24 Commits

Author	SHA1	Message	Date
Molecule AI Dev Engineer A (Kimi)	ef7e86f4fb	Merge branch 'main' into fix-365-scope-divergence-gate-check ... # Conflicts: # tools/gate-check-v3/test_gate_check.py	2026-05-26 09:26:30 +00:00
Molecule AI Dev Engineer A (Kimi)	d12cfc96e3	Merge main into PR branch - resolve test conflict	2026-05-26 09:06:19 +00:00
Molecule AI Dev Engineer A (Kimi)	8469a4817d	fix(gate-check-v3): signal_2 must ignore draft REQUEST_CHANGES and null users ... - Require official != False for REQUEST_CHANGES reviews, matching review-check.sh post-#1818 behavior. Draft/pending reviews must not block the gate. - Defend against user=null in signal_2 (same regression class as signal_1, triggered by deleted/bot reviews). - Add regression tests for both paths. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-26 04:20:14 +00:00
Molecule AI Dev Engineer A (Kimi)	65cb7339ac	fix(gate-check-v3): defend against user=null in review JSON ... Gitea can return reviews with user: null (deleted account / bot edge case). signal_1_comment_scan crashed with AttributeError when calling .get() on None. Fixed both occurrences: - reviews loop: r.get("user", {}).get("login", "") → (r.get("user") or {}).get("login", "") - comments loop: c.get("user", {}).get("login", "") → (c.get("user") or {}).get("login", "") Added regression test test_signal_1_null_user_in_review_does_not_crash. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-26 03:48:50 +00:00
Molecule AI Dev Engineer A (Kimi)	57b74ab31e	gate-check-v3: add Signal 4 — branch divergence / scope-creep guard (mc#365) ... Adds a heuristic that detects stale PR branches where the base SHA has drifted behind target HEAD. Distinguishes files that are "inherited" from base divergence (already on target via prior commits) from genuinely new PR work, preventing misattribution of scope creep when branches are stale. Implementation: - New signal_4_branch_divergence() compares PR.base.sha to current target-branch HEAD via the Gitea API. - If diverged, paginates /commits to count commits behind and collect filenames changed on target since base. - Cross-references with /pulls/{n}/files to compute inherited vs new-work fractions. - Emits WARNING when >50% inherited or >5 commits behind with overlap. - Advisory only — never blocks merge (WARNING is not in blockers list). Updates: - VERDICT_ORDER expanded with WARNING between N/A and CLEAR. - format_comment renders divergence stats + inherited file list. - Workflow YAML comment block updated to list signal 4. - 4 new unit tests cover: no-divergence, inherited-files WARNING, no-overlap CLEAR, and API-error N/A fallback. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 18:24:23 +00:00
Molecule AI Dev Engineer A (Kimi)	a120c86756	style(tools): fix ruff F401 and E741 in gate_check.py ... Remove unused imports (time, Any, Optional) and rename ambiguous variable l → role_login. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 01:51:11 +00:00
core-devops	7932bc4c48	chore(ssot): delete dead .github/workflows/ — Gitea is SSOT (#331 SSOT-Instance-4) ... Per CTO directive 2026-05-20 and task #347 (disabled GitHub-mirror push fleet-wide), .github/workflows/ on molecule-core is dead — Gitea Actions reads .gitea/workflows/ exclusively (memory: reference_molecule_core_actions_gitea_only), and GitHub Actions has had no real push activity since 2026-05-06 (the only post-2026-05-06 runs are dynamic CodeQL re-runs on frozen pre-suspension PRs). Empirical validation: - 24 files total in .github/workflows/. - 23 have same-name siblings in .gitea/workflows/ (port carries "Ported from .github/workflows/X on 2026-05-11 per RFC internal#219" header on most files). - 1 .github-only file: canary-staging.yml — already ported to .gitea/workflows/staging-smoke.yml on 2026-05-11 per the same RFC, Hongming directive renamed canary→smoke. Verified via header comment in staging-smoke.yml. - Last GitHub-side push event: 2026-05-06T07:06:12Z (pre-suspension). - All 24 .github/workflows/* files removed. Tooling updates needed (load-bearing): - tools/branch-protection/check_name_parity.sh: hard-coded $REPO_ROOT/.github/workflows path → switched to .gitea/workflows. Pre-existing parity findings (3x Analyze CodeQL names absent from any workflow file) are unchanged — that drift exists pre-PR and is out-of-scope (file as