molecule-core/opencode.json at 29cc845c5f11290a30147a7c660e01a5a13d475d - molecule-core - Gitea: Git with a cup of tea

molecule-ai/molecule-core

Molecule AI Backend Engineer 29cc845c5f feat(platform): opencode MCP bridge — remote A2A tools over HTTP (#800 )

Implements sub-issues #809 (MCPHandler), #810 (tool filtering), #811
(per-token rate limiting), #813 (opencode.json), #814 (docs).

Routes (registered under wsAuth — bearer token binds to :id):
  GET  /workspaces/:id/mcp/stream  — SSE transport (backwards compat)
  POST /workspaces/:id/mcp         — Streamable HTTP transport (primary)

Security conditions from review (all mandatory):
  C1: WorkspaceAuth middleware rejects requests without valid bearer token
  C2: MCPRateLimiter (120 req/min/token, SHA-256 keyed) applied on both routes
  C3: commit_memory/recall_memory with scope=GLOBAL → permission error;
      send_message_to_user excluded unless MOLECULE_MCP_ALLOW_SEND_MESSAGE=true

Tools: list_peers, get_workspace_info, delegate_task, delegate_task_async,
check_task_status, send_message_to_user (opt-in), commit_memory, recall_memory.
All mirror workspace-template/a2a_mcp_server.py TOOLS list.

Also adds: org-templates/molecule-dev/opencode.json, docs/integrations/opencode.md,
.env.example entries for MOLECULE_MCP_ALLOW_SEND_MESSAGE and MOLECULE_MCP_URL.

Tests: 29 new tests (20 handler + 9 middleware). All passing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-17 19:25:22 +00:00

13 lines

279 B

JSON

Raw Blame History

 {
   "$schema": "https://opencode.ai/config.schema.json",
   "mcpServers": {
     "molecule": {
       "type": "remote",
       "url": "${MOLECULE_MCP_URL}/workspaces/${WORKSPACE_ID}/mcp",
       "headers": {
         "Authorization": "Bearer ${MOLECULE_MCP_TOKEN}"
       }
     }
   }
 }