5182 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Molecule AI Core Platform Lead	0a29c0a9e5	Merge remote-tracking branch 'origin/main' into fix/vitest-pool	2026-05-09 20:57:16 +00:00
Molecule AI Core Platform Lead	205ee9645c	trigger: re-run sop-tier-check after core-lead approval	2026-05-09 20:55:19 +00:00
claude-ceo-assistant	fa7e4101d7	fix(canvas): show task text in Agent Comms for MCP delegate_task calls (#163) ... Closes #158. [FORCE-MERGE AUDIT — §SOP-7] - Approver: hongming via chat-go ("go") in conversation transcript ~21:00 UTC on 2026-05-09 - Bypassed: required status checks (all pending — runner pickup issue, separate from PR correctness) - Audit channel: orchestrator force-merge log + this commit message Fixes the one-sided Agent Comms rendering by writing activity_log rows for MCP delegate_task calls. PR authored by core-fe under per-persona Gitea identity (post #156 merge).	2026-05-09 20:54:53 +00:00
claude-ceo-assistant	c16c5c6183	infra(docker-compose): include infra services so docker compose up starts Temporal (#162) ... [FORCE-MERGE AUDIT — §SOP-7] - Approver: hongming via chat-go ("go") in conversation transcript ~21:00 UTC on 2026-05-09 - Bypassed: required status checks (all pending — runner pickup issue, separate from PR correctness) - Audit channel: orchestrator force-merge log + this commit message Part of overnight team shipping cycle. PR authored by team persona under per-persona Gitea identity (post #156 merge).	2026-05-09 20:54:36 +00:00
Molecule AI Core-DevOps	252f8d0c47	tech-debt: rename molecule-monorepo-net -> molecule-core-net ... Renames Docker network across all code, configs, scripts, and docs. Per issue #93: the network was named molecule-monorepo-net as a holdover from when the repo was called molecule-monorepo. The canonical repo name is now molecule-core, so the network should be molecule-core-net. Files changed: - docker-compose.yml, docker-compose.infra.yml: network definition - infra/scripts/setup.sh: docker network create - scripts/nuke-and-rebuild.sh: docker network rm - workspace-server/internal/provisioner/provisioner.go: DefaultNetwork - All comments/docs: updated wording Acceptance: grep -rn 'molecule-monorepo-net' returns zero matches. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-09 20:51:48 +00:00
Molecule AI Core-FE	e8f521011f	fix(mcp): write delegation activity row so canvas Agent Comms shows task text ... MCP delegate_task and delegate_task_async bypassed the delegation activity lifecycle entirely — no activity_log row was written for MCP-initiated delegations. As a result the canvas Agent Comms tab rendered outbound delegations as bare "Delegation dispatched" events with no task body. Fix: insert a delegation row (mirroring insertDelegationRow from delegation.go) before the A2A call so the canvas can show the task text. The sync tool updates status to 'dispatched' after the HTTP call; the async tool inserts with 'dispatched' directly (goroutine won't update). Closes #158. Closes #49 (partial — addresses the canvas-display gap; full lifecycle parity requires DelegationWriter extraction, tracked separately). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-09 20:44:06 +00:00
Molecule AI Core-DevOps	8cd52fc642	infra(docker-compose): include infra services so docker compose up starts Temporal ... Per issue #153: `docker compose up -d` (docker-compose.yml) did not start Temporal because it lived only in docker-compose.infra.yml. Users had to know to run `setup.sh` which explicitly uses `-f docker-compose.infra.yml`. Adding `include: - docker-compose.infra.yml` makes the full infra stack (starting with Temporal) start with the default `docker compose up` command. Both compose files define postgres/redis — the main file's definitions take precedence via compose merge semantics, so no service conflicts. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-09 20:41:37 +00:00
claude-ceo-assistant	6193f67bc0	fix(workspace): set git user.name/email from $GITEA_USER at boot (#156) ... Closes #155. [FORCE-MERGE AUDIT — §SOP-7] - Approver: hongming (Gitea PR review APPROVED 2026-05-09T20:27:01Z) - Chat-go: explicit go in conversation transcript ~20:39 UTC after Hongming clicked approve - Bypassed: required status checks (all pending forever — likely runner pickup issue, separate from this PR's correctness) - Audit channel: orchestrator force-merge log + this commit message Next: workspace runtime image rebuilds via publish-runtime.yml; new workspaces pick up persistent persona git identity.	2026-05-09 20:36:58 +00:00
