molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity
962 Commits 79 Branches 39 Tags 58 MiB
e1d65607cf
Commit Graph

962 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Hongming Wang
e1d65607cf feat(security): Phase 35.1 — SG lockdown script for tenant EC2 instances 
Restricts tenant EC2 port 8080 ingress to Cloudflare IP ranges only,
blocking direct-IP access. Supports two modes:

1. Lock to CF IPs (Worker deployment): 14 IPv4 CIDR rules
2. Close ingress entirely (Tunnel deployment): removes 0.0.0.0/0 only

Usage:
  bash scripts/lockdown-tenant-sg.sh --sg-id sg-xxxxx
  bash scripts/lockdown-tenant-sg.sh --sg-id sg-xxxxx --close-ingress
  bash scripts/lockdown-tenant-sg.sh --sg-id sg-xxxxx --dry-run

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 12:01:41 -07:00
Hongming Wang
0d538ab27a fix(ci): update working-directory for workspace-server/ and workspace/ renames 
- platform-build: working-directory platform → workspace-server
- golangci-lint: working-directory platform → workspace-server
- python-lint: working-directory workspace-template → workspace
- e2e-api: working-directory platform → workspace-server
- canvas-deploy-reminder: fix duplicate if: key (merged into single condition)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 07:05:44 -07:00
Hongming Wang
5f452e377a chore: update publish workflow name + document staging-first flow 
Default branch is now staging for both molecule-core and
molecule-controlplane. PRs target staging, CEO merges staging → main
to promote to production.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 07:02:02 -07:00
Hongming Wang
8332a3a21b
Merge pull request #953 from Molecule-AI/fix/chattab-comment-path 
fix: ChatTab comment path
 2026-04-18 01:49:05 -07:00
Hongming Wang
ecad02eadc fix: ChatTab comment path for workspace-server rename 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 01:48:59 -07:00
Hongming Wang
6538581922
Merge pull request #952 from Molecule-AI/fix/workspace-script-paths 
fix: workspace script path comments
 2026-04-18 01:48:10 -07:00
Hongming Wang
7786d6e1eb fix: update workspace script comments for workspace-template → workspace rename 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 01:48:05 -07:00
Hongming Wang
2fa3f9def9
Merge pull request #951 from Molecule-AI/fix/docs-architecture-paths 
fix(docs): architecture + API paths for workspace-server rename
 2026-04-18 01:25:32 -07:00
Hongming Wang
af2670cc53 fix(docs): update architecture + API reference paths for workspace-server rename 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 01:25:21 -07:00
Hongming Wang
8c1b0758c3
Merge pull request #950 from Molecule-AI/fix/docs-stale-paths 
fix(docs): update cd commands for workspace-server/ and workspace/ renames
 2026-04-18 01:24:13 -07:00
Hongming Wang
67d60d8d1b fix(docs): update cd commands for workspace-server/ and workspace/ renames 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 01:24:09 -07:00
Hongming Wang
b5d1a24ffd
Merge pull request #948 from Molecule-AI/fix/wire-verify-manifest-integrity 
fix(plugins): wire VerifyManifestIntegrity into install pipeline
 2026-04-18 01:15:40 -07:00
Hongming Wang
d17f57e29f fix(plugins): wire VerifyManifestIntegrity into install pipeline 
The supply_chain.go implementation was merged in #937 but never called
from the actual install handler. Plugins with a manifest.json sha256
field now get verified before staging completes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 01:15:26 -07:00
rabbitblood
b28f8498e8 Merge branch 'main' of https://github.com/Molecule-AI/molecule-core 2026-04-18 01:08:53 -07:00
rabbitblood
5c668cb283 fix(ci): add staging branch to CI triggers 
PRs targeting staging got no CI because the workflow only triggered
on main. Now runs on both main and staging pushes + PRs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 01:08:44 -07:00
Hongming Wang
b9c059d4d5 chore: rename publish-platform-image → publish-workspace-server-image 
Aligns CI workflow filename with the platform/ → workspace-server/ rename.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 01:05:09 -07:00
Hongming Wang
ecef07c456 chore: clean stale gitignore entries for removed dirs 
Remove entries for org-templates/, plugins/, docs/.vitepress/dist/
that no longer exist. Deduplicate .claude-bridge/ entry.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 00:58:42 -07:00
Hongming Wang
83c5fd1060
Merge pull request #947 from Molecule-AI/chore/final-cleanup 
chore: final cleanup — remove internal tooling, gitignore local config
 2026-04-18 00:52:41 -07:00
Hongming Wang
fccf15681b chore: final cleanup — remove internal tooling, gitignore local config 
Removed:
- docs/.vitepress/ + package.json — docs site config belongs in Molecule-AI/docs
- scripts/bridge/ — internal Claude Code bridge server
- scripts/claude-code-bridge.py — internal agent bridge
- scripts/dedup_settings_hooks.py, verify_settings_hooks.py — internal maintenance

