280 Commits

Author	SHA1	Message	Date
claude-ceo-assistant	576166c8c3	Merge branch 'staging' into fix/saas-plugin-install-eic	2026-05-08 01:29:11 +00:00
devops-engineer	241859b552	fix(ci): handlers-postgres — sidestep port collision under host-network runner ... Class B Hongming-owned CICD red sweep. The Handlers Postgres Integration workflow has been silently failing on staging push and PRs ever since #92 fixed the IPv6 flake — the IPv6 fix correctly pinned 127.0.0.1, but unmasked a deeper issue: with our act_runner global container.network=host config, multiple concurrent runs of this workflow each tried to bind 0.0.0.0:5432 on the operator host. The first wins; subsequent postgres service containers exit with `FATAL: could not create any TCP/IP sockets` + `Address in use`. Docker auto-removes them (act_runner sets AutoRemove:true), so by the time `Apply migrations` runs `psql`, the container is gone — Connection refused, then `failed to remove container: No such container` at cleanup time. Per-job container.network override is silently ignored by act_runner (`--network and --net in the options will be ignored.`), so we sidestep `services:` entirely. The job container still uses host-net (required for cache server discovery on the operator's bridge IP). We launch a sibling postgres on the existing molecule-monorepo-net bridge with a unique name per run (run_id+run_attempt) and connect via the bridge IP read from `docker inspect`. Verified manually on operator host 2026-05-08: 2× postgres on host-net collides, but on the bridge with unique names + different IPs, both succeed and each is reachable from a host-net job container. Adds: - always()-cleanup step so containers don't leak on test failure - Diagnostic dump now includes the postgres container's docker logs - Runbook at docs/runbooks/ documenting the substrate behavior + the pattern future workflows should adopt for any `services:`-shaped need. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 18:21:12 -07:00
devops-engineer	09ec0b1b4a	chore: sync main → staging (auto, 068c9682)	2026-05-08 01:17:12 +00:00
claude-ceo-assistant	7f61206a18	Merge branch 'staging' into fix/saas-plugin-install-eic	2026-05-08 00:21:10 +00:00
devops-engineer	0bcf195fbc	docs(hermes): hermes-agent fork moved to Gitea (post-suspension) ... The `HongmingWang-Rabbit/hermes-agent` fork is no longer reachable on github.com (account suspended 2026-05-06). The patched fork now lives at https://git.moleculesai.app/molecule-ai/hermes-agent. Same SHAs, same branches — pure URL flip. See molecule-ai/internal#72 for the github.com fork shell decision. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 16:57:57 -07:00
devops-engineer	6d7554d282	chore: sync main → staging (auto, d84d88ad)	2026-05-07 23:38:08 +00:00
claude-ceo-assistant	6bb272360d	Merge branch 'main' into feat/issue-63-local-build-from-gitea-v2	2026-05-07 23:33:03 +00:00
devops-engineer	792bfdf8fd	chore: sync main → staging (auto, 0be89053)	2026-05-07 22:55:22 +00:00
security-auditor	62e793040e	chore(observability): edge-429 probe + ratelimit observability runbook ... Two artifacts that unblock the parked follow-ups from #59: 1. scripts/edge-429-probe.sh (closes the "operator-blocked" status of #62). An operator without CF/Vercel dashboard access can reproduce a canvas-sized burst against a tenant subdomain and read each 429's response shape — workspace-server bucket overflow (JSON body + X-RateLimit-* headers) is distinguishable from CF (cf-ray) and Vercel (x-vercel-id) by inspection of the report. Read-only, parallel via background subshells (no GNU parallel dependency), no credential use. Smoke-tested against example.com end-to-end. 2. docs/engineering/ratelimit-observability.md (closes the "metric-blocked" status of #64). The existing molecule_http_requests_total{path,status} counter + X-RateLimit-* response headers already cover #64's acceptance criterion ("watch metrics for two weeks"). The runbook collects the PromQL queries, a decision tree for the re-tune (keep / per-tenant override / change default), an alert rule template, and a hard "do not roll ad-hoc per-bucket-key exposure" note (in-memory map includes SHA-256 of bearer tokens — exposing it is a security review surface, file a follow-up if needed). Neither artifact changes runtime behaviour. Pure operational tooling. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 15:48:34 -07:00
claude-ceo-assistant (Claude Opus 4.7 on Hongming's MacBook)	16868c4ec1	fix(plugins): SaaS (EC2-per-workspace) install/uninstall via EIC SSH ... Closes the 🔴 docker-only row in docs/architecture/backends.md. Plugin install on every SaaS tenant currently 503s with "workspace container not running" because the handler is hardcoded to Docker exec but SaaS workspaces live on per-workspace EC2s. Caught on hongming.moleculesai.app when canvas POST /workspaces/<id>/plugins surfaced the error. Mirrors the Files API PR #1702 pattern: dispatch on workspaces.instance_id in deliverToContainer (and Uninstall). When set, push the staged plugin tarball to the EC2 over the existing withEICTunnel primitive (template_files_eic.go) and unpack into the runtime's bind-mounted config dir (/configs for claude-code, /home/ubuntu/.hermes for hermes — see workspaceFilePathPrefix). chown 1000:1000 to match the docker path's agent-uid contract; restart via the existing dispatcher. Direct host write rather than docker-cp via SSH because the runtime's config dir is already bind-mounted into the workspace container — the runtime sees the files on next start with no additional plumbing. Adds InstanceIDLookup (parallel to RuntimeLookup) so unit tests don't need a DB; production wires it in router.go like templates.go does. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 15:42:51 -07:00
