Addresses the gap surfaced by CEO 2026-04-13: audit agents (Security
Auditor, QA Engineer, UIUX Designer) were running their crons successfully
but findings stayed in agent memory and didn't consistently flow to
GitHub issues or to developers with build ability. BE noticed Security
findings once via a manual escalation; subsequent hourly audits
accumulated 13 criticals (including an unauthenticated-plugin-install
RCE) with no durable tracking.
Changes:
1. Security Auditor schedule: replace 12h (7 6,18 * * *) with hourly
(17 * * * *) to match what's actually running in the platform DB.
Rewrite the prompt with the full body of the runtime cron — git diff
scoping, gosec/bandit, manual checklist, live API DAST, secrets scan,
open-PR review.
2. QA Engineer schedule: keep 12h cadence, tighten post-audit routing.
3. UIUX Designer: add a schedule (was previously runtime-only — see #24).
Uses hourly cadence to match runtime. Accepts Playwright may be
unavailable (see #23) and falls back to HTML analysis with the
limitation noted in the deliverable.
All three audit crons now end with an identical FINAL STEP — DELIVERABLE
ROUTING block that makes the post-audit flow MANDATORY:
a. File a GitHub issue for each CRITICAL / HIGH finding (dedupe first)
b. delegate_task to PM with a structured summary listing issue numbers;
PM decides which dev agent picks up which issue
c. Even on clean cycles, send PM a one-line "clean on SHA X" so audits
are observable
d. Memory write becomes a secondary record, not the primary deliverable
Rationale: findings need to flow into the issue tracker (durable, visible
to CEO, part of the PR/issue review feedback loop already in place) and
through PM (who owns cross-team orchestration). Memory-only output is
invisible to everyone except the auditor itself.
Related:
- #23 — UIUX Designer container missing libglib/X11 for Playwright.
This PR accepts the current limitation; #23 tracks the image fix.
- #24 — template-vs-runtime schedule drift. This PR backfills the template;
#24 tracks the platform-layer fix for preventing future drift.
- 13 open criticals in Security Auditor memory are out of scope for this
PR (that's team work once the routing is in place).
Addresses the gap surfaced by CEO 2026-04-13: audit agents (Security
Auditor, QA Engineer, UIUX Designer) were running their crons successfully
but findings stayed in agent memory and didn't consistently flow to
GitHub issues or to developers with build ability. BE noticed Security
findings once via a manual escalation; subsequent hourly audits
accumulated 13 criticals (including an unauthenticated-plugin-install
RCE) with no durable tracking.
Changes:
1. Security Auditor schedule: replace 12h (7 6,18 * * *) with hourly
(17 * * * *) to match what's actually running in the platform DB.
Rewrite the prompt with the full body of the runtime cron — git diff
scoping, gosec/bandit, manual checklist, live API DAST, secrets scan,
open-PR review.
2. QA Engineer schedule: keep 12h cadence, tighten post-audit routing.
3. UIUX Designer: add a schedule (was previously runtime-only — see #24).
Uses hourly cadence to match runtime. Accepts Playwright may be
unavailable (see #23) and falls back to HTML analysis with the
limitation noted in the deliverable.
All three audit crons now end with an identical FINAL STEP — DELIVERABLE
ROUTING block that makes the post-audit flow MANDATORY:
a. File a GitHub issue for each CRITICAL / HIGH finding (dedupe first)
b. delegate_task to PM with a structured summary listing issue numbers;
PM decides which dev agent picks up which issue
c. Even on clean cycles, send PM a one-line "clean on SHA X" so audits
are observable
d. Memory write becomes a secondary record, not the primary deliverable
Rationale: findings need to flow into the issue tracker (durable, visible
to CEO, part of the PR/issue review feedback loop already in place) and
through PM (who owns cross-team orchestration). Memory-only output is
invisible to everyone except the auditor itself.
Related:
- #23 — UIUX Designer container missing libglib/X11 for Playwright.
This PR accepts the current limitation; #23 tracks the image fix.
- #24 — template-vs-runtime schedule drift. This PR backfills the template;
#24 tracks the platform-layer fix for preventing future drift.
- 13 open criticals in Security Auditor memory are out of scope for this
PR (that's team work once the routing is in place).