follow-up). - tools/branch-protection/test_check_name_parity.sh: synthetic test fixtures now create .gitea/workflows/ instead of .github/workflows/. All 6 unit tests pass after change. - .gitea/workflows/lint-required-workflows-docker-host-pinned.yml: dropped '.github/workflows/**' from path-filter triggers + dropped '.github/workflows' from the python directory-walk loop (the isdir-check would have made this a no-op cleanly, but pruning reflects current truth). Out-of-scope (NOT touched in this PR): - .github/CODEOWNERS, .github/dependabot.yml, .github/scripts/ remain (task is scoped to .github/workflows/). - COVERAGE_FLOOR.md, workspace/smoke_mode.py, workspace/main.py contain comment references to .github/workflows/* — stale docs string-references only, not behavioral. Separate follow-up. - Provenance comments inside .gitea/workflows/* of the form "Ported from .github/workflows/X on 2026-05-11" are intentionally preserved — useful history. Refs: task #331 (SSOT-Instance-4), task #347 (mirror push disabled), memory reference_molecule_core_actions_gitea_only, memory reference_per_repo_gitea_vs_github_actions_dir, RFC internal#219 §1 (the original 2026-05-11 port sweep).	2026-05-20 09:29:33 -07:00
core-be	f908aa894b	fix(gate-check): map infra-sre Gitea login to core-devops agent ... infra-sre IS the engineers/core-devops agent (same team, same work). Without this alias, infra-sre reviews and comments never satisfy the engineers gate in signal_1_comment_scan, causing PRs to remain blocked even when infra-sre explicitly posts [devops-agent] APPROVED. Changes: - Add LOGIN_ALIASES dict: infra-sre → core-devops - Resolve aliases in signal_1_comment_scan comment-matching loop - Resolve aliases in signal_1_comment_scan reviews collection - Add test covering infra-sre APPROVED review → engineers CLEAR Fixes #896. [core-be-agent] Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-13 22:37:50 +00:00
hongming-codex-laptop	879acd96d1	fix(ci): skip main gates for non-default-base prs	2026-05-13 14:32:41 -07:00
core-devops	0f63b7177a	fix(sre): add explicit 15s timeout to gate-check-v3 HTTP calls (closes #603) ... Adds DEFAULT_TIMEOUT=15 to gate_check.py and passes it to all urlopen() calls (api_get, comment POST, comment PATCH). Adds socket.setdefaulttimeout(15) to the inline Python in the workflow's cron step, catching the PR-polling loop too. Defence-in-depth: the real fix is provisioning SOP_TIER_CHECK_TOKEN in Gitea; this caps worst-case wall-clock at ~15 s per call when the token is missing or Gitea is unreachable. Fixes issue #603. Note: PR #603 (da1487ad) has the same changes but is missing `import socket` in the inline Python — that version would NameError at runtime. This branch carries the complete fix. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-11 23:36:21 +00:00
infra-sre	6d66e854cf	fix(sre): gate-check-v3 remove combined_state self-referential fallback ... The `elif ci_state == "failure"` fallback in signal_6_ci was creating a self-referential failure loop: gate-check posts failure → combined_state becomes failure → script re-blocks → posts failure again. Root cause: combined_state is Gitea's aggregate over ALL commit statuses, including gate-check-v3's own prior result. Using it as a fallback verdict driver means the script gates on its own output. Fix: remove the combined_state fallback. check_statuses already excludes gate-check (Bug-1 fix from PR #547). Use failing_required as the sole CI gate. If no required checks are defined on the branch, return CLEAR rather than re-using combined_state which includes our own status. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-11 21:07:03 +00:00
infra-sre	f5f27cb870	fix(ci): gate-check-v3 — 3 bug fixes ... Bug 1 (self-referential failure loop, #544): signal_6_ci now filters out its own prior status from check_statuses before evaluating, preventing a gate-check-v3 → failure → re-reads self → failure cycle. Bug 2 (hardcoded base branch, #544): signal_6_ci now uses the PR's actual base branch ref instead of hardcoded 'main'. Caller passes PR data to avoid redundant API call. Bug 3 (comment-post 403, #543): Wrapped POST/PATCH comment-post in try/except for HTTPError 403. Logs a warning and skips posting when the token lacks write:repository scope — verdict still drives exit code correctly. Also removed 3 lines of dead code at the end of format_comment (unreachable return after prior return). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-11 19:26:23 +00:00