claude-ceo-assistant	d9e380c5bc	feat(workspace-server): local-dev provisioner builds from Gitea source when MOLECULE_IMAGE_REGISTRY is unset (#63, Task #194) ... OSS contributors who clone molecule-core and `go run ./workspace-server/cmd/server` now get a working end-to-end provision without authenticating to GHCR or AWS ECR. Pre-fix: with MOLECULE_IMAGE_REGISTRY unset, the provisioner attempted to pull ghcr.io/molecule-ai/workspace-template-<runtime>:latest, which has been returning 403 since the 2026-05-06 GitHub-org suspension. Post-fix: when MOLECULE_IMAGE_REGISTRY is unset, the provisioner switches to local-build mode — looks up the workspace-template-<runtime> repo's HEAD sha on Gitea via a single API call, shallow-clones into ~/.cache/molecule/, and runs `docker build --platform=linux/amd64`. SHA-pinned cache key skips the clone+build entirely on subsequent provisions. Production tenants are unaffected: every prod tenant sets the var to its private ECR mirror, so the SaaS pull path is byte-for-byte identical. SSOT for mode detection lives in Resolve() (registry_mode.go) returning a discriminated RegistrySource{Mode, Prefix} so call sites that branch on mode get a compile-time push instead of a string-equality footgun. Coverage: * registry_mode.go — new SSOT (Resolve, RegistryMode, IsKnownRuntime) * registry_mode_test.go — 8 tests pinning mode-decision contract * localbuild.go — clone+build pipeline (570 LOC, fully unit-tested) * localbuild_test.go — 22 tests covering happy/sad paths, fail-closed * provisioner.go — Start() inserts ensureLocalImageHook in local mode * docs/adr/ADR-002 — design rationale + alternatives + security review * docs/development/local-development.md — local-build flow + env overrides Security: * Allowlist-only runtime names (knownRuntimes) gate the clone path. * Repo prefix hardcoded to git.moleculesai.app/molecule-ai/molecule-ai-workspace-template-; forks via opt-in MOLECULE_LOCAL_TEMPLATE_REPO_PREFIX. * MOLECULE_GITEA_TOKEN masked in every log line via maskTokenInURL/maskTokenInString. * Fail-closed: Gitea unreachable / runtime not mirrored → clear error, never silently fall back to GHCR/ECR. * docker build invocation passes no --build-arg from external input. * HTTP body cap 64KB on Gitea API responses (defence vs malicious upstream). Closes #63 / Task #194. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 15:16:51 -07:00
devops-engineer	55689e0b10	fix(post-suspension): migrate github.com/Molecule-AI refs to git.moleculesai.app (Class G #168) ... The GitHub org Molecule-AI was suspended on 2026-05-06; canonical SCM is now Gitea at https://git.moleculesai.app/molecule-ai/. Stale github.com/Molecule-AI/... URLs return 404 and break tooling that clones / pip-installs / curls them. This bundles all non-Go-module URL fixes for this repo into a single PR. Go module path references (in *.go, go.mod, go.sum) are out of scope here -- tracked separately under Task #140. Token-auth clone URLs also flip ${GITHUB_TOKEN} -> ${GITEA_TOKEN} since the GitHub token does not auth against Gitea. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 13:08:15 -07:00
claude-ceo-assistant (Claude Opus 4.7 on Hongming's MacBook)	132f97d261	docs(README): comprehensive refresh — landing-page icon (SVG, light/dark) + 8 runtimes + Canvas v4 + Memory v2 + SaaS + channel plugin ... The README hadn't been refreshed since the v0 wave. Several major shipped surfaces weren't called out (Canvas v4 warm-paper theme, Memory v2 with pgvector, RFC #2967 typed-SSOT A2A response path, the SaaS control plane, the molecule-mcp-claude-channel plugin we just shipped via v0.4.0/0.4.1/0.4.2). The runtime list still said "6" when 8 are in production. The icon was a 1.3 MB PNG with no light-mode variant. - New `docs/assets/branding/molecule-icon.svg` matches the landing page's `public/favicon.svg` shape (5-spoke molecular graph) but carries `prefers-color-scheme` styles so it adapts to GitHub's light/dark modes. The PNG stays for back-compat with anything that hotlinks it. - `docs/assets/branding/molecule-logo.svg` adds a wordmark variant for places that want the brand name alongside the icon. - README hero replaces the PNG `<img>` with the SVG so contributors reading on GitHub light see a tinted version that doesn't blow out the page background. - **8 production runtimes** named explicitly throughout: Claude Code, Hermes, Gemini CLI, LangGraph, DeepAgents, CrewAI, AutoGen, OpenClaw. Comparison table grew Hermes 4 + Gemini CLI rows with the integration mechanism (Option B upstream hook, A2A bridge, multi-provider derivation). - **Canvas v4** — warm-paper theme system (light / dark / follow- system) called out alongside the existing Next.js 15 / React Flow / Zustand stack. - **Memory v2 backed by pgvector** — semantic recall callout in both the "memory model" pitch line and the runtime stack section. - **RFC #2967 typed-SSOT A2A response path** named in the platform ship list + architecture diagram. - **SaaS surface section** added — multi-tenant EC2 + Neon + Cloudflare Tunnels, WorkOS + Stripe, KMS envelope, tenant_resources audit + 30-min reconciler. Cross-links to molecule-controlplane. - **molecule-mcp-claude-channel plugin** added — entry point for Claude Code users to bridge A2A traffic into a local session via MCP. Documents the standard marketplace install flow + multi- tenant config. - **Architecture diagram** redrawn with Canvas → Platform → Postgres + Provisioner (Docker | EC2+SSM) layout, plus a SaaS control plane block. - **Quick Start** repo URL fixed (`molecule-monorepo` → `molecule-core`), Go version bumped to 1.25, Python ≥3.11 noted. - Deploy buttons + Quick Start URL all bump from the old `molecule-monorepo` name to the current `molecule-core`. Pre-fix these clicked through to a 404. The provisioner refactor (`registry.go` deletion + RegistryPrefix env-driven changes) that lived alongside an earlier draft of this README on the `docs/readme-refresh-2026-05-06` branch is OUT of this PR — that work shipped separately via #6. This branch is docs-only so the review surface is small and the merge is reversible. - `git diff staging --stat`: ``` README.md | 75 +++++++++++++++++++++++----------- docs/assets/branding/molecule-icon.svg | 28 +++++++++++++ docs/assets/branding/molecule-logo.svg | 17 ++++++++ 3 files changed, 97 insertions(+), 23 deletions(-) ``` - SVGs validated in a browser at light + dark `prefers-color-scheme`. - All linked docs (./docs/index.md, ./docs/quickstart.md, ./docs/ architecture/architecture.md, ./docs/api-protocol/platform-api.md, ./docs/agent-runtime/workspace-runtime.md, ./LICENSE, etc.) verified to exist on staging. - README.zh-CN.md mirror — non-trivial translation work; file as separate issue if mirror is wanted. - molecule-ai/.github org-profile README — Gitea has no equivalent to GitHub's org-profile surface, and the GitHub org is suspended. Skipped. 🤖 Generated with [Claude Code](https://claude.com/claude-code)	2026-05-07 04:42:40 -07:00