Gitignored:
- .mcp.json → .mcp.json.example (local MCP config, users create their own)
- test-results/ — ephemeral build artifacts

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 00:52:30 -07:00
Hongming Wang
cbda5665b7
Merge pull request #946 from Molecule-AI/chore/move-internal-docs 
chore: move internal docs to private repo
 2026-04-18 00:48:03 -07:00
Hongming Wang
a91d82d1e2 chore: move internal docs to Molecule-AI/internal (private) 
Moved to private repo so the public monorepo only contains docs
useful for contributors and users:

Removed (now in Molecule-AI/internal):
- edit-history/ — 15 daily dev session logs
- retrospectives/ — session postmortems with ops details
- marketing/ — competitor analysis, SEO strategy, landing briefs
- product/ — PRD, SaaS strategy, growth research
- runbooks/ — SaaS ops (secrets rotation, GDPR, admin auth)
- security/ — internal security advisories
- research/ — competitive framework analysis
- ecosystem-watch.md — competitive landscape tracking
- demo/, spikes/ — internal prototypes
- known-issues.md, remote-workspaces-readiness.md

Also removed duplicate docs/architecture.md (superseded by
docs/architecture/overview.md).

Remaining public docs: architecture, API reference, adapters,
agent-runtime, plugins, guides, tutorials, development, frontend,
integrations, glossary, quickstart.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 00:47:41 -07:00
Hongming Wang
ca8949177a
Merge pull request #945 from Molecule-AI/chore/gitignore-claude-md-add-docs 
chore: gitignore CLAUDE.md, extract architecture + API docs
 2026-04-18 00:44:36 -07:00
Hongming Wang
a9036aec04 chore: gitignore CLAUDE.md, extract content to proper docs 
CLAUDE.md was a 44KB catch-all mixing architecture docs (useful for
everyone) with agent operating instructions (internal). Split:

- docs/architecture/overview.md — system architecture, component
  descriptions, 13 key patterns (import cycles, health detection,
  communication rules, WebSocket flow, lifecycle, etc.)
- docs/api-reference.md — full REST API route table + database schema
- CLAUDE.md → gitignored (stays local for agent tooling)

