From 4f4604eabe24721a96241c8a2266dbf94debe66b Mon Sep 17 00:00:00 2001
From: core-devops <core-devops@agents.moleculesai.app>
Date: Mon, 18 May 2026 15:05:58 -0700
Subject: [PATCH] feat(image): bake molecule-askpass binary for env-driven
 HTTPS git auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Image-side companion to molecule-core PR #1525 (merge_sha 73a09443a086,
workspace-server applyAgentGitIdentity). PR #1525 sets GIT_ASKPASS=
/usr/local/bin/molecule-askpass on every workspace container so git can
authenticate to private HTTPS remotes from the persona env vars already
arriving via workspace_secrets — but until this binary ships in the
runtime image, git invocations error with 'exec: /usr/local/bin/
molecule-askpass: not found' (forward-only pin gap).

This is the same class as Hermes list_peers / codex #219: ws-server
changed contract, runtime image hadn't yet caught up. Closing the
image-side gap unblocks Dev-A/Dev-B (claude-code runtime) durable
HTTPS git auth on any private host.

Generic by design — no hardcoded hostnames, no vendor literals. Script
body is identical to workspace/scripts/molecule-askpass in molecule-core
and the parallel external workspace template repos, so any deployer
can fork this template and use it against their own git host without
editing.
---
 Dockerfile               | 21 +++++++++++++++++++++
 scripts/molecule-askpass | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100755 scripts/molecule-askpass

diff --git a/Dockerfile b/Dockerfile
index 04948ca..f8864cd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -119,6 +119,27 @@ COPY scripts/molecule-git-token-helper.sh /app/scripts/molecule-git-token-helper
 COPY scripts/molecule-gh-token-refresh.sh /app/scripts/molecule-gh-token-refresh.sh
 RUN chmod +x /app/scripts/molecule-git-token-helper.sh /app/scripts/molecule-gh-token-refresh.sh
 
+# Generic GIT_ASKPASS helper — image-side companion to molecule-core PR
+# #1525 (workspace-server applyAgentGitIdentity, merge_sha 73a09443a086).
+# Reads HTTPS Basic-Auth credentials from env vars (GIT_HTTP_USERNAME /
+# GIT_HTTP_PASSWORD, with GITEA_USER / GITEA_TOKEN as fallback) and emits
+# them on the git credential-prompt protocol, so container-side `git` can
+# authenticate to any private HTTPS remote without on-disk ~/.gitconfig
+# or ~/.git-credentials mutation. The platform provisioner sets
+# GIT_ASKPASS=/usr/local/bin/molecule-askpass via applyAgentGitIdentity;
+# until this binary ships in the runtime image, git invocations error
+# with "exec: /usr/local/bin/molecule-askpass: not found" (forward-only
+# pin gap — same class as Hermes list_peers and codex template breakage,
+# fixed image-side here).
+#
+# No hardcoded hostnames or vendor names — the script body is identical
+# to the one shipped in molecule-core workspace/scripts/molecule-askpass
+# and the parallel external workspace template repos, so any deployer
+# can fork this template and use it against their own git host without
+# editing.
+COPY scripts/molecule-askpass /usr/local/bin/molecule-askpass
+RUN chmod +x /usr/local/bin/molecule-askpass
+
 # Drop-priv entrypoint — claude-code refuses --dangerously-skip-permissions
 # as root, so we run molecule-runtime as the agent user (uid 1000).
 # The script handles volume-ownership fix + session-dir symlink before
diff --git a/scripts/molecule-askpass b/scripts/molecule-askpass
new file mode 100755
index 0000000..925e567
--- /dev/null
+++ b/scripts/molecule-askpass
@@ -0,0 +1,35 @@
+#!/bin/sh
+# git-askpass helper. Reads HTTPS Basic-Auth credentials from env vars so
+# the deployer can wire git authentication for any private remote without
+# touching ~/.gitconfig or ~/.git-credentials inside the container.
+#
+# Wire-up: set GIT_ASKPASS=/usr/local/bin/molecule-askpass in the
+# container env, then export GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD (or the
+# GITEA_USER / GITEA_TOKEN fallback pair). When git encounters an HTTPS
+# auth challenge on a host that has no credential.helper configured for
+# it, git invokes GIT_ASKPASS twice — once with a "Username for ..."
+# prompt and once with a "Password for ..." prompt. We pattern-match on
+# that prompt and emit the matching env var.
+#
+# No hardcoded hostnames or vendor names — the deployer decides which
+# host these credentials apply to by virtue of setting GIT_ASKPASS only
+# when the target remote is in scope. The helper itself is reusable for
+# any HTTPS git remote.
+#
+# Failure mode: if the env vars are unset, we emit an empty string and
+# let git surface "Authentication failed" — this is intentional, so a
+# misconfigured deployment fails loudly at first push instead of silently
+# falling through to an unrelated credential chain.
+
+case "$1" in
+    Username*)
+        printf '%s\n' "${GIT_HTTP_USERNAME:-${GITEA_USER:-}}"
+        ;;
+    Password*)
+        printf '%s\n' "${GIT_HTTP_PASSWORD:-${GITEA_TOKEN:-}}"
+        ;;
+    *)
+        # Unknown prompt — emit empty and let git decide.
+        printf '\n'
+        ;;
+esac