claude-ceo-assistant	422360b912	Merge pull request 'docs(workspace-runtime): migrate github.com refs at source (#41)' (#15) from docs/workspace-runtime-readme-source-edit into staging	2026-05-07 09:25:28 +00:00
documentation-specialist	26afbbfdf4	docs(internal): bulk-sed molecule-core .md docs → Gitea (#37 final molecule-core sweep) ... Mass-sed across 17 files / 38 active refs in molecule-core .md docs (README + CONTRIBUTING + docs/architecture/ + docs/blog/ + docs/guides/ + docs/integrations/ + docs/quickstart.md + scripts/README.md). Driver: /tmp/sweep_core.py — same pattern set as the internal-marketing bulk-sed (PR #50). 4 url-substitution patterns + SKIP_PATTERN preserves /pull/<n> /issues/<n> /commit/<sha> /releases/... historical refs. Files NOT touched in this PR: - docs/workspace-runtime-package.md — owned by molecule-core#15 (workspace-runtime source-edit per #41). Reverted my bulk-sed of that file to avoid merge conflict. - 2 Go-import-path refs in docs/memory-plugins/testing-your-plugin.md (github.com/Molecule-AI/molecule-monorepo/platform/internal/...) — Q5 cross-repo Go-module migration territory. - 1 GitHub Gist link in docs/guides/external-workspace-quickstart.md (gist.github.com/molecule-ai/...) — no Gitea equivalent; consistent with the same handling in docs#1. Manual fixes (2): - docs/blog/2026-04-20-chrome-devtools-mcp-seo/index.md:306 — GitHub Discussions (no Gitea equivalent) → issue tracker link - docs/guides/external-workspace-quickstart.md:218 — tracking-issue ?q= query-string url (regex didn't catch) → reformulated text + Gitea search-by-query approach Pattern matches my docs#1 (public docs site) PR + internal#50 (internal/marketing bulk-sed). Standard substitutions: - https://github.com/Molecule-AI/<repo> → https://git.moleculesai.app/molecule-ai/<repo> - /blob/<branch>/ + /tree/<branch>/ → /src/branch/<branch>/ Refs: molecule-ai/internal#37, molecule-ai/internal#38	2026-05-07 01:27:50 -07:00
documentation-specialist	bd145dcec6	docs(workspace-runtime): migrate github.com refs at source so mirror inherits Gitea links (internal#41) ... The molecule-ai-workspace-runtime mirror is regenerated on every runtime-v* tag from this monorepo's workspace/. Per saved memory reference_runtime_repo_is_mirror_only, mirror-guard rejects direct PRs to the mirror; edit at source. Source-side files that propagate to the mirror's published README + read by users of the in-monorepo workspace-runtime docs: - scripts/build_runtime_package.py (the README generator): * line 281 README_TEMPLATE: 'Shared workspace runtime for Molecule AI' link → Gitea * line 399 doc-link to workspace-runtime-package.md → Gitea path (with /src/branch/main/ shape) LEFT AS-IS (per Q3 audit-trail decision): * lines 379, 392 historical issue cross-refs (#2936, #2937) - workspace/build-all.sh:5 — comment block linking to template-* repos. Migrated to Gitea path-shape. - docs/workspace-runtime-package.md: * lines 101-108 adapter→repo table (8 templates, all PUBLIC on Gitea) — Gitea URLs * line 247 starter-repo link — substituted host + added inline note that starter doesn't survive the suspension migration (recreation pending; cross-link to this issue) * line 259 generic git clone command for new templates → Gitea * line 289 second starter mention — same handling as 247 Files NOT touched in this PR: - workspace/ Python source code (.py files) — those use github paths in docstrings + a few log strings; fix bundled with the cross-repo Go-module-style migration (per #37 Q5 + parked follow-ups). - 'Writing a new adapter' section's `gh repo create` command (line 254-256) — gh CLI doesn't talk to Gitea (per #45 parked follow-up). - 'Writing a new adapter' section's ghcr.io image ref (line 276) — per #46 ghcr→ECR migration (separate concern). After this PR merges to staging + a runtime-v* tag is pushed, the mirror's published README will inherit the Gitea link. Until then the mirror's README continues to reference github.com/Molecule-AI (stale but historical-marker-correct since the mirror existed pre-suspension). Refs: molecule-ai/internal#41, molecule-ai/internal#37, molecule-ai/internal#38, molecule-ai/internal#42, molecule-ai/internal#45, molecule-ai/internal#46	2026-05-07 00:48:04 -07:00
Hongming Wang	cb70d3d437	docs: callout Python>=3.11 requirement on Universal MCP install snippet ... User-reported friction: pip install molecule-ai-workspace-runtime on a 3.10 interpreter fails with "Could not find a version that satisfies the requirement (from versions: none)" — pip's requires_python filter silently drops the only available artifact before attempting install, so the error doesn't mention Python at all. Operators see "package missing", file a bug, and chase a phantom CDN/visibility issue. Two changes mirror the requirement at the two operator-touch surfaces: 1. workspace-server/internal/handlers/external_connection.go: the externalUniversalMcpTemplate snippet (rendered into the canvas Connect-External-Agent modal) now leads with a brief "Requires Python >= 3.11" block + diagnostic + upgrade paths. 2. docs/workspace-runtime-package.md: same callout at the top of the doc, before the Overview, so anyone landing here from search gets the answer immediately. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 13:44:25 -07:00
Hongming Wang	eec4ea2e7d	chore: delete TeamHandler.Collapse + docs cleanup (closes #2864) ... Multi-model retrospective review of #2856 (Phase 1 Expand removal) flagged that TeamHandler.Collapse is unreachable from the canvas UI: the "Collapse Team" button calls PATCH /workspaces/:id { collapsed } (visual flag toggle on canvas_layouts), NOT POST /workspaces/:id/collapse. The destructive POST route — which stops EC2s, marks children removed, and deletes layouts — has zero UI callers (verified via grep across canvas/, scripts/, and the MCP tool registry; only docs referenced it). Two semantically different operations had been sharing the word "Collapse": - Visual collapse (canvas) → PATCH { collapsed: true }. Hides children visually. Reversible. UI-only. - Destructive collapse (POST /collapse) → Stops + marks removed. Irreversible. No caller. Deleting the destructive one + its supporting machinery: - workspace-server/internal/handlers/team.go (entirely) - workspace-server/internal/handlers/team_test.go (entirely) - POST /collapse route + teamh init in router.go - findTemplateDirByName helper (zero non-test callers after Expand was deleted in #2856; package-private so no out-of-package consumers) - NewTeamHandler constructor (no callers after route removed) Plus stale doc references (the most dangerous was the MCP wrapper mapping in mcp-server-setup.md — anyone generating MCP tool wrappers from that table was wiring a 404): - docs/agent-runtime/team-expansion.md (deleted entirely — whole guide taught the deleted flow) - docs/api-reference.md (dropped two team.go rows) - docs/api-protocol/platform-api.md (dropped /expand + /collapse rows) - docs/architecture/molecule-technical-doc.md (dropped /expand + /collapse rows) - docs/guides/mcp-server-setup.md (dropped expand_team + collapse_team MCP wrapper mappings) - docs/glossary.md (dropped "(org template expand_team)" parenthetical) - docs/frontend/canvas.md (dropped broken link to deleted team-expansion.md) Kept: docs/architecture/backends.md mention of "TeamHandler.Expand (#2367) bypassed routing on Start" — correct historical context for the AST gate's existence, no live route reference. Visual-collapse path unaffected: canvas/src/components/ContextMenu.tsx:227 → api.patch — unchanged canvas/src/components/WorkspaceNode.tsx:128 → api.patch — unchanged go vet ./... clean. go test ./internal/handlers/ -count 1 — all green (4.3s, no regression). Net: -388/+10 = ~378 lines removed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 11:59:43 -07:00
Hongming Wang	b037d555fa	Merge pull request #2828 from Molecule-AI/docs/abstraction-pattern-1777951500 ... docs(backends): document Auto-dispatcher SoT pattern + source-level pins (closes #10)	2026-05-05 03:30:56 +00:00
Hongming Wang	62fc25757c	docs(backends): document Auto-dispatcher SoT pattern + source-level pins ... Closes #10. The 2026-05-05 hongming silent-drop incident shipped because the backends.md parity matrix didn't enforce a "go through the dispatcher" rule — three handlers (TeamHandler.Expand, OrgHandler.createWorkspaceTree, workspace_crud.go's stopAndRemove) silently bypassed routing on SaaS for ~6 months across two distinct verbs. This doc pass: - Adds a "How to dispatch" section that's the canonical answer to "where do I call Start / Stop / Has from?". Names the three dispatchers (provisionWorkspaceAuto, StopWorkspaceAuto, HasProvisioner), their fallbacks, and the allowed exceptions. - Updates the matrix lifecycle rows so every dispatched operation points at the dispatcher source, not the per-backend bodies. - Adds Org-import + Team-collapse rows so the bulk paths are visible to anyone scanning for parity gaps. - Lists the source-level pins (4 of them) under Enforcement so future contributors see them as load-bearing tests, not noise. - Adds a "When you add a NEW dispatch site" section so the next verb (Pause / Hibernate / Snapshot) lands as a dispatcher mirror, not as another bespoke handler that drifts from the existing two. - Refreshes Last audit to 2026-05-05. No code change; doc-only. The SoT abstractions described here landed in PRs #2811 + #2824. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 20:25:10 -07:00
Hongming Wang	7cc1c39c49	ci: e2e coverage matrix + branch-protection-as-code ... Closes #9. Three pieces, all small: 1. **docs/e2e-coverage.md** — source of truth for which E2E suites guard which surfaces. Today three were running but informational only on staging; that's how the org-import silent-drop bug shipped without a test catching it pre-merge. Now the matrix shows what's required where + a follow-up note for the two suites that need an always-emit refactor before they can be required. 2. **tools/branch-protection/apply.sh** — branch protection as code. Lets `staging` and `main` required-checks live in a reviewable shell script instead of UI clicks that get lost between admins. This PR's net change: add `E2E API Smoke Test` and `Canvas tabs E2E` as required on staging. Both already use the always-emit path-filter pattern (no-op step emits SUCCESS when the workflow's paths weren't touched), so making them required can't deadlock unrelated PRs. 3. **branch-protection-drift.yml** — daily cron + drift_check.sh that compares live protection against apply.sh's desired state. Catches out-of-band UI edits before they drift further. Fails the workflow on mismatch; ops re-runs apply.sh or updates the script. Out of scope (filed as follow-ups): - e2e-staging-saas + e2e-staging-external use plain `paths:` filters and never trigger when paths are unchanged. They need refactoring to the always-emit shape (same as e2e-api / e2e-staging-canvas) before they can be required. - main branch protection mirrors staging here; if main wants the E2E SaaS / External added later, do it in apply.sh and rerun. Operator must apply once after merge: bash tools/branch-protection/apply.sh The drift check picks it up from there. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 20:21:59 -07:00
Hongming Wang	2f7beb9bce	feat: drop shared_context — use memory v2 team namespace instead ... Parent → child knowledge sharing previously lived behind a `shared_context` list in config.yaml: at boot, every child workspace HTTP-fetched its parent's listed files via GET /workspaces/:id/shared-context and prepended them as a "## Parent Context" block. That paid the full transfer cost on every boot regardless of whether the agent needed it, single-parent SPOF, no team or org scope, and broken if the parent was unreachable. Replace with memory v2's team:<id> namespace: agents call recall_memory on demand. For large blob-shaped artefacts see RFC #2789 (platform-owned shared file storage). Removed: - workspace/coordinator.py: get_parent_context() - workspace/prompt.py: parent_context arg + injection block - workspace/adapter_base.py: import + call + arg pass - workspace/config.py: shared_context field + parser entry - workspace-server/internal/handlers/templates.go: SharedContext handler - workspace-server/internal/router/router.go: GET /shared-context route - canvas/src/components/tabs/ConfigTab.tsx: Shared Context tag input - canvas/src/components/tabs/config/form-inputs.tsx: schema field + default - canvas/src/components/tabs/config/yaml-utils.ts: serializer entry - 6 tests pinning the removed behavior; 5 doc references Added regression gates so any reintroduction is loud: - workspace/tests/test_prompt.py: build_system_prompt must NOT emit "## Parent Context" - workspace/tests/test_config.py: legacy YAML key loads cleanly but shared_context attr must NOT exist on WorkspaceConfig - tests/e2e/test_staging_full_saas.sh §9d: GET /shared-context must NOT return 200 against a live tenant Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 16:30:26 -07:00