- computeAutoLayout() BFS tree layout seeds from anchored nodes; assigns
distinct x/y to workspaces returned at 0,0 by the API and persists via PATCH
- buildNodesAndEdges() accepts layoutOverrides map so hydration uses computed
positions instead of raw 0,0 coordinates
- canvas-events WORKSPACE_PROVISIONING grid layout replaces offset===offset
assignment that caused position:{x:t,y:t} in the minified bundle
- 8 new vitest tests cover computeAutoLayout and override behaviour (365 pass)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- computeAutoLayout() BFS tree layout seeds from anchored nodes; assigns
distinct x/y to workspaces returned at 0,0 by the API and persists via PATCH
- buildNodesAndEdges() accepts layoutOverrides map so hydration uses computed
positions instead of raw 0,0 coordinates
- canvas-events WORKSPACE_PROVISIONING grid layout replaces offset===offset
assignment that caused position:{x:t,y:t} in the minified bundle
- 8 new vitest tests cover computeAutoLayout and override behaviour (365 pass)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Addresses FLAG 1 and FLAG 2 from the 7-Gate review on PR #20.
FLAG 1 (token persisted on disk):
Previous: `git clone https://x-access-token:${GITHUB_TOKEN}@github.com/...` wrote
the full tokenized URL into /workspace/repo/.git/config as `[remote "origin"] url = …`.
Token survived container restarts on any bind-mounted workspace_dir.
Fix: after clone, `git remote set-url origin https://github.com/${GITHUB_REPO}.git`
scrubs the token from the remote URL. Token is only in the clone command's argv
(transient) and not persisted on disk. Falls back to anonymous for public repos.
FLAG 2 (docs not updated):
Added GITHUB_REPO and GITHUB_TOKEN entries under a new 'GitHub' section in
.env.example with notes about (a) what they're read for, (b) that GITHUB_TOKEN
should be registered as a global secret via POST /admin/secrets, (c) how it's
handled to avoid on-disk persistence.
FLAG 3 (per-workspace gating) is deferred to a separate issue — it's a platform
design question about secret scope/ACLs, not a template fix.
Addresses FLAG 1 and FLAG 2 from the 7-Gate review on PR #20.
FLAG 1 (token persisted on disk):
Previous: `git clone https://x-access-token:${GITHUB_TOKEN}@github.com/...` wrote
the full tokenized URL into /workspace/repo/.git/config as `[remote "origin"] url = …`.
Token survived container restarts on any bind-mounted workspace_dir.
Fix: after clone, `git remote set-url origin https://github.com/${GITHUB_REPO}.git`
scrubs the token from the remote URL. Token is only in the clone command's argv
(transient) and not persisted on disk. Falls back to anonymous for public repos.
FLAG 2 (docs not updated):
Added GITHUB_REPO and GITHUB_TOKEN entries under a new 'GitHub' section in
.env.example with notes about (a) what they're read for, (b) that GITHUB_TOKEN
should be registered as a global secret via POST /admin/secrets, (c) how it's
handled to avoid on-disk persistence.
FLAG 3 (per-workspace gating) is deferred to a separate issue — it's a platform
design question about secret scope/ACLs, not a template fix.
Fixes the template-layer half of #13. Previously initial_prompt cloned
`https://github.com/${GITHUB_REPO}.git` with no authentication, which
fails for private repos in non-TTY docker exec with:
fatal: could not read Username for 'https://github.com':
terminal prompts disabled
Now the prompt uses `https://x-access-token:${GITHUB_TOKEN}@github.com/...`
when GITHUB_TOKEN is present in env (global secret, set per CEO on 2026-04-13),
falls back to anonymous clone when it isn't.
This is a belt-and-suspenders template default. The platform-level fix
(#13) is still needed so the provisioner rewrites clone URLs
consistently, but the template should work out of the box too.
Fixes the template-layer half of #13. Previously initial_prompt cloned
`https://github.com/${GITHUB_REPO}.git` with no authentication, which
fails for private repos in non-TTY docker exec with:
fatal: could not read Username for 'https://github.com':
terminal prompts disabled
Now the prompt uses `https://x-access-token:${GITHUB_TOKEN}@github.com/...`
when GITHUB_TOKEN is present in env (global secret, set per CEO on 2026-04-13),
falls back to anonymous clone when it isn't.
This is a belt-and-suspenders template default. The platform-level fix
(#13) is still needed so the provisioner rewrites clone URLs
consistently, but the template should work out of the box too.
