fix(dockerfile,ci): fail-closed claude install + hard-gate T4 aggregate (#75 #76) #78

Open
core-be wants to merge 1 commits from fix/75-76-claude-install-t4-gate into main
Member

Supersedes #77.

#75 — Dockerfile:

  • Removes `2>/dev/null || true` masking from the `npm install -g @anthropic-ai/claude-code` RUN so install failures fail the image build.
  • Adds `command -v claude` PATH assertion to catch prefix misconfigs.

#76 — CI:

  • Removes the `skipped` acceptance for `t4-conformance` in the validate aggregate. The job has no job-level skip guards; `skipped` only arises from dependency failure (already caught). Accepting it let a silently-skipped hard gate pass the aggregate.

Closes #75
Closes #76
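
A lint check for the masking pattern described above, as an added example that is not part of this PR or the repository: it joins backslash-continued lines and flags any `RUN` whose install command ends in `|| true`, generalized beyond `npm` to a few other package managers. The function names, the `FROM node:20` base image and both sample Dockerfiles are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR. Sample Dockerfile text is constructed.

# find_masked_installs [FILE]: prints "LINE: instruction" for every RUN whose
# package install is followed by "|| true" (or "|| :"). Reads stdin when no
# FILE is given. Returns 1 if anything was flagged, so it can gate a CI step.
find_masked_installs() {
  awk '
    {
      if (buf == "") start = NR            # first line of this instruction
      line = $0
      cont = sub(/\\[ \t]*$/, "", line)    # strip a trailing continuation
      buf = buf line
      if (cont) next                       # keep joining until it ends
      if (buf ~ /^[ \t]*RUN[ \t]/ &&
          buf ~ /(npm|pip|apt-get|apk)[^;&|]*[|][|][ \t]*(true|:)/) {
        print start ": " buf
        found = 1
      }
      buf = ""
    }
    END { exit found ? 1 : 0 }
  ' "${1:--}"
}

# Constructed sample: the fail-open form, install errors hidden and ignored.
sample_masked() {
  printf '%s\n' 'FROM node:20' \
    'RUN npm install -g @anthropic-ai/claude-code 2>/dev/null \' \
    '    || true'
}

# Constructed sample: the fail-closed form, with the PATH assertion.
sample_fail_closed() {
  printf '%s\n' 'FROM node:20' \
    'RUN npm install -g @anthropic-ai/claude-code \' \
    '    && command -v claude'
}

# Demo: the masked sample is flagged at line 2, the fail-closed one is clean.
sample_masked | find_masked_installs || echo "masked install found"
sample_fail_closed | find_masked_installs && echo "fail-closed sample is clean"
```
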

core-be added 1 commit 2026-06-03 03:46:02 +00:00
fix(dockerfile,ci): fail-closed claude install + hard-gate T4 aggregate + validate.needs (#75 #76 #51)
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 3s
verify-providers-projection / Regenerate projection, fail on drift, assert registry ⊆ template (pull_request) Failing after 1m57s
CI / Template validation (static) (push) Successful in 4s
CI / Adapter unit tests (push) Successful in 6s
CI / Template validation (static) (pull_request) Successful in 6s
CI / Adapter unit tests (pull_request) Successful in 7s
CI / T4 tier-4 conformance (live) (pull_request) Successful in 1m54s
CI / Template validation (runtime) (push) Successful in 4m5s
CI / Template validation (runtime) (pull_request) Successful in 4m0s
CI / validate (pull_request) Successful in 1s
CI / T4 tier-4 conformance (live) (push) Successful in 4m7s
CI / validate (push) Successful in 1s
291655b142
Dockerfile (#75):
- Remove `2>/dev/null || true` masking from `npm install -g @anthropic-ai/claude-code`
  so install failures fail the image build instead of silently producing a
  green image without the primary runtime engine.
- Add `command -v claude` PATH assertion to catch prefix misconfigs.

CI aggregate (#76):
- Remove the `skipped` acceptance for t4-conformance in the validate
  aggregate. The t4-conformance job has no job-level skip guards, so
  `skipped` only arises from dependency failure (already caught above).
  Accepting it let a silently-skipped hard gate pass the aggregate.

CI validate.needs (#51):
- Add `tests` to the validate job `needs:` so adapter pytest failures
  fail the required aggregate instead of being downstream-orphaned.
- Surface `needs.tests.result` in the aggregate step with the same
  success-or-skipped check pattern as runtime validation.

Supersedes #77.
Closes #75
Closes #76
Closes #51

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
core-be force-pushed fix/75-76-claude-install-t4-gate from 9e58c27419 to 291655b142 2026-06-03 03:46:02 +00:00 Compare
agent-reviewer requested changes 2026-06-11 11:55:17 +00:00
agent-reviewer left a comment
Member

REQUEST_CHANGES — CR3 5-axis review on head 291655b142.

Correctness/robustness blocker: the validate aggregate now includes `tests` in `needs`, but the check still accepts `tests=skipped` as success. That contradicts the new comment and intent that adapter unit tests are required, and it preserves a bypass class where a silently skipped tests job lets `CI / validate` pass. This PR correctly makes T4 fail-closed by rejecting skipped; the adapter test leg needs the same fail-closed treatment unless there is a documented, intentional skip mode.

CI is also not fully green on the current head: combined status is failure due to `verify-providers-projection / Regenerate projection, fail on drift, assert registry ⊆ template` failing. I did not find a secrets or performance issue, and the Dockerfile fail-closed CLI install itself is directionally sound, but the aggregate skip acceptance needs fixing before approval.
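
A fail-closed aggregate of the kind this review asks for, as an added example that is not the repository's workflow step: upstream results arrive as `job=result` pairs and `skipped` passes only for jobs on an explicit allow-list. The `runtime-validation` job id, the `SKIP_ALLOWED` list and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the repository's workflow step.
# Assumed names: runtime-validation (job id), SKIP_ALLOWED (allow-list).

# Only jobs with a documented, intentional skip mode belong here.
SKIP_ALLOWED="runtime-validation"

# is_skip_allowed JOB: succeeds only if JOB is on the allow-list.
is_skip_allowed() {
  for allowed in $SKIP_ALLOWED; do
    [ "$allowed" = "$1" ] && return 0
  done
  return 1
}

# aggregate_gate job=result ...: returns 0 only if every job is acceptable.
aggregate_gate() {
  # No inputs means the gate checked nothing, so it must not pass.
  [ "$#" -gt 0 ] || { echo "FAIL: no job results supplied" >&2; return 1; }
  rc=0
  for pair in "$@"; do
    case "$pair" in
      *=*) job=${pair%%=*}; result=${pair#*=} ;;
      *)   echo "FAIL: malformed input '$pair'" >&2; rc=1; continue ;;
    esac
    case "$result" in
      success) ;;
      skipped)
        if ! is_skip_allowed "$job"; then
          echo "FAIL: $job was skipped but is a hard gate" >&2
          rc=1
        fi ;;
      *)
        # failure, cancelled, empty or unrecognised values fail closed
        echo "FAIL: $job result is '$result'" >&2
        rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed run: tests skipped, everything else green. The gate blocks.
aggregate_gate t4-conformance=success tests=skipped \
  runtime-validation=success || echo "aggregate: blocked"
```
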


Reference: molecule-ai/molecule-ai-workspace-template-claude-code#78