Hongming Wang	2d783b5ca6	Memory v2 docs update: idempotency key + verify mode + cutover runbook ... Updates plugin-author and operator docs to reflect the four fixup PRs (C1, C2, I1, I4) for self-review findings. Stacked on C1+C2 so the docs reference behavior that lands in the same wave; rebases to staging once those merge. What changes: * docs/memory-plugins/README.md - New "Memory idempotency" section explaining MemoryWrite.id contract: omit → plugin generates UUID; supplied → upsert - "Replacing the built-in plugin" rewritten as a 6-step operator runbook with concrete commands for -dry-run / -apply / -verify / MEMORY_V2_CUTOVER, including the failure path ("if -verify reports mismatches, do not flip the cutover flag") - Added link to new CHANGELOG.md * docs/memory-plugins/testing-your-plugin.md - New TestMyPlugin_IDIsIdempotencyKey example: write same id twice, assert single row + updated content - "What the harness does NOT cover" expanded with two new operational gates: backfill twice → no double; verify-mode reports zero mismatches * docs/memory-plugins/pinecone-example/README.md - Wire-mapping table updated: id (caller-supplied) → Pinecone vector id (upsert); id (omitted) → plugin-generated UUID - Production-hardening checklist gained an idempotency-key item * docs/memory-plugins/CHANGELOG.md (new) - Captures the four fixup PRs in one place with severity-ordered summary, plugin-author action items, and remaining open follow-ups (#289, #291, #293) for transparency No code changes. Docs-only PR.	2026-05-04 09:08:28 -07:00
Hongming Wang	1e97fb9a16	Memory v2 fixup C1: backfill idempotency via MemoryWrite.id ... Self-review (post-merge) flagged that the backfill claimed to be idempotent on re-run but actually duplicates every row because the plugin's INSERT uses gen_random_uuid() and ignores any id passed in. Fix is contract-level: extend MemoryWrite with an optional `id` idempotency key. When supplied, the plugin MUST treat the write as upsert keyed on this id; when omitted, the plugin generates a fresh UUID (production agent commits keep working unchanged). Changes: * docs/api-protocol/memory-plugin-v1.yaml: add id field with description that flags it as idempotency key * internal/memory/contract/contract.go: add ID to MemoryWrite struct, update memory_write_minimal golden vector * internal/memory/pgplugin/store.go: split CommitMemory into two paths — upsert when body.ID set (INSERT ... ON CONFLICT (id) DO UPDATE), plain INSERT otherwise * cmd/memory-backfill/main.go: pass agent_memories.id to MemoryWrite, fix the false comment about 409 deduplication New tests: * pgplugin: TestCommitMemory_WithIDUpserts pins the upsert SQL is used when id is set; TestCommitMemory_UpsertScanError covers the error branch * backfill: TestBackfill_PassesSourceUUIDAsIdempotencyKey pins the forwarding behavior; TestBackfill_RerunIsIdempotent simulates a retry and asserts both runs pass the same uuid (plugin upsert is what makes this safe) Why this matters: operators retrying a failed backfill (which they will — networks fail, transactions abort) would otherwise create N duplicates per memory. The duplicates aren't visible until search results show obvious dupes — debugging that under prod load is bad. Production agent commits are unaffected: they leave id empty, the plugin generates a fresh UUID via gen_random_uuid(), zero behavior change for the hot path.	2026-05-04 08:54:13 -07:00
Hongming Wang	8417bce50d	Memory v2 PR-10: operator docs for writing a custom memory plugin ... Builds on merged PR-1..7 (PR-8 in queue). Pure docs; no code. What ships: * docs/memory-plugins/README.md — contract overview, capability negotiation, deployment models, replacement workflow * docs/memory-plugins/testing-your-plugin.md — using the contract test harness to validate wire compatibility, what the harness DOES NOT cover (capability accuracy, TTL eviction, concurrency) * docs/memory-plugins/pinecone-example/README.md — worked example of a Pinecone-backed plugin: capability mapping (only embedding, no FTS), wire mapping (memory → vector + metadata), production- hardening checklist Documentation strategy: * Lead with what workspace-server takes care of (security perimeter, redaction, ACL, GLOBAL audit, prompt-injection wrap) so plugin authors don't reimplement those layers * Show three deployment models (same machine / separate container / self-managed) so operators see their topology * Capability table makes it explicit what each capability gates so a plugin that supports only one (e.g. semantic search) is still a useful plugin * Pinecone example is honest: shows the skeleton, the wire mapping, and explicitly calls out what's MISSING from the sketch (batch commits, TTL janitor, circuit breaker, metrics)	2026-05-04 08:17:03 -07:00
Hongming Wang	53d823e719	Memory v2 PR-1: OpenAPI plugin contract + Go bindings ... First of 11 PRs implementing the memory-system plugin refactor (RFC #2728). This PR is pure additive scaffolding — no behavior change, no integration yet. It defines the wire shape between workspace-server and a memory plugin so PR-2 (HTTP client) and PR-3 (built-in postgres plugin) can be built against a single source of truth. What ships: - docs/api-protocol/memory-plugin-v1.yaml: OpenAPI 3.0.3 spec covering /v1/health, namespace upsert/patch/delete, memory commit, search, forget. Auth-free (private network only); workspace-server is the only sanctioned client and the security perimeter. - workspace-server/internal/memory/contract: typed Go bindings with Validate() methods on every wire object so both client (PR-2) and server (PR-3) self-check at the boundary. - Round-trip JSON tests for every type (catch asymmetric tag bugs). - 5 golden vector files under testdata/ pinning the exact wire shape; update via UPDATE_GOLDENS=1. Coverage: 100% of statements in contract.go. The validation rules encode design decisions worth flagging in review: - SearchRequest with empty Namespaces is REJECTED at plugin level — workspace-server is required to intersect the readable set server-side; an empty list reaching the plugin is a bug. - NamespacePatch with no fields is REJECTED — empty patches are pointless round-trips. - MemoryWrite with whitespace-only Content is REJECTED — zero-info memories pollute search results. No code yet calls into this package; integration starts in PR-2.	2026-05-04 06:45:52 -07:00