Walks the real UI end-to-end:
1. Creates + registers a workspace on the platform
2. Opens the detail side panel
3. Clicks the Files tab (force-click since it's in an overflow-x bar)
4. Asserts all 3 split components render:
- FilesToolbar: "+ New" + "Upload" buttons
- FileTree: the config.yaml seeded by the default template
- FileEditor: "Select a file to edit" empty-state
Saves screenshots at /tmp/filestab-{1,2,3}-*.png for manual review.
Run: cd canvas && npx playwright test e2e/filestab-smoke.spec.ts
Requires platform on :8080 + canvas on :3000.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Walks the real UI end-to-end:
1. Creates + registers a workspace on the platform
2. Opens the detail side panel
3. Clicks the Files tab (force-click since it's in an overflow-x bar)
4. Asserts all 3 split components render:
- FilesToolbar: "+ New" + "Upload" buttons
- FileTree: the config.yaml seeded by the default template
- FileEditor: "Select a file to edit" empty-state
Saves screenshots at /tmp/filestab-{1,2,3}-*.png for manual review.
Run: cd canvas && npx playwright test e2e/filestab-smoke.spec.ts
Requires platform on :8080 + canvas on :3000.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Closes partially #15 (network-split side of the same incident class).
Running `docker compose -f docker-compose.infra.yml up -d` puts postgres,
redis, clickhouse, langfuse (and the new temporal service) on a fresh
`molecule-monorepo_default` bridge network, while the platform container
lives on `molecule-monorepo-net` (created by the root docker-compose.yml).
Platform then fails DNS on `postgres:5432` and crashes until the
operator manually `docker network connect`s each service.
Declare `molecule-monorepo-net` as the external default network for the
infra compose file so new services join it automatically.
Also adds temporal + temporal-ui services (closes the 'Temporal unavailable'
noise that every agent logs at startup) and exposes the UI on :8233.
Incident: 2026-04-13 — running `up -d temporal` recreated postgres into
the wrong network and took the platform + all 12 workspace agents offline
until networks were manually reconnected.
Closes partially #15 (network-split side of the same incident class).
Running `docker compose -f docker-compose.infra.yml up -d` puts postgres,
redis, clickhouse, langfuse (and the new temporal service) on a fresh
`molecule-monorepo_default` bridge network, while the platform container
lives on `molecule-monorepo-net` (created by the root docker-compose.yml).
Platform then fails DNS on `postgres:5432` and crashes until the
operator manually `docker network connect`s each service.
Declare `molecule-monorepo-net` as the external default network for the
infra compose file so new services join it automatically.
Also adds temporal + temporal-ui services (closes the 'Temporal unavailable'
noise that every agent logs at startup) and exposes the UI on :8233.
Incident: 2026-04-13 — running `up -d temporal` recreated postgres into
the wrong network and took the platform + all 12 workspace agents offline
until networks were manually reconnected.
Pure restructure — no behavior change. Extracts FileTree, FileEditor,
FilesToolbar, useFilesApi hook, and tree utilities into sibling files
under canvas/src/components/tabs/FilesTab/. Top-level FilesTab.tsx is
now 240 lines (glue + confirmations); re-exports buildTree/TreeNode so
the existing import path and tests remain stable.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pure restructure — no behavior change. Extracts FileTree, FileEditor,
FilesToolbar, useFilesApi hook, and tree utilities into sibling files
under canvas/src/components/tabs/FilesTab/. Top-level FilesTab.tsx is
now 240 lines (glue + confirmations); re-exports buildTree/TreeNode so
the existing import path and tests remain stable.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CI run of test_api.sh failed on "Re-imported workspace exists" because
the assertion checked for status:"provisioning" but the async
provisioner flipped the workspace to status:"failed" first (CI has no
Docker images for agent runtimes — autogen/langgraph containers can't
actually start there).
Root cause is the same thing the rest of the E2E suite handles: the
test is about bundle round-trip fidelity, not provisioning success.
Fixes:
- test_api.sh: assert workspace id is present, not a specific status
- test_comprehensive_e2e.sh: send a fresh heartbeat before the
"Dev status online after register" check so status is re-asserted
to online regardless of what the provisioner did async
Verified locally against the same no-Docker-image state as CI:
- test_api.sh -> 62/62
- test_comprehensive_e2e.sh -> 67/67
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CI run of test_api.sh failed on "Re-imported workspace exists" because
the assertion checked for status:"provisioning" but the async
provisioner flipped the workspace to status:"failed" first (CI has no
Docker images for agent runtimes — autogen/langgraph containers can't
actually start there).
