Extracted from the now-closed PR #1664 (Molecule-AI/molecule-core).
- New scripts/molecule-gh-token-refresh.sh background daemon — every
45 min (TOKEN_REFRESH_INTERVAL_SEC) calls the credential helper's
_refresh_gh action to keep both gh CLI auth and the on-disk cache
fresh through the GitHub App installation token's ~60 min TTL.
- scripts/molecule-git-token-helper.sh rewritten with a ~50 min
on-disk cache (${CACHE_DIR}/gh_installation_token + _expiry
companion file), a cache > API > env-var fallback chain, a new
_refresh_gh action (invoked by the daemon above), a _invalidate_cache
action, and path references flipped from /workspace/scripts/... to
/app/scripts/... to match the runtime image layout.
- Dockerfile copies the new refresh daemon and extends mkdir to
create /home/agent/.molecule-token-cache at build time.
- entrypoint.sh configures the git credential helper for github.com
while still root (so the global gitconfig is written before the
gosu handoff), creates + chowns the token cache dir, then as agent
starts the refresh daemon in the background and does an initial
gh auth login from GITHUB_TOKEN/GH_TOKEN so gh works before the
first refresh fires.
Dropped from PR #1664: cosmetic em-dash -> ASCII hyphen rewrites
(charset-normalizer noise) that would conflict with the repo's
existing em-dash convention used elsewhere in workspace/.
- PLATFORM_URL: replace unreachable http://platform:8080 mesh-only default
with Docker-aware detection (host.docker.internal in containers,
localhost for local dev) across all workspace Python modules and the
git-token-helper shell script.
- WORKSPACE_ID: add fail-fast validation in main.py (SystemExit if empty)
consistent with coordinator.py / a2a_cli.py patterns already in place.
- INCIDENT_LOG.md: replace all 3 F1088 credential types with
***REDACTED*** (sk-cp- 2x, github_pat_ 2x, ADMIN_TOKEN base64 3x).
Fixes#1124, #1333.
Co-authored-by: Molecule AI Dev Lead <dev-lead@agents.moleculesai.app>
PR #729 tightened AdminAuth to require ADMIN_TOKEN, breaking the
workspace credential helper which called /admin/github-installation-token
with a workspace bearer token. Tokens expired after 60 min with no refresh.
Fix: Add /workspaces/:id/github-installation-token under WorkspaceAuth
so any authenticated workspace can refresh its GitHub token. Keep the
admin path as backward-compatible alias.
Update molecule-git-token-helper.sh to use the workspace-scoped path
when WORKSPACE_ID is set.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