Molecule AI Core-UIUX	2ef4f64b31	docs(design-system): add canvas architecture + known issues from Core-FE ... Added from Core-FE verified findings: - Canvas stack: @xyflow/react v12, Next.js 14, Tailwind v4, Zustand - Directory structure with verified file locations - Known issues: secrets-store.ts getGrouped() performance bug - Pre-commit hook verification needed - Tech debt items: any types, selector memoization, use client enforcement Updated canvas-audit-items.md with architecture section. Co-Authored-By: Core-FE <core-fe@moleculesai.app> Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-09 20:26:34 +00:00
Molecule AI Core-UIUX	d27b1e13de	docs(design-system): correct theme system — three modes, semantic tokens ... Major correction from Core-FE review: - Canvas has THREE themes: System/Light/Dark, not dark-only - Warm paper tones for light, zinc-adjacent dark for dark mode - ThemeProvider handles switching, persisted in mol_theme cookie - Use semantic tokens: bg-surface, bg-surface-card, border-line, text-ink - NEVER use raw zinc for surfaces — only for borders/disabled/code Updated: - Section 1: Three-mode theme palette with exact hex values - Section 4: Component patterns now use semantic tokens - Added Section 4.6: ThemeProvider + useTheme() usage - Section 7: Enforcement checklist now includes token rules Co-Authored-By: Core-FE <core-fe@moleculesai.app> Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-09 20:19:40 +00:00
Molecule AI Core-UIUX	efbe4035f3	docs(design-system): add verified canvas design system v1 ... Cross-reference the Core-FE draft against actual molecule-core/canvas/src/ codebase. Creates two new docs: - canvas-design-system-v1.md: Full design system with verified color palette, typography scale, animation tokens (from theme-tokens.css), component patterns, WCAG 2.1 AA checklist. Marks all items as VERIFIED with source file citations. - canvas-audit-items.md: Updated architecture brain dump with verified findings on React Flow canvas accessibility. Flags remaining gaps (screen reader announcements, keyboard shortcuts help, keyboard drag). Key verified discrepancies from draft: - Font: system-ui stack (not Inter/Geist) - Tooltip: uses aria-describedby + role=tooltip (not group-hover CSS) - Animation tokens: already defined in theme-tokens.css - ContextMenu: has full keyboard nav (arrow keys, wrap-around) Co-Authored-By: Core-FE <core-fe@moleculesai.app> Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-09 20:08:16 +00:00
orchestrator	a4fc04189c	fix(workspace): set git user.name/email from $GITEA_USER at boot ... Closes #155. Without this, every commit from a workspace booted via the standard provisioner lands with an empty `user.name`/`user.email` and Gitea attributes the work to whichever PAT pushed (typically the founder's `claude-ceo-assistant`), instead of the persona that actually authored the commit. That's the same fingerprint pattern that got us suspended on GitHub 2026-05-06. GITEA_USER is already injected per-workspace by the provisioner from workspace_secrets (verified: 8/8 Core-* workspaces have it set, correctly-named, on operator + local). Boot picks it up unconditionally; falls through cleanly if unset (e.g. legacy boxes without persona identity wiring). Email uses `bot.moleculesai.app` so agent commits are visually distinct from human-authored commits in Gitea history. The `gitconfig` copy from `/root/.gitconfig` to `/home/agent/.gitconfig` is now unconditional — previously it was nested inside the `molecule-git-token-helper.sh` block, which meant the per-persona identity wouldn't propagate to the agent user when the helper was unavailable. Also added an inline note that the github.com credential-helper block is post-suspension legacy. Full removal tracked under #171; this PR deliberately doesn't touch it (smaller blast radius). Tested: docker exec sets the same config in 8 running Core-* workspaces locally and they pick up correct identity for `git config -l`. Will reset when those containers restart, hence this PR for the persistent fix.	2026-05-09 12:52:17 -07:00
Molecule AI · dev-lead	c0abbe33ef	Merge pull request 'ci(audit-force-merge): fan §SOP-6 force-merge audit to molecule-core' (#150) from fan/audit-force-merge into main	2026-05-09 03:13:26 +00:00
claude-ceo-assistant (Claude Opus 4.7 on Hongming's MacBook)	323bbb4ec2	ci(secret-scan): port from .github/ to .gitea/ — fix unsatisfiable required check ... molecule-core/main branch protection requires the status-check context 'Secret scan / Scan diff for credential-shaped strings (pull_request)' but the workflow lived only in .github/workflows/, which Gitea Actions doesn't see — every PR's required-status-checks rollup left the context in 'expected' / never-fires state, blocking merge. Port to .gitea/workflows/secret-scan.yml. Drops: - merge_group event (Gitea has no merge queue) - workflow_call (no cross-repo reusable invocation on Gitea) SELF exclude lists both .github/ and .gitea/ paths so a future sync between them stays clean. Job + step names match the GitHub workflow so the produced status-check context name matches branch protection unchanged. Same regex set as the runtime's pre-commit hook (molecule-ai-workspace-runtime: molecule_runtime/scripts/pre-commit-checks.sh). This unblocks PR #150 (audit-force-merge fan-out) and every future PR on molecule-core/main.	2026-05-08 20:13:06 -07:00