Hongming Wang	f8b40d8d73	docs(skills): document SKILL.md runtime field + AST coverage gate (#119 PR-4) ... Closes the documentation + audit gap for declarative skill-compat. The plumbing has been live since PR #117 (RuntimeCapabilities) and skill_loader's `_normalize_runtime_field` has been emitting filter decisions for weeks, but: - No public doc explained the `runtime` frontmatter field, so skill authors didn't know how to opt in / opt out. - No structural gate ensured every load_skills() call site threads current_runtime — a future caller forgetting the kwarg silently force-loads runtime-incompatible skills (no AttributeError, just a delayed crash on first tool invocation). Two changes: 1. docs/agent-runtime/skills.md - Adds `runtime`, `tags`, `examples` to the Frontmatter Fields table. - Adds a Runtime Compatibility section with example, accepted shapes (universal default, list, string sugar), and the "logged + omitted, not crashed" failure mode. Notes that match values come from each adapter's name() (the same string in config.yaml's runtime: field). 2. workspace/tests/test_load_skills_call_sites.py - Static AST gate: walks every workspace/*.py (excluding tests), finds load_skills(...) Call nodes, fails if any lacks current_runtime= as a keyword. - Defense-in-depth `test_known_call_sites_present` — pins that the scan actually sees the two known callers (adapter_base, skill_loader.watcher) so a refactor that moves them is loud. - Sanity-checked the matcher against a synthetic violating module. Same-shape pattern as PR #2358 (tenant_resources audit-coverage AST gate, #150) — pin the contract structurally, not just behaviorally. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 01:22:34 -07:00
Hongming Wang	2dd5684e73	docs(integrations): update hermes plugin path status to post-merge ... PR #32 (workspace template) merged 2026-05-02; image rebuild succeeded. Plugin baked in. Local full-chain E2E green; caught + fixed a real KeyError in upstream hermes_cli/tools_config.py. Upstream PR #18775 still OPEN/CONFLICTING — not on critical path. Also rewrites hermes-platform-plugins-upstream-pr.md to reflect the final landing shape (existing hermes_cli/plugins.py, not a new plugins/platforms/ system). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 04:42:00 -07:00
Hongming Wang	7224276de0	feat: register codex runtime + runtime native-MCP design docs ... Adds the OpenAI Codex CLI as a Molecule workspace runtime and lands the design docs that drove the runtime native-MCP push parity work across claude-code, hermes, openclaw, and codex. manifest.json: - Adds `codex` workspace_template entry pointing at the new Molecule-AI/molecule-ai-workspace-template-codex repo (initial commit landed there in parallel; 14 files / 1411 LOC). The workspace-server runtime registry already had `codex` in its fallback set — this entry makes it manifest-reachable in prod. docs/integrations/: - runtime-native-mcp-status.md — index across all four runtime streams - codex-app-server-adapter-design.md — full design including v2 RPC sequence, executor skeleton, schema-vs-runtime drift findings (real codex 0.72 returns thread.id, schema says thread.threadId) - hermes-platform-plugins-upstream-pr.md — pre-submission draft of the hermes-agent upstream PR Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 02:21:11 -07:00
Hongming Wang	b54968878a	docs(internal): refresh runtime-package mirror policy + parity matrix + dead-link fix ... - workspace-runtime-package.md: add explicit "Where to make changes" section documenting the mirror-only policy on Molecule-AI/molecule-ai-workspace-runtime — direct PRs are auto-rejected by mirror-guard CI; staging push regenerates both the mirror and the PyPI wheel via .github/workflows/publish-runtime.yml. - infra/workspace-terminal.md: replace dead molecule-core#1528 reference (repo renamed to molecule-monorepo, no longer accepting issues at the old name) with a forward-pointer to monorepo + molecule-controlplane issue trackers. - architecture/backends.md: bump audit date to 2026-05-02 and add rows for channel envelope enrichment (#2471), chat_history MCP tool (#2474), /activity before_ts paging (#2476), /activity peer_id filter (#2472), runtime_wedge smoke gate (#2473 + #2475), and the canvas-E2E state-file requirement (#2327). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 20:06:06 -07:00
Hongming Wang	f2c3594abc	feat(dev-start): true single-command spinup — infra + templates + auth posture ... Manual fresh-user clean-slate test surfaced three friction points in the existing dev-start.sh: 1. The script ran docker compose -f docker-compose.infra.yml directly, bypassing infra/scripts/setup.sh — so the workspace template registry was never populated and the canvas template palette came up empty (the "Template palette is empty" troubleshooting hit). 2. ADMIN_TOKEN was not handled at all. Without it, the AdminAuth fail-open gate worked initially but slammed shut the moment the first workspace registered a token — at which point the canvas could no longer call /workspaces or /templates. New users hit 401s with no obvious next step. 3. The script wasn't mentioned in docs/quickstart.md. New users followed the documented 4-step manual flow and never discovered the single command existed. Fixes: - dev-start.sh now calls infra/scripts/setup.sh, which brings up full infra (postgres + redis + langfuse + clickhouse + temporal) AND populates the template/plugin registry from manifest.json. - On first run, dev-start.sh writes MOLECULE_ENV=development to .env. This activates middleware.isDevModeFailOpen() which lets the canvas keep calling admin endpoints without a bearer (the intended local-dev escape hatch). The .env is preserved on re-runs and sourced before the platform launches. - The script intentionally does NOT auto-generate an ADMIN_TOKEN. A first attempt did, and broke the canvas because isDevModeFailOpen requires ADMIN_TOKEN empty AND MOLECULE_ENV=development together. Setting ADMIN_TOKEN in dev would close the hatch and the canvas has no way to read that token