All internal PR/issue references stripped from the new docs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 00:43:33 -07:00
Hongming Wang
2959bde0b1
Merge pull request #944 from Molecule-AI/chore/open-source-final-fixes 
chore: final open-source cleanup — binary, stale paths, private refs
 2026-04-18 00:39:12 -07:00
Hongming Wang
92c60c313c chore: final open-source cleanup — binary, stale paths, private refs 
- Remove compiled workspace-server/server binary from git
- Fix .gitignore, .gitattributes, .githooks/pre-commit for renamed dirs
- Fix CI workflow path filters (workspace-template → workspace)
- Replace real EC2 IP and personal slug in test_saas_tenant.sh
- Scrub molecule-controlplane references in docs
- Fix stale workspace-template/ paths in provisioner, handlers, tests
- Clean tracked Python cache files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 00:38:55 -07:00
Hongming Wang
08beabccd4
Merge pull request #943 from Molecule-AI/fix/remaining-platform-refs 
fix: last stale platform/ refs in scripts, tests, compose
 2026-04-18 00:32:08 -07:00
Hongming Wang
dd878b819b fix: remaining platform/ path references in scripts, tests, compose 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 00:32:03 -07:00
Hongming Wang
96c463b8a2
Merge pull request #942 from Molecule-AI/fix/dockerfile-gosum-path 
fix: Dockerfile go.sum path after workspace-server rename
 2026-04-18 00:31:27 -07:00
Hongming Wang
b8edcbe6c1 fix: Dockerfile go.sum path after platform → workspace-server rename 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 00:31:16 -07:00
Hongming Wang
d6f0a9b9ef
Merge pull request #941 from Molecule-AI/fix/railway-build-context 
fix: railway.toml buildContext for workspace-server rename
 2026-04-18 00:29:51 -07:00
Hongming Wang
9992665908 fix: railway.toml buildContext must be repo root for workspace-server COPY paths 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 00:29:38 -07:00
Hongming Wang
3cf17e4ddc
Merge pull request #940 from Molecule-AI/chore/open-source-prep 
chore: open-source preparation — scrub secrets, add community files
 2026-04-18 00:27:19 -07:00
Hongming Wang
479a027e4b chore: open-source restructure — rename dirs, remove internal files, scrub secrets 
Renames:
- platform/ → workspace-server/ (Go module path stays as "platform" for
  external dep compat — will update after plugin module republish)
- workspace-template/ → workspace/

Removed (moved to separate repos or deleted):
- PLAN.md — internal roadmap (move to private project board)
- HANDOFF.md, AGENTS.md — one-time internal session docs
- .claude/ — gitignored entirely (local agent config)
- infra/cloudflare-worker/ → Molecule-AI/molecule-tenant-proxy
- org-templates/molecule-dev/ → standalone template repo
- .mcp-eval/ → molecule-mcp-server repo
- test-results/ — ephemeral, gitignored

Security scrubbing:
- Cloudflare account/zone/KV IDs → placeholders
- Real EC2 IPs → <EC2_IP> in all docs
- CF token prefix, Neon project ID, Fly app names → redacted
- Langfuse dev credentials → parameterized
- Personal runner username/machine name → generic

Community files:
- CONTRIBUTING.md — build, test, branch conventions
- CODE_OF_CONDUCT.md — Contributor Covenant 2.1

All Dockerfiles, CI workflows, docker-compose, railway.toml, render.yaml,
README, CLAUDE.md updated for new directory names.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 00:24:44 -07:00
Hongming Wang
6b6ea4d57a chore: move platform/docs/adr/ to root docs/adr/ — single docs location 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 00:12:47 -07:00
Hongming Wang
e906f49ec0 chore: open-source preparation — scrub secrets, add community files 
Security:
- Replace hardcoded Cloudflare account/zone/KV IDs in wrangler.toml
  with placeholders; add wrangler.toml to .gitignore, ship .example
- Replace real EC2 IPs in docs with <EC2_IP> placeholders
- Redact partial CF API token prefix in retrospective
- Parameterize Langfuse dev credentials in docker-compose.infra.yml
- Replace Neon project ID in runbook with <neon-project-id>

Community:
- Add CONTRIBUTING.md (build, test, branch conventions, CI info)
- Add CODE_OF_CONDUCT.md (Contributor Covenant 2.1)

Cleanup:
- Replace personal runner username/machine name in CI + PLAN.md
- Replace personal tenant URL in MCP setup guide
- Replace personal author field in bundle-system doc
- Replace personal login in webhook test fixture
- Rewrite cryptominer incident reference as generic security remediation
- Remove private repo commit hashes from PLAN.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-18 00:10:56 -07:00
Hongming Wang
164af21def
Merge pull request #939 from Molecule-AI/docs/tunnel-migration-report 
docs: Cloudflare Tunnel migration report + Worker source
 2026-04-17 23:59:54 -07:00
Hongming Wang
812b630a93 docs: Cloudflare Tunnel migration report + track Worker source 
- Full session retrospective: tunnel E2E verified on prod + staging subdomains
- Worker source tracked in infra/cloudflare-worker/ (was only in /tmp)
- Worker changes: reserved slug passthrough + multi-level subdomain bypass
- Known issues, follow-ups, cost impact, key learnings documented