claude-ceo-assistant (Claude Opus 4.7 on Hongming's MacBook)	0529bc246a	trigger: re-run sop-tier-check after dev-lead approval	2026-05-08 20:10:26 -07:00
claude-ceo-assistant (Claude Opus 4.7 on Hongming's MacBook)	6818f01447	ci(audit-force-merge): fan §SOP-6 force-merge audit to molecule-core ... Mirrors the canonical workflow shipped on internal#120 + #122. Same shape: pull_request_target on closed, base.sha checkout, structured JSON event to runner stdout that Vector ships to Loki on molecule-canonical-obs. REQUIRED_CHECKS env declares both molecule-core/main protected contexts (sop-tier-check + Secret scan). Mirror against branch protection if either is added/removed. Verified end-to-end on internal: synthetic force-merge of internal#123 emitted incident.force_merge with all expected fields, indexable in Loki via {host="molecule-canonical-1"} |= "incident.force_merge". Tier: low (CI workflow, no platform code path).	2026-05-08 20:09:35 -07:00
claude-ceo-assistant	d25e5c0f43	Merge pull request 'fix(canvas): boot-time matched-pair guard for ADMIN_TOKEN env vars (#175)' (#53) from fix/175-env-matched-pair-guard into main ... force-merge: secret-scan path filter + claude-ceo-asst Owner override per §SOP-6.	2026-05-09 02:24:20 +00:00
claude-ceo-assistant	04157f6896	trigger: re-fire sop-tier-check after tier:medium re-label	2026-05-08 19:22:39 -07:00
Hongming Wang	a6477d2b0c	fix(canvas): boot-time matched-pair guard for ADMIN_TOKEN env vars (#175) ... Closes the post-PR-#174 self-review gap: the matched-pair contract between ADMIN_TOKEN (server-side bearer gate) and NEXT_PUBLIC_ADMIN_TOKEN (canvas client-side bearer attach) was descriptive only, living in a .env file comment. Future agents/devs could re-misconfigure with one of the two unset and silently 401 — every workspace API call refused with no actionable diagnostic. Adds checkAdminTokenPair() to canvas/next.config.ts, run after loadMonorepoEnv() so it sees the post-load state. Two distinct warnings (server-set/client-unset and the inverse) so an operator can tell which half is missing without grep'ing. Empty string is treated as unset so KEY= and unset KEY produce the same verdict. Warn-only, not exit — production canvas Docker images bake these vars at image-build time and a hard exit would turn a recoverable auth issue into a crashloop. The console.error fires in `next dev`, the standalone server's stdout, and the canvas Docker container logs — the three places an operator looks when "everything 401s." Tests pin exact stderr strings (per feedback_assert_exact_not_substring) across 6 cases: both unset, both set, ADMIN_TOKEN-only, NEXT_PUBLIC-only, empty-string-as-unset, and the empty-string-asymmetric mismatch. Mutation-tested: flipping the if-condition from === to !== fails all 6. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 19:22:39 -07:00
Molecule AI Fullstack Engineer	9456d1c5fd	fix(canvas): cap maxWorkers:1 to prevent jsdom pool worker startup timeouts ... The forks pool's implicit maxWorkers=1 (2-CPU runner) was insufficient to prevent concurrent jsdom worker cold-starts. Each jsdom worker allocates ~30-50 MB RSS at boot; multiple workers starting simultaneously exhaust available memory, causing 5 test files to fail with: [vitest-pool]: Failed to start forks worker for test files ... [vitest-pool-runner]: Timeout waiting for worker to respond Individual jsdom test files take 12-15 s in isolation and pass cleanly. Failures only occur when 51 files are run together through the pool. Fix: explicitly set maxWorkers:1 so a single worker processes all files sequentially, eliminating concurrent jsdom bootstrap memory pressure. With this change, all 51 files pass (was 46 pass + 5 fail), and suite duration improves from ~5070 s to ~1117 s because workers no longer compete for resources during startup. Ref: issue #148 Ref: vitest-pool investigation for issue #22 (canvas side) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-09 02:02:10 +00:00
claude-ceo-assistant	b671019364	Merge pull request 'refactor(sop-tier-check): extract bash to .gitea/scripts/ + SOP_DEBUG gate' (#147) from refactor/sop-tier-check-extract-script into main ... force-merge: workflow-only PR; secret-scan did not fire (path filter). sop-tier-check passing.	2026-05-09 01:52:55 +00:00
claude-ceo-assistant	dee733cf97	refactor(sop-tier-check): fan extract+SOP_DEBUG from internal#119 ... Mirrors the canonical refactor: workflow YAML shrinks (env+invocation), logic moves to .gitea/scripts/sop-tier-check.sh, debug echoes gated on SOP_DEBUG, checkout@v6 pinned to base.sha. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 18:52:27 -07:00
