Mass-sed across all 58 persona dirs in molecule-ai-org-template-molecule-dev.

Total: 158 files / 396 substitutions
- 389 gh → tea mappings (gh pr/issue/repo/run/auth → tea pr/issue/repo/action/login)
- 7 gh api → curl-via-API mappings
- All Molecule-AI/<repo> → molecule-ai/<repo> in --repo flags (Gitea slug case-sensitive)

Plus SHARED_RULES.md migration callout block + tea install snippet:
- Tea v0.9.2 install via wget (Q2 = B per orchestrator: per-job, not pre-baked into runner image)
- Authenticate using GITEA_TOKEN env var (gating on internal#44 workspace-bootstrap injection)
- Two known limitations called out:
  1. GITEA_TOKEN required for tea/curl auth (internal#44 pending)
  2. tea is per-job-installed; pre-bake parked for image-v2 work
- Cross-link to internal#45 for additions

Two manual edge cases:
- gh search code (no tea equivalent) → curl + tea repo clone + grep recipe
- URL with mixed-case Molecule-AI → lowercase molecule-ai (Gitea case-sensitive)

3 narrative GH_TOKEN references in SHARED_RULES.md intentionally preserved (describe an env var name, not commands).

Q1=A (mega-PR) per orchestrator dispatch 2026-05-07T09:50:08.

Refs: molecule-ai/internal#45, molecule-ai/internal#44 (GITEA_TOKEN dep)
Secrets Matrix — Per-Role Least Privilege
The platform supports per-workspace .env files (loaded by org_import.go and stored encrypted in workspace_secrets). Each role gets only the secrets it needs.
Resolution order: Org-root .env (shared defaults) → per-workspace <role>/.env (overrides). Operator-managed; never committed.
Matrix
| Role | Secrets it gets | Scope of action enabled |
|---|---|---|
| All workspaces (org-root .env) | CLAUDE_CODE_OAUTH_TOKEN (or model-specific equivalent: ANTHROPIC_API_KEY, OPENAI_API_KEY) | Run the LLM. Required for any agent to think. |
| PM | TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID (CEO comms only) | Send Telegram messages to CEO. Max 2-3/day per SHARED_RULES rule 11. |
| Dev Lead, Core Lead, App Lead, CP Lead, Infra Lead, SDK Lead | GH_TOKEN (write) | tea pr merge, tea issue close, tea pr review --approve on the team's repo. SHARED_RULES rule 9: Leads merge in their domain. |
| Triage Operator | GH_TOKEN (write, org-wide) | Cross-org triage: close stale, label, escalate. May merge mechanical PRs only. |
| Engineers (Backend, Frontend, Full-stack, DevOps, Platform, SRE, etc.) | GH_TOKEN with PR-author scope only — can tea pr create, tea issue create, tea pr comment. Cannot merge. | Raise PRs and respond to review comments. Per SHARED_RULES rule 9: engineers don't merge. |
| QA Engineer | GH_TOKEN (PR-comment scope) | Run tests + post [qa-agent] APPROVED / CHANGES REQUESTED comments. Required gate per rule 10. |
| Security Auditor, Offensive Security Engineer | GH_TOKEN (PR-comment scope) | Post [security-auditor-agent] APPROVED / CHANGES REQUESTED. Required gate per rule 10. |
| UIUX Designer | GH_TOKEN (PR-comment scope) | Post [uiux-agent] APPROVED / CHANGES REQUESTED. Required gate per rule 10. |
| Marketing Lead | LINKEDIN_ACCESS_TOKEN, LINKEDIN_ORG_ID, X_API_KEY, X_API_SECRET, X_BEARER_TOKEN, BUFFER_API_KEY, MAILCHIMP_API_KEY | Publish content to social channels. Sole publisher. |
| Content Marketer, Social Media Brand, SEO Analyst | NO publishing keys — GH_TOKEN (PR-author scope only) | Draft content via PRs to landing/docs/marketing repos. Marketing Lead reviews + publishes. |
| DevRel Engineer | GH_TOKEN (PR-author + comment scope), DISCORD_BOT_TOKEN (read-only on community channel) | Code demos via PRs. Read Discord for community questions. Marketing Lead handles outbound posts. |
| Community Manager | SLACK_BOT_TOKEN, DISCORD_BOT_TOKEN (read + post on community channels only) | Respond to community in Slack/Discord. No GitHub write. |
| Research Lead, Market Analyst, Competitive Intelligence, Tech Researcher | GH_TOKEN (PR-author + issue-create scope), BRAVE_SEARCH_API_KEY or PERPLEXITY_API_KEY | File research issues + PRs. No merge, no marketing publish. |
| DevOps Engineer, SRE Engineer, Infra-Runtime-BE | GH_TOKEN (write), AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY (scoped IAM role), CLOUDFLARE_API_TOKEN (DNS-only scope), FLY_API_TOKEN, VERCEL_TOKEN | Deploy + ops. Production access — heaviest scrutiny on changes. |
| CP-BE, CP-QA, CP-Security (control-plane) | GH_TOKEN (write on molecule-controlplane only), AWS_ACCESS_KEY_ID/SECRET (CP IAM role) | Control-plane code. CP Lead merges. |
| Documentation Specialist, Technical Writer | GH_TOKEN (PR-author scope on docs/landingpage repos) | Doc PRs only. No code-repo write. |
| Release Manager | GH_TOKEN (write on all repos), NPM_TOKEN, PYPI_TOKEN | Tag releases + publish packages after Lead-approved PRs land. |
Why this matters
- Prompt-injection blast radius: an attacker who exfiltrates a workspace's secrets via prompt injection only gets that role's keys. Engineer compromise ≠ org-wide write. Marketing compromise ≠ Telegram CEO message.
- Audit trail: when something goes wrong, the secret used identifies the role that did it.
- Operator clarity: copy <role>/.env.example to <role>/.env, paste the right keys, don't put production secrets in roles that don't need them.
Operator setup
For each role's .env.example, copy to .env and fill in real values:
```bash
cd org-templates/molecule-dev
for role in dev-lead marketing-lead infra-lead pm; do
  # Copy the template, then edit "$role/.env" and fill in that role's keys only
  cp "$role/.env.example" "$role/.env"
done
```
.env files are gitignored. The platform encrypts them on import to workspace_secrets.
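A pre-import check for the matrix and resolution order above, as an added example that is not part of the platform or of org_import.go: it merges the org-root .env with a role's .env and reports key names the matrix does not grant that role. The dotenv parsing rules, the function names and the sample file contents are assumptions; the allowlist covers only the four roles named in the setup loop.

```python
# Key names each role may hold, transcribed from the matrix (subset of roles).
ORG_ROOT_ALLOWED = {"CLAUDE_CODE_OAUTH_TOKEN", "ANTHROPIC_API_KEY", "OPENAI_API_KEY"}
ROLE_ALLOWED = {
    "pm": {"TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID"},
    "dev-lead": {"GH_TOKEN"},
    "infra-lead": {"GH_TOKEN"},
    "marketing-lead": {
        "LINKEDIN_ACCESS_TOKEN", "LINKEDIN_ORG_ID", "X_API_KEY", "X_API_SECRET",
        "X_BEARER_TOKEN", "BUFFER_API_KEY", "MAILCHIMP_API_KEY",
    },
}


def parse_env(text):
    """Parse KEY=VALUE lines (assumed simple dotenv syntax, not org_import.go's)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        env[key] = value.strip().strip("'\"")
    return env


def effective_env(org_root_text, role_text):
    """Apply the page's resolution order: org-root defaults, then role overrides."""
    merged = parse_env(org_root_text)
    merged.update(parse_env(role_text))
    return merged


def audit_role(role, org_root_text, role_text):
    """Return key names the role would hold that the matrix does not grant it."""
    allowed = ORG_ROOT_ALLOWED | ROLE_ALLOWED.get(role, set())
    effective = effective_env(org_root_text, role_text)
    return sorted(key for key in effective if key not in allowed)


# Constructed sample files with placeholder values (not real secrets).
ORG_ROOT = "CLAUDE_CODE_OAUTH_TOKEN=placeholder-a\nGH_TOKEN=placeholder-b\n"
PM_ENV = "# pm/.env\nTELEGRAM_BOT_TOKEN=placeholder-c\nTELEGRAM_CHAT_ID=12345\n"
DEV_LEAD_ENV = "GH_TOKEN=placeholder-d\nexport AWS_SECRET_ACCESS_KEY='placeholder-e'\n"

if __name__ == "__main__":
    for role, text in (("pm", PM_ENV), ("dev-lead", DEV_LEAD_ENV)):
        print(role, audit_role(role, ORG_ROOT, text))
```

In the sample, a GH_TOKEN placed in the org-root .env reaches the PM workspace through inheritance even though pm/.env never mentions it. The check compares key names only, so it cannot tell a write-scoped GH_TOKEN from a PR-author one.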
Future hardening (filed in internal/security/credential-token-backlog.md)
- Per-agent GitHub Apps (not shared org-wide token) — eliminates blast radius via #7 in backlog
- Egress filtering on workspace networks — limits what an exfiltrated secret can be sent to
- Volume encryption at rest — protects .env in workspace volumes from backup leak
- Token issuance audit logging — answers "who fetched the org token at time X?"