core-devops	b57cebf8d4	fix(gate-check-v3): tier-aware gate verdict computation ... tier:low and tier:high are OR gates — any one positive verdict is sufficient. The previous implementation required ALL groups to have positive verdicts, causing INCOMPLETE even when core-devops APPROVED and core-lead was absent. Now uses tier-specific logic: - tier:low / tier:high (OR): any positive = CLEAR - tier:medium (AND): all positive = CLEAR Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-11 13:38:02 +00:00
core-devops	15e2d93989	fix(gate-check-v3): add pagination to api_list for comment/review scans ... Paginate all list endpoints (comments, reviews) to handle PRs with many comments without missing entries. Uses per_page=100 with page increment loop, safety-capped at 20 pages. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-11 13:38:02 +00:00
core-devops	3eb06e40e6	fix(gate-check-v3): use submitted_at for review timestamps ... Gitea reviews use "submitted_at" not "created_at" for when the review was submitted. The earlier signal_1_comment_scan fix (inherited from sop-tier-check investigation) already handled this; signal_2 and signal_3 were missing the same correction. Fixes KeyError: 'created_at' on PRs with no comments/reviews. Includes the individual-check-status fix (use "status" not "state"). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-11 13:38:02 +00:00
core-devops	9d05335b1a	fix(gate-check-v3): use correct API field for individual check status ... Gitea Actions API uses "status" (pending/success/failure) not "state" for individual status entries. The "state" field is null for pending runs. This caused all_check_statuses to show Python null instead of "pending" for queued jobs. Also verified on PR #391 and PR #393 — individual checks now correctly display "pending" while combined_state is "pending" (CI_PENDING verdict). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-11 13:38:02 +00:00
core-devops	f470f589c0	tools/gate-check-v3: MVP automated PR gate detector ... SOP-6 + CI gate checker for Gitea PRs. Detects: - Signal 1: Author-aware agent-tag comment scan (tier-aware) - Signal 2: REQUEST_CHANGES reviews state machine - Signal 3: Staleness detection (SOP-12) - Signal 6: CI required-checks awareness Post `[gate-check-v3] STATUS:` comment on PRs. CLI + Gitea Actions workflow (cron hourly + PR-triggered). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-11 13:38:02 +00:00
devops-engineer	34e05c35b9	chore: sync main → staging (auto, 6946cd12)	2026-05-07 22:45:14 +00:00
Hongming Wang	7c6acc18ae	ci(branch-protection): check-name parity gate (#144) ... Audit finding: every workflow that emits a required-status-check name on molecule-core's branch protection (apply.sh's STAGING_CHECKS + MAIN_CHECKS) ALREADY uses the safe always-runs-with-conditional-steps shape — Platform/Canvas/Python/Shellcheck in ci.yml, Canvas tabs E2E in e2e-staging-canvas.yml, E2E API Smoke in e2e-api.yml, PR-built wheel in runtime-prbuild-compat.yml, the codeql Analyze matrix, and the always-on Secret scan + Detect changes. No production drift to fix today. Adds a regression-guard so the next path-filter / matrix refactor / workflow rename can't silently re-introduce the bug shape called out in saved memory feedback_branch_protection_check_name_parity: "Path filters … silently break branch protection because no job emits the protected sentinel status when path-filter returns false." New tools: - tools/branch-protection/check_name_parity.sh — extracts every required check name from apply.sh's heredocs, then for each name classifies the owning workflow as safe (no top-level paths:) / safe (per-step if-gates without top-level paths:) / unsafe (top-level paths: without per-step if-gates) / unsafe-mix (top-level paths: WITH per-step if-gates — the workflow may still skip entirely on path exclusion, leaving the gates dormant) / missing (no emitter at all). Special-cases codeql.yml's matrix- expanded `Analyze (${{ matrix.language }})`. - tools/branch-protection/test_check_name_parity.sh — 6 unit tests covering each classification: safe, unsafe-path-filter, missing, safe-with-per-step-gates, unsafe-mix, matrix-expansion. Each test builds a