molecule-core

molecule-ai/molecule-core

Fork 2

Commit Graph

Author	SHA1	Message	Date
rabbitblood	cf9d2acbf9	chore(template): address review feedback — scrub token from .git/config + document env vars Addresses FLAG 1 and FLAG 2 from the 7-Gate review on PR #20. FLAG 1 (token persisted on disk): Previous: `git clone https://x-access-token:${GITHUB_TOKEN}@github.com/...` wrote the full tokenized URL into /workspace/repo/.git/config as `[remote "origin"] url = …`. Token survived container restarts on any bind-mounted workspace_dir. Fix: after clone, `git remote set-url origin https://github.com/${GITHUB_REPO}.git` scrubs the token from the remote URL. Token is only in the clone command's argv (transient) and not persisted on disk. Falls back to anonymous for public repos. FLAG 2 (docs not updated): Added GITHUB_REPO and GITHUB_TOKEN entries under a new 'GitHub' section in .env.example with notes about (a) what they're read for, (b) that GITHUB_TOKEN should be registered as a global secret via POST /admin/secrets, (c) how it's handled to avoid on-disk persistence. FLAG 3 (per-workspace gating) is deferred to a separate issue — it's a platform design question about secret scope/ACLs, not a template fix.	2026-04-13 21:07:26 -07:00
Hongming Wang	74e2da8b92	chore: quality pass — native dialogs, env sync, Go handler splits Three parallel cleanups driven by the second code-review pass. ## Native dialogs → ConfirmDialog (7 sites) Violated the standing feedback_no_native_dialogs rule. - ChannelsTab: confirm() → ConfirmDialog danger variant with pendingDelete state - ScheduleTab: window.confirm() → ConfirmDialog danger - ChatTab: confirm("Restart...") → ConfirmDialog warning (restart is recoverable) - TemplatePalette: two alert() sites collapsed into a single notice state + ConfirmDialog as OK-only info toast - ErrorBoundary: dropped both window.alert calls entirely. Clipboard-copy click is self-evident; console.error already captures the fallback. ## .env.example ↔ Go env var sync Added 11 previously-undocumented env vars grouped into 6 new sections: - Platform: PLATFORM_URL, MOLECULE_URL, WORKSPACE_DIR, MOLECULE_ENV - CORS / rate limiting: CORS_ORIGINS, RATE_LIMIT - Activity retention: ACTIVITY_RETENTION_DAYS, ACTIVITY_CLEANUP_INTERVAL_HOURS - Container detection: MOLECULE_IN_DOCKER (moved to dedup) - Observability: AWARENESS_URL - Webhooks: GITHUB_WEBHOOK_SECRET - CLI: MOLECLI_URL All 21 distinct os.Getenv / envx.* keys (excluding HOME) now documented. Zero orphans in the other direction. ## Go handler function splits (4 funcs, pure refactor) No behavior change; same tests pass. \| Function \| Before \| After \| Helpers \| \|---------------------------\|-------:\|------:\|---------------------------------------------------------------\| \| proxyA2ARequest \| 257 \| 56 \| resolveAgentURL, normalizeA2APayload, dispatchA2A, \| \| \| \| \| handleA2ADispatchError, maybeMarkContainerDead, \| \| \| \| \| logA2AFailure, logA2ASuccess \| \| Delegate \| 127 \| 60 \| bindDelegateRequest, lookupIdempotentDelegation, \| \| \| \| \| insertDelegationRow \| \| Discover \| 125 \| 40 \| discoverWorkspacePeer, writeExternalWorkspaceURL, \| \| \| \| \| discoverHostPeer \| \| SessionSearch \| 109 \| 24 \| parseSessionSearchParams, buildSessionSearchQuery, \| \| \| \| \| scanSessionSearchRows \| Preserved exact error semantics, log.Printf calls, status codes, and response shapes. Introduced a proxyDispatchBuildError sentinel in a2a_proxy so the orchestrator can distinguish "couldn't build the request" from "Do() failed" without changing existing branches. ## Verification - go build ./... clean - go vet ./... clean - go test -race ./internal/... — all pass - canvas npm run build — clean - canvas npm test -- --run — 352/352 pass - grep window.confirm\|window.alert\|window.prompt in canvas/src — 0 matches - every platform os.Getenv key present in .env.example Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-13 14:36:30 -07:00
Hongming Wang	24fec62d7f	initial commit — Molecule AI platform Forked clean from public hackathon repo (Starfire-AgentTeam, BSL 1.1) with full rebrand to Molecule AI under github.com/Molecule-AI/molecule-monorepo. Brand: Starfire → Molecule AI. Slug: starfire / agent-molecule → molecule. Env vars: STARFIRE_* → MOLECULE_*. Go module: github.com/agent-molecule/platform → github.com/Molecule-AI/molecule-monorepo/platform. Python packages: starfire_plugin → molecule_plugin, starfire_agent → molecule_agent. DB: agentmolecule → molecule. History truncated; see public repo for prior commits and contributor attribution. Verified green: go test -race ./... (platform), pytest (workspace-template 1129 + sdk 132), vitest (canvas 352), build (mcp). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-13 11:55:37 -07:00

Author

SHA1

Message

Date

rabbitblood

cf9d2acbf9

chore(template): address review feedback — scrub token from .git/config + document env vars

Addresses FLAG 1 and FLAG 2 from the 7-Gate review on PR #20.

