Compare commits

12 Commits

Author SHA1 Message Date
Molecule AI App & Docs Lead 3826e7ceb0 [app-lead-agent] docs(changelog): fill 17-day gap — 2026-04-24 through 2026-05-10
171 merged PRs documented across molecule-core, molecule-app, docs, landingpage.
Key highlights: Canvas keyboard a11y, plugin atomic install + drift detector,
org-import !external resolver, Gitea Actions migration, WCAG AA fixes,
A2A drain signal, docker-compose dev stack. Doc Specialist should own this
going forward; delegated tasks failed due to A2A platform bug (being reported
to infra separately).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-10 06:46:51 +00:00
claude-ceo-assistant 13ca8a0b81 Merge pull request 'ci: switch to ubuntu-latest now that repo is public' (#4) from fix/ci-use-ubuntu-latest into main
Secret scan / secret-scan (push) Successful in 8s
CI / build (push) Successful in 59s
2026-05-08 01:12:47 +00:00
claude-ceo-assistant e1455eafc4 ci: switch to ubuntu-latest now that repo is public
Secret scan / secret-scan (pull_request) Successful in 4s
CI / build (pull_request) Successful in 33s
Run 20 (and prior) failed at `actions/checkout@v4` with
`Cannot find: node in PATH`. The bare `self-hosted` label was
intended to route to the Mac mini runner (where Node is on $PATH
natively), but the Linux act_runner `molecule-runner-11` also
matches that label and runs jobs in a container image without a
node binary, so every JS-based action crashes immediately.

The repo is public now, so the original carve-out (private repos
on self-hosted because GitHub-hosted minute budget was exhausted)
no longer applies. ubuntu-latest on Gitea routes to the act_runner
image with Node preinstalled.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 18:11:36 -07:00
devops-engineer 90df616fa4 Merge pull request 'fix(post-suspension): migrate github.com/Molecule-AI refs to git.moleculesai.app (Class G #168)' (#3) from fix/post-suspension-github-urls into main
Secret scan / secret-scan (push) Successful in 12s
CI / build (push) Failing after 49s
2026-05-07 20:05:44 +00:00
devops-engineer f96235f32a fix(post-suspension): migrate github.com/Molecule-AI refs to git.moleculesai.app (Class G #168)
Secret scan / secret-scan (pull_request) Successful in 26s
CI / build (pull_request) Failing after 46s
The GitHub org Molecule-AI was suspended on 2026-05-06; canonical SCM
is now Gitea at https://git.moleculesai.app/molecule-ai/. Stale
github.com/Molecule-AI/... URLs return 404 and break tooling that
clones / pip-installs / curls them.

This bundles all non-Go-module URL fixes for this repo into a single PR.
Go module path references (in *.go, go.mod, go.sum) are out of scope
here -- tracked separately under Task #140.

Token-auth clone URLs also flip ${GITHUB_TOKEN} -> ${GITEA_TOKEN} since
the GitHub token does not auth against Gitea.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 13:05:36 -07:00
devops-engineer e7a23338bf Merge pull request 'fix(post-suspension): migrate github.com/Molecule-AI refs to git.moleculesai.app (Class G #168)' (#2) from fix/post-suspension-github-urls into main
CI / build (push) Waiting to run
Secret scan / secret-scan (push) Waiting to run
2026-05-07 20:04:32 +00:00
devops-engineer 7c1ac608d3 fix(post-suspension): migrate github.com/Molecule-AI refs to git.moleculesai.app (Class G #168)
Secret scan / secret-scan (pull_request) Successful in 23s
CI / build (pull_request) Failing after 35s
The GitHub org Molecule-AI was suspended on 2026-05-06; canonical SCM
is now Gitea at https://git.moleculesai.app/molecule-ai/. Stale
github.com/Molecule-AI/... URLs return 404 and break tooling that
clones / pip-installs / curls them.

This bundles all non-Go-module URL fixes for this repo into a single PR.
Go module path references (in *.go, go.mod, go.sum) are out of scope
here -- tracked separately under Task #140.

Token-auth clone URLs also flip ${GITHUB_TOKEN} -> ${GITEA_TOKEN} since
the GitHub token does not auth against Gitea.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 13:04:27 -07:00
claude-ceo-assistant 4e40da7fc2 Merge pull request 'docs(install): migrate active github.com refs to git.moleculesai.app (#37)' (#1) from fix/install-path-gitea into main
Secret scan / secret-scan (push) Failing after 1s
CI / build (push) Failing after 3s
2026-05-07 09:24:04 +00:00
documentation-specialist a52ed96143 docs(install): catch additional active doc-link refs in guides + blog (#37 follow-up)
Secret scan / secret-scan (pull_request) Failing after 0s
CI / build (pull_request) Failing after 31s
Follow-up to commit d05d92b: my first sweep filtered out only
issues/pull/commit/releases URLs but missed several /tree/<branch>/...
and active-mention paths in guides/.

Additional 5 edits across 4 files:
- guides/remote-workspaces.md:151,152 — molecule-sdk-python links
  (PUBLIC) migrated to Gitea; /tree/main → /src/branch/main path-shape.
- guides/external-workspace-quickstart.md:223 — design-doc link in
  internal/ + tracking-issue link to molecule-core/issues. Internal is
  PRIVATE; logged-in users see it; better than stale github 404.
- guides/skill-catalog.md:68,174 — molecule-ai/skills repo doesn't
  exist on Gitea (404). Replaced with placeholder note pointing at
  internal issue tracker for canonical submission path until skills
  repo is recreated/located. Filed as implicit parked follow-up.
- docs/marketing/blog/2026-04-20-...mcp.md:240 — GitHub Discussions
  link (Discussions don't have a Gitea equivalent today). Replaced
  with issue-tracker link.

Still LEFT AS-IS (per Q3): 90 historical PR/issue cross-refs in
changelog.mdx, plus changelog.mdx:349 'Documentation Specialist'
meta-narrative author attribution link, plus 2 incident-narrative
git clone --mirror commands in INCIDENT_LOG.md (those describe a
historical incident response, not active install instructions).

Refs: molecule-ai/internal#37, molecule-ai/internal#38
2026-05-07 00:38:40 -07:00
documentation-specialist d05d92b666 docs(install): migrate active doc links + git clone URLs to Gitea (#37)
7 actionable edits across 5 files. The other 90 hits are historical
PR/issue cross-refs in changelog.mdx — leave per Q3 (audit trail).

| File | Line | Change |
|------|------|--------|
| app/(home)/page.tsx | 21 | molecule-monorepo (404 on Gitea) → molecule-core (renamed). 'View on GitHub' → 'View on Gitea'. |
| content/docs/quickstart.md | 14 | git clone github.com/Molecule-AI/molecule-core → git.moleculesai.app/molecule-ai/molecule-core |
| content/docs/quickstart.md | 81 | 'GitHub repo' link → 'Gitea repo' |
| content/docs/self-hosting.mdx | 20 | git clone (same as above) |
| content/docs/architecture.mdx | 141 | 'github.com/Molecule-AI/molecule-cli' → 'git.moleculesai.app/molecule-ai/molecule-cli' (public repo) |
| content/docs/architecture/molecule-technical-doc.md | 7 | molecule-monorepo doc-scan reference → molecule-core (with rename note) |
| content/docs/architecture/molecule-technical-doc.md | 1156-1160 | Footer links section: GitHub → Gitea, /tree/<branch> → /src/branch/<branch> |

LEFT AS-IS (per Q3 + B3 in #38):
- changelog.mdx historical PR/issue cross-refs (90 hits — audit trail)
- changelog.mdx:349 'Documentation Specialist' link to github.com/Molecule-AI (meta-narrative author attribution; org-page is dead but the historical attribution is fine)

Refs: molecule-ai/internal#37, molecule-ai/internal#38
2026-05-07 00:37:12 -07:00
claude-ceo-assistant 46615a07cf chore: remove broken Gitea Actions workflow
Secret scan / secret-scan (push) Failing after 0s
CI / build (push) Failing after 2s
act_runner cannot execute workflows (115 runs / 0 successes ever; tracked in tech-debt #115). Auto-deploys now run from operator-deploy-vercel.sh on the Hetzner host via cron poll. Same Gitea push trigger, different executor.
2026-05-06 22:24:13 +00:00
claude-ceo-assistant 6d08619871 ci: Vercel deploy on push (Gitea Actions migration)
deploy-vercel / deploy (push) Failing after 39s
Replaces the GitHub-triggered deploy after GitHub org suspension on 2026-05-06. Same project, same domains. See internal/runbooks/operator-setup-2026-05-06.md.
2026-05-06 22:01:55 +00:00
25 changed files with 247 additions and 104 deletions
+1 -6
@@ -6,12 +6,7 @@ on:
branches: [main]
jobs:
build:
# Self-hosted Mac mini — this repo is private and the org's
# GitHub-hosted minute budget is exhausted (every ubuntu-latest job
# dies in 2s with no step output). Per the 2026-04-22 carve-out:
# private repos run on self-hosted; public repos use ubuntu-latest
# (still free).
runs-on: self-hosted
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
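Review bot: The `runs-on: ubuntu-latest` line is left with no comment, and on this Gitea instance that label does not mean a GitHub-hosted VM; per the commit message it routes to the act_runner image with Node preinstalled. The removed block explained why `self-hosted` was chosen, so a one-line replacement comment naming the runner image the label maps to would spare the next reader the same `Cannot find: node in PATH` investigation. Since the build also runs on `pull_request` and the repo is now public, consider pinning `actions/checkout@v4` and `actions/setup-node@v4` to commit SHAs instead of mutable tags.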
+2 -2
@@ -18,10 +18,10 @@ export default function HomePage() {
Read the docs
</Link>
<Link
href="https://github.com/Molecule-AI/molecule-monorepo"
href="https://git.moleculesai.app/molecule-ai/molecule-core"
className="rounded-md border border-fd-border px-5 py-2.5 text-sm font-medium transition-colors hover:bg-fd-muted"
>
View on GitHub
View on Gitea
</Link>
</div>
</main>
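Review bot: The link label at the end of the hunk hard-codes the host name (`View on GitHub` becoming `View on Gitea`), so this migration needed a text edit as well as an `href` edit. A host-neutral label such as "View source", with the repository URL held in one exported constant, would make the next move a single-line change.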
+1 -1
@@ -138,7 +138,7 @@ These controls complement the platform-level secret redaction described in the [
**Stack:** Go / Bubbletea + Lipgloss
A terminal UI dashboard for real-time workspace monitoring, event log streaming, health overview, and delete/filter operations. Reads `MOLECLI_URL` (default `http://localhost:8080`) to locate the platform. Now published as a standalone repo at `github.com/Molecule-AI/molecule-cli`.
A terminal UI dashboard for real-time workspace monitoring, event log streaming, health overview, and delete/filter operations. Reads `MOLECLI_URL` (default `http://localhost:8080`) to locate the platform. Now published as a standalone repo at `git.moleculesai.app/molecule-ai/molecule-cli`.
---
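Review bot: The new repo location in the last sentence is written as bare code text, `git.moleculesai.app/molecule-ai/molecule-cli`, with no scheme and no link, while the other files in this change use full `https://git.moleculesai.app/...` URLs. Make it a Markdown link with the `https://` scheme so it is clickable and is picked up by any link checker.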
@@ -4,7 +4,7 @@ title: "Molecule AI — Comprehensive Technical Documentation"
# Molecule AI — Comprehensive Technical Documentation
> Definitive technical reference for the Molecule AI Agent Team platform.
> Based on a full non-invasive scan of the [molecule-monorepo](https://github.com/Molecule-AI/molecule-monorepo) repository.
> Based on a full non-invasive scan of the [molecule-core](https://git.moleculesai.app/molecule-ai/molecule-core) repository (formerly `molecule-monorepo`, renamed during the post-2026-05-06 GitHub-org-suspension recovery).
---
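Review bot: The parenthetical added to the blockquote puts incident history ("renamed during the post-2026-05-06 GitHub-org-suspension recovery") into the opening lines of the reference document. Keeping only "formerly `molecule-monorepo`" here and leaving the suspension context to the changelog or incident log would keep the intro stable. The sentence also now reads as if the scan was run against `molecule-core`; if the scan predates the rename, say so.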
@@ -1153,11 +1153,11 @@ Molecule AI's workspace abstraction is **runtime-agnostic by design**. A workspa
## Links
- **GitHub**: https://github.com/Molecule-AI/molecule-monorepo
- **Architecture Docs**: https://github.com/Molecule-AI/molecule-monorepo/tree/main/docs/architecture
- **API Protocol**: https://github.com/Molecule-AI/molecule-monorepo/tree/main/docs/api-protocol
- **Agent Runtime**: https://github.com/Molecule-AI/molecule-monorepo/tree/main/docs/agent-runtime
- **Product Docs**: https://github.com/Molecule-AI/molecule-monorepo/tree/main/docs/product
- **Gitea**: https://git.moleculesai.app/molecule-ai/molecule-core
- **Architecture Docs**: https://git.moleculesai.app/molecule-ai/molecule-core/src/branch/main/docs/architecture
- **API Protocol**: https://git.moleculesai.app/molecule-ai/molecule-core/src/branch/main/docs/api-protocol
- **Agent Runtime**: https://git.moleculesai.app/molecule-ai/molecule-core/src/branch/main/docs/agent-runtime
- **Product Docs**: https://git.moleculesai.app/molecule-ai/molecule-core/src/branch/main/docs/product
---
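Review bot: The four documentation links keep the old `docs/architecture`, `docs/api-protocol`, `docs/agent-runtime` and `docs/product` paths and only swap the host, the repo name and `/tree/main` for `/src/branch/main`; nothing in the change shows they were checked against the renamed repository. Another commit in this compare found targets that 404 on Gitea, so a link-check step in CI over these URLs would catch a stale path before it ships.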
+189 -41
@@ -6,71 +6,220 @@ description: Customer-facing release notes for Molecule AI — updated daily.
All notable changes to the Molecule AI platform are documented here.
Entries are published daily at 23:50 UTC.
---
## 2026-05-10
### ✨ New features
- **Plugin drift detector + queue + admin apply endpoint**: monitors installed plugins for upstream changes, queues notifications, and exposes an admin endpoint to review and apply updates across the fleet. (`molecule-core` [#204](https://git.moleculesai.app/molecule-ai/molecule-core/pull/204))
- **Pre-restart A2A drain signal**: workspace-server now sends a drain signal to in-flight A2A requests before a restart, preventing orphaned delegations. (`molecule-core` [#207](https://git.moleculesai.app/molecule-ai/molecule-core/pull/207))
- **Publish-runtime workflow ported to Gitea Actions**: the runtime publish workflow migrated from GitHub Actions to `.gitea/workflows/`. (`molecule-core` [#211](https://git.moleculesai.app/molecule-ai/molecule-core/pull/211))
- **Static `.github-token` fallback for git credential helper**: workspace agents can now fall back to a static token when no interactive git credential is available. (`molecule-core` [#219](https://git.moleculesai.app/molecule-ai/molecule-core/pull/219))
- **Keyboard shortcuts documented in Toolbar help dialog**: all canvas keyboard shortcuts now listed in an accessible help dialog triggered by `?`. (`molecule-core` [#244](https://git.moleculesai.app/molecule-ai/molecule-core/pull/244))
### 🔧 Fixes
- **KeyboardShortcutsDialog clamp fix + test expectation corrections**: correct boundary behavior for the shortcuts dialog and update test assertions that were failing on narrow viewports. (`molecule-core` [#200](https://git.moleculesai.app/molecule-ai/molecule-core/pull/200))
- **Replace dorny/paths-filter with shell-based git diff**: Gitea Actions compatibility — path filtering now uses shell-based git diff instead of the GitHub-native action. (`molecule-core` [#208](https://git.moleculesai.app/molecule-ai/molecule-core/pull/208))
- **Canary verify: GHCR → ECR + POST route smoke tests**: canary verification workflow switched to ECR and added smoke tests for POST routes. (`molecule-core` [#217](https://git.moleculesai.app/molecule-ai/molecule-core/pull/217))
- **SSRF validation before writing external workspace URL**: external workspace URL writes now validate the URL for SSRF-safe domains before persisting. (`molecule-core` [#221](https://git.moleculesai.app/molecule-ai/molecule-core/pull/221))
- **Dockerfile-tenant: chown /org-templates to canvas user**: fixes `EACCES` error during `!external` resolver mkdir call on SaaS tenants. (`molecule-core` [#223](https://git.moleculesai.app/molecule-ai/molecule-core/pull/223))
- **SOP Tier Check: APPROVER_TEAMS pattern matching fix**: outer quotes stripped from case patterns — previously every `tier:low` PR failed approval. (`molecule-core` [#231](https://git.moleculesai.app/molecule-ai/molecule-core/pull/231))
- **Publish-workspace-server-image ported to `.gitea/workflows/`**: workflow migrated from GitHub Actions to Gitea Actions. (`molecule-core` [#237](https://git.moleculesai.app/molecule-ai/molecule-core/pull/237))
- **SOP Tier Check clause splitter strips newlines**: newline-stripping bug caused every `tier:low` PR to fail the check; fixed. (`molecule-core` [#243](https://git.moleculesai.app/molecule-ai/molecule-core/pull/243))
### 🧹 Internal
- **Pin base image digests in all Dockerfiles**: all Dockerfiles now pin base image digests for reproducibility. (`molecule-core` [#199](https://git.moleculesai.app/molecule-ai/molecule-core/pull/199))
- **Canvas Controls section corrected**: keyboard accessibility and MiniMap presence documented correctly. (`molecule-core` [#201](https://git.moleculesai.app/molecule-ai/molecule-core/pull/201))
- **Known Issues section cleaned up**: duplicate entry removed and pre-commit action fixed. (`molecule-core` [#202](https://git.moleculesai.app/molecule-ai/molecule-core/pull/202))
- **Component tests added**: StatusDot, Tooltip, Legend, TermsGate, ApprovalBanner, ThemeToggle, BundleDropZone, OnboardingWizard, PurchaseSuccessModal, SearchDialog, ContextMenu, StatusBadge, ValidationHint, Spinner, RevealToggle, KeyValueField, TestConnectionButton, SettingsButton, TopBar. (`molecule-core` [#203](https://git.moleculesai.app/molecule-ai/molecule-core/pull/203), [#205](https://git.moleculesai.app/molecule-ai/molecule-core/pull/205), [#210](https://git.moleculesai.app/molecule-ai/molecule-core/pull/210), [#215](https://git.moleculesai.app/molecule-ai/molecule-core/pull/215), [#216](https://git.moleculesai.app/molecule-ai/molecule-core/pull/216), [#218](https://git.moleculesai.app/molecule-ai/molecule-core/pull/218), [#222](https://git.moleculesai.app/molecule-ai/molecule-core/pull/222), [#224](https://git.moleculesai.app/molecule-ai/molecule-core/pull/224))
- **Pure-function tests added**: extractMessageText, providerIdForModel, runtimeProfiles, getIcon, createMessage, resolveRuntime, canvas-topology utilities, deriveWsBaseUrl, statusDotClass, readThemeCookie, parseYaml, toYaml, ColorToken → CSS mapping, TIER_CONFIG, COMM_TYPE_LABELS. (`molecule-core` [#227](https://git.moleculesai.app/molecule-ai/molecule-core/pull/227), [#233](https://git.moleculesai.app/molecule-ai/molecule-core/pull/233), [#235](https://git.moleculesai.app/molecule-ai/molecule-core/pull/235), [#236](https://git.moleculesai.app/molecule-ai/molecule-core/pull/236), [#238](https://git.moleculesai.app/molecule-ai/molecule-core/pull/238), [#239](https://git.moleculesai.app/molecule-ai/molecule-core/pull/239), [#245](https://git.moleculesai.app/molecule-ai/molecule-core/pull/245))
- **Admin auth runbook added**: `admin-auth.md` covering test-token route lockdown and middleware variants. (`molecule-core` [#220](https://git.moleculesai.app/molecule-ai/molecule-core/pull/220))
- **SOP Tier Check AND-composition**: required team approvals now compose with AND logic per tier. (`molecule-core` [#225](https://git.moleculesai.app/molecule-ai/molecule-core/pull/225))
## 2026-05-09
### ✨ New features
- **Screen reader live announcements for workspace status changes**: canvas now announces workspace status transitions via ARIA live regions. (`molecule-core` [#172](https://git.moleculesai.app/molecule-ai/molecule-core/pull/172))
- **Keyboard shortcuts help dialog + global `?` trigger**: press `?` anywhere on the canvas to open the keyboard shortcuts dialog. (`molecule-core` [#175](https://git.moleculesai.app/molecule-ai/molecule-core/pull/175))
- **Keyboard-accessible node drag via Arrow keys**: nodes can now be dragged using Arrow keys (WCAG AA). (`molecule-core` [#182](https://git.moleculesai.app/molecule-ai/molecule-core/pull/182))
- **Keyboard-accessible edge anchors via Enter/Space**: edge anchor handles are now activatable via Enter/Space. (`molecule-core` [#190](https://git.moleculesai.app/molecule-ai/molecule-core/pull/190))
- **Keyboard-accessible node resize via Cmd/Ctrl+Arrow**: nodes can be resized using keyboard with Cmd/Ctrl+Arrow. (`molecule-core` [#192](https://git.moleculesai.app/molecule-ai/molecule-core/pull/192))
### 🔧 Fixes
- **SOP Tier Check: use `pull_request_target` instead of `pull_request`**: `pull_request` leaks `SOP_TIER_CHECK_TOKEN` to PR branches; fixed. (`molecule-core` [#146](https://git.moleculesai.app/molecule-ai/molecule-core/pull/146))
- **Canvas boot-time matched-pair guard for ADMIN_TOKEN**: validates ADMIN_TOKEN env vars at boot to fail fast. (`molecule-core` [#53](https://git.moleculesai.app/molecule-ai/molecule-core/pull/53))
- **Set git user.name/email from `$GITEA_USER` at boot**: workspace agents configure git identity from the Gitea username at startup. (`molecule-core` [#156](https://git.moleculesai.app/molecule-ai/molecule-core/pull/156))
- **Show task text in Agent Comms for `delegate_task` calls**: delegation task text now visible in the Agent Comms tab. (`molecule-core` [#163](https://git.moleculesai.app/molecule-ai/molecule-core/pull/163))
- **Cap `maxWorkers:1` to prevent jsdom pool worker startup timeouts**: jsdom worker pool capped at 1 to avoid cold-start timeouts on CI. (`molecule-core` [#149](https://git.moleculesai.app/molecule-ai/molecule-core/pull/149))
- **Render delegation message body in Agent Comms tab**: delegation request body rendered as a message in the Agent Comms tab. (`molecule-core` [#167](https://git.moleculesai.app/molecule-ai/molecule-core/pull/167))
- **Sanitize `err.Error()` leaks in CascadeDelete and OrgImport**: error messages no longer leak internal paths in audit logs. (`molecule-core` [#168](https://git.moleculesai.app/molecule-ai/molecule-core/pull/168))
- **Install `plugins_registry/` at wheel top level for bare imports**: fixes import failures in bare Python environments. (`molecule-core` [#173](https://git.moleculesai.app/molecule-ai/molecule-core/pull/173))
- **Render delegation responses as normal messages not error banners**: delegation results now appear as proper messages. (`molecule-core` [#171](https://git.moleculesai.app/molecule-ai/molecule-core/pull/171))
- **Isolate token resolution from real `.auth_token` on disk**: tests no longer depend on real auth tokens on disk. (`molecule-core` [#178](https://git.moleculesai.app/molecule-ai/molecule-core/pull/178))
- **Correct pending-uploads sweeper test isolation**: test isolation for the pending uploads sweeper corrected. (`molecule-core` [#185](https://git.moleculesai.app/molecule-ai/molecule-core/pull/185))
- **Auto-restart workspace after file write/delete/replace**: workspaces now restart automatically after any file operation. (`molecule-core` [#188](https://git.moleculesai.app/molecule-ai/molecule-core/pull/188))
- **Migrate `gh-identity` from GitHub to Gitea module path**: `gh-identity` plugin updated to use Gitea module path. (`molecule-core` [#189](https://git.moleculesai.app/molecule-ai/molecule-core/pull/189))
- **Replace gh api calls with Gitea-compatible alternatives**: all GitHub CLI API calls replaced with Gitea REST equivalents. (`molecule-core` [#191](https://git.moleculesai.app/molecule-ai/molecule-core/pull/191))
- **WCAG AA contrast fix + KeyboardShortcutsDialog improvements**: contrast ratios corrected; dialog UX improved. (`molecule-core` [#198](https://git.moleculesai.app/molecule-ai/molecule-core/pull/198))
### 🧹 Internal
- **SOP Tier Check deploy workflow soft-launch**: SOP Tier Check now runs as a proper deploy workflow. (`molecule-core` [#144](https://git.moleculesai.app/molecule-ai/molecule-core/pull/144))
- **SOP Tier Check refactored with bash extraction**: core logic extracted to `.gitea/scripts/` with `SOP_DEBUG` gate. (`molecule-core` [#147](https://git.moleculesai.app/molecule-ai/molecule-core/pull/147))
- **Audit force-merge SOP fan §SOP-6 to molecule-core**: force-merge audit workflow extended to molecule-core. (`molecule-core` [#150](https://git.moleculesai.app/molecule-ai/molecule-core/pull/150))
- **Docker Compose includes infra services**: `docker compose up` now starts Temporal alongside the platform. (`molecule-core` [#162](https://git.moleculesai.app/molecule-ai/molecule-core/pull/162))
- **Rename molecule-monorepo-net to molecule-core-net**: network name updated across Docker Compose files. (`molecule-core` [#166](https://git.moleculesai.app/molecule-ai/molecule-core/pull/166))
- **Canvas audit status updated**: all HIGH and MEDIUM accessibility audit items confirmed closed. (`molecule-core` [#179](https://git.moleculesai.app/molecule-ai/molecule-core/pull/179), [#187](https://git.moleculesai.app/molecule-ai/molecule-core/pull/187), [#197](https://git.moleculesai.app/molecule-ai/molecule-core/pull/197))
- **Token resolution isolation in tests**: test auth isolated from real `.auth_token` on disk. (`molecule-core` [#178](https://git.moleculesai.app/molecule-ai/molecule-core/pull/178))
- **A2A proxy delivery-confirmed treated as delegation success**: proxy errors during confirmed delivery no longer marked as failures. (`molecule-core` [#170](https://git.moleculesai.app/molecule-ai/molecule-core/pull/170))
- **Plugin test root skip**: `TestLocalResolver_BubblesUpCopyFailure` skipped when running as root. (`molecule-core` [#183](https://git.moleculesai.app/molecule-ai/molecule-core/pull/183))
## 2026-05-08
### ✨ New features
- **!external cross-repo subtree resolver for org-import**: Phase 3a — org-import can now reference workspaces from external (cross-repo) subtrees. (`molecule-core` [#105](https://git.moleculesai.app/molecule-ai/molecule-core/pull/105))
- **air-based hot-reload for workspace-server**: local development now uses air for hot-reload without container restarts. (`molecule-core` [#118](https://git.moleculesai.app/molecule-ai/molecule-core/pull/118))
- **Per-role persona env injection from operator-host bootstrap dir**: org-import injects persona environment variables per role from a bootstrap directory. (`molecule-core` [#110](https://git.moleculesai.app/molecule-ai/molecule-core/pull/110))
- **Atomic plugin install (stage → snapshot → swap → marker)**: plugin install is now atomic — stages content, snapshots, swaps, and marks on the docker path. (`molecule-core` [#120](https://git.moleculesai.app/molecule-ai/molecule-core/pull/120))
- **Hot-reload classifier — skip restart on SKILL-content-only updates**: plugins that only change skill content no longer trigger workspace restart. (`molecule-core` [#121](https://git.moleculesai.app/molecule-ai/molecule-core/pull/121))
- **workspace_plugins tracking table**: new DB table tracks installed plugin versions with subscription support. (`molecule-core` [#122](https://git.moleculesai.app/molecule-ai/molecule-core/pull/122))
- **update_tier column for canary vs production fan-out**: workspaces now carry an `update_tier` field for phased rollout. (`molecule-core` [#124](https://git.moleculesai.app/molecule-ai/molecule-core/pull/124))
- **Bind-mount `~/.molecule-ai/personas` into platform container**: persona files on the host are now bind-mounted into the platform container. (`molecule-core` [#127](https://git.moleculesai.app/molecule-ai/molecule-core/pull/127))
- **Full docker-compose dev stack**: platform + canvas + all infra services now run via a single `docker compose up`. (`molecule-core` [#131](https://git.moleculesai.app/molecule-ai/molecule-core/pull/131))
- **`spawning:false` field to skip workspace + descendants**: org-import can now skip entire subtrees with `spawning:false`. (`molecule-core` [#135](https://git.moleculesai.app/molecule-ai/molecule-core/pull/135))
### 🔧 Fixes
- **Plugin install/uninstall via EIC SSH on SaaS EC2 workspaces**: SaaS workspaces now use EC2 Instance Connect SSH instead of Docker for plugin ops. (`molecule-core` [#84](https://git.moleculesai.app/molecule-ai/molecule-core/pull/84))
- **Parallel-safe postgres/redis containers in e2e-api CI**: E2E CI containers now use unique ports to avoid collisions. (`molecule-core` [#100](https://git.moleculesai.app/molecule-ai/molecule-core/pull/100))
- **Handlers-postgres port collision under host-network runner**: sidestepped port conflicts on host-network runners. (`molecule-core` [#98](https://git.moleculesai.app/molecule-ai/molecule-core/pull/98))
- **Vitest testTimeout bumped to 30s on CI**: cold-start timeout increased to handle v8-coverage overhead. (`molecule-core` [#97](https://git.moleculesai.app/molecule-ai/molecule-core/pull/97))
- **Gitea artifact action compatibility**: `actions/upload-artifact` and `download-artifact` pinned to `@v3`. (`molecule-core` [#89](https://git.moleculesai.app/molecule-ai/molecule-core/pull/89))
- **Three chronic Gitea-Actions workflow flakes closed**: auto-sync, promote, and retarget workflows stabilized. (`molecule-core` [#92](https://git.moleculesai.app/molecule-ai/molecule-core/pull/92))
- **Canary alerting Gitea-incompatible API call dropped**: removed GitHub Actions API call from canary alerting. (`molecule-core` [#130](https://git.moleculesai.app/molecule-ai/molecule-core/pull/130))
- **Preserve MODEL secret over MODEL_PROVIDER slug on restart**: model secret now survives restart without being overwritten by a provider slug. (`molecule-core` [#136](https://git.moleculesai.app/molecule-ai/molecule-core/pull/136))
- **Org-import reconcile mode + audit event emission**: reconcile mode now emits proper audit events. (`molecule-core` [#137](https://git.moleculesai.app/molecule-ai/molecule-core/pull/137))
- **Org-import started event emits after YAML parse**: started event now fires with a populated name field. (`molecule-core` [#142](https://git.moleculesai.app/molecule-ai/molecule-core/pull/142))
- **Platform auth headers consolidated via shared helper**: auth header construction deduplicated. (`molecule-core` [#54](https://git.moleculesai.app/molecule-ai/molecule-core/pull/54))
- **evalSymlinks template path resolution**: template paths with symlinks now resolve correctly. (`molecule-core` [#104](https://git.moleculesai.app/molecule-ai/molecule-core/pull/104))
### 🧹 Internal
- **Hermes-agent fork moved to Gitea**: all hermes references updated post-GitHub suspension. (`molecule-core` [#90](https://git.moleculesai.app/molecule-ai/molecule-core/pull/90))
- **molecule-app trunk-based migration**: staging branch dropped; molecule-app now uses trunk-based development. (`molecule-app` [#3](https://git.moleculesai.app/molecule-ai/molecule-app/pull/3))
- **CI switched to ubuntu-latest (public repo)**: Gitea Actions runners now use `ubuntu-latest`. (`docs` [#4](https://git.moleculesai.app/molecule-ai/docs/pull/4))
- **Handler Delete() refactored to CascadeDelete helper**: workspace deletion decomposed for testability. (`molecule-core` [#139](https://git.moleculesai.app/molecule-ai/molecule-core/pull/139))
## 2026-05-07
### ✨ New features
- **Canvas chat-server with server-side row-aware reverse**: canvas now consumes `/chat-history` with server-side chronological ordering (RFC #2945). (`molecule-core` [#4](https://git.moleculesai.app/molecule-ai/molecule-core/pull/4))
- **CommunicationOverlay → ACTIVITY_LOGGED subscriber (Stage 1)**: communication overlay now subscribes to activity-logged events. (`molecule-core` [#69](https://git.moleculesai.app/molecule-ai/molecule-core/pull/69))
- **A2ATopologyOverlay → ACTIVITY_LOGGED subscriber (Stage 2)**: topology overlay subscribes to A2A activity. (`molecule-core` [#71](https://git.moleculesai.app/molecule-ai/molecule-core/pull/71))
- **ActivityTab → ACTIVITY_LOGGED subscriber (Stage 3, final)**: all three canvas overlays now consume ACTIVITY_LOGGED events. (`molecule-core` [#76](https://git.moleculesai.app/molecule-ai/molecule-core/pull/76))
- **Local-dev provisioner builds from Gitea source**: provisioner in local dev mode clones from Gitea instead of GitHub. (`molecule-core` [#70](https://git.moleculesai.app/molecule-ai/molecule-core/pull/70))
- **Demo Mock #1 — purchase modal + tier card buttons**: market UI now includes demo purchase flows. (`molecule-core` [#33](https://git.moleculesai.app/molecule-ai/molecule-core/pull/33), `landingpage` [#5](https://git.moleculesai.app/molecule-ai/landingpage/pull/5))
- **Mock runtime + mock-bigorg 200-workspace org**: demo org with 200 mock workspaces for load testing. (`molecule-core` [#34](https://git.moleculesai.app/molecule-ai/molecule-core/pull/34))
### 🔧 Fixes
- **Gitea Actions compatibility across all workflows**: lowercase org slug, docker driver for buildx, inline ECR login, all resolved. (`molecule-core` [#17](https://git.moleculesai.app/molecule-ai/molecule-core/pull/17), [#28](https://git.moleculesai.app/molecule-ai/molecule-core/pull/28), [#31](https://git.moleculesai.app/molecule-ai/molecule-core/pull/31), [#32](https://git.moleculesai.app/molecule-ai/molecule-core/pull/32), [#38](https://git.moleculesai.app/molecule-ai/molecule-core/pull/38), [#41](https://git.moleculesai.app/molecule-ai/molecule-core/pull/41), [#43](https://git.moleculesai.app/molecule-ai/molecule-core/pull/43), [#45](https://git.moleculesai.app/molecule-ai/molecule-core/pull/45), [#46](https://git.moleculesai.app/molecule-ai/molecule-core/pull/46), [#50](https://git.moleculesai.app/molecule-ai/molecule-core/pull/50), [#51](https://git.moleculesai.app/molecule-ai/molecule-core/pull/51), [#66](https://git.moleculesai.app/molecule-ai/molecule-core/pull/66), [#78](https://git.moleculesai.app/molecule-ai/molecule-core/pull/78), [#80](https://git.moleculesai.app/molecule-ai/molecule-core/pull/80), [#83](https://git.moleculesai.app/molecule-ai/molecule-core/pull/83), `landingpage` [#1](https://git.moleculesai.app/molecule-ai/landingpage/pull/1), `landingpage` [#2](https://git.moleculesai.app/molecule-ai/landingpage/pull/2), `molecule-app` [#1](https://git.moleculesai.app/molecule-ai/molecule-app/pull/1))
- **molecule-monorepo → molecule-core rename**: all workspace references updated. (`molecule-core` [#5](https://git.moleculesai.app/molecule-ai/molecule-core/pull/5), `landingpage` [#3](https://git.moleculesai.app/molecule-ai/landingpage/pull/3), `landingpage` [#4](https://git.moleculesai.app/molecule-ai/landingpage/pull/4), `molecule-app` [#2](https://git.moleculesai.app/molecule-ai/molecule-app/pull/2))
- **Post-suspension: migrate github.com/Molecule-AI → git.moleculesai.app/molecule-ai**: all URL references updated across repos. (`molecule-core` [#40](https://git.moleculesai.app/molecule-ai/molecule-core/pull/40), [#42](https://git.moleculesai.app/molecule-ai/molecule-core/pull/42), `docs` [#1](https://git.moleculesai.app/molecule-ai/docs/pull/1), `docs` [#2](https://git.moleculesai.app/molecule-ai/docs/pull/2), `docs` [#3](https://git.moleculesai.app/molecule-ai/docs/pull/3))
- **Tenant-aware rate-limit bucket keying**: rate limiting now keys by tenant to prevent one noisy tenant from affecting others. (`molecule-core` [#60](https://git.moleculesai.app/molecule-ai/molecule-core/pull/60))
- **A2A proxy preflight container check**: proxy now checks container health before forwarding. (`molecule-core` [#37](https://git.moleculesai.app/molecule-ai/molecule-core/pull/37))
- **Dev-mode default-bind to 127.0.0.1**: workspace-server binds to localhost in dev mode. (`molecule-core` [#8](https://git.moleculesai.app/molecule-ai/molecule-core/pull/8))
- **SSOT-route container check + 422 on external runtimes**: single-source-of-truth route check returns 422 for unsupported runtimes. (`molecule-core` [#12](https://git.moleculesai.app/molecule-ai/molecule-core/pull/12))
- **EIC tunnel pool + canvas Promise.all**: EC2 Instance Connect tunnel pool improves connection reuse; canvas uses `Promise.all` for parallel fetches. (`molecule-core` [#13](https://git.moleculesai.app/molecule-ai/molecule-core/pull/13))
- **Pending uploads error metric wait**: test now waits for error metric before asserting. (`molecule-core` [#111](https://git.moleculesai.app/molecule-ai/molecule-core/pull/111))
- **Test goroutine drain before t.Cleanup**: async goroutines drain before test cleanup to prevent flakiness. (`molecule-core` [#39](https://git.moleculesai.app/molecule-ai/molecule-core/pull/39))
### 🧹 Internal
- **README comprehensive refresh**: landing icon (light/dark SVG), 8 runtimes, Canvas v4, Memory v2, SaaS, channel plugin. (`molecule-core` [#5](https://git.moleculesai.app/molecule-ai/molecule-core/pull/5))
- **GHCR → ECR swap + github-app-auth removal**: container registry migrated; GitHub App auth plugin removed. (`molecule-core` [#23](https://git.moleculesai.app/molecule-ai/molecule-core/pull/23))
- **Branch protection check-name parity gate**: PR check names must match expected patterns. (`molecule-core` [#56](https://git.moleculesai.app/molecule-ai/molecule-core/pull/56))
- **AUTO_SYNC_TOKEN rotation drift canary**: monitoring for token rotation drift in auto-sync workflow. (`molecule-core` [#77](https://git.moleculesai.app/molecule-ai/molecule-core/pull/77))
- **Observability: edge-429 probe + rate-limit runbook**: edge rate-limit probe and runbook added. (`molecule-core` [#85](https://git.moleculesai.app/molecule-ai/molecule-core/pull/85))
## 2026-05-06
### ✨ New features
- **Env-driven RegistryPrefix() for workspace template images**: provisioner now uses env-driven registry prefix for workspace template images. (`molecule-core` [#1](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1))
---
## 2026-04-23
### ✨ New features
- **SaaS Federation v2 tutorial**: a clean, self-contained walkthrough for platform operators who want to run multi-tenant workspaces from a single control plane. Covers org onboarding via `POST /cp/orgs`, workspace provisioning per tenant, fleet inspection, quota controls, and suspension/teardown. (`molecule-core` [#1700](https://github.com/Molecule-AI/molecule-core/pull/1700))
- **External workspace quickstart**: a 5-minute guide to running any HTTP-speaking agent (Python, Node, Go, Rust) on your own machine and having it appear on the canvas alongside platform-provisioned agents. Covers tunnel setup, `POST /workspaces` registration, and a working echo agent. (`molecule-core` [#1760](https://github.com/Molecule-AI/molecule-core/pull/1760))
- **SaaS Federation v2 tutorial**: a clean, self-contained walkthrough for platform operators who want to run multi-tenant workspaces from a single control plane. Covers org onboarding via `POST /cp/orgs`, workspace provisioning per tenant, fleet inspection, quota controls, and suspension/teardown. (`molecule-core` [#1700](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1700))
- **External workspace quickstart**: a 5-minute guide to running any HTTP-speaking agent (Python, Node, Go, Rust) on your own machine and having it appear on the canvas alongside platform-provisioned agents. Covers tunnel setup, `POST /workspaces` registration, and a working echo agent. (`molecule-core` [#1760](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1760))
### 🔧 Fixes
- **SSRF guard in SaaS mode**: previously the SSRF protection was blocking all RFC-1918 private IP ranges (`10/8`, `172.16/12`, `192.168/16`) even in SaaS mode — this was a regression from the earlier SaaS-mode work. The fix wires up the `saasMode` flag correctly so private IPs are allowed in SaaS deployments (for internal service calls), while metadata ranges (`169.254/16`), CGNAT, loopback, and link-local remain blocked in every mode. IPv6 ULA (`fd00::/8`) handling is also now correct. (`molecule-core` [#1692](https://github.com/Molecule-AI/molecule-core/pull/1692))
- **PUT `/workspaces/:id/files/*path` on SaaS (EC2) workspaces**: fixed a 500 error (`docker not available`) that occurred when saving files from Canvas on SaaS workspaces. The handler now detects non-Docker workspaces via `workspaces.instance_id` and routes writes via EC2 Instance Connect (SSH-backed write with an ephemeral key pair) instead of trying to `docker cp`. (`molecule-core` [#1702](https://github.com/Molecule-AI/molecule-core/pull/1702))
- **SSRF guard in SaaS mode**: previously the SSRF protection was blocking all RFC-1918 private IP ranges (`10/8`, `172.16/12`, `192.168/16`) even in SaaS mode — this was a regression from the earlier SaaS-mode work. The fix wires up the `saasMode` flag correctly so private IPs are allowed in SaaS deployments (for internal service calls), while metadata ranges (`169.254/16`), CGNAT, loopback, and link-local remain blocked in every mode. IPv6 ULA (`fd00::/8`) handling is also now correct. (`molecule-core` [#1692](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1692))
- **PUT `/workspaces/:id/files/*path` on SaaS (EC2) workspaces**: fixed a 500 error (`docker not available`) that occurred when saving files from Canvas on SaaS workspaces. The handler now detects non-Docker workspaces via `workspaces.instance_id` and routes writes via EC2 Instance Connect (SSH-backed write with an ephemeral key pair) instead of trying to `docker cp`. (`molecule-core` [#1702](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1702))
### 📚 Docs
- **molecli shell completion**: tab completion for `molecule` CLI in bash, zsh, fish, and PowerShell — covers all subcommands and flags. (`docs` [#79](https://github.com/Molecule-AI/docs/pull/79))
- **MCP server structured logging**: `LOG_LEVEL` env var, pino JSON output with AsyncLocalStorage context on every tool call. (`docs` [#78](https://github.com/Molecule-AI/docs/pull/78))
- **molecli shell completion**: tab completion for `molecule` CLI in bash, zsh, fish, and PowerShell — covers all subcommands and flags. (`docs` [#79](https://git.moleculesai.app/molecule-ai/docs/pull/79))
- **MCP server structured logging**: `LOG_LEVEL` env var, pino JSON output with AsyncLocalStorage context on every tool call. (`docs` [#78](https://git.moleculesai.app/molecule-ai/docs/pull/78))
### 🧹 Internal
- SaaS Federation v2 tutorial published — clean rewrite of #1613, now with correct HTTP status codes, fleet metrics endpoint, and security model table (`molecule-core` [#1700](https://github.com/Molecule-AI/molecule-core/pull/1700)); Files API SSH-backed write path for SaaS EC2 workspaces — fixes 500 on PUT `/workspaces/:id/files/*path` for SaaS users (`molecule-core` [#1702](https://github.com/Molecule-AI/molecule-core/pull/1702)); Canvas create-workspace dialog now requires hermes runtime model (`molecule-core` [#1714](https://github.com/Molecule-AI/molecule-core/pull/1714)).
- EC2 Instance Connect SSH tutorial published (`molecule-core` [#1617](https://github.com/Molecule-AI/molecule-core/pull/1617)); AI agent org-scoped key credential model blog published (`molecule-core` [#1614](https://github.com/Molecule-AI/molecule-core/pull/1614)); Phase 30 Day 2 social package ready (`molecule-core` [#1662](https://github.com/Molecule-AI/molecule-core/pull/1662)).
- SaaS Federation v2 tutorial published — clean rewrite of #1613, now with correct HTTP status codes, fleet metrics endpoint, and security model table (`molecule-core` [#1700](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1700)); Files API SSH-backed write path for SaaS EC2 workspaces — fixes 500 on PUT `/workspaces/:id/files/*path` for SaaS users (`molecule-core` [#1702](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1702)); Canvas create-workspace dialog now requires hermes runtime model (`molecule-core` [#1714](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1714)).
- EC2 Instance Connect SSH tutorial published (`molecule-core` [#1617](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1617)); AI agent org-scoped key credential model blog published (`molecule-core` [#1614](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1614)); Phase 30 Day 2 social package ready (`molecule-core` [#1662](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1662)).
### 🌅 Late-day updates (17:3023:50 UTC)
#### 🔒 Security
- **Cross-tenant memory poisoning fix** (`molecule-core` [#1791](https://github.com/Molecule-AI/molecule-core/pull/1791)): fixes a bug where `commit_memory` with `scope=TEAM` could write to a sibling workspace's memory store under high concurrency. `commit_memory` now validates `target_workspace_id` against the caller's known peer set before any write.
- **CWE-78 shell injection hardening** (`molecule-core` [#1885](https://github.com/Molecule-AI/molecule-core/pull/1885)): `shellQuote` now uses `strconv.Quote` for all shell-delimited paths in the EC2 Instance Connect and bastion SSH paths. Defense-in-depth layer hardened; primary protection remains path-validation logic upstream.
- **Cross-tenant memory poisoning fix** (`molecule-core` [#1791](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1791)): fixes a bug where `commit_memory` with `scope=TEAM` could write to a sibling workspace's memory store under high concurrency. `commit_memory` now validates `target_workspace_id` against the caller's known peer set before any write.
- **CWE-78 shell injection hardening** (`molecule-core` [#1885](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1885)): `shellQuote` now uses `strconv.Quote` for all shell-delimited paths in the EC2 Instance Connect and bastion SSH paths. Defense-in-depth layer hardened; primary protection remains path-validation logic upstream.
#### ✨ New features
- **A2A priority queue — Phase 1** (`molecule-core` [#1892](https://github.com/Molecule-AI/molecule-core/pull/1892)): task dispatch now supports a `priority` field (`low` / `normal` / `high` / `urgent`). High/urgent tasks bypass the normal FIFO queue and are dispatched immediately. Phase 2 (priority inversion deadlock prevention) on the roadmap.
- **A2A priority queue — Phase 1** (`molecule-core` [#1892](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1892)): task dispatch now supports a `priority` field (`low` / `normal` / `high` / `urgent`). High/urgent tasks bypass the normal FIFO queue and are dispatched immediately. Phase 2 (priority inversion deadlock prevention) on the roadmap.
#### 🔧 Fixes
- **A2A queue nil-safe drain** (`molecule-core` [#1893](https://github.com/Molecule-AI/molecule-core/pull/1893), [#1896](https://github.com/Molecule-AI/molecule-core/pull/1896)): `DequeueTask` no longer panics when the in-memory queue map is uninitialized — graceful empty-result returned instead.
- **Workspaces stuck in `provisioning` after失败** (`molecule-core` [#1794](https://github.com/Molecule-AI/molecule-core/pull/1794)): provisioner now transitions workspaces to `failed` state with a descriptive error message instead of leaving them orphaned in `provisioning`.
- **Dedup settings hooks double-fire** (`molecule-core` [#1797](https://github.com/Molecule-AI/molecule-core/pull/1797)): the `dedup_settings_hooks` registry now correctly unsubscribes after one fire — eliminates the 34× duplicate hook execution observed in CI.
- **Semantic memory search returning stale results** (`molecule-core` [#1778](https://github.com/Molecule-AI/molecule-core/pull/1778)): pgvector index now refreshes synchronously on `commit_memory` write instead of on a 5-minute background cycle.
- **pgvector migration race in E2E CI** (`molecule-core` [#1777](https://github.com/Molecule-AI/molecule-core/pull/1777)): `CREATE EXTENSION` wrapped in `IF NOT EXISTS` inside a `DO` block — eliminates E2E CI flakiness on fresh DB spin-up.
- **EC2 Instance Connect endpoint not found in us-west-2** (`molecule-core` [#1779](https://github.com/Molecule-AI/molecule-core/pull/1779)): Instance Connect endpoint SDK call now falls back gracefully to direct SSM session when the EIC endpoint is unavailable in a region.
- **Canvas topology overlay edge labels clipped** (`molecule-core` [#1802](https://github.com/Molecule-AI/molecule-core/pull/1802)): SVG edge labels now respect viewport bounds; labels that would render off-screen are repositioned.
- **Audit trail panel not loading for large workspaces** (`molecule-core` [#1854](https://github.com/Molecule-AI/molecule-core/pull/1854)): audit log fetch now uses cursor-based pagination (100 events per page) instead of returning all events at once.
- **Hermes `response_format` not forwarded to MiniMax** (`molecule-core` [#1861](https://github.com/Molecule-AI/molecule-core/pull/1861)): `response_format=json_schema` now propagates through the model config passthrough for hermes/MiniMax-M2.7-highspeed workspaces.
- **Memory Inspector panel memory leak** (`molecule-core` [#1871](https://github.com/Molecule-AI/molecule-core/pull/1871)): `useMemoryStore` hook now correctly cancels the SSE subscription on panel unmount.
- **Token revocation cache stale-read window** (`molecule-core` [#1888](https://github.com/Molecule-AI/molecule-core/pull/1888)): revoked-token invalidation now propagates within 5 s (down from 60 s) — closes the window where a revoked token could still authenticate.
- **TenantGuard same-origin bypass (regression)** (`molecule-core` [#1898](https://github.com/Molecule-AI/molecule-core/pull/1898)): fixes a regression introduced in the Phase 33 cloudflare-removal change that re-opened the TenantGuard same-origin bypass for EC2 tenant Canvas deployments.
- **A2A queue nil-safe drain** (`molecule-core` [#1893](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1893), [#1896](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1896)): `DequeueTask` no longer panics when the in-memory queue map is uninitialized — graceful empty-result returned instead.
- **Workspaces stuck in `provisioning` after失败** (`molecule-core` [#1794](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1794)): provisioner now transitions workspaces to `failed` state with a descriptive error message instead of leaving them orphaned in `provisioning`.
- **Dedup settings hooks double-fire** (`molecule-core` [#1797](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1797)): the `dedup_settings_hooks` registry now correctly unsubscribes after one fire — eliminates the 34× duplicate hook execution observed in CI.
- **Semantic memory search returning stale results** (`molecule-core` [#1778](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1778)): pgvector index now refreshes synchronously on `commit_memory` write instead of on a 5-minute background cycle.
- **pgvector migration race in E2E CI** (`molecule-core` [#1777](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1777)): `CREATE EXTENSION` wrapped in `IF NOT EXISTS` inside a `DO` block — eliminates E2E CI flakiness on fresh DB spin-up.
- **EC2 Instance Connect endpoint not found in us-west-2** (`molecule-core` [#1779](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1779)): Instance Connect endpoint SDK call now falls back gracefully to direct SSM session when the EIC endpoint is unavailable in a region.
- **Canvas topology overlay edge labels clipped** (`molecule-core` [#1802](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1802)): SVG edge labels now respect viewport bounds; labels that would render off-screen are repositioned.
- **Audit trail panel not loading for large workspaces** (`molecule-core` [#1854](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1854)): audit log fetch now uses cursor-based pagination (100 events per page) instead of returning all events at once.
- **Hermes `response_format` not forwarded to MiniMax** (`molecule-core` [#1861](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1861)): `response_format=json_schema` now propagates through the model config passthrough for hermes/MiniMax-M2.7-highspeed workspaces.
- **Memory Inspector panel memory leak** (`molecule-core` [#1871](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1871)): `useMemoryStore` hook now correctly cancels the SSE subscription on panel unmount.
- **Token revocation cache stale-read window** (`molecule-core` [#1888](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1888)): revoked-token invalidation now propagates within 5 s (down from 60 s) — closes the window where a revoked token could still authenticate.
- **TenantGuard same-origin bypass (regression)** (`molecule-core` [#1898](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1898)): fixes a regression introduced in the Phase 33 cloudflare-removal change that re-opened the TenantGuard same-origin bypass for EC2 tenant Canvas deployments.
#### 📚 Docs
- **Chrome DevTools MCP tutorial** (`docs` [#1798](https://github.com/Molecule-AI/docs/pull/1798)): hands-on guide for debugging Molecule AI agents in-browser using Chrome's built-in MCP inspector.
- **Phase 34 launch page** (`docs` [#1799](https://github.com/Molecule-AI/docs/pull/1799)): public-facing launch collateral for GA scheduled 2026-04-30.
- **Tool Trace demo environment** (`docs` [#1844](https://github.com/Molecule-AI/docs/pull/1844)): interactive demo showing the tool trace inspector in action, with sample run data.
- **Enterprise battlecard** (`docs` [#1864](https://github.com/Molecule-AI/docs/pull/1864)): competitive positioning doc for sales and enterprise evaluation teams.
- **Chrome DevTools MCP tutorial** (`docs` [#1798](https://git.moleculesai.app/molecule-ai/docs/pull/1798)): hands-on guide for debugging Molecule AI agents in-browser using Chrome's built-in MCP inspector.
- **Phase 34 launch page** (`docs` [#1799](https://git.moleculesai.app/molecule-ai/docs/pull/1799)): public-facing launch collateral for GA scheduled 2026-04-30.
- **Tool Trace demo environment** (`docs` [#1844](https://git.moleculesai.app/molecule-ai/docs/pull/1844)): interactive demo showing the tool trace inspector in action, with sample run data.
- **Enterprise battlecard** (`docs` [#1864](https://git.moleculesai.app/molecule-ai/docs/pull/1864)): competitive positioning doc for sales and enterprise evaluation teams.
#### 🧹 Internal
- `a2a-sdk` hot-pinned to `0.3.x` across all workspace template repos (`molecule-core` [#1890](https://github.com/Molecule-AI/molecule-core/pull/1890)); SDK upgrade path documented in `KI-009` (`internal` [#1631](https://github.com/Molecule-AI/internal/issues/1631)).
- `a2a-sdk` hot-pinned to `0.3.x` across all workspace template repos (`molecule-core` [#1890](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1890)); SDK upgrade path documented in `KI-009` (`internal` [#1631](https://git.moleculesai.app/molecule-ai/internal/issues/1631)).
- Phase 34 CI matrix expanded to cover Node 22 and Go 1.24 (`molecule-ci`).
#### 🔧 Runtime fixes
- **Heartbeat 401 retry** (`molecule-ai-workspace-runtime` [#40](https://github.com/Molecule-AI/molecule-ai-workspace-runtime/pull/40)): heartbeat worker now retries with fresh token on 401 before declaring the workspace unreachable — eliminates false `disconnected` status during token rotation.
- **LLM token auto-detect** (`molecule-ai-workspace-runtime` [#38](https://github.com/Molecule-AI/molecule-ai-workspace-runtime/pull/38)): hermes runtime now auto-detects `max_tokens` from model context window and request timeout when not explicitly configured.
- **Heartbeat 401 retry** (`molecule-ai-workspace-runtime` [#40](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime/pull/40)): heartbeat worker now retries with fresh token on 401 before declaring the workspace unreachable — eliminates false `disconnected` status during token rotation.
- **LLM token auto-detect** (`molecule-ai-workspace-runtime` [#38](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime/pull/38)): hermes runtime now auto-detects `max_tokens` from model context window and request timeout when not explicitly configured.
---
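Review bot: The rewritten links for the 2026-04-23 entries keep their GitHub-era PR numbers (for example `molecule-core` #1692, #1791, #1885, #1898) but now point at `git.moleculesai.app`, while the newer entries in this same hunk cite `molecule-core` PRs on that host numbered between #1 and #111. Please confirm the historical PRs were imported under their original numbers; if they were not, these links break, and the Security entries (cross-tenant memory write, CWE-78 hardening, TenantGuard bypass) lose the reference a reader would use to audit the fix. Two smaller points on touched lines: the heading "Workspaces stuck in provisioning after失败" still carries untranslated text and could read "after failure", and `molecule-core` #5 is cited for both the monorepo rename and the README refresh, which is worth double-checking.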
@@ -84,7 +233,7 @@ Customer selects `model=minimax/MiniMax-M2.7-highspeed` in Canvas → the model
API key now propagate correctly into the runtime environment instead of being dropped
on the floor at provisioning time. Works for hermes workspaces in both hosted SaaS
and self-hosted EC2 deployments.
(`molecule-core` [#1685](https://github.com/Molecule-AI/molecule-core/pull/1685))
(`molecule-core` [#1685](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1685))
#### EC2 Instance Connect Endpoint — one-click shell from Canvas
Canvas Terminal tab now uses AWS EC2 Instance Connect Endpoint to open a PTY inside
@@ -92,7 +241,7 @@ any workspace EC2 instance — no SSH keys to manage, no IP to copy, no security
rules to configure. IAM policy gates access, STS pushes a short-lived key that
auto-expires, and every tunnel open is recorded in CloudTrail.
See the [EC2 Instance Connect guide](/docs/infra/workspace-terminal).
(`molecule-core` [#1554](https://github.com/Molecule-AI/molecule-core/pull/1554))
(`molecule-core` [#1554](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1554))
#### Phase 33 — Cloudflare Tunnel replaced with direct-connect public IPs
Cloud-hosted workspaces no longer route through `cloudflared`. Each workspace gets
@@ -101,32 +250,32 @@ TLS on port 443. Reduces latency by ~2040 ms (region-dependent), removes the
Cloudflare egress cost dependency, and enables direct `curl` debugging without
the tunnel path.
See the [migration blog post](/blog/cloudflare-tunnel-migration).
(`molecule-core` [#1612](https://github.com/Molecule-AI/molecule-core/pull/1612))
(`molecule-core` [#1612](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1612))
### 🔒 Security
- **F1085 deleteViaEphemeral**: `rm` scope restricted to `/configs` volume only —
prevents deletion of application code or workspace files if the exec form is
exploited. Applied to both `main` and `staging`. (`molecule-core` [#1682](https://github.com/Molecule-AI/molecule-core/pull/1682), [#1616](https://github.com/Molecule-AI/molecule-core/pull/1616))
exploited. Applied to both `main` and `staging`. (`molecule-core` [#1682](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1682), [#1616](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1616))
### 🔧 Fixes
- Canvas now fetches the runtime and model dropdown from the `/templates` registry
at load time — runtime list stays current without code deploys. (`molecule-core` [#1666](https://github.com/Molecule-AI/molecule-core/pull/1666))
at load time — runtime list stays current without code deploys. (`molecule-core` [#1666](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1666))
- Canvas accessibility: `aria-hidden` correctly applied to decorative SVGs;
`MissingKeysModal` now uses correct dialog semantics and manages focus. (`molecule-core` [#1594](https://github.com/Molecule-AI/molecule-core/pull/1594))
`MissingKeysModal` now uses correct dialog semantics and manages focus. (`molecule-core` [#1594](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1594))
- Provisioner pulls workspace template images from GHCR instead of Docker Hub
for faster cold starts and reduced third-party dependency. (`molecule-core` [#1624](https://github.com/Molecule-AI/molecule-core/pull/1624))
for faster cold starts and reduced third-party dependency. (`molecule-core` [#1624](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1624))
- Shared runtime heartbeat no longer leaves workspaces in a phantom-busy state after
task completion. (`molecule-ai-workspace-runtime` [#37](https://github.com/Molecule-AI/molecule-ai-workspace-runtime/pull/37))
task completion. (`molecule-ai-workspace-runtime` [#37](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime/pull/37))
### 📚 Docs
- **MCP server structured logging**: `LOG_LEVEL` env var (`trace`/`debug`/`info`/`warn`/`error`/`fatal`),
pino JSON output in production, pretty-print in development, AsyncLocalStorage
context on every log entry (tool name, request ID, workspace ID). (`docs` [#78](https://github.com/Molecule-AI/docs/pull/78))
context on every log entry (tool name, request ID, workspace ID). (`docs` [#78](https://git.moleculesai.app/molecule-ai/docs/pull/78))
- **molecli shell completion**: tab completion for `molecule` CLI in bash, zsh, fish,
and PowerShell — covers all subcommands and flags. (`docs` [#79](https://github.com/Molecule-AI/docs/pull/79))
and PowerShell — covers all subcommands and flags. (`docs` [#79](https://git.moleculesai.app/molecule-ai/docs/pull/79))
### 🧹 Internal
@@ -345,5 +494,4 @@ Fly Machines instead of Docker containers or EC2 instances. See the
- Temporal workflow checkpoints — step endpoints, auto-resume behaviour. (docs PR #19)
---
_Changelog entries are compiled by the [Documentation Specialist](https://github.com/Molecule-AI) from all merged pull requests for the day. Times are UTC._
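Review bot: The footer line in this hunk still links the Documentation Specialist to `https://github.com/Molecule-AI`, and no migrated counterpart appears next to it as it does for the other URLs in this change. If the line stays in the file, point it at the `git.moleculesai.app/molecule-ai` org or drop the link, otherwise the changelog footer keeps a reference to the old GitHub org after the post-suspension migration.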
@@ -158,7 +158,7 @@ The `id` field is your workspace ID — remember it.
|---|---|
| "Failed to send message — agent may be unreachable" | The tenant couldn't POST to your URL. Verify `curl https://<your-tunnel>/health` returns 200 from another machine. |
| Response takes > 30s | Canvas times out around 30s. Keep initial implementations simple. For long-running work, return a placeholder and use [polling mode](#next-step-polling-mode-preview) (once available). |
| Agent duplicated in chat | Known canvas bug where WebSocket + HTTP responses both render. Fixed in [molecule-core #1517](https://github.com/Molecule-AI/molecule-core/pull/1517). |
| Agent duplicated in chat | Known canvas bug where WebSocket + HTTP responses both render. Fixed in [molecule-core #1517](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1517). |
| Agent replies but canvas shows "Agent unreachable" | Check the tenant can reach your URL. Cloudflare quick tunnels rotate — the URL in your canvas may point at a dead tunnel after restart. |
| Getting 404 when POSTing to tenant | Add `X-Molecule-Org-Id` header. The tenant's security layer 404s unmatched origin requests by design. |
@@ -220,7 +220,7 @@ Push mode (this guide) works today but requires an inbound-reachable URL — whi
Your agent makes only outbound HTTPS calls to the platform, pulling messages from an inbox queue and posting replies back. Works behind any NAT/firewall, tolerates offline laptops, no tunnel needed.
See the [design doc](https://github.com/Molecule-AI/internal/blob/main/product/external-workspaces-polling.md) (internal) and [implementation tracking issue](https://github.com/Molecule-AI/molecule-core/issues?q=polling+mode) once opened.
See the [design doc](https://git.moleculesai.app/molecule-ai/internal/src/branch/main/product/external-workspaces-polling.md) (internal) and the implementation tracking issue (search `polling+mode` on the [molecule-core issue tracker](https://git.moleculesai.app/molecule-ai/molecule-core/issues)).
---
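Review bot: The replacement text tells readers to search `polling+mode`, which is the URL-encoded query string from the old link rather than something to type into a search box. Write it as "polling mode", or keep a direct search link so the reader does not have to retype the query.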
@@ -260,11 +260,11 @@ If all four pass and canvas still shows your agent as unreachable, see the [remo
## Feedback
This is a new path. Tell us what broke:
- Open an issue: https://github.com/Molecule-AI/molecule-core/issues/new?labels=external-workspace
- Open an issue: https://git.moleculesai.app/molecule-ai/molecule-core/issues/new?labels=external-workspace
- Submit a PR improving this doc if something tripped you up — the faster we can make the quickstart, the more developers we bring in
---
*Last updated 2026-04-23*
(`molecule-core` [#1760](https://github.com/Molecule-AI/molecule-core/pull/1760))
(`molecule-core` [#1760](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1760))
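Review bot: The new issue link keeps the GitHub-style `?labels=external-workspace` query unchanged. Please check that the new-issue form on `git.moleculesai.app` pre-selects a label from its name; if it does not, feedback filed through this link arrives unlabelled and the query should be dropped or replaced. The `*Last updated 2026-04-23*` stamp is also left as is although the page changes in this commit.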
+1 -1
@@ -78,7 +78,7 @@ Every log entry automatically includes MCP request context (tool name, request I
Set `LOG_LEVEL=debug` (level 20) to trace all tool calls and request IDs. Set `LOG_LEVEL=error` (level 50) in CI to suppress informational output.
See [`molecule-mcp-server` PR #6](https://github.com/Molecule-AI/molecule-mcp-server/pull/6) for implementation details.
See [`molecule-mcp-server` PR #6](https://git.moleculesai.app/molecule-ai/molecule-mcp-server/pull/6) for implementation details.
## Tool Reference
@@ -90,4 +90,4 @@ molecule completion [bash|zsh|fish|powershell]
- `fish` — Fish shell completions (~/.config/fish/completions)
- `powershell` — PowerShell completions ($PROFILE)
See [`molecule-cli` PR #5](https://github.com/Molecule-AI/molecule-cli/pull/5) for implementation details.
See [`molecule-cli` PR #5](https://git.moleculesai.app/molecule-ai/molecule-cli/pull/5) for implementation details.
+2 -2
@@ -148,5 +148,5 @@ The agent appears on the canvas with a **purple REMOTE badge** within seconds. F
## Next Steps
- **[External Agent Registration Guide →](/docs/guides/external-agent-registration)** — full endpoint reference, Python + Node.js examples, troubleshooting
- **[molecule-sdk-python →](https://github.com/Molecule-AI/molecule-sdk-python)** — SDK source, `RemoteAgentClient` API docs
- **[SDK Examples →](https://github.com/Molecule-AI/molecule-sdk-python/tree/main/examples/remote-agent)** — `run.py` demo script, annotated walkthrough
- **[molecule-sdk-python →](https://git.moleculesai.app/molecule-ai/molecule-sdk-python)** — SDK source, `RemoteAgentClient` API docs
- **[SDK Examples →](https://git.moleculesai.app/molecule-ai/molecule-sdk-python/src/branch/main/examples/remote-agent)** — `run.py` demo script, annotated walkthrough
+2 -2
@@ -65,7 +65,7 @@ molecule skills install arxiv-research --from community
Community skills are reviewed by the Molecule AI team before being
listed. Submit a skill for review by opening a PR against
[`molecule-ai/skills`](https://github.com/Molecule-AI/skills).
`molecule-ai/skills` (repo location TBD post-2026-05-06 GitHub-org-suspension; check the [internal issue tracker](https://git.moleculesai.app/molecule-ai/internal/issues) for the canonical submission path).
## Installing via config.yaml
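Review bot: The replacement sentence sends would-be contributors to the `internal` issue tracker and leaves the `molecule-ai/skills` location as TBD, while the hunk header context still documents `molecule skills install arxiv-research --from community`. Readers can no longer tell from this page which repository `--from community` resolves against or where the stated review takes place, so name the current source of community skills (or state that submissions are paused), and consider keeping the suspension detail out of user-facing docs.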
@@ -171,7 +171,7 @@ molecule skills bundle my-custom-skill --output ./org-templates/my-role/
```
**Publishing to the community:** Open a PR against
[`molecule-ai/skills`](https://github.com/Molecule-AI/skills) with a
`molecule-ai/skills` (repo location TBD post-2026-05-06 GitHub-org-suspension; check the [internal issue tracker](https://git.moleculesai.app/molecule-ai/internal/issues) for the canonical submission path) with a
complete skill package. Community skills are reviewed for security and
correctness before listing.
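Review bot: In the "Publishing to the community" sentence the long parenthetical now sits between "Open a PR against `molecule-ai/skills`" and "with a complete skill package", so the instruction is hard to follow and still tells readers to open a PR against a repo whose location the same sentence calls TBD. Suggest splitting it: one sentence stating what to submit (a complete skill package), and a second stating where to find the current submission path.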
+4 -4
View File
@@ -339,7 +339,7 @@ If you are routing a Gemini model through a key that triggers the compat shim (e
- [Concepts — Workspaces](/docs/concepts#workspaces)
- [API Reference — POST /workspaces](/docs/api-reference#post-workspaces)
- [Google ADK Runtime](/docs/google-adk) — Gemini-native alternative to Hermes for ADK-first workflows
- PR #240: [Phase 2a — native Anthropic dispatch](https://github.com/Molecule-AI/molecule-core/pull/240)
- PR #255: [Phase 2b — native Gemini dispatch](https://github.com/Molecule-AI/molecule-core/pull/255)
- PR #267: [Phase 2c — multi-turn history on all paths](https://github.com/Molecule-AI/molecule-core/pull/267)
- Issue [#513](https://github.com/Molecule-AI/molecule-core/issues/513)
- PR #240: [Phase 2a — native Anthropic dispatch](https://git.moleculesai.app/molecule-ai/molecule-core/pull/240)
- PR #255: [Phase 2b — native Gemini dispatch](https://git.moleculesai.app/molecule-ai/molecule-core/pull/255)
- PR #267: [Phase 2c — multi-turn history on all paths](https://git.moleculesai.app/molecule-ai/molecule-core/pull/267)
- Issue [#513](https://git.moleculesai.app/molecule-ai/molecule-core/issues/513)
+3 -3
View File
@@ -165,14 +165,14 @@ ticket if a future revival of this BFG procedure is needed.
**Step 2 — Clean origin/main:**
```bash
git clone --mirror https://github.com/Molecule-AI/molecule-core /tmp/molecule-main-mirror
git clone --mirror https://git.moleculesai.app/molecule-ai/molecule-core /tmp/molecule-main-mirror
java -jar bfgr.jar --replace-text creds.txt --rewrite-not-committed-by-oss --no-blob-protection /tmp/molecule-main-mirror
cd /tmp/molecule-main-mirror && git push --mirror
```
**Step 3 — Clean origin/staging:**
```bash
git clone --mirror https://github.com/Molecule-AI/molecule-core /tmp/molecule-staging-mirror
git clone --mirror https://git.moleculesai.app/molecule-ai/molecule-core /tmp/molecule-staging-mirror
java -jar bfgr.jar --replace-text creds.txt --rewrite-not-committed-by-oss --no-blob-protection /tmp/molecule-staging-mirror
cd /tmp/molecule-staging-mirror && git push --mirror
```
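Review bot: Step 2 ("Clean origin/main") and Step 3 ("Clean origin/staging") run the same `git clone --mirror` against the same URL, in both the old and the new lines, and differ only in the /tmp target directory. A mirror clone already carries every branch, so the second pass repeats the first. Since this change touches both clone lines, consider collapsing the steps into one or stating which remote each step is meant to target on the new host. Because `git push --mirror` overwrites all refs on the destination, a line next to the new URL saying who is expected to run this against git.moleculesai.app would also help.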
@@ -584,7 +584,7 @@ Core-BE — delegated to Dev Lead (A2A failed). Core-BE sub-team: please pick up
### Fix PR
[PR #1336](https://github.com/Molecule-AI/molecule-core/pull/1336) filed — `fix(orchestrator): fail-fast if WORKSPACE_ID env var is unset/empty`. Targets staging. Labels: bug, needs-work, area:backend-engineer, area:dev-lead.
[PR #1336](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1336) filed — `fix(orchestrator): fail-fast if WORKSPACE_ID env var is unset/empty`. Targets staging. Labels: bug, needs-work, area:backend-engineer, area:dev-lead.
---
+5 -5
View File
@@ -163,11 +163,11 @@ not expose.
| `molecule-skill-update-docs` | `[claude_code]` | `[claude_code, hermes]` |
Companion PRs:
- [molecule-ai-plugin-ecc#2](https://github.com/Molecule-AI/molecule-ai-plugin-ecc/pull/2)
- [molecule-ai-plugin-superpowers#2](https://github.com/Molecule-AI/molecule-ai-plugin-superpowers/pull/2)
- [molecule-ai-plugin-molecule-dev#2](https://github.com/Molecule-AI/molecule-ai-plugin-molecule-dev/pull/2)
- [molecule-ai-plugin-molecule-skill-cron-learnings#2](https://github.com/Molecule-AI/molecule-ai-plugin-molecule-skill-cron-learnings/pull/2)
- [molecule-ai-plugin-molecule-skill-update-docs#2](https://github.com/Molecule-AI/molecule-ai-plugin-molecule-skill-update-docs/pull/2)
- [molecule-ai-plugin-ecc#2](https://git.moleculesai.app/molecule-ai/molecule-ai-plugin-ecc/pull/2)
- [molecule-ai-plugin-superpowers#2](https://git.moleculesai.app/molecule-ai/molecule-ai-plugin-superpowers/pull/2)
- [molecule-ai-plugin-molecule-dev#2](https://git.moleculesai.app/molecule-ai/molecule-ai-plugin-molecule-dev/pull/2)
- [molecule-ai-plugin-molecule-skill-cron-learnings#2](https://git.moleculesai.app/molecule-ai/molecule-ai-plugin-molecule-skill-cron-learnings/pull/2)
- [molecule-ai-plugin-molecule-skill-update-docs#2](https://git.moleculesai.app/molecule-ai/molecule-ai-plugin-molecule-skill-update-docs/pull/2)
Security note: Security Auditor was offline at time of change. Self-assessed
as non-security-impacting — adding `hermes` to a string list in `plugin.yaml`
+2 -2
View File
@@ -11,7 +11,7 @@ Get a Molecule AI workspace running in under five minutes.
## 1. Install Molecule AI
```bash
git clone https://github.com/Molecule-AI/molecule-core.git
git clone https://git.moleculesai.app/molecule-ai/molecule-core.git
cd molecule-core
docker compose up -d
```
@@ -78,4 +78,4 @@ Or type `/ask what's our deployment status?` in your connected Discord channel.
- [Review the REST API reference](/docs/guides/org-api-keys)
- [Browse all guides](/docs/guides)
Explore the [GitHub repo](https://github.com/Molecule-AI/molecule-core) for self-hosting options, or visit [moleculesai.app](https://moleculesai.app) for the hosted platform.
Explore the [Gitea repo](https://git.moleculesai.app/molecule-ai/molecule-core) for self-hosting options, or visit [moleculesai.app](https://moleculesai.app) for the hosted platform.
+1 -1
View File
@@ -274,7 +274,7 @@ MCP config and restart your runtime.
### `Workspace <id> was deleted on the platform...` from `get_workspace_info`
Since [#2429](https://github.com/Molecule-AI/molecule-core/pull/2449),
Since [#2429](https://git.moleculesai.app/molecule-ai/molecule-core/pull/2449),
`GET /workspaces/:id` returns **410 Gone** (not 200 + `status:"removed"`)
when the workspace has been deleted. The MCP wheel's `get_workspace_info`
tool surfaces this as a tailored error message:
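Review bot: The link in "Since [#2429](...)" has text `#2429` but its target ends in `/pull/2449`, and the rewrite carries that mismatch over to the new host unchanged. Please confirm which PR introduced the 410 Gone behaviour and make the link text and URL agree while this line is being edited.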
+9 -9
View File
@@ -12,7 +12,7 @@ This page documents security fixes shipped in the Molecule AI platform. Each ent
## 2026-04-20 — CWE-22: Path Traversal in `copyFilesToContainer`
**Severity:** High (CWE-22)
**PRs:** [#1271](https://github.com/Molecule-AI/molecule-core/pull/1271), [#1270](https://github.com/Molecule-AI/molecule-core/pull/1270), [#1267](https://github.com/Molecule-AI/molecule-core/pull/1267)
**PRs:** [#1271](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1271), [#1270](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1270), [#1267](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1267)
**Affected:** `workspace-server/internal/handlers/container_files.go``TemplatesHandler.copyFilesToContainer`
### Vulnerability
@@ -37,7 +37,7 @@ File writes to workspace containers now validate all paths before writing to the
## 2026-04-20 — CWE-78: Shell Injection in `deleteViaEphemeral`
**Severity:** High (CWE-78)
**PR:** [#1310](https://github.com/Molecule-AI/molecule-core/pull/1310)
**PR:** [#1310](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1310)
**Affected:** `workspace-server/internal/handlers/container_files.go``TemplatesHandler.deleteViaEphemeral`
### Vulnerability
@@ -69,9 +69,9 @@ Workspace file deletion operations now use safe argument-passing and validate al
## 2026-04-21 — CWE-918: SSRF in MCP / A2A Proxy Endpoints (Updated: Regression Fix)
**Severity:** High (CWE-918)
**Original PRs:** [#1274](https://github.com/Molecule-AI/molecule-core/pull/1274), [#1302](https://github.com/Molecule-AI/molecule-core/pull/1302)
**Regression Fix PR:** [#1430](https://github.com/Molecule-AI/molecule-core/pull/1430)
**Regression introduced by:** [#1363](https://github.com/Molecule-AI/molecule-core/pull/1363)
**Original PRs:** [#1274](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1274), [#1302](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1302)
**Regression Fix PR:** [#1430](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1430)
**Regression introduced by:** [#1363](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1363)
**Affected:** `workspace-server/internal/handlers/mcp.go``isSafeURL`, `isPrivateOrMetadataIP`; `workspace-server/internal/handlers/a2a_proxy.go`; `workspace-server/internal/handlers/a2a_proxy_helpers.go`
### Vulnerability
@@ -105,9 +105,9 @@ In **SaaS mode** (`saasMode()` returns true), cross-EC2 traffic to RFC-1918 addr
### Regression (2026-04-21)
PR [#1363](https://github.com/Molecule-AI/molecule-core/pull/1363) (handler refactor) moved `isPrivateOrMetadataIP` into `a2a_proxy_helpers.go` but kept a **pre-SaaS version** that unconditionally blocked RFC-1918 addresses, breaking cross-EC2 communication in SaaS. The old version also **returned `false` for all IPv6 inputs**, fully bypassing SSRF protection for IPv6 targets.
PR [#1363](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1363) (handler refactor) moved `isPrivateOrMetadataIP` into `a2a_proxy_helpers.go` but kept a **pre-SaaS version** that unconditionally blocked RFC-1918 addresses, breaking cross-EC2 communication in SaaS. The old version also **returned `false` for all IPv6 inputs**, fully bypassing SSRF protection for IPv6 targets.
PR [#1430](https://github.com/Molecule-AI/molecule-core/pull/1430) restores the correct SaaS-gated logic and adds proper IPv6 coverage to the A2A proxy path.
PR [#1430](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1430) restores the correct SaaS-gated logic and adds proper IPv6 coverage to the A2A proxy path.
### User-facing summary
@@ -118,7 +118,7 @@ Platform outbound requests from workspaces (MCP tool calls, A2A proxy routing) v
## 2026-04-21 — Audit Ledger HMAC Chain Guard
**Severity:** Low (denial-of-service / data integrity)
**PRs:** [#1339](https://github.com/Molecule-AI/molecule-core/pull/1339), [#1352](https://github.com/Molecule-AI/molecule-core/pull/1352), [#1354](https://github.com/Molecule-AI/molecule-core/pull/1354) (backport to `main`)
**PRs:** [#1339](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1339), [#1352](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1352), [#1354](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1354) (backport to `main`)
**Affected:** `workspace-server/internal/handlers/audit.go`
### Vulnerability
@@ -144,7 +144,7 @@ Audit chain verification now handles short or malformed HMAC values gracefully,
## 2026-04-21 — Credential Scrub: `err.Error()` Leak Prevention
**Severity:** Medium (information disclosure)
**PRs:** [#1282](https://github.com/Molecule-AI/molecule-core/pull/1282), [#1355](https://github.com/Molecule-AI/molecule-core/pull/1355), [#1359](https://github.com/Molecule-AI/molecule-core/pull/1359)
**PRs:** [#1282](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1282), [#1355](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1355), [#1359](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1359)
**Affected:** `workspace-server/internal/handlers/plugins_install_pipeline.go`, `workspace-server/internal/handlers/workspace_provision.go`, `content/docs/incidents/INCIDENT_LOG.md`
### Vulnerability
+1 -1
View File
@@ -17,7 +17,7 @@ description: Run the full Molecule AI stack on your own infrastructure.
The fastest way to get Molecule AI running locally:
```bash
git clone https://github.com/Molecule-AI/molecule-core.git
git clone https://git.moleculesai.app/molecule-ai/molecule-core.git
cd molecule-core
./scripts/dev-start.sh
# Canvas: http://localhost:3000
@@ -88,8 +88,8 @@ Fly Machines start in milliseconds and run in 35+ regions. Provisioning agent wo
## Related
- PR #501: [feat(platform): Fly Machines provisioner](https://github.com/Molecule-AI/molecule-core/pull/501)
- PR #481: [feat(ci): deploy to Fly after image push](https://github.com/Molecule-AI/molecule-core/pull/481)
- PR #501: [feat(platform): Fly Machines provisioner](https://git.moleculesai.app/molecule-ai/molecule-core/pull/501)
- PR #481: [feat(ci): deploy to Fly after image push](https://git.moleculesai.app/molecule-ai/molecule-core/pull/481)
- [Fly Machines API docs](https://fly.io/docs/machines/api/)
- [Platform API reference](../api-reference.md)
- Issue [#525](https://github.com/Molecule-AI/molecule-core/issues/525)
- Issue [#525](https://git.moleculesai.app/molecule-ai/molecule-core/issues/525)
+1 -1
View File
@@ -64,6 +64,6 @@ The real power surfaces when you mix runtimes on the same Molecule AI tenant. Yo
## Related
- PR #379: [feat(adapters): add gemini-cli runtime adapter](https://github.com/Molecule-AI/molecule-core/pull/379)
- PR #379: [feat(adapters): add gemini-cli runtime adapter](https://git.moleculesai.app/molecule-ai/molecule-core/pull/379)
- [Multi-provider Hermes docs](../architecture/hermes.md)
- [Workspace runtimes reference](../reference/runtimes.md)
+1 -1
View File
@@ -71,7 +71,7 @@ ADK workspaces participate in the same A2A network as Claude Code, Gemini CLI, H
## Related
- PR #550: [feat(adapters): add google-adk runtime adapter](https://github.com/Molecule-AI/molecule-core/pull/550)
- PR #550: [feat(adapters): add google-adk runtime adapter](https://git.moleculesai.app/molecule-ai/molecule-core/pull/550)
- [Google ADK (adk-python)](https://github.com/google/adk-python)
- [Gemini CLI runtime tutorial](./gemini-cli-runtime.md)
- [Platform API reference](../api-reference.md)
@@ -179,9 +179,9 @@ What is on the roadmap for Phase 2d (not yet shipped):
## Related
- PR #240: [Phase 2a — native Anthropic dispatch](https://github.com/Molecule-AI/molecule-core/pull/240)
- PR #255: [Phase 2b — native Gemini dispatch](https://github.com/Molecule-AI/molecule-core/pull/255)
- PR #267: [Phase 2c — multi-turn history on all paths](https://github.com/Molecule-AI/molecule-core/pull/267)
- PR #240: [Phase 2a — native Anthropic dispatch](https://git.moleculesai.app/molecule-ai/molecule-core/pull/240)
- PR #255: [Phase 2b — native Gemini dispatch](https://git.moleculesai.app/molecule-ai/molecule-core/pull/255)
- PR #267: [Phase 2c — multi-turn history on all paths](https://git.moleculesai.app/molecule-ai/molecule-core/pull/267)
- [Hermes adapter design](../adapters/hermes-adapter-design.md)
- [Platform API reference](../api-reference.md)
- Issue [#513](https://github.com/Molecule-AI/molecule-core/issues/513)
- Issue [#513](https://git.moleculesai.app/molecule-ai/molecule-core/issues/513)
@@ -93,6 +93,6 @@ Molecule AI canvas without code changes.
## Related
- PR #480: [feat(channels): Lark / Feishu channel adapter](https://github.com/Molecule-AI/molecule-core/pull/480)
- PR #480: [feat(channels): Lark / Feishu channel adapter](https://git.moleculesai.app/molecule-ai/molecule-core/pull/480)
- [Social channels architecture](../agent-runtime/social-channels.md)
- [Channel adapter reference](../api-reference.md#channels)
+1 -1
View File
@@ -246,4 +246,4 @@ For the API reference, see [`docs/api-reference`](/docs/api-reference) — the `
*SaaS federation is available for all Molecule AI platform operators. Contact the Molecule AI team to enable federation on your control plane.*
(`molecule-core` [#1700](https://github.com/Molecule-AI/molecule-core/pull/1700))
(`molecule-core` [#1700](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1700))
@@ -145,7 +145,7 @@ Key push + tunnel + write took longer than 30 s. Common causes: slow AWS EIC in
## Source PR
PR [#1702](https://github.com/Molecule-AI/molecule-core/pull/1702) — `feat(files-api): SSH-backed write for SaaS workspaces (fixes 500 docker not available)`
PR [#1702](https://git.moleculesai.app/molecule-ai/molecule-core/pull/1702) — `feat(files-api): SSH-backed write for SaaS workspaces (fixes 500 docker not available)`
Key files in `molecule-core`:
- `workspace-server/internal/handlers/template_files_eic.go` — EIC write logic
@@ -237,4 +237,4 @@ Once your agent is connected to MCP, it stops being a chatbot with a scrollable
---
*Have questions or want to share what you're building with MCP? Open a discussion on [GitHub Discussions](https://github.com/Molecule-AI/molecule-core/discussions) or file an issue with the `enhancement` label.*
*Have questions or want to share what you're building with MCP? File an issue with the `enhancement` label on the [molecule-core issue tracker](https://git.moleculesai.app/molecule-ai/molecule-core/issues).*
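Review bot: The closing line still opens with "Have questions or want to share what you're building with MCP?" but, with GitHub Discussions removed, the only route offered is filing an issue with the `enhancement` label, which fits neither questions nor show-and-tell posts. Suggest either rewording the opener to match what the issue tracker is for, or naming a label or channel intended for questions.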