synthetic apply.sh + workflow file in a tmpdir, invokes the script, and asserts on exit code + stderr substring. Per feedback_assert_exact_not_substring the assertions pin specific classifications, not just non-zero exit. Wired into branch-protection-drift.yml so every PR touching .github/workflows/** runs the parity check; the existing daily schedule covers between-PR drift. The check is cheap (~1s) and runs without the admin token — only reads files in the checkout. Self- test step runs the unit tests on every invocation, so a regression in the script can't false-pass on production. Per BSD-vs-GNU portability hygiene: heredoc-marker extraction stays in plain awk + sed (no gawk-only `match()` array form), grep regex avoids `^` anchor for `if:` lines because real workflows use ` - if:` with the `-` step-marker between leading spaces and `if:` (the original anchor missed every workflow's per-step gates). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 14:42:50 -07:00
documentation-specialist	5d4184f4a3	fix(scripts): migrate ghcr.io→ECR + raw.githubusercontent.com→Gitea (#46) ... Per documentation-specialist's grep agent (2026-05-07T07:30, see internal#46): runtime-breaking ghcr.io references in shell scripts + docker-compose + the slip-past-workflow lint_secret_pattern_drift.py all need migration. These were missed by security-auditor's workflow-only audit. Files (6): - .github/scripts/lint_secret_pattern_drift.py:40 — workspace-runtime pre-commit-checks.sh consumer URL: raw.githubusercontent.com → Gitea raw URL (https://git.moleculesai.app/molecule-ai/.../raw/ branch/main/...). The lint job runs in CI and would 404 today. - scripts/refresh-workspace-images.sh:54 — workspace-template image pull URL: ghcr.io → ECR (153263036946.dkr.ecr.us-east-2.amazonaws.com). - scripts/rollback-latest.sh — full rewrite of header + auth flow: * ghcr.io/molecule-ai/{platform,platform-tenant} → ECR * GITHUB_TOKEN with write:packages → AWS ECR auth (aws ecr get-login-password). Per saved memory reference_post_suspension_pipeline, prod cutover is to ECR. * Updated header docs to match new auth flow + prereqs. - scripts/demo-freeze.sh:13,17 — comment-only ghcr → ECR (the script doesn't currently exec these URLs, but the comments describe the cascade and need to match reality). - docker-compose.yml:215-216 — canvas image: ghcr.io → ECR + updated the auth comment to describe `aws ecr get-login-password` flow. - tools/check-template-parity.sh:21 — inline curl install instructions: raw.githubusercontent.com → Gitea raw URL. Hostile self-review: 1. rollback-latest.sh's GITHUB_TOKEN→aws-cli auth swap is a behavior change. Operators using this script now need aws CLI authenticated for region us-east-2 with ECR pull/push perms. Documented in updated header. Operators who don't have aws CLI will get 'aws: command not installed' which is a clear failure mode (not silent). 2. The Gitea raw URL shape (/raw/branch/main/) differs from GitHub's raw.githubusercontent.com structure. Verified pattern by inspecting other Gitea raw URLs in the codebase. If Gitea's URL changes (1.23+), update via the same one-line edit. 3. Doesn't touch packer/scripts/install-base.sh which has a similar ghcr.io ref per the grep agent's findings — that's bigger-scope (packer build pipeline) and lives in molecule-controlplane-ish territory; filing as parked follow-up under #46 if not already. Refs: molecule-ai/internal#46, molecule-ai/internal#37, molecule-ai/internal#38, saved memory reference_post_suspension_pipeline	2026-05-07 00:56:23 -07:00
hongming-personal	2e505e7748	fix(branch-protection): apply.sh respects live state + full-payload drift ... Multi-model review of #2827 caught: the script as-shipped would have silently weakened branch protection on EVERY non-checks dimension the moment anyone ran it. Live staging had enforce_admins=true, dismiss_stale_reviews=false, strict=true, allow_fork_syncing=false, bypass_pull_request_allowances={ HongmingWang-Rabbit + molecule-ai app } Script wrote the opposite for all five. Per memory feedback_dismiss_stale_reviews_blocks_promote.md, the dismiss_stale_reviews flip alone is the load-bearing one — would silently re-block every auto-promote PR (cost user 2.5h once). This PR: 1. apply.sh: per-branch payloads (build_staging_payload / build_main_payload) that codify the deliberate per-branch policy already on the repo, with the script's net contribution being ONLY the new check names (Canvas tabs E2E + E2E API Smoke on staging, Canvas tabs E2E on main). 