Root cause is the same thing the rest of the E2E suite handles: the
test is about bundle round-trip fidelity, not provisioning success.
Fixes:
- test_api.sh: assert workspace id is present, not a specific status
- test_comprehensive_e2e.sh: send a fresh heartbeat before the
"Dev status online after register" check so status is re-asserted
to online regardless of what the provisioner did async
Verified locally against the same no-Docker-image state as CI:
- test_api.sh -> 62/62
- test_comprehensive_e2e.sh -> 67/67
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- _extract_token.py: narrow `except Exception` to
`except (json.JSONDecodeError, ValueError)`. Prevents swallowing
KeyboardInterrupt in edge cases and documents intent clearly.
- ci.yml shellcheck job: switch to ludeeus/action-shellcheck@master
(caches shellcheck binary across runs; saves the apt-get install).
Both changes verified locally: YAML parses, extract script still
extracts valid tokens and prints the stderr warning on malformed JSON.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- _extract_token.py: narrow `except Exception` to
`except (json.JSONDecodeError, ValueError)`. Prevents swallowing
KeyboardInterrupt in edge cases and documents intent clearly.
- ci.yml shellcheck job: switch to ludeeus/action-shellcheck@master
(caches shellcheck binary across runs; saves the apt-get install).
Both changes verified locally: YAML parses, extract script still
extracts valid tokens and prints the stderr warning on malformed JSON.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All 5 suggestions from the latest review pass.
## tests/e2e/_extract_token.py (new)
Extracted the 14-line python-in-bash heredoc from _lib.sh into a real
Python file. Easier to edit, fewer escaping traps, same behavior.
Shell helper now just shells out to it.
## tests/e2e/_lib.sh
- Replaced inline python with: python3 "$(dirname "${BASH_SOURCE[0]}")/_extract_token.py"
- Removed redundant sys.exit(0) as part of the extraction
## Shellcheck-clean scripts (new CI job enforces)
- Removed dead captures: BEFORE_COUNT (test_activity_e2e.sh), ORIG_SKILLS,
REIMPORT_SKILLS (test_api.sh), QA_TOKEN (test_comprehensive_e2e.sh)
- Renamed unused loop vars `i`, `j` -> `_` in 4 sites
- Added `# shellcheck disable=SC2046` on the two intentional word-splits
in test_claude_code_e2e.sh (docker stop/rm of multiple container IDs)
- Removed a useless re-register of QA mid-script (was done in Section 2)
## CI (.github/workflows/ci.yml)
- Replaced `sudo apt-get install postgresql-client` + psql with a direct
`docker exec` into the existing postgres:16 service container. Saves
~10-20s per CI run.
- Added new `shellcheck` job that lints tests/e2e/*.sh on every PR.
Local: shellcheck --severity=warning returns 0 across all 5 scripts.
## Verification
- go test -race ./internal/handlers/... : pass
- mcp-server: 96/96 jest
- canvas: 357/357 vitest + clean build
- tests/e2e/test_api.sh: 62/62
- tests/e2e/test_comprehensive_e2e.sh: 67/67
- shellcheck tests/e2e/*.sh : clean
- CI YAML: valid
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All 5 suggestions from the latest review pass.
## tests/e2e/_extract_token.py (new)
Extracted the 14-line python-in-bash heredoc from _lib.sh into a real
Python file. Easier to edit, fewer escaping traps, same behavior.
Shell helper now just shells out to it.
## tests/e2e/_lib.sh
- Replaced inline python with: python3 "$(dirname "${BASH_SOURCE[0]}")/_extract_token.py"
- Removed redundant sys.exit(0) as part of the extraction
## Shellcheck-clean scripts (new CI job enforces)
- Removed dead captures: BEFORE_COUNT (test_activity_e2e.sh), ORIG_SKILLS,
REIMPORT_SKILLS (test_api.sh), QA_TOKEN (test_comprehensive_e2e.sh)
- Renamed unused loop vars `i`, `j` -> `_` in 4 sites
- Added `# shellcheck disable=SC2046` on the two intentional word-splits
in test_claude_code_e2e.sh (docker stop/rm of multiple container IDs)
- Removed a useless re-register of QA mid-script (was done in Section 2)
## CI (.github/workflows/ci.yml)
- Replaced `sudo apt-get install postgresql-client` + psql with a direct
`docker exec` into the existing postgres:16 service container. Saves
~10-20s per CI run.