in a dev build (no NEXT_PUBLIC_ADMIN_TOKEN bake step here). The .env comment block explicitly warns future contributors not to add it. - Both processes' logs go to /tmp/molecule-{platform,canvas}.log instead of stdout-mixed so the readiness banner stays clean. - Health-poll loops cap at 30s with a clear timeout error pointing to the log file, instead of hanging forever. - The readiness banner now lists the log paths AND tells the user the next step is "open localhost:3000 → add API key in Config → Secrets & API Keys → Global", instead of just listing service URLs. Quickstart doc rewrite leads with: git clone ... cd molecule-monorepo ./scripts/dev-start.sh The 4-step manual flow is preserved as "Manual setup (advanced)" for contributors who want per-component logs. Verified end-to-end from clean Docker (no containers, no volumes, no .env) three times: total wall-clock ~12s for a re-run with cached npm/docker layers. Platform's HTTP 200 on /workspaces without a bearer confirms the dev-mode auth hatch is active.	2026-04-27 16:29:37 -07:00
Hongming Wang	8d77de68c4	docs: update ecosystem-watch date to 2026-04-27	2026-04-27 14:39:35 -07:00
Hongming Wang	49ded74876	docs(cli-runtime): use module-form invocation, drop dead shell-alias claim ... Same root cause as the workspace/molecule_ai_status.py docstring fix in this PR: this doc claimed `molecule-monorepo-status` was a usable shell alias and `from molecule_ai_status import set_status` was a usable Python import. Both worked under the pre-#87 monolithic-template layout (where workspace/Dockerfile created the symlink and COPY'd the modules into /app/) but neither works in current standalone template images that install the runtime as a wheel: - `which molecule-monorepo-status` errors — only `a2a-db` and `molecule-runtime` are registered console scripts. - `from molecule_ai_status` raises ImportError — modules are under the `molecule_runtime` package now. Switched both examples to the canonical `python3 -m molecule_runtime.molecule_ai_status` form (CLI) and `from molecule_runtime.molecule_ai_status import set_status` (Python). Same form the runtime ships in its own usage banner, so anyone discovering this doc gets a runnable example. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-27 12:27:50 -07:00
Hongming Wang	3679a6eff6	docs(saas-federation): fix workspace-limit response code (409, not 402) (#1754) ... Quota gates are resource-state conflicts, not payment failures — RFC 9110 reserves 402 for billing/payment failures specifically. The canonical Molecule-AI/docs PR #82 already shipped the corrected text; this brings the molecule-core copy of the tutorial in line. The inline parenthetical "(not 402 Payment Required — quota gates are resource-state conflicts, not payment failures, per RFC 9110)" doubles as a regression anchor: a future edit that flips 409 back to 402 would have to also reword that explanation, making the change a deliberate two-step act rather than a casual oversight. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-27 04:30:46 -07:00
Hongming Wang	9375e3d4ee	feat(workspace-server): GHCR digest watcher closes runtime CD chain (#2114) ... Adds an opt-in goroutine that polls GHCR every 5 minutes for digest changes on each workspace-template-*:latest tag and invokes the same refresh logic /admin/workspace-images/refresh exposes. With this, the chain from "merge runtime PR" to "containers running new code" is fully hands-off — no operator step between auto-tag → publish-runtime → cascade → template image rebuild → host pull + recreate. Opt-in via IMAGE_AUTO_REFRESH=true. SaaS deploys whose pipeline already pulls every release should leave it off (would be redundant work); self-hosters get true zero-touch. Why a refactor of admin_workspace_images.go is in this PR: The HTTP handler held all the refresh logic inline. To share it with the new watcher without HTTP loopback, extracted WorkspaceImageService with a Refresh(ctx, runtimes, recreate) (RefreshResult, error) shape. HTTP handler is now a thin wrapper; behavior is preserved (same JSON response, same 500-on-list-failure, same per-runtime soft-fail). Watcher design notes: - Last-observed digest tracked in memory (not persisted). On boot the first observation per runtime is seed-only — no spurious refresh fires on every restart. - On Refresh error, the seen digest rolls back so the next tick retries. Without this rollback a transient Docker glitch would convince the watcher the work was done. - Per-runtime fetch errors don't block other runtimes (one template's brief 500 doesn't pause the others). - digestFetcher injection seam in tick() lets unit tests cover all bookkeeping branches without standing up an httptest GHCR server. Verified live: probed GHCR's /token + manifest HEAD against workspace-template-claude-code; got HTTP 200 + a real Docker-Content-Digest. Same calls the watcher makes. Co-authored-by: Hongming Wang <hongmingwangalt@gmail.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-26 13:36:26 -07:00
Hongming Wang	168d6ec8d9	docs: point new-runtime-template flow at the GitHub template repo (#2111) ... * docs: point new-runtime-template flow at the GitHub template repo The 'Writing a new adapter' section was a 6-step manual checklist that re-derived the canonical shape every time. Now that Molecule-AI/molecule-ai-workspace-template-starter exists as a GitHub template, the flow collapses to: gh repo create ... --template Molecule-AI/molecule-ai-workspace-template-starter Plus a fill-in-the-TODO-markers table. Why this matters: the starter ships with the 'repository_dispatch: [runtime-published]' cascade receiver pre-wired, which means new templates pick up runtime PyPI publishes automatically without the one-time setup PR each existing template needed (PRs #6-#22 across the 8 template repos that we just opened to retrofit). At 'hundreds of runtimes' scale this is the difference between linear PR- toil and zero PR-toil per template addition. Also adds: 'When the starter itself needs to evolve' — explicit pattern for keeping the canonical shape in one place when it changes. 🤖 Generated with [Claude Code](https://claude.com/claude-code) * docs(workspace-runtime): drop PYPI_TOKEN refs — OIDC is the new auth Reflects PR #2113 (PyPI Trusted Publisher / OIDC migration). No static PyPI token exists in the repo anymore, so the docs shouldn't claim one does. Replaces the PYPI_TOKEN row in the Required Secrets table with an "Auth" section pointing at the OIDC config; TEMPLATE_DISPATCH_TOKEN is still the only repo secret the cascade needs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Hongming Wang <hongmingwangalt@gmail.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-26 13:15:13 -07:00