2. apply.sh: R3 preflight that hits /commits/{sha}/check-runs and asserts every desired check name has at least one historical run on the branch tip. Catches typos like "Canvas Tabs E2E" vs "Canvas tabs E2E" — pre-fix a typo would silently block every PR forever waiting for a context that never emits. Skip via --skip-preflight for genuinely-new workflows whose first run hasn't fired. 3. drift_check.sh: compares the FULL normalised payload (admin, review, lock, conversation, fork-syncing, deletion, force-push) not just the checks list. Pre-fix the drift gate would have missed a UI click that flipped enforce_admins or dismiss_stale_reviews. Drops app_id from the comparison since GH auto-resolves -1 to a specific app id post-write. 4. branch-protection-drift.yml: per memory feedback_schedule_vs_dispatch_secrets_hardening.md — schedule + pull_request triggers HARD-FAIL when GH_TOKEN_FOR_ADMIN_API is missing (silent skip masks the gate disappearing). workflow_dispatch keeps soft-skip for one-off operator runs. Verified by running drift_check against live state: pre-fix would have shown 5 destructive drifts on staging + 5 on main. Post-fix shows ONLY the 2 intended additions on staging + 1 on main, which go away after `apply.sh` runs.	2026-05-04 20:52:11 -07:00
Hongming Wang	7cc1c39c49	ci: e2e coverage matrix + branch-protection-as-code ... Closes #9. Three pieces, all small: 1. **docs/e2e-coverage.md** — source of truth for which E2E suites guard which surfaces. Today three were running but informational only on staging; that's how the org-import silent-drop bug shipped without a test catching it pre-merge. Now the matrix shows what's required where + a follow-up note for the two suites that need an always-emit refactor before they can be required. 2. **tools/branch-protection/apply.sh** — branch protection as code. Lets `staging` and `main` required-checks live in a reviewable shell script instead of UI clicks that get lost between admins. This PR's net change: add `E2E API Smoke Test` and `Canvas tabs E2E` as required on staging. Both already use the always-emit path-filter pattern (no-op step emits SUCCESS when the workflow's paths weren't touched), so making them required can't deadlock unrelated PRs. 3. **branch-protection-drift.yml** — daily cron + drift_check.sh that compares live protection against apply.sh's desired state. Catches out-of-band UI edits before they drift further. Fails the workflow on mismatch; ops re-runs apply.sh or updates the script. Out of scope (filed as follow-ups): - e2e-staging-saas + e2e-staging-external use plain `paths:` filters and never trigger when paths are unchanged. They need refactoring to the always-emit shape (same as e2e-api / e2e-staging-canvas) before they can be required. - main branch protection mirrors staging here; if main wants the E2E SaaS / External added later, do it in apply.sh and rerun. Operator must apply once after merge: bash tools/branch-protection/apply.sh The drift check picks it up from there. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 20:21:59 -07:00
Hongming Wang	5ebe6ccb33	test: regression guards for 2026-04-23 hermes + CP bug wave ... Three complementary regression tests for the chain of P0s fixed today. Each targets a specific bug class that reached production, and will fire loud if any of them regress. ## 1. E2E A2A assertion enhancements (tests/e2e/test_staging_full_saas.sh) The existing A2A check looked for "error|exception" in the response text, which was too broad and missed the actual error patterns we hit. Now matches each known error class individually with a diagnostic fail message pointing at the exact bug: - "[hermes-agent error 401]" → hermes #12 (API_SERVER_KEY) - "hermes-agent unreachable" → gateway process died - "model_not_found" → hermes #13 (model prefix) - "Encrypted content is not supported" → hermes #14 (api_mode) - "Unknown provider" → bridge PROVIDER misconfig Also asserts the response contains the PONG token the prompt asked for — catches silent-truncation/echo regressions. ## 2. Hermes install.sh bridge shell harness (tools/test-hermes-bridge.sh) 4 scenarios × 16 assertions, all offline (no docker, no