FLAG 1 (token persisted on disk):
Previous: `git clone https://x-access-token:${GITHUB_TOKEN}@github.com/...` wrote
the full tokenized URL into /workspace/repo/.git/config as `[remote "origin"] url = …`.
Token survived container restarts on any bind-mounted workspace_dir.

Fix: after clone, `git remote set-url origin https://github.com/${GITHUB_REPO}.git`
scrubs the token from the remote URL. Token is only in the clone command's argv
(transient) and not persisted on disk. Falls back to anonymous for public repos.

FLAG 2 (docs not updated):
Added GITHUB_REPO and GITHUB_TOKEN entries under a new 'GitHub' section in
.env.example with notes about (a) what they're read for, (b) that GITHUB_TOKEN
should be registered as a global secret via POST /admin/secrets, (c) how it's
handled to avoid on-disk persistence.

FLAG 3 (per-workspace gating) is deferred to a separate issue — it's a platform
design question about secret scope/ACLs, not a template fix.

2026-04-13 21:07:26 -07:00

Hongming Wang

74e2da8b92

chore: quality pass — native dialogs, env sync, Go handler splits

Three parallel cleanups driven by the second code-review pass.

## Native dialogs → ConfirmDialog (7 sites)

Violated the standing feedback_no_native_dialogs rule.

- ChannelsTab: confirm() → ConfirmDialog danger variant with pendingDelete state
- ScheduleTab: window.confirm() → ConfirmDialog danger
- ChatTab: confirm("Restart...") → ConfirmDialog warning (restart is recoverable)
- TemplatePalette: two alert() sites collapsed into a single notice state +
  ConfirmDialog as OK-only info toast
- ErrorBoundary: dropped both window.alert calls entirely. Clipboard-copy
  click is self-evident; console.error already captures the fallback.

## .env.example ↔ Go env var sync

Added 11 previously-undocumented env vars grouped into 6 new sections:

- Platform: PLATFORM_URL, MOLECULE_URL, WORKSPACE_DIR, MOLECULE_ENV
- CORS / rate limiting: CORS_ORIGINS, RATE_LIMIT
- Activity retention: ACTIVITY_RETENTION_DAYS, ACTIVITY_CLEANUP_INTERVAL_HOURS
- Container detection: MOLECULE_IN_DOCKER (moved to dedup)
- Observability: AWARENESS_URL
- Webhooks: GITHUB_WEBHOOK_SECRET
- CLI: MOLECLI_URL

All 21 distinct os.Getenv / envx.* keys (excluding HOME) now documented.
Zero orphans in the other direction.

## Go handler function splits (4 funcs, pure refactor)

No behavior change; same tests pass.

| Function                  | Before | After | Helpers                                                       |
|---------------------------|-------:|------:|---------------------------------------------------------------|
| proxyA2ARequest           |    257 |    56 | resolveAgentURL, normalizeA2APayload, dispatchA2A,            |
|                           |        |       | handleA2ADispatchError, maybeMarkContainerDead,               |
|                           |        |       | logA2AFailure, logA2ASuccess                                  |
| Delegate                  |    127 |    60 | bindDelegateRequest, lookupIdempotentDelegation,              |
|                           |        |       | insertDelegationRow                                           |
| Discover                  |    125 |    40 | discoverWorkspacePeer, writeExternalWorkspaceURL,             |
|                           |        |       | discoverHostPeer                                              |
| SessionSearch             |    109 |    24 | parseSessionSearchParams, buildSessionSearchQuery,            |
|                           |        |       | scanSessionSearchRows                                         |

Preserved exact error semantics, log.Printf calls, status codes, and
response shapes. Introduced a proxyDispatchBuildError sentinel in
a2a_proxy so the orchestrator can distinguish "couldn't build the
request" from "Do() failed" without changing existing branches.

## Verification

- go build ./... clean
- go vet ./... clean
- go test -race ./internal/... — all pass
- canvas npm run build — clean
- canvas npm test -- --run — 352/352 pass
- grep window.confirm|window.alert|window.prompt in canvas/src — 0 matches
- every platform os.Getenv key present in .env.example

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-13 14:36:30 -07:00

Hongming Wang

24fec62d7f

initial commit — Molecule AI platform

Forked clean from public hackathon repo (Starfire-AgentTeam, BSL 1.1)
with full rebrand to Molecule AI under github.com/Molecule-AI/molecule-monorepo.

Brand: Starfire → Molecule AI.
Slug: starfire / agent-molecule → molecule.
Env vars: STARFIRE_* → MOLECULE_*.
Go module: github.com/agent-molecule/platform → github.com/Molecule-AI/molecule-monorepo/platform.
Python packages: starfire_plugin → molecule_plugin, starfire_agent → molecule_agent.
DB: agentmolecule → molecule.

History truncated; see public repo for prior commits and contributor
attribution. Verified green: go test -race ./... (platform), pytest
(workspace-template 1129 + sdk 132), vitest (canvas 352), build (mcp).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-13 11:55:37 -07:00

3 Commits