- Added new `shellcheck` job that lints tests/e2e/*.sh on every PR.
Local: shellcheck --severity=warning returns 0 across all 5 scripts.
## Verification
- go test -race ./internal/handlers/... : pass
- mcp-server: 96/96 jest
- canvas: 357/357 vitest + clean build
- tests/e2e/test_api.sh: 62/62
- tests/e2e/test_comprehensive_e2e.sh: 67/67
- shellcheck tests/e2e/*.sh : clean
- CI YAML: valid
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Last sweep of code-review items before merging PR #5.
## _lib.sh cleanup
- Removed unused e2e_register and e2e_heartbeat helpers (dead code —
no caller ever invoked them)
- Standardized on $BASE variable set via : "${BASE:=...}" so every
script uses one name (was mixed $BASE / $e2e_base)
- e2e_extract_token now writes stderr warnings on JSON parse failure
or missing auth_token, instead of silently returning empty. Previous
behavior made downstream "missing workspace auth token" 401s much
harder to diagnose
## Script cleanup
- test_api.sh, test_comprehensive_e2e.sh, test_activity_e2e.sh all
drop the redundant `e2e_base + BASE="$e2e_base"` aliasing; sourcing
_lib.sh sets BASE via : "${BASE:=...}" default
## CI hardening (.github/workflows/ci.yml)
- Postgres credentials now match .env.example (dev:dev — was
molecule:molecule, caused confusion for local repros)
- Added Go module cache via actions/setup-go cache:true +
cache-dependency-path: platform/go.sum. ~30s cold-run improvement
- New pre-E2E step asserts migrations actually ran by checking for
the 'workspaces' table. Catches future migration-author mistakes
before they surface as obscure E2E failures
## Follow-up issue
Filed Molecule-AI/molecule-monorepo#6 for the deterministic token-
mint admin endpoint. PR #5 uses an empirical "beat the container"
race (5/5 wins in benchmarks); issue #6 tracks the real fix for
any future CI load that invalidates the assumption.
## Verification
- bash tests/e2e/test_api.sh -> 62/62
- bash tests/e2e/test_comprehensive_e2e.sh -> 67/67
- python3 -c "import yaml; yaml.safe_load(open('.github/workflows/ci.yml'))" -> ok
## Operational note
Hourly PR-triage + issue-pickup cron scheduled this session (job id
0328bc8f, fires at :17 past each hour). Runtime reports it as
session-only despite durable:true — re-invoke via /loop or
CronCreate in a fresh session if needed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Last sweep of code-review items before merging PR #5.
## _lib.sh cleanup
- Removed unused e2e_register and e2e_heartbeat helpers (dead code —
no caller ever invoked them)
- Standardized on $BASE variable set via : "${BASE:=...}" so every
script uses one name (was mixed $BASE / $e2e_base)
- e2e_extract_token now writes stderr warnings on JSON parse failure
or missing auth_token, instead of silently returning empty. Previous
behavior made downstream "missing workspace auth token" 401s much
harder to diagnose
## Script cleanup
- test_api.sh, test_comprehensive_e2e.sh, test_activity_e2e.sh all
drop the redundant `e2e_base + BASE="$e2e_base"` aliasing; sourcing
_lib.sh sets BASE via : "${BASE:=...}" default
## CI hardening (.github/workflows/ci.yml)
- Postgres credentials now match .env.example (dev:dev — was
molecule:molecule, caused confusion for local repros)
- Added Go module cache via actions/setup-go cache:true +
cache-dependency-path: platform/go.sum. ~30s cold-run improvement
- New pre-E2E step asserts migrations actually ran by checking for
the 'workspaces' table. Catches future migration-author mistakes
before they surface as obscure E2E failures
## Follow-up issue
Filed Molecule-AI/molecule-monorepo#6 for the deterministic token-
mint admin endpoint. PR #5 uses an empirical "beat the container"
race (5/5 wins in benchmarks); issue #6 tracks the real fix for
any future CI load that invalidates the assumption.
## Verification
- bash tests/e2e/test_api.sh -> 62/62
- bash tests/e2e/test_comprehensive_e2e.sh -> 67/67
- python3 -c "import yaml; yaml.safe_load(open('.github/workflows/ci.yml'))" -> ok
## Operational note
Hourly PR-triage + issue-pickup cron scheduled this session (job id
0328bc8f, fires at :17 past each hour). Runtime reports it as
session-only despite durable:true — re-invoke via /loop or
CronCreate in a fresh session if needed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Follow-up to the test_api.sh fix. Same Phase 30.1 + 30.6 staleness
existed in the other E2E scripts; same pattern applied.