network): - openai-bridge-happy: OPENAI_API_KEY + openai/gpt-4o → provider=custom, model="gpt-4o" (prefix stripped), api_mode=chat_completions - operator-custom-wins: explicit HERMES_CUSTOM_* → bridge skipped - openrouter-not-touched: OPENROUTER_API_KEY → provider=openrouter, slug kept - non-prefixed-model: bare "gpt-4o" → prefix-strip is a no-op Runs in <1s, can be wired into template-hermes CI. Pins the exact config.yaml shape — any drift in derive-provider.sh or the bridge if-block breaks a test. ## 3. Canvas ConfigTab hermes tests (ConfigTab.hermes.test.tsx) 5 vitest cases covering the #1894 bugs: - Runtime loads from workspace metadata when config.yaml missing - "No config.yaml found" red error hidden for hermes - Hermes info banner shown instead - Langgraph workspace still sees the red error (regression-guard the other way) - config.yaml runtime wins over workspace metadata when present ## Running bash tools/test-hermes-bridge.sh # 16 assertions cd canvas && npx vitest run src/components/tabs/__tests__/ConfigTab.hermes.test.tsx # 5 cases # E2E enhancements ride on the existing staging E2E workflow ## Not yet covered (tracked in #1900) CP admin delete-tenant EC2 cascade, cp-provisioner instance_id lookup (#1738), purge audit SQL mismatch (#241), and pq prepared- statement cache collision (#242). These are in-controlplane-repo concerns — separate PR with CP-side sqlmock + integration tests. Closes items in #1900. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-23 17:45:13 -07:00
hongming-personal	a56b765b2d	docs: testing strategy + PR hygiene + backend parity matrix + boot-event postmortem (#1824) ... Bundles the documentation and lightweight tooling landed during the 2026-04-23 ops/triage session. Pure additions — no behavior changes. ## Added ### docs/architecture/backends.md Parity matrix for Docker vs EC2 (SaaS) workspace backends. 18 features tabulated with current status; 6 ranked drift risks; enforcement hooks (parity-lint + contract tests). Living document — owners are workspace-server + controlplane teams. ### docs/engineering/testing-strategy.md Tiered test-coverage floors instead of a blanket 100% target. Seven tiers by code class (auth/crypto → generated DTOs). Per-package current-state snapshot + targets. Tracks the 3 biggest coverage gaps (tokens.go 0%, workspace_provision.go 0%, wsauth ~48%) against their tier-1/2 floors. ### docs/engineering/pr-hygiene.md Captures the patterns that keep diffs reviewable. Motivated by the 2026-04-23 backlog audit where 8 of 23 open PRs had 70-380-file bloat from stale branch drift. Covers: small-PR sizing, rebase-not-merge, cherry-pick-onto-fresh-base for recovery, targeting staging first, describing why-not-what. ### docs/engineering/postmortem-2026-04-23-boot-event-401.md Postmortem for the /cp/tenants/boot-event 401 race. Root cause (DB INSERT ordered AFTER readiness check), detection path (E2E + manual log inspection), lessons (write-before-read pattern, integration tests needed, E2E alerting gap, invariants-as-comments). ### tools/check-template-parity.sh CI lint for template repos — diffs the `${VAR:+VAR=${VAR}}` provider- key forwarders between install.sh (bare-host / EC2 path) and start.sh (Docker path). Catches the #5 drift risk from backends.md before it ships. ### workspace-server/internal/provisioner/backend_contract_test.go Shared behavioral contract scaffold for Provisioner + CPProvisioner. Compile-time assertions catch method-signature drift today; scenario- level runs are t.Skip'd pending backend nil-hardening (drift risk #6, see backends.md). ## Updated ### README.md Links the new engineering docs + backends parity matrix into the Documentation Map so agents and humans can actually find them. ## Related issues - #1814 — unblock workspace_provision_test.go (broadcaster interface) - #1813 — nil-client panic hardening (drift risk #6) - #1815 — Canvas vitest coverage instrumentation - #1816 — tokens.go 0% → 85% - #1817 — 5 sqlmock column-drift failures - #1818 — Python pytest-cov setup - #1819 — wsauth middleware coverage gap - #1821 — tiered coverage policy (meta) - #1822 — backend parity drift tracker Co-authored-by: Hongming Wang <hongmingwang.rabbit@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: molecule-ai[bot] <276602405+molecule-ai[bot]@users.noreply.github.com>	2026-04-23 19:59:38 +00:00