rabbitblood	262a52a32c	docs(security): document the KMS-rooted custody chain for SECRETS_ENCRYPTION_KEY ... External architecture review flagged the SECRETS_ENCRYPTION_KEY env var on the platform as encryption-at-rest theater. The reviewer read only the platform repo and missed that the master key actually lives in AWS KMS at the control plane layer, with envelope encryption wrapping each tenant secret blob. Adds docs/architecture/secrets-key-custody.md as the canonical source of truth for the full chain: - Two-mode envelope (KMS_KEY_ARN vs static-key fallback) - Per-blob AES-256-GCM with KMS-wrapped DEKs - Where each key actually lives (KMS, CP env, tenant env) - Threat model per attacker capability - Rotation story (annual KMS CMK rotation, manual DEK rotation on incident) - Audit posture (SOC2 / ISO 27001 questionnaire bullets) Patches three downstream docs that previously stopped at the env-var level and link them to the new custody doc: - development/constraints-and-rules.md (Rule 11) - architecture/database-schema.md (workspace_secrets paragraph) - architecture/molecule-technical-doc.md (env-vars table) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-26 11:29:16 -07:00
Hongming Wang	0de67cd379	feat(platform/admin): /admin/workspace-images/refresh + Docker SDK + GHCR auth ... The production-side end of the runtime CD chain. Operators (or the post- publish CI workflow) hit this after a runtime release to pull the latest workspace-template-* images from GHCR and recreate any running ws-* containers so they adopt the new image. Without this, freshly-published runtime sat in the registry but containers kept the old image until naturally cycled. Implementation notes: - Uses Docker SDK ImagePull rather than shelling out to docker CLI — the alpine platform container has no docker CLI installed. - ghcrAuthHeader() reads GHCR_USER + GHCR_TOKEN env, builds the base64- encoded JSON payload Docker engine expects in PullOptions.RegistryAuth. Both empty → public/cached images only; both set → private GHCR pulls. - Container matching uses ContainerInspect (NOT ContainerList) because ContainerList returns the resolved digest in .Image, not the human tag. Inspect surfaces .Config.Image which is what we need. - Provisioner.DefaultImagePlatform() exported so admin handler picks the same Apple-Silicon-needs-amd64 platform as the provisioner — single source of truth for the multi-arch override. Local-dev companion: scripts/refresh-workspace-images.sh runs on the host and inherits the host's docker keychain auth — alternate path for when GHCR_USER/TOKEN aren't set in the platform env. 🤖 Generated with [Claude Code](https://claude.com/claude-code)	2026-04-26 10:17:21 -07:00
Molecule AI App & Docs Lead	561b1c2c0d	chore: remove all forbidden marketing/docs/marketing paths from staging ... 71 files across docs/marketing/ and marketing/ are blocked by the Block-internal-flavored-paths CI gate (CEO directive 2026-04-23). These paths must live in Molecule-AI/internal, not the public monorepo. Unblocks PR #1981 (staging→main sync). Public-facing blog/devrel content should be re-added via correct paths: docs/blog/<slug>.md, docs/devrel/<slug>.md, docs/tutorials/<slug>.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-24 07:52:04 +00:00
Hongming Wang	757337d644	Merge pull request #1613 from Molecule-AI/docs/saas-federation-tutorial ... docs(tutorial): SaaS federation — multi-tenant control plane setup	2026-04-24 07:21:39 +00:00
Hongming Wang	f46844d6b0	Merge pull request #1923 from Molecule-AI/docs/mcp-server-list-og-v2 ... docs(blog + assets): MCP Server List blog post + OG image (1200×630 dark tech)	2026-04-24 07:05:54 +00:00
molecule-ai[bot]	a92d32f320	Merge pull request #1860 from Molecule-AI/docs/phase34-community-launch ... docs(community): Phase 34 launch content — Reddit/HN/Discord posts + FAQ	2026-04-24 07:05:54 +00:00
molecule-ai[bot]	82d15f4d33	Merge pull request #1859 from Molecule-AI/content-marketer/phase34-launch-post-v2 ... docs(marketing): Phase 34 launch post v2 — governance-first + tool trace	2026-04-24 07:05:54 +00:00
Hongming Wang	0166aaad93	Merge pull request #1988 from Molecule-AI/docs/a2a-v1-production-reference-blog ... docs(blog): A2A v1.0 production reference — migration guide from 0.3.x	2026-04-24 06:57:15 +00:00
molecule-ai[bot]	63c9d07a01	Merge branch 'staging' into content/a2a-v1-deep-dive	2026-04-24 06:28:16 +00:00
molecule-ai[bot]	078ab61458	docs(blog): A2A v1.0 production reference — migration from 0.3.x, 6 files, 8 smoke scenarios	2026-04-24 05:33:37 +00:00
Molecule AI Documentation Specialist	1da9759d0d	Merge remote-tracking branch 'origin/staging' into fix/blog-ai-agents-org-scoped-keys-missing-endpoint	2026-04-24 05:09:39 +00:00
Molecule AI Community Manager	9320b8c7e4	docs(community): Phase 34 community announcement — final draft ... Discord-format announcement for Phase 34 GA (April 30, 2026). All four features: Tool Trace, Platform Instructions, Partner API Keys, SaaS Federation v2. ~550 words, community-native tone. Address: Molecule-AI/molecule-core#1836 Co-Authored-By: Claude Community Manager <noreply@anthropic.com>	2026-04-24 01:44:26 +00:00
Molecule AI Community Manager	84f676f85c	docs(community): Phase 34 Discord-style community announcement ... Community announcement for Phase 34 GA (April 30, 2026). Four features: Tool Trace, Platform Instructions, Partner API Keys, SaaS Federation v2. Discord-format, ~550 words, community-native tone. Addresses Molecule-AI/molecule-core#1836. Co-Authored-By: Claude Community Manager <noreply@anthropic.com>	2026-04-24 01:44:26 +00:00
Molecule AI Community Manager	899eeabacf	docs(community): Phase 34 Discord-style community announcement ... Community announcement for Phase 34 GA (April 30, 2026). Four features: Tool Trace, Platform Instructions, Partner API Keys, SaaS Federation v2. Discord-format, ~550 words, community-native tone. Addresses Molecule-AI/molecule-core#1836. Co-Authored-By: Claude Community Manager <noreply@anthropic.com>	2026-04-24 01:44:26 +00:00