docs(security): backfill security/index.mdx — link OWASP Top 10 + changelog, add severity table

Opportunistic stub backfill. The index was a 277-byte stub with only a title, description, and one link. Expanded to: - Link to OWASP Agentic Top 10 (2026-04-28) - Link to Security Changelog - Severity level table (CRITICAL/HIGH/MEDIUM/LOW) to orient readers No paired PR — this is a documentation quality improvement, not tied to a source-code change. Co-Authored-By: Molecule AI Documentation Specialist <documentation-specialist@agents.moleculesai.app>
docs(mcp-server): rename MOLECULE_URL → MOLECULE_API_URL; add MOLECULE_API_KEY and MCP_SERVER_PORT
2026-05-13 16:17:08 +00:00 · 2026-05-13 12:32:17 +00:00
2 changed files with 23 additions and 5 deletions
@@ -25,7 +25,7 @@ npx @molecule-ai/mcp-server@1.0.0
      "command": "npx",
      "args": ["@molecule-ai/mcp-server@1.0.0"],
      "env": {
-        "MOLECULE_URL": "http://localhost:8080"
+        "MOLECULE_API_URL": "http://localhost:8080"
      }
    }
  }
@@ -36,10 +36,10 @@ npx @molecule-ai/mcp-server@1.0.0
  **Pin the package version.** The examples above use `@1.0.0` — always specify an exact version and omit the `-y` flag. An unpinned `npx -y @molecule-ai/mcp-server` (no version) silently installs whatever npm serves on the next restart; if the package is ever compromised, it runs with your full MCP client permissions. Check [npm](https://www.npmjs.com/package/@molecule-ai/mcp-server) for the latest stable release before upgrading.
 </Callout>

-For SaaS deployments, set `MOLECULE_URL` to your tenant URL:
+For SaaS deployments, set `MOLECULE_API_URL` to your tenant URL:

 ```json
-"MOLECULE_URL": "https://your-org.moleculesai.app"
+"MOLECULE_API_URL": "https://your-org.moleculesai.app"
 ```

 ### Verify
@@ -151,12 +151,14 @@ The MCP server exposes tools across these categories:

 | Variable | Default | Description |
 |---|---|---|
-| `MOLECULE_URL` | `http://localhost:8080` | Platform API URL |
+| `MOLECULE_API_URL` | `http://localhost:8080` | Platform API base URL |
+| `MOLECULE_API_KEY` | — | API key for platform authentication |
+| `MCP_SERVER_PORT` | `3000` | Port (for HTTP/SSE transport) |

 ## Troubleshooting

 | Issue | Fix |
 |---|---|
-| Connection refused | Check `MOLECULE_URL` points to running platform |
+| Connection refused | Check `MOLECULE_API_URL` points to running platform |
 | 401 Unauthorized | Token expired or revoked — create a new one |
 | Tools not showing | Run `npx @molecule-ai/mcp-server@1.0.0` standalone to check errors |
@@ -7,3 +7,19 @@ description: Security guides, advisories, and coverage reports for the Molecule

 - [SAFE-MCP Security Advisory (2026-04-17)](/docs/security/safe-mcp-advisory) —
  Three HIGH-severity findings for self-hosted operators
+- [OWASP Agentic Top 10 (2026-04-28)](/docs/security/owasp-agentic-top-10) —
+  Risk framework for LLM-agent systems; covers goal misalignment, data exfiltration,
+  privilege escalation, and six additional agent-specific threats
+- [Security Changelog](/docs/security/changelog) —
+  Record of all security findings, fixes, and advisory publications
+
+## Severity levels
+
+All advisories follow this classification:
+
+| Level | Meaning |
+|---|---|
+| **CRITICAL** | Active exploitation confirmed; patch immediately |
+| **HIGH** | Proof-of-concept or significant attack path; remediate within 48h |
+| **MEDIUM** | Moderate risk; remediate within 30 days |
+| **LOW** | Minor risk; address in next release cycle |