecule-ai/internal#37, molecule-ai/internal#38

2026-05-07 01:27:50 -07:00

rabbitblood

262a52a32c

docs(security): document the KMS-rooted custody chain for SECRETS_ENCRYPTION_KEY

External architecture review flagged the SECRETS_ENCRYPTION_KEY env var
on the platform as encryption-at-rest theater. The reviewer read only
the platform repo and missed that the master key actually lives in AWS
KMS at the control plane layer, with envelope encryption wrapping each
tenant secret blob.

Adds docs/architecture/secrets-key-custody.md as the canonical source
of truth for the full chain:

- Two-mode envelope (KMS_KEY_ARN vs static-key fallback)
- Per-blob AES-256-GCM with KMS-wrapped DEKs
- Where each key actually lives (KMS, CP env, tenant env)
- Threat model per attacker capability
- Rotation story (annual KMS CMK rotation, manual DEK rotation on incident)
- Audit posture (SOC2 / ISO 27001 questionnaire bullets)

Patches three downstream docs that previously stopped at the env-var
level and link them to the new custody doc:

- development/constraints-and-rules.md (Rule 11)
- architecture/database-schema.md (workspace_secrets paragraph)
- architecture/molecule-technical-doc.md (env-vars table)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-26 11:29:16 -07:00

2 Commits