## New tests/e2e/_lib.sh
Shared bash helpers so future scripts don't reimplement:
- e2e_extract_token — parse auth_token from register response
- e2e_register — register + echo token
- e2e_heartbeat — heartbeat with bearer auth
- e2e_cleanup_all_workspaces — pre-test state reset
## test_comprehensive_e2e.sh (14 fail -> 0 fail)
Root cause was deeper than test_api.sh: the script creates workspaces
at Section 2 but doesn't register them until Section 3. In between,
the platform provisioner spawns the Docker container, whose main.py
calls /registry/register first and claims the single-issue token.
The script's later register gets no auth_token back.
Fix: register each workspace immediately after POST /workspaces,
beating the container to the token. Empirically 5/5 wins in a tight
loop. PM/Dev/QA tokens captured at creation time; bearer auth threaded
through all heartbeat/update-card/discover/peers calls.
Removed the duplicate register calls in Section 3/4 that followed
(tokens already captured).
Result: 53/68 -> 67/67 (one duplicate check dropped).
## test_activity_e2e.sh
Same pattern applied on faith. Script still SKIPs cleanly when no
online agent is present; when an agent IS online, it now re-registers
it to mint a fresh bearer token and threads Authorization: Bearer on
the 3 heartbeat calls.
## test_api.sh refactor
Now sources _lib.sh and uses the shared helpers. No behavior change,
still 62/62.
## .github/workflows/ci.yml — new e2e-api job
Spins up Postgres 16 + Redis 7 as GitHub Actions services, builds the
platform binary, runs it in background with DATABASE_URL/REDIS_URL,
polls /health for 30s, then runs tests/e2e/test_api.sh. On failure
dumps platform.log for triage. 10-min job timeout.
This is the watchdog that would have caught Phase 30.1 auth drift
the day it landed. Picks test_api.sh not test_comprehensive_e2e.sh
because the latter depends on Docker-in-Docker for container
provisioning which is heavier than a PR gate should carry.
## Verification
- bash tests/e2e/test_api.sh -> 62/62
- bash tests/e2e/test_comprehensive_e2e.sh -> 67/67
- bash tests/e2e/test_activity_e2e.sh -> cleanly SKIPs (no agent)
- go build ./... -> clean
- .github/workflows/ci.yml -> valid YAML, new job added
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Follow-up to the test_api.sh fix. Same Phase 30.1 + 30.6 staleness
existed in the other E2E scripts; same pattern applied.
## New tests/e2e/_lib.sh
Shared bash helpers so future scripts don't reimplement:
- e2e_extract_token — parse auth_token from register response
- e2e_register — register + echo token
- e2e_heartbeat — heartbeat with bearer auth
- e2e_cleanup_all_workspaces — pre-test state reset
## test_comprehensive_e2e.sh (14 fail -> 0 fail)
Root cause was deeper than test_api.sh: the script creates workspaces
at Section 2 but doesn't register them until Section 3. In between,
the platform provisioner spawns the Docker container, whose main.py
calls /registry/register first and claims the single-issue token.
The script's later register gets no auth_token back.
Fix: register each workspace immediately after POST /workspaces,
beating the container to the token. Empirically 5/5 wins in a tight
loop. PM/Dev/QA tokens captured at creation time; bearer auth threaded
through all heartbeat/update-card/discover/peers calls.
Removed the duplicate register calls in Section 3/4 that followed
(tokens already captured).
Result: 53/68 -> 67/67 (one duplicate check dropped).
## test_activity_e2e.sh
Same pattern applied on faith. Script still SKIPs cleanly when no
online agent is present; when an agent IS online, it now re-registers
it to mint a fresh bearer token and threads Authorization: Bearer on
the 3 heartbeat calls.
## test_api.sh refactor
Now sources _lib.sh and uses the shared helpers. No behavior change,
still 62/62.
## .github/workflows/ci.yml — new e2e-api job
Spins up Postgres 16 + Redis 7 as GitHub Actions services, builds the
platform binary, runs it in background with DATABASE_URL/REDIS_URL,
polls /health for 30s, then runs tests/e2e/test_api.sh. On failure
dumps platform.log for triage. 10-min job timeout.
This is the watchdog that would have caught Phase 30.1 auth drift
the day it landed. Picks test_api.sh not test_comprehensive_e2e.sh
because the latter depends on Docker-in-Docker for container
provisioning which is heavier than a PR gate should carry.
## Verification
- bash tests/e2e/test_api.sh -> 62/62
- bash tests/e2e/test_comprehensive_e2e.sh -> 67/67
- bash tests/e2e/test_activity_e2e.sh -> cleanly SKIPs (no agent)
- go build ./... -> clean
- .github/workflows/ci.yml -> valid YAML, new job added
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The script was stuck on pre-auth API expectations and hadn't been
updated when /registry heartbeat and /registry/discover tightened:
- Phase 30.1 (/registry/heartbeat, /registry/update-card): require
Authorization: Bearer <token>. The token is returned in the register
response as auth_token.
- Phase 30.6 (/registry/discover/:id, /registry/:id/peers): require
X-Workspace-ID caller identity + bearer token on the caller.
Changes:
- Capture ECHO_TOKEN and SUM_TOKEN from /registry/register responses
- Thread Authorization: Bearer on every heartbeat + update-card call
- Assert the new 400 "X-Workspace-ID header is required" rejection for
the no-caller discover path (previously asserted old success shape)
- Add bearer auth to sibling discover + /peers calls
- Pre-test cleanup: delete all workspaces at script start so count
assertions are reproducible across back-to-back runs
Result: 62 passed, 0 failed (was 46/62).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The script was stuck on pre-auth API expectations and hadn't been
updated when /registry heartbeat and /registry/discover tightened:
- Phase 30.1 (/registry/heartbeat, /registry/update-card): require
Authorization: Bearer <token>. The token is returned in the register
response as auth_token.
- Phase 30.6 (/registry/discover/:id, /registry/:id/peers): require
X-Workspace-ID caller identity + bearer token on the caller.
Changes:
- Capture ECHO_TOKEN and SUM_TOKEN from /registry/register responses
- Thread Authorization: Bearer on every heartbeat + update-card call
- Assert the new 400 "X-Workspace-ID header is required" rejection for
the no-caller discover path (previously asserted old success shape)
- Add bearer auth to sibling discover + /peers calls
- Pre-test cleanup: delete all workspaces at script start so count
assertions are reproducible across back-to-back runs
Result: 62 passed, 0 failed (was 46/62).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Follow-up to the quality-fixes-pass2 code review.
## Go: direct unit tests for PR #5 extracted helpers (~47 new tests)
a2a_proxy_test.go:
- resolveAgentURL: cache hit, cache-miss DB hit, not-found, null-URL,
docker-rewrite guard
- dispatchA2A: build error, canvas timeout, agent timeout, success
- handleA2ADispatchError: context deadline, generic error, build error
- maybeMarkContainerDead: nil-provisioner, runtime=external short-circuits
- logA2AFailure, logA2ASuccess: activity_logs row content + status
delegation_test.go:
- bindDelegateRequest: valid / malformed / bad-UUID
- lookupIdempotentDelegation: no-key / no-match / failed-row-deleted / existing-pending
- insertDelegationRow: insertOK / insertHandledByIdempotent /
insertTrackingUnavailable
- insertDelegationOutcome: zero-value is insertOutcomeUnknown sentinel
discovery_test.go:
- discoverWorkspacePeer: online / not-found / access-denied + 2 edges
- writeExternalWorkspaceURL: 3 cases
- discoverHostPeer: smoke test documents the unreachable-by-design path
activity_test.go:
- parseSessionSearchParams: defaults + custom limit/offset/q
- buildSessionSearchQuery: no-filters + with-query shapes
- scanSessionSearchRows: empty / single / multiple rows
Package coverage: 56.1% → 57.6%. Every helper extracted in PR #5 is
now at or near 100% line coverage (see PR notes for the 4 remaining
gaps, all blocked on provisioner interface mockability).
## Defensive enum zero-value fix
insertDelegationOutcome now starts with insertOutcomeUnknown=0 as a
sentinel so an un-initialized variable can't silently read as
"success". insertOK, insertHandledByIdempotent, insertTrackingUnavailable
shift to 1/2/3. No caller changes needed.
## Canvas: ConfirmDialog.singleButton test (5 cases)
canvas/src/components/__tests__/ConfirmDialog.test.tsx covers:
- default render (both buttons)
- singleButton hides Cancel
- singleButton: Escape still fires onCancel
- singleButton: backdrop-click still fires onCancel
- singleButton: onConfirm fires on click
vitest total: 352 → 357, all passing.
## Docstring clarity
ConfirmDialog.tsx: expanded singleButton prop comment to explicitly
instruct callers to pass the same handler for onConfirm/onCancel when
using it as an info toast (matches TemplatePalette usage).
## ErrorBoundary clipboard observability
.catch(() => {}) silently swallowed rejections. Now:
.catch((e) => console.warn("clipboard write failed:", e))
so permission-denied / insecure-context failures surface in the console.
## Verification
- go build ./... clean
- go vet ./... clean
- go test -race ./internal/... — all pass
- canvas npm run build — clean
- canvas npm test -- --run — 357/357 pass
- tests/e2e/test_api.sh — 46/62 pass; all 16 failures are pre-existing
(token-auth enforcement + stale test workspaces + missing Docker
network). None involve handlers touched in PR #5.
- Manual: platform + canvas running locally, title=Molecule AI,
/workspaces returns [], /health returns ok. Identified + killed a
stale Next.js server from the old Starfire-AgentTeam repo that was
serving the old brand on IPv4 port 3000.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Follow-up to the quality-fixes-pass2 code review.
## Go: direct unit tests for PR #5 extracted helpers (~47 new tests)
a2a_proxy_test.go:
- resolveAgentURL: cache hit, cache-miss DB hit, not-found, null-URL,
docker-rewrite guard
- dispatchA2A: build error, canvas timeout, agent timeout, success
- handleA2ADispatchError: context deadline, generic error, build error
- maybeMarkContainerDead: nil-provisioner, runtime=external short-circuits
- logA2AFailure, logA2ASuccess: activity_logs row content + status
delegation_test.go:
- bindDelegateRequest: valid / malformed / bad-UUID
- lookupIdempotentDelegation: no-key / no-match / failed-row-deleted / existing-pending
- insertDelegationRow: insertOK / insertHandledByIdempotent /
insertTrackingUnavailable
- insertDelegationOutcome: zero-value is insertOutcomeUnknown sentinel
discovery_test.go:
- discoverWorkspacePeer: online / not-found / access-denied + 2 edges
- writeExternalWorkspaceURL: 3 cases
- discoverHostPeer: smoke test documents the unreachable-by-design path
activity_test.go:
- parseSessionSearchParams: defaults + custom limit/offset/q
- buildSessionSearchQuery: no-filters + with-query shapes
- scanSessionSearchRows: empty / single / multiple rows
Package coverage: 56.1% → 57.6%. Every helper extracted in PR #5 is
now at or near 100% line coverage (see PR notes for the 4 remaining
gaps, all blocked on provisioner interface mockability).
## Defensive enum zero-value fix
insertDelegationOutcome now starts with insertOutcomeUnknown=0 as a
sentinel so an un-initialized variable can't silently read as
"success". insertOK, insertHandledByIdempotent, insertTrackingUnavailable
shift to 1/2/3. No caller changes needed.
## Canvas: ConfirmDialog.singleButton test (5 cases)
canvas/src/components/__tests__/ConfirmDialog.test.tsx covers:
- default render (both buttons)
- singleButton hides Cancel
- singleButton: Escape still fires onCancel
- singleButton: backdrop-click still fires onCancel
- singleButton: onConfirm fires on click
vitest total: 352 → 357, all passing.
## Docstring clarity
ConfirmDialog.tsx: expanded singleButton prop comment to explicitly
instruct callers to pass the same handler for onConfirm/onCancel when
using it as an info toast (matches TemplatePalette usage).
## ErrorBoundary clipboard observability
.catch(() => {}) silently swallowed rejections. Now:
.catch((e) => console.warn("clipboard write failed:", e))
so permission-denied / insecure-context failures surface in the console.
## Verification
- go build ./... clean
- go vet ./... clean
- go test -race ./internal/... — all pass
- canvas npm run build — clean
- canvas npm test -- --run — 357/357 pass
- tests/e2e/test_api.sh — 46/62 pass; all 16 failures are pre-existing
(token-auth enforcement + stale test workspaces + missing Docker
network). None involve handlers touched in PR #5.
- Manual: platform + canvas running locally, title=Molecule AI,
/workspaces returns [], /health returns ok. Identified + killed a
stale Next.js server from the old Starfire-AgentTeam repo that was
serving the old brand on IPv4 port 3000.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
