Commit Graph

4 Commits

Author SHA1 Message Date
37b01b4e24 [core-devops-agent] fix: add HEALTHCHECK to workspace/Dockerfile
All checks were successful
sop-checklist / all-items-acked (pull_request) injected after rebase
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 38s
CI / Detect changes (pull_request) Successful in 1m22s
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m24s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m14s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 51s
publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 26s
publish-runtime-autobump / pr-validate (pull_request) Successful in 54s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 14s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m32s
gate-check-v3 / gate-check (pull_request) Successful in 22s
qa-review / approved (pull_request) Successful in 20s
security-review / approved (pull_request) Successful in 17s
sop-checklist-gate / gate (pull_request) Successful in 15s
audit-force-merge / audit (pull_request) Successful in 14s
sop-tier-check / tier-check (pull_request) Successful in 19s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 9s
CI / Platform (Go) (pull_request) Successful in 14s
CI / Canvas (Next.js) (pull_request) Successful in 12s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 10s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 12s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 17s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 2m39s
CI / Python Lint & Test (pull_request) Successful in 7m25s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / all-required (pull_request) Successful in 4s
Probe the A2A agent-card endpoint so orchestrators and container
runtimes can detect a live, responsive workspace agent without
requiring a registered agent token.

- Uses curl (present in python:3.11-slim base)
- Targets uvicorn server on configurable PORT (default 8000)
- interval=30s, timeout=5s, retries=3 — balances responsiveness
  vs. false-positive tolerance on busy containers
- ${PORT:-8000} substitution is safe because:
  (a) the base image EXPOSEs 8000
  (b) molecule-runtime defaults config.a2a.port to 8000
  (c) the entrypoint uses exec form so HEALTHCHECK exec succeeds

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-13 22:29:45 +00:00
1492b40b38 ci(docker): pin base image digests in all Dockerfiles
Some checks failed
sop-tier-check / tier-check (pull_request) Failing after 28s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 37s
Pins all FROM image tags to exact SHA256 digests for reproducible
builds. Without digest pinning, a registry push of a new image to the
same tag can silently change the layer content between builds — a
supply-chain risk especially for prod-deployed images.

Pinned images (7 Dockerfiles):
- golang:1.25-alpine → sha256:c4ea15b... (workspace-server/Dockerfile,
  Dockerfile.dev, Dockerfile.tenant, tests/harness/cp-stub/Dockerfile)
- alpine:3.20 → sha256:c64c687c... (workspace-server/Dockerfile,
  tests/harness/cp-stub/Dockerfile)
- node:20-alpine → sha256:afdf982... (workspace-server/Dockerfile.tenant)
- node:22-alpine → sha256:cb15fca... (canvas/Dockerfile)
- python:3.11-slim → sha256:e78299e... (workspace/Dockerfile)
- nginx:1.27-alpine → sha256:62223d6... (tests/harness/cf-proxy/Dockerfile)

Note: docker-compose.yml service images (postgres, redis, clickhouse,
litellm, ollama) are intentionally left on major-version tags — those
are runtime-pulled and updated regularly for local-dev ergonomics.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-09 23:56:39 +00:00
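A check for the digest pinning described in the commit above, as an added example that is not code from this repository: it flags every `FROM` line whose image reference lacks a full `@sha256:` digest, while allowing `scratch` and references to earlier build stages. The function name, the sample Dockerfile and the all-zero digest are constructed for illustration.

```python
import re

# A full digest reference ends in @sha256:<64 hex chars>; truncated digests do not count.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_from_lines(dockerfile_text):
    """Return (line_number, image_ref, reason) for each FROM lacking a digest."""
    findings = []
    stages = set()  # aliases declared by earlier "FROM ... AS <name>" lines
    for lineno, raw in enumerate(dockerfile_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        args = [t for t in tokens[1:] if not t.startswith("--")]  # skip --platform=...
        if not args:
            continue
        image = args[0]
        if image == "scratch" or image.lower() in stages:
            pass  # empty base or an earlier build stage: nothing is pulled
        elif "$" in image:
            findings.append((lineno, image, "build-arg reference, not statically checkable"))
        elif not DIGEST_RE.search(image):
            findings.append((lineno, image, "tag only, no sha256 digest"))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
    return findings

# Constructed sample; the all-zero digest is a placeholder, not a real image digest.
PLACEHOLDER = "sha256:" + "0" * 64
SAMPLE = "\n".join([
    f"FROM golang:1.25-alpine@{PLACEHOLDER} AS builder",
    "RUN go build ./...",
    "FROM --platform=linux/amd64 node:20-alpine AS ui",
    "FROM alpine:3.20",
    "COPY --from=builder /app /app",
    "FROM builder AS test",
    "FROM scratch",
])

if __name__ == "__main__":
    for lineno, image, reason in unpinned_from_lines(SAMPLE):
        print(f"line {lineno}: {image}: {reason}")
```

Run in CI over each Dockerfile, a non-empty result can fail the build so that a tag-only `FROM` cannot be reintroduced later.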
Hongming Wang
2885583d05 feat(workspace): 45-min gh-token refresh daemon + credential helper cache
Extracted from the now-closed PR #1664 (Molecule-AI/molecule-core).

- New scripts/molecule-gh-token-refresh.sh background daemon — every
  45 min (TOKEN_REFRESH_INTERVAL_SEC) calls the credential helper's
  _refresh_gh action to keep both gh CLI auth and the on-disk cache
  fresh through the GitHub App installation token's ~60 min TTL.
- scripts/molecule-git-token-helper.sh rewritten with a ~50 min
  on-disk cache (${CACHE_DIR}/gh_installation_token + _expiry
  companion file), a cache > API > env-var fallback chain, a new
  _refresh_gh action (invoked by the daemon above), a _invalidate_cache
  action, and path references flipped from /workspace/scripts/... to
  /app/scripts/... to match the runtime image layout.
- Dockerfile copies the new refresh daemon and extends mkdir to
  create /home/agent/.molecule-token-cache at build time.
- entrypoint.sh configures the git credential helper for github.com
  while still root (so the global gitconfig is written before the
  gosu handoff), creates + chowns the token cache dir, then as agent
  starts the refresh daemon in the background and does an initial
  gh auth login from GITHUB_TOKEN/GH_TOKEN so gh works before the
  first refresh fires.

Dropped from PR #1664: cosmetic em-dash -> ASCII hyphen rewrites
(charset-normalizer noise) that would conflict with the repo's
existing em-dash convention used elsewhere in workspace/.
2026-04-22 19:52:46 -07:00
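The cache > API > env-var fallback chain from the commit above, as an added Python illustration rather than the repository's shell helper. The expiry file name, the epoch-seconds expiry format, the `fetch_from_api` callable and the use of `GITHUB_TOKEN`/`GH_TOKEN` as the env fallback are assumptions.

```python
import os
import time

TOKEN_FILE = "gh_installation_token"          # file name from the commit message
EXPIRY_FILE = "gh_installation_token_expiry"  # assumed name of the "_expiry" companion
CACHE_TTL_SEC = 50 * 60                       # ~50 min cache against a ~60 min token TTL

def read_cache(cache_dir, now):
    """Return the cached token if present and unexpired, else None."""
    try:
        with open(os.path.join(cache_dir, EXPIRY_FILE)) as f:
            expiry = int(f.read().strip())    # assumed format: epoch seconds
        with open(os.path.join(cache_dir, TOKEN_FILE)) as f:
            token = f.read().strip()
    except (OSError, ValueError):
        return None                           # missing or corrupt cache is a miss
    return token if token and now < expiry else None

def write_cache(cache_dir, token, now):
    """Write token and expiry; new files are created with mode 0600."""
    entries = ((TOKEN_FILE, token), (EXPIRY_FILE, str(int(now) + CACHE_TTL_SEC)))
    for name, value in entries:
        path = os.path.join(cache_dir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(value)

def invalidate_cache(cache_dir):
    """Drop both cache files so the next lookup goes to the API."""
    for name in (TOKEN_FILE, EXPIRY_FILE):
        try:
            os.remove(os.path.join(cache_dir, name))
        except FileNotFoundError:
            pass

def get_token(cache_dir, fetch_from_api, env, now=None):
    """Resolve a token in the order cache > API > env var; returns (token, source)."""
    now = time.time() if now is None else now
    token = read_cache(cache_dir, now)
    if token:
        return token, "cache"
    try:
        token = fetch_from_api()              # hypothetical callable, returns str or None
    except Exception:
        token = None                          # API failure falls through to the env var
    if token:
        write_cache(cache_dir, token, now)
        return token, "api"
    token = env.get("GITHUB_TOKEN") or env.get("GH_TOKEN")
    return (token, "env") if token else (None, "none")
```

Keeping the cache TTL below the token TTL means a cached token is never handed out after it has expired upstream, and the 0600 mode keeps the token unreadable to other local users.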
Hongming Wang
d8026347e5 chore: open-source restructure — rename dirs, remove internal files, scrub secrets
Renames:
- platform/ → workspace-server/ (Go module path stays as "platform" for
  external dep compat — will update after plugin module republish)
- workspace-template/ → workspace/

Removed (moved to separate repos or deleted):
- PLAN.md — internal roadmap (move to private project board)
- HANDOFF.md, AGENTS.md — one-time internal session docs
- .claude/ — gitignored entirely (local agent config)
- infra/cloudflare-worker/ → Molecule-AI/molecule-tenant-proxy
- org-templates/molecule-dev/ → standalone template repo
- .mcp-eval/ → molecule-mcp-server repo
- test-results/ — ephemeral, gitignored

Security scrubbing:
- Cloudflare account/zone/KV IDs → placeholders
- Real EC2 IPs → <EC2_IP> in all docs
- CF token prefix, Neon project ID, Fly app names → redacted
- Langfuse dev credentials → parameterized
- Personal runner username/machine name → generic

Community files:
- CONTRIBUTING.md — build, test, branch conventions
- CODE_OF_CONDUCT.md — Contributor Covenant 2.1

All Dockerfiles, CI workflows, docker-compose, railway.toml, render.yaml,
README, CLAUDE.md updated for new directory names.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-18 00:24:44 -07:00