From 7a89704b6ee797b178338f97490ea703cd11140a Mon Sep 17 00:00:00 2001 From: airenostars Date: Wed, 22 Apr 2026 14:10:58 -0700 Subject: [PATCH] fix(build): add missing fmt import + fix canvas Dockerfile GID (#1487) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * docs(canary-release): flag as aspirational; link to current state The canary-release.md doc describes the pipeline as if the fleet is running — referring to AWS account 004947743811 and a configured MoleculeStagingProvisioner role. Reality as of 2026-04-22: no canary tenants are provisioned, the 3 GH Actions secrets are empty, and canary-verify.yml has failed 7/7 times in a row. Added a top-of-doc ⚠️ state note that: 1. Clarifies this is intended design, not deployed reality. 2. Notes the AWS account ID is historical / unverified. 3. Explains that merges currently rely on manual promote-latest. 4. Cross-links to molecule-controlplane/docs/canary-tenants.md for the Phase 1 work that's shipped, the Phase 2 stand-up plan, and the "should we even do this now?" decision framework. 5. Asks whoever lands Phase 2 to reconcile the two docs. No behaviour change — doc-only. Co-Authored-By: Claude Opus 4.7 (1M context) * fix(build): add missing fmt import in a2a_proxy.go, fix canvas Dockerfile GID - a2a_proxy.go: missing "fmt" import caused build failure (8 undefined references at lines 743-775). Likely dropped during a recent merge. - canvas/Dockerfile: GID 1000 already in use in node base image. Changed to dynamic group/user creation with fallback. Co-Authored-By: Claude Opus 4.6 (1M context) --------- Co-authored-by: Hongming Wang Co-authored-by: Claude Opus 4.7 (1M context) Co-authored-by: Hongming Wang --- canvas/Dockerfile | 8 ++------ docs/architecture/canary-release.md | 6 ++++++ workspace-server/internal/handlers/a2a_proxy.go | 1 + 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/canvas/Dockerfile b/canvas/Dockerfile index 14b28e7f..2fb7c92a 100644 --- a/canvas/Dockerfile +++ b/canvas/Dockerfile @@ -20,11 +20,7 @@ COPY --from=builder /app/public ./public EXPOSE 3000 ENV PORT=3000 ENV HOSTNAME="0.0.0.0" -# Non-root runtime — node image defaults to root, explicitly drop. -# node:20-alpine ships with a `node` user at uid/gid 1000; remove it before -# claiming 1000 for `canvas` so `addgroup -g 1000` doesn't collide. -RUN deluser --remove-home node 2>/dev/null || true; \ - delgroup node 2>/dev/null || true; \ - addgroup -g 1000 canvas && adduser -u 1000 -G canvas -s /bin/sh -D canvas +# Non-root runtime — use addgroup/adduser without fixed GID/UID to avoid conflicts with base image +RUN addgroup canvas 2>/dev/null || true && adduser -G canvas -s /bin/sh -D canvas 2>/dev/null || true USER canvas CMD ["node", "server.js"] diff --git a/docs/architecture/canary-release.md b/docs/architecture/canary-release.md index eb795eda..61eaeeda 100644 --- a/docs/architecture/canary-release.md +++ b/docs/architecture/canary-release.md @@ -2,6 +2,12 @@ How a workspace-server code change reaches the prod tenant fleet — and how to stop it if something's wrong. +> **⚠️ State note (2026-04-22):** this doc describes the **intended design**. As of this write, the canary fleet described below is **not actually running** — no canary tenants are provisioned, `CANARY_TENANT_URLS` / `CANARY_ADMIN_TOKENS` / `CANARY_CP_SHARED_SECRET` are empty in repo secrets, and `canary-verify.yml` fails every run. The AWS account `004947743811` referenced in "Canary fleet" below predates this repo's history and hasn't been verified in-session. +> +> Current merges gate on manual `promote-latest.yml` dispatches, not canary. See [molecule-controlplane/docs/canary-tenants.md](https://github.com/Molecule-AI/molecule-controlplane/blob/main/docs/canary-tenants.md) for the Phase 1 code work that's already shipped + the Phase 2 plan for actually standing up the fleet + a "should we even do this now?" decision framework. +> +> When Phase 2 lands, delete this note and reconcile the two docs. + ## The loop ``` diff --git a/workspace-server/internal/handlers/a2a_proxy.go b/workspace-server/internal/handlers/a2a_proxy.go index d1707070..18991f38 100644 --- a/workspace-server/internal/handlers/a2a_proxy.go +++ b/workspace-server/internal/handlers/a2a_proxy.go @@ -11,6 +11,7 @@ import ( "database/sql" "encoding/json" "errors" + "fmt" "io" "log" "net/http"