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-17 23:58:55 -07:00
Hongming Wang
ba35138dd5
Merge pull request #938 from Molecule-AI/fix/a11y-team-member-chip 
fix(canvas): add a11y to TeamMemberChip — keyboard nav + ARIA
 2026-04-17 21:53:54 -07:00
Hongming Wang
89c8c14b3b fix(canvas): add a11y attributes to TeamMemberChip — role, aria-label, keyboard nav 
Adds role="button", tabIndex, aria-label="Select <name>", and keyboard
handlers (Enter/Space) to TeamMemberChip. Fixes 5 failing a11y tests
from issue #831. Updates eject button test to match existing label format.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-17 21:53:39 -07:00
Hongming Wang
251fa985f5
Merge pull request #937 from Molecule-AI/fix/vet-errors-supply-chain 
fix(platform): resolve go vet errors + supply chain hardening
 2026-04-17 21:50:37 -07:00
Hongming Wang
64d061f42c fix(platform): resolve go vet errors + implement supply chain hardening (#768) 
- Add supply_chain.go with VerifyManifestIntegrity (SHA256 content check)
- Add pinned-ref enforcement to GithubResolver.Fetch (rejects bare org/repo)
- Fix duplicate TestSlackAdapter_Type across channels_test.go and slack_test.go
- Fix sync.Once lock copy in audit_test.go resetAuditKeyCache
- Fix slack_test.go horizontal rule expectations to match implementation
- Existing tests updated with PLUGIN_ALLOW_UNPINNED=true for bare-ref specs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-17 21:50:18 -07:00
Hongming Wang
69433bf687
Merge pull request #929 from Molecule-AI/feat/issue-837-temporal-checkpoint-step3 
feat(checkpoints): Temporal crash-resume — GET /checkpoints/latest + history injection (closes #583)
 2026-04-17 21:45:01 -07:00
Hongming Wang
3f03052d55
Merge pull request #921 from Molecule-AI/feat/issue-753-audit-trail-panel 
feat(canvas): audit trail visualization panel (closes #753)
 2026-04-17 21:44:58 -07:00
Hongming Wang
d751a25768
Merge pull request #915 from Molecule-AI/feat/issue-852-hermes-runtime 
feat(plugins): extend runtime declarations to hermes — 5 SKILL.md plugins
 2026-04-17 21:44:55 -07:00
Hongming Wang
3f97ce04b6
Merge pull request #879 from Molecule-AI/fix/canvas-test-fixture-budgetlimit 
fix(canvas): repair TypeScript fixture drift in BudgetLimit and test factories
 2026-04-17 21:44:52 -07:00
Hongming Wang
00e748eab9
Merge pull request #925 from Molecule-AI/fix/issue-893-hitl-audit-log 
fix(hitl): emit log_event() on approval grant and denial — Art. 14 audit gap (closes #893)
 2026-04-17 21:43:00 -07:00
Hongming Wang
57d1bc2866
Merge pull request #913 from Molecule-AI/fix/issue-834-commit-memory-secret-scrub 
fix(security): redact secrets from commit_memory before persistence (closes #834)
 2026-04-17 21:42:57 -07:00
Hongming Wang
23f32b22ca
Merge pull request #849 from Molecule-AI/docs/partner-api-keys 
docs: Partner API Keys — programmatic org management (Phase 34)
 2026-04-17 21:41:46 -07:00
Hongming Wang
76d3b32ab9 fix: resolve PLAN.md merge conflict — keep both Phase 34 and Phase 36 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-17 21:41:32 -07:00
Hongming Wang
4bf13bbb81
Merge pull request #927 from Molecule-AI/chore/eco-watch-2026-04-18 
chore(eco-watch): 2026-04-18 daily sweep — chrome-devtools-mcp + craft-agents-oss + BLOCK MemPalace
 2026-04-17 21:40:29 -07:00