infra-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
79c6f7f04c
molecule-core/docs/memory-plugins/CHANGELOG.md
claude-ceo-assistant 3501e6bfd7 fix(post-suspension): vanity import paths go.moleculesai.app/core/{platform,tests/harness/cp-stub} (closes molecule-ai/internal#71 phase 2) 
Migrates the two Go modules under molecule-core off the dead
github.com/Molecule-AI/molecule-monorepo/... identity onto the vanity
host go.moleculesai.app. Also fixes the historical naming
inconsistency where the Gitea repo is molecule-core but the Go module
path said molecule-monorepo.

Module changes:
- workspace-server/go.mod:
    github.com/Molecule-AI/molecule-monorepo/platform
    -> go.moleculesai.app/core/platform
- tests/harness/cp-stub/go.mod:
    github.com/Molecule-AI/molecule-monorepo/tests/harness/cp-stub
    -> go.moleculesai.app/core/tests/harness/cp-stub

Surfaces touched
- 174 *.go files (374 import lines) — every import under
  workspace-server/ + tests/harness/cp-stub/
- 2 Dockerfiles (workspace-server/Dockerfile + Dockerfile.tenant) —
  -ldflags strings updated in lockstep with the module rename so
  buildinfo.GitSHA injection still resolves correctly
- README + docs + scripts + comment URLs to git.moleculesai.app form
- NEW workspace-server/internal/lint/import_path_lint_test.go —
  structural lint gate rejecting future github.com/Molecule-AI/ or
  Molecule-AI/molecule-monorepo references. Identical template to the
  other migration PRs (plugin-gh-identity#3, molecule-cli#2,
  molecule-controlplane#32).

Cross-repo dep allowlist (documented in lint gate)
workspace-server requires molecule-ai-plugin-gh-identity, whose own
vanity migration is PR molecule-ai-plugin-gh-identity#3. Until that PR
merges + a tag is cut at go.moleculesai.app/plugin/gh-identity, the
two locations referencing the legacy github.com path
(workspace-server/go.mod require, cmd/server/main.go import) remain
allowlisted. Follow-up PR drops the allowlist + updates both refs in
one shot once gh-identity is fully migrated.

Test plan
- go build ./... clean for both modules
- go test ./... green except two pre-existing failures
  (TestStartSweeper_RecordsMetricsOnSuccess flaky-on-suite,
  TestLocalResolver_BubblesUpCopyFailure relies on read-only fs perms
  but runs as root on operator host) — both reproduce identically on
  baseline main pre-migration; NOT regressions of this PR
- Mutation-tested: lint gate fails on canaries in .go + .md;
  allowlist correctly suppresses cross-repo dep references in go.mod
  while still flagging unrelated additions

Open dependency
- go.moleculesai.app responder must be deployed before fresh-clone
  external builds resolve the vanity path. Existing CI / Docker builds
  ride pinned go.sum + self-referential module path + responder is
  not on critical path for those.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 22:37:42 +00:00

4.6 KiB
Raw Blame History

Memory Plugin Contract — Changelog

Every breaking or operationally-relevant change to the v1 plugin contract or the workspace-server-side wiring lands here. Plugin authors should subscribe to PRs touching this file.

[Unreleased] — fixup wave 1 (post-RFC-#2728 self-review)

A self-review of the initial 11-PR rollout (PRs #2729-#2742) flagged two correctness bugs and three operational hazards. This wave fixes all of them. Order matches operator-impact severity.

Critical: backfill idempotency via MemoryWrite.id (#2744)

The bug. The backfill CLI claimed idempotent on re-run, but gen_random_uuid() in the plugin's INSERT meant every retry created a fresh row. Operators retrying a failed -apply would silently double their memory count.

The fix. Optional id field on MemoryWrite. When supplied, plugins MUST upsert. The backfill now forwards agent_memories.id to MemoryWrite.id, so retries update in place.

Plugin author action. If your plugin uses INSERT INTO ... DEFAULT gen_random_uuid(), switch to INSERT ... ON CONFLICT (id) DO UPDATE when id is set. The wire contract is forward-compatible — plugins that ignore the field still work for production agent commits (which leave id empty), but they will silently corrupt backfill retries.

Critical: memory-backfill -verify mode (#2747)

The miss. The original PR-7 task spec called for a parity-check mode but it never landed. Operators had no way to confirm a migration succeeded short of "no errors logged."

The fix. New -verify flag samples N workspaces, queries agent_memories direct, runs an equivalent plugin search via the namespace resolver, multiset-compares contents. Reports mismatches to stdout and exits non-zero so CI can gate the cutover.

memory-backfill -verify                        # default sample 50
memory-backfill -verify -verify-sample=200     # bigger
memory-backfill -verify -workspace=<uuid>      # one workspace

Important: expires_at validation (#2746)

The bug. commit_memory_v2 silently dropped malformed expires_at strings. Agent passes expires_at: "tomorrow", gets a 200, memory has no TTL — agent thinks it set a TTL, didn't.

The fix. Returns fmt.Errorf("invalid expires_at: must be RFC3339") on parse failure. Plugin is not called in this case.

Plugin author action. None — this is a workspace-server-side fix. But: if your plugin advertises the ttl capability, make sure you actually evict expired rows on read (not just on a janitor cron that runs once a day). The harness in testing-your-plugin.md has a TTL-eviction test you should run.

Important: audit log JSON via json.Marshal (#2746)

The bug. auditOrgWrite built activity_logs.metadata via fmt.Sprintf with %q. For ASCII (today's UUID + hex digest) this coincidentally produces valid JSON; for unicode or control bytes it silently produces non-JSON.

The fix. Replaced with json.Marshal(map[string]string{...}). Same wire shape today, won't regress when metadata grows.

Plugin author action. None — workspace-server-internal.

Operator action: staging verification (#292)

Status. Tracked as task #292. PR-merged ≠ verified. Operator must:

  1. Provision a staging tenant, set MEMORY_PLUGIN_URL
  2. Run real commit_memory_v2 from a workspace
  3. memory-backfill -dry-run against staging data
  4. memory-backfill -apply, then -verify
  5. Set MEMORY_V2_CUTOVER=true, verify admin export still works
  6. Run a legacy commit_memory from a workspace, verify it lands in plugin storage via the PR-6 shim

Other follow-ups still open

  • #289: admin export O(workspaces) → O(namespaces) — N+1 pattern in exportViaPlugin (1000-workspace tenants run 1000× resolver CTEs + 1000× plugin searches today).
  • #291: workspace deletion must call DELETE /v1/namespaces/{name} — orphans accumulate today.
  • #293: real-subprocess boot E2E — current PR-11 is integration (httptest + sqlmock), not E2E.

These are tracked but deferred; they're operationally annoying, not incident-shaped.

[v1.0.0] — initial release (RFC #2728, PRs #2729-#2742)

Initial plugin contract + 11-PR rollout. See issue #2728 for the full RFC.

Endpoints: /v1/health, /v1/namespaces/{name} (PUT/PATCH/DELETE), /v1/namespaces/{name}/memories (POST), /v1/search (POST), /v1/memories/{id} (DELETE).

Capabilities: embedding, fts, ttl, pin, propagation.

Operator runbook: see README.md § Replacing the built-in plugin.