claude-ceo-assistant	a2970db8ed	Merge pull request 'fix(sop-tier-check): use pull_request_target — pull_request leaks SOP_TIER_CHECK_TOKEN' (#146) from fix/sop-tier-check-pr-target-security into main ... force-merge: bootstrapping gap (workflow trigger swap leaves first PR uncovered) + critical security fix per §SOP-6 Owner override. Fans internal#116 to molecule-core.	2026-05-09 01:48:57 +00:00
claude-ceo-assistant	5fe335ffae	fix(sop-tier-check): use pull_request_target — pull_request leaks token ... Fans the security fix from internal#116 (cce89067) to molecule-core. Same rationale: pull_request loads workflow from PR HEAD, allowing any write-access contributor to rewrite the workflow file in their PR and exfiltrate SOP_TIER_CHECK_TOKEN. pull_request_target loads from base (main), neutralising the attack. Verified post-merge on internal: synthetic PR rewriting the workflow to print the token did NOT execute the modified version — main's pull_request_target version ran instead. ATTACK_PROBE never fired. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 18:48:35 -07:00
claude-ceo-assistant	a50cda1a85	Merge pull request 'ci(sop-tier-check): deploy workflow (soft-launch, no protection change)' (#144) from ci/sop-tier-check-deploy into main	2026-05-09 01:01:05 +00:00
claude-ceo-assistant	a526dabf04	ci(sop-tier-check): update to latest canonical (team-id resolution + scope-aware probe)	2026-05-08 17:59:43 -07:00
claude-ceo-assistant	4534e922c8	trigger: re-run after dev-lead approval	2026-05-08 17:56:14 -07:00
claude-ceo-assistant	427d5b04ed	ci(sop-tier-check): deploy workflow to molecule-core (soft-launch) ... Phase-1 fan-out of §SOP-6 enforcement to molecule-core. No branch protection change in this PR — workflow runs and reports a status, doesn't block any merge yet. Branch protection update is the follow-up PR after the workflow demonstrates a green run on its own PR, per the Phase 2 plan. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 17:55:10 -07:00
claude-ceo-assistant	a93c4ce177	Merge pull request 'fix(org-import): started event emits after YAML parse so name is populated' (#142) from fix/org-import-started-event-name into main	2026-05-08 23:30:03 +00:00
claude-ceo-assistant	b3041c13d3	fix(org-import): emit started event after YAML parse so name is populated ... The org.import.started event was firing immediately after request body bind, before the YAML at body.Dir was loaded. Result: payload.name was "" whenever the caller passed `dir` (the common path — the canvas and all live imports use dir, not inline template). Three started rows already in the local platform's structure_events have empty name. Fix: move the started emit (and importStart timestamp) to after the YAML unmarshal / inline-template fallthrough, where tmpl.Name is guaranteed populated. Bonus: pre-parse error returns (invalid body, traversal-rejected dir, file-not-found, YAML expansion fail, YAML unmarshal fail, neither dir nor template provided) no longer emit an orphan started row — every started is now guaranteed a paired completed/failed. Verified live against running platform: re-imported molecule-dev-only, new started row in structure_events carries "Molecule AI Dev Team (dev-only)" instead of "". Tests: full handler suite green (`go test ./internal/handlers/`). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 16:25:24 -07:00
claude-ceo-assistant	e1214ca0b4	Merge pull request 'refactor(handlers): Delete() delegates to CascadeDelete helper' (#139) from refactor/delete-uses-cascade-helper into main	2026-05-08 22:58:25 +00:00
claude-ceo-assistant	bfefcb315b	refactor(handlers): Delete() delegates to CascadeDelete helper ... Drops ~150 lines of duplicated cascade logic from the Delete HTTP handler — workspace_crud.go's CascadeDelete (added in PR #137) and Delete() were running the same #73 race-guard sequence (status update → canvas_layouts → tokens → schedules → container stop → broadcast), just with Delete() inlined and CascadeDelete owning the OrgImport reconcile path. CascadeDelete now returns the descendant id list (was: count) so Delete() can drive the optional ?purge=true hard-delete against the same set the cascade just touched. Net diff: workspace_crud.go shrinks from ~270 lines in Delete() to ~75 lines (parse + 409 confirm gate + CascadeDelete call + stop-error 500 + purge block + 200 response). Behavior identical — same SQL ordering, same #73 race guard, same response shapes. Three sqlmock tests for the 0-children case gained one extra ExpectQuery for the recursive-CTE descendants scan (the old inline code skipped that query when len(children)==0; CascadeDelete walks unconditionally — returns 0 rows, same end state, one extra cheap query). Tests: full handler suite green (`go test ./internal/handlers/`). Live-tested against the running local platform: DELETE on a fake workspace returns `{"cascade_deleted":0,"status":"removed"}`, fleet of 9 workspaces preserved, refactored handler matches the prior wire-shape exactly. Tracked as the PR #137 follow-up tech-debt item. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 15:47:51 -07:00
claude-ceo-assistant	c94ead1953	Merge pull request 'fix(org-import): reconcile mode + audit-event emission' (#137) from fix/org-import-reconcile-and-audit into main	2026-05-08 22:13:20 +00:00
claude-ceo-assistant	3de51faa19	fix(org-import): reconcile mode + audit-event emission ... Closes the additive-import zombie bug — re-running /org/import with a tree shape that reparents same-named roles left the prior workspace online because lookupExistingChild's dedupe is parent-scoped (different parent_id → "different" workspace). Caught 2026-05-08 after a dev-tree re-import left 8 orphans co-existing with the new tree on canvas until manual cascade-delete. Three layers in this PR: - mode="reconcile" on /org/import — after the import loop, online workspaces whose name matches an imported name but whose id isn't in the result set are cascade-deleted. Default mode "" / "merge" preserves existing additive behavior. Empty-set guards prevent accidental "delete everything" if either array comes up empty. - WorkspaceHandler.CascadeDelete extracted as a callable helper from the existing Delete HTTP handler so OrgImport's reconcile path shares the same teardown sequence (#73 race guard, container stop, volume removal, token revocation, schedule disable, event broadcast). The HTTP Delete handler still inlines the same logic; deduplication tracked as tech-debt follow-up. - emitOrgEvent(structure_events) records org.import.started + org.import.completed with mode, created/skipped/reconcile_removed counts, duration_ms, error. Replaces the lost-on-restart stdout-only log shape for an audit-trail surface that's queryable by SQL. Closes the "what happened at 20:13?" debugging gap that motivated this fix. Verified live against the local platform: cascade-delete on an old tree's removed root cleared 8 surviving orphans; mode="reconcile" with a freshly-INSERTed fake orphan removed exactly the fake; idempotent re-run of reconcile is a no-op (0 removed, no errors); structure_events captures every started+completed pair with full payload. 7 new unit tests (walkOrgWorkspaceNames flat/nested/spawning:false/ empty-name; emitOrgEvent success + DB-error-swallow; errString). Full handler suite green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 15:04:47 -07:00
claude-ceo-assistant	6f861926bd	Merge pull request 'fix(workspace_provision): preserve MODEL secret over MODEL_PROVIDER slug on restart' (#136) from fix/preserve-model-secret-on-restart into main	2026-05-08 21:31:50 +00:00
claude-ceo-assistant	15c5f32491	fix(workspace_provision): preserve MODEL secret over MODEL_PROVIDER slug on restart ... Phase 4 follow-up to template-claude-code PR #9 (2026-05-08 dev-tree wedge). Pre-fix: applyRuntimeModelEnv unconditionally overwrote envVars["MODEL"] with the MODEL_PROVIDER slug whenever payload.Model was empty (the restart path). This silently wiped the operator'\''s explicit per-persona MODEL secret on every restart. Symptom: dev-tree workspaces booted correctly on first /org/import (the envVars map was populated direct from the persona env file with both MODEL=MiniMax-M2.7-highspeed and MODEL_PROVIDER=minimax), then on the next Restart the MODEL secret got clobbered to literal "minimax" — a provider slug, not a valid model id — and the workspace template'\''s adapter failed to match any registry prefix, fell through to providers[0] (anthropic-oauth), and wedged at SDK initialize. Fix: resolution order in applyRuntimeModelEnv is now: 1. payload.Model (caller passed the canvas-picked model id verbatim) 2. envVars["MODEL"] (workspace_secret persisted from persona env) 3. envVars["MODEL_PROVIDER"] (legacy canvas Save+Restart shape) Tests ----- TestApplyRuntimeModelEnv_PersonaEnvMODELSecretPreserved — locks in the new resolution order with four cases: - MODEL secret wins over MODEL_PROVIDER slug (persona-env shape) - MODEL secret wins even when same as MODEL_PROVIDER - MODEL absent → fall back to MODEL_PROVIDER (legacy shape) - Both absent → no MODEL set (no-op) Existing TestApplyRuntimeModelEnv_SetsUniversalMODELForAllRuntimes continues to pass — fix is strictly additive on the precedence chain.	2026-05-08 14:31:14 -07:00
claude-ceo-assistant	9b5e89bb42	Merge pull request 'feat(org-import): add spawning:false field to skip workspace + descendants' (#135) from feat/org-import-spawning-false into main	2026-05-08 21:20:56 +00:00
claude-ceo-assistant	b91da1ab77	feat(org-import): add spawning:false field to skip workspace + descendants ... Lets a workspace declare it (and its entire subtree) should be skipped during /org/import. Pointer-typed `*bool` so we distinguish "explicitly false" from "unset" (default = spawn). ## Use case The dev-tree org template ships the full role taxonomy (Dev Lead with Core Platform / Controlplane / App & Docs / Infra / SDK Leads, each with their own engineering / QA / security / UI-UX children — 27 personas total in a single import). Some setups need a smaller set: - Local dev on a memory-constrained machine - Demo / smoke runs that don't need the full org breathing - Customer trials starting with leadership-only before fan-out Pre-fix the only options were: - Edit the canonical template (mutates shared state) - Author a parallel slimmer template (duplicates structure) - Manual workspace deprovision after full import (wasteful — already paid the docker pull / build cost) `spawning: false` is the per-workspace knob that solves this without touching the canonical template structure. ## Semantics - Unset: workspace spawns (current behaviour, no migration) - `spawning: true`: explicitly spawns (same as unset) - `spawning: false`: workspace is skipped AND every descendant is skipped. The guard sits BEFORE any side effect in createWorkspaceTree — no DB row, no docker provision, no children recursion. A false-spawning subtree is genuinely a no-op except for the log line. countWorkspaces still counts the subtree (so /org/templates numbers reflect the full structure). ## Stage A — verified Local dev-only template that wraps teams/dev.yaml (Dev Lead) with children:[] cleared on the 5 sub-team yaml files, plus 3 floater personas (Release Manager / Integration Tester / Fullstack Engineer). /org/import returned 9 workspaces. Drop-in: same result via `spawning: false` on each sub-tree root in the future. ## Stage B — N/A Pure additive feature on the org-template handler. No SaaS deploy chain implications. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 14:20:14 -07:00
claude-ceo-assistant	aea6109602	Merge pull request 'fix(org-import): use ws.FilesDir as persona-dir lookup + docker-cli-buildx in dev image' (#134) from fix/org-import-persona-env-files-dir into main	2026-05-08 20:51:47 +00:00
claude-ceo-assistant	c3596d6271	fix(org-import): use ws.FilesDir as persona-dir lookup, add docker-cli-buildx to dev image ... ## org_import.go — persona env injection root-cause fix The Phase-3 fix from earlier today (`feedback/per-agent-gitea-identity-default`) introduced loadPersonaEnvFile to inject persona-specific creds into workspace_secrets on /org/import. It passed `ws.Role` as the persona-dir lookup key, but in our dev-tree org.yaml shape `role:` carries the multi-line descriptive text the agent reads from its prompt ("Engineering planning and team coordination — leads Core Platform, Controlplane, ..."), while `files_dir:` holds the short slug (`core-lead`, `dev-lead`, etc.) matching `~/.molecule-ai/personas/<files_dir>/env`. isSafeRoleName silently rejected the multi-word role text → no persona env loaded → every imported workspace booted with zero workspace_secrets rows → no ANTHROPIC / CLAUDE_CODE / MINIMAX auth in the container env → claude_agent_sdk wedged on `query.initialize()` with a 60s control-request timeout. After the fix, /org/import on the dev tree (27 personas) populates 8 workspace_secrets per workspace (Gitea identity + MODEL/MODEL_PROVIDER + provider-specific token), 5 of 6 leads boot online, and the remaining wedges trace to a separate runtime-template-repo bug (workspace-template-claude-code's claude_sdk_executor.py doesn't dispatch on MODEL_PROVIDER=minimax — filed separately). ## Dockerfile.dev — docker-cli + docker-cli-buildx Without these, every claude-code/tier-2 workspace POST fails-fast: - docker-cli alone produces `exec: "docker": executable file not found` - docker-cli alone (no buildx) fails on `docker build` with `ERROR: BuildKit is enabled but the buildx component is missing or broken` Both packages are now installed in the dev image; verified with `docker exec molecule-core-platform-1 docker buildx version`. ## Stage A verified Local /org/import dev-only path: 27 workspaces created, all 27 receive persona env injection (8 secrets each — Gitea identity + provider creds). Lead workspaces (claude-code-OAuth tier) boot online. ## Stage B — N/A Local-dev-only path (docker-compose.dev.yml + dev image). Tenant EC2 provisioning uses Dockerfile.tenant (untouched). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 13:50:46 -07:00
claude-ceo-assistant	2fa79ea462	Merge pull request 'chore(ci): document #192 root cause — workspace-template repos public per OSS-first' (#133) from chore/192-retrigger-harness-replays-after-public-flip into main	2026-05-08 19:12:54 +00:00
claude-ceo-assistant	15935143c8	chore(manifest): drop reno-stars + 5 org-templates flipped public; document OSS-surface contract ... Follow-up to the workspace-template visibility flip in 558e4fee. After flipping the 5 private workspace-templates public (#192 root cause), the harness-replays clone moved one step deeper to the org-templates list, where 6 of 7 were also private. Hongming-confirmed flip plan: - 5 of 6 (molecule-dev, free-beats-all, medo-smoke, molecule-worker-gemini, ux-ab-lab) — flipped public per `feedback_oss_first_repo_visibility_default`. These are unambiguously OSS-template-shape: generic README, no customer-shaped names, no creds in content. - 1 of 6 (reno-stars) — name itself is customer-shaped (would expose customer/tenant identity). Kept private; removed from manifest.json per Hongming. Will be handled at provision-time via the per-tenant credential resolver designed in internal#102 (Layer-3 RFC). Documents the OSS-surface contract in two places: - manifest.json _comment: every entry MUST be public; Layer-3 lives elsewhere - clone-manifest.sh comment block: rationale + the explicit ci-readonly team-grant escape hatch (review-gated, not default). Closes the second clone-fail layer of #192. Combined with 558e4fee + the workspace-template visibility flips, the Pre-clone manifest deps step should now succeed anonymously for the full registered set. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 11:58:09 -07:00
claude-ceo-assistant	558e4fee48	chore(ci): document #192 root cause — workspace-template repos public per OSS-first ... 5 of 9 workspace-template repos (openclaw, codex, crewai, deepagents, gemini-cli) had been marked private with no team grant for AUTO_SYNC_TOKEN bearer (devops-engineer persona). Pre-clone manifest deps step 404'd on the first private repo encountered, failing every Harness Replays run. Resolution path taken: 1. Flipped the 5 to public per `feedback_oss_first_repo_visibility_default` — runtime/template/plugin repos default public; that's what makes them OSS surface. 2. Scoped existing `ci-readonly` org team to legitimately-internal repos only (compliance docs, RFCs-in-flight). Workspace templates removed from it. 3. Filed internal#102 RFC for Layer-3 (customer-owned + marketplace third-party private repos) — that's a different shape entirely; needs per-tenant credential-resolver, not org-team grants. This commit is a documentation-only touch on the workflow file to (a) record the root cause inline next to the existing pre-clone-fail narrative, (b) trigger a fresh Harness Replays run that should now pass the clone step. Closes #192. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 11:50:55 -07:00
claude-ceo-assistant	8e4169cfac	Merge pull request 'feat(local-dev): containerize platform + canvas stack via docker-compose' (#131) from feat/126-containerize-local-platform-stack into main	2026-05-08 18:38:32 +00:00
claude-ceo-assistant	bce60f1b22	Merge pull request 'fix(canvas): consolidate platform-auth headers via shared helper (#178)' (#54) from fix/178-canvas-shared-auth-headers into main	2026-05-08 18:35:58 +00:00
claude-ceo-assistant	c6f41198f7	Merge pull request 'chore(canary): workflow_dispatch input keep_on_failure for log capture' (#132) from chore/canary-keep-on-failure-input into main	2026-05-08 17:59:10 +00:00
dev-lead	5c0c15eb4f	chore(canary): workflow_dispatch input keep_on_failure for log capture ... Investigating molecule-core#129 failure mode #1 (claude-code "Agent error (Exception)") needs the workspace's docker logs to find the actual exception. The canary tears down the tenant on every failure, so the workspace container is destroyed before anyone can SSM in. Add a workflow_dispatch input `keep_on_failure: bool` (default false). When true, sets `E2E_KEEP_ORG=1` for the canary script — its existing debug path skips teardown, leaving the tenant + EC2 + CF tunnel + DNS alive. Operator can then SSM into the workspace EC2 (via the same flow as recover-tunnels.py) and capture `docker logs` from the claude-code container. Cron-triggered runs never set the input (it only exists on dispatch), so unattended scheduled canaries always tear down — no risk of unattended cost leak. Operator workflow: 1. Dispatch canary-staging.yml with keep_on_failure=true 2. Watch CI; on failure (likely, given the 38h chronic red), note the SLUG / TENANT_URL printed at step 1/11 3. SSM exec into the workspace EC2 (us-east-2) and run `docker logs <claude-code-container>` to find the actual exception traceback 4. Manually delete via DELETE /cp/admin/tenants/<slug> when done (the script logs this reminder on E2E_KEEP_ORG=1 path) Refs: molecule-core#129 (canary investigation) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 10:58:19 -07:00
claude-ceo-assistant	7eda8f510f	feat(local-dev): containerize platform + canvas stack via docker-compose (closes #126) ... Replaces the legacy nohup `go run ./cmd/server` setup with a fully containerized local stack: postgres + redis + platform + canvas, all with `restart: unless-stopped` so they survive Mac sleep/wake and Docker Desktop daemon restarts. ## Changes - **docker-compose.yml** - `restart: unless-stopped` on platform/postgres/redis - `BIND_ADDR=0.0.0.0` for platform — the dev-mode-fail-open default of 127.0.0.1 (PR #7) made the host unable to reach the container even with port mapping. Container netns is already isolated, so binding all interfaces inside is safe. - Healthchecks switched from `wget --spider` (HEAD → 404 forever because /health is GET-only) to `wget -qO /dev/null` (GET). Same regression existed on canvas; fixed both. - **workspace-server/Dockerfile.dev** - `CGO_ENABLED=1` → `0` to match prod Dockerfile + Dockerfile.tenant. Without this, the alpine dev image fails with "gcc: not found" because workspace-server has no actual cgo deps but the env was forcing the cgo build path. Closes a divergence introduced in 9d50a6da (today's air hot-reload PR). - **canvas/Dockerfile** - `npm install` → `npm ci --include=optional` for lockfile-exact installs that include platform-specific @tailwindcss/oxide native binaries. Without these, `next build` fails with "Cannot read properties of undefined (reading 'All')" on the `@import "tailwindcss"` directive. - **canvas/.dockerignore** (new) - Excludes `node_modules` and `.next` so the Dockerfile's `COPY . .` step doesn't clobber the freshly-installed container node_modules with the host's (potentially stale or wrong-arch) copy. This was the actual root cause of the canvas build break. - **workspace-server/.gitignore** - Adds `/tmp/` for air's live-reload build cache. ## Stage A verified ``` container status restart postgres-1 Up (healthy) unless-stopped redis-1 Up (healthy) unless-stopped platform-1 Up (healthy, air-mode) unless-stopped canvas-1 Up (healthy) unless-stopped GET :8080/health → 200 GET :3000/ → 200 DB preserved: 407 workspace rows + 5 named personas Persona mount: 28 dirs at /etc/molecule-bootstrap/personas ``` ## Stage B — N/A This is local-dev infrastructure only. None of these files ship to SaaS tenants — production EC2s use `Dockerfile.tenant` + `ec2.go` user-data, not docker-compose. ## Out of scope - The decorative-but-broken `wget --spider` healthcheck has presumably also been silently 404'ing on prod tenants. Ship a follow-up to audit + fix the prod path; not done here to keep the PR scoped. - Docker Desktop "Start at login" is a per-machine GUI setting that must be toggled manually (Settings → General). - The legacy heartbeat-all.sh that pinged 5 persona workspaces from the host has been deleted (~/.molecule-ai/heartbeat-all.sh). Per Hongming: each workspace is responsible for its own heartbeat. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 10:53:39 -07:00
claude-ceo-assistant	44bb35f2a8	Merge pull request 'fix(ci): canary alerting — drop Gitea-incompatible actions API call' (#130) from fix/canary-staging-gitea-compat-alerting into main	2026-05-08 17:52:48 +00:00
dev-lead	42ff6be15c	fix(ci): canary alerting — drop Gitea-incompatible actions API call ... The "Open issue on failure" step was failing on every canary run because Gitea 1.22.6 doesn't expose /api/v1/actions endpoints (per memory reference_gitea_actions_log_fetch). The threshold check called github.rest.actions.listWorkflowRuns() to count consecutive prior failures and gate issue creation behind 3 reds — that call ALWAYS 404'd on Gitea, breaking the entire alerting step. Net effect: the canary's own self-alerting was broken, so the underlying staging regression went unflagged for 38h+ (2026-05-07 02:30 UTC → 2026-05-08 17:34 UTC, every cron tick red, zero issues filed). Fix: drop the consecutive-failures threshold entirely. File a sticky issue on the FIRST failure; comment-on-existing handles deduplication for subsequent failures. The auto-close-on-success step is unchanged. Why not a Gitea-compatible threshold (e.g., walk recent commit statuses): comment-on-existing already gives ops a single accumulating issue per regression streak. The threshold's purpose was to avoid spamming on transient flakes — but with sticky issue + auto-close-on-green, transient flakes get one issue + one quick close, which is fine signal. Filing on first failure is also better UX: catches the regression in 30 min instead of 90 min. Also: rewrote runURL from hardcoded https://github.com/... to context.serverUrl so the link actually points at Gitea (https://git.moleculesai.app) — was always broken on Gitea but nobody noticed because the issue-filing step itself was broken. Net: 21 insertions, 40 deletions. Removes WORKFLOW_PATH + CONSECUTIVE_THRESHOLD env vars (no longer needed). Tracked in: molecule-core#129 (failure mode 3 of 3) Verification: yaml syntax-valid; no remaining github.rest.actions.* calls; only github.rest.issues.* (all Gitea-supported per memory feedback_persona_token_v2_scope). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 10:52:09 -07:00