# Phase 30 + Roadmap Context Brief — DevRel

> **Sourced from:** `Molecule-AI/internal` — `PLAN.md` (via GitHub API, read-only token)
> **Purpose:** Keep DevRel aligned with roadmap so content and demos anticipate what's coming

---

## Phase 30: Remote Workspaces — What's Shipped

Phase 30 shipped 8 sub-features (30.1–30.8), all GA as of 2026-04-20:

| Sub-feature | What it does |
|---|---|
| 30.1 Workspace auth tokens | 256-bit bearer tokens, minted at registration. Prevents spoofing. |
| 30.2 Secrets pull endpoint | `GET /workspaces/:id/secrets/values` — gated by auth token |
| 30.3 Plugin tarball download | `GET /plugins/:name/download` — remote agent plugin install |
| 30.4 Workspace state polling | `GET /workspaces/:id/state` — fallback for agents behind NAT |
| 30.5 A2A proxy token validation | Mutual auth on `POST /workspaces/:id/a2a` |
| 30.6 Sibling discovery + URL caching | `GET /registry/{parent_id}/peers`, cache sibling URLs |
| 30.7 Poll-liveness for external runtime | 90s offline threshold, behind `REMOTE_LIVENESS_POLLING_ENABLED` |
| 30.8 Remote-agent SDK + docs | `sdk/python/examples/remote-agent/`, Python thin client |

**Out of scope for Phase 30:**
- Mutual TLS from agent → platform (deferred)
- Agent-to-agent mesh across NATs (needs relay — deferred to Phase 31)
- Platform-managed persistent state for remote agents

---

## Phase 31 — Quality + Infra Pass — SHIPPED 2026-04-13

Completed in PRs #1–#8:
- Brand migration (Molecule → Molecule AI)
- Repo structural cleanup
- MCP per-domain split (1697 → 89 lines, 87 tools)
- Canvas dialog unification
- Platform handler decomposition (+47 Go tests, coverage 56.1% → 57.6%)
- Env-var documentation (all 21 vars now documented)
- E2E hardening + CI (`test_api.sh` 62/62, `test_comprehensive_e2e.sh` 67/67)

---

## Phase 32 — Cloud SaaS Launch (2026-Q2/Q3) — IN PROGRESS

**Goal:** Ship Molecule AI as a multi-tenant cloud SaaS (not just self-hosted per-customer).

**Live infrastructure (as of 2026-04-15):**
- Control plane: `https://molecule-cp.fly.dev`
- Tenant app: `molecule-tenant` (Fly)
- Database: **Neon** serverless Postgres (branch-per-org)
- Cache: **Upstash** Redis
- Auth: **WorkOS AuthKit** (`/cp/auth/{signup,login,callback,signout,me}`)
- Billing: Stripe scaffold deployed (no live keys yet — pending Stripe Atlas)
- Registry: `registry.fly.io/molecule-tenant:latest`
- Domain: `moleculesai.app` (Cloudflare routing, DNS pending)
- First real tenant provisioned: org `acme`

**Phase status:**
- A — Foundation (accounts, tokens, domain) ✅
- B — Fly provisioner + Neon branching ✅
- C — WorkOS AuthKit scaffold ✅
- D — Stripe billing scaffold ✅ (live keys pending Stripe Atlas)
- E — Cloudflare + DNS + per-tenant Vercel canvas ✅
- F — Sign-up UX + onboarding ✅ (basic flow done; polish + email pending)
- G — Observability + quotas + admin ✅
- H — Hardening ⏳ partial (KMS envelope encryption ✅, tenant-isolation CI ✅, legal pages ✅; load test + Stripe Atlas + status page custom domain pending)
- I — Launch ⏳ pending Stripe Atlas (~2 week lead)

**Architectural decisions relevant to DevRel messaging:**
- **Open-core split:** `Molecule-AI/molecule-controlplane` (private) handles orgs/signup/billing/provisioner/routing. This public repo stays OSS (tenant binary + plugins + channels).
- **Firecracker > Docker socket:** Fly Machines API replaces raw Docker socket for multi-tenant isolation. Docker path stays for local dev only.
- **Companion repo:** `molecule-controlplane/PLAN.md` has the private roadmap.

**Tier 1 blockers before first external user:**
- Multi-tenancy: `org_id` filter on every row-returning handler
- Human auth + orgs via WorkOS (separate from Phase 30.1 agent bearer tokens)
- Container isolation via Fly Machines (Firecracker microVMs)
- Stripe billing (subscriptions + usage metering)
- Per-org resource quotas
- Managed Postgres (Neon) + Redis (Upstash)
- Secrets at rest via AWS/GCP KMS
- Migration runner extraction (goose as release step)

---

## Upcoming: Phase 33+

**What to watch for:** The backlog (PLAN.md) lists:
- Canvas: Org template import, Workspace search (Cmd+K), Batch operations
- Sandbox: Firecracker/E2B backends
- SDK follow-ups: live tool-call visibility, cost telemetry, cancel UX
- Real webhook mode for channels (webhook vs. polling)
- More channel adapters: Slack (OAuth), Discord (Bot + Gateway), WhatsApp

---

## Known Issues (from `known-issues.md`)

Three issues tracked internally, not yet filed as GitHub issues:

**KI-001 — Telegram `kicked` event doesn't persist disabled state**
- File: `telegram.go:596`
- Severity: Medium
- When the bot is removed from a chat, it keeps retrying sends indefinitely
- Fix: set `enabled = false` on `workspace_channels` row

**KI-002 — Delegation system has no idempotency guard**
- File: `delegation.go`
- Severity: Medium
- Container restart mid-delegation → double execution risk
- Fix: add optional `idempotency_key` to `POST /workspaces/:id/delegate`

**KI-003 — `commit_memory` not surfaced in `activity_logs`**
- File: `memory.py` + `activity.go`
- Severity: Low (debugging quality)
- Memory writes invisible in Canvas "Agent Comms" tab
- Fix: emit `activity_log` entry of type `tool_call` for `commit_memory`

---

## Backlog Highlights for DevRel

The backlog has direct marketing angles:

1. **Canvas: Org template import** — no-code org deployment from Canvas UI (Phase 20.3)
2. **SDK follow-ups** — cost telemetry + live tool-call visibility → enterprise governance story
3. **Delegations list endpoint** — `GET /workspaces/:id/delegations` returns `[]` while `check_delegation_status` shows active. One source of truth needed.
4. **Per-agent repo access** — `workspace_access: none|read_only|read_write` in `org.yaml` — eliminates the "PM couriers documents to reports" workaround
5. **SDK executor stderr swallowing** — every CLI failure is opaque; fix captures stderr, includes first ~1 KB in A2A error response. High priority per PLAN.md.

---

## Ecosystem Watch

`docs/ecosystem-watch.md` is the canonical starting point for research agents doing competitive analysis. Notable projects to track: Holaboss, Hermes, gstack, Letta, Trigger.dev.

---

*Update this doc after token refresh — check PLAN